spinfoo.ninja


Because Computer Security Matters...

BLOG

[*] April 3, 2018 / Small tool to decode the ASP.NET __VIEWSTATE variable when doing web pentests

Get ASP.NET __VIEWSTATE decoder

[*] Feb 13, 2018 / CVE-2017-12544 Hewlett Packard Enterprise, HP System Management Homepage Software prior to 7.6.1 Cross-site Scripting (XSS)

HP original bulletin (Nr HPESBMU03753) || Bugtraq advisory

The HP System Management Homepage (SMH) is a web-based interface that consolidates and simplifies the management of ProLiant and Integrity servers running Microsoft Windows or Linux, or HP 9000 and HP Integrity servers running HP-UX 11i. ...more...

[*] Jan 4, 2017 / CVE-2016-10113 Samsung DVR Web Viewer weak credentials

MITRE assigned me CVE-2016-10113 for reporting this vulnerability.

Samsung DVR Web Viewer uses HTTP (port 80) by default and transmits the credentials in the Cookie header using a very bad security practice: the login and password are merely BASE64-encoded. It is trivial to decode those values and gain access to the Samsung DVR web interface to monitor and control IP cameras, even when the default credentials have been changed.
Vulnerable code (the login page builds the cookie directly from the form fields):
    document.cookie =
        'ID=' + encode64(document.login_page.id.value)
        + '&PWD=' + encode64(document.login_page.pwd.value)
        + '&SessionID=' + Math.random();

[*] Aug 7, 2016 / net2ftp 1.0 Multiple XSS on Unauthenticated Users

net2ftp is a web-based FTP client (http://www.net2ftp.com/index.php). It can be used as a standalone application and is also integrated into web platforms such as ISP providers, e-commerce sites and other websites. ... more ...

[*] Dec 22, 2008 / Roundcube Webmail 0.2 Remote Code Execution

Roundcube Webmail is a browser-based IMAP client that uses the "chuggnutt.com HTML to Plain Text Conversion" library to convert HTML to plain text; this library uses the PHP preg_replace function in an insecure manner. As this vulnerability was discovered in the wild (http://trac.roundcube.net/ticket/1485618), I was quite sure it would be exploitable: using PHP curly-brace syntax we can execute phpinfo():
wget -q --header="Content-Type: ''" \
-O - --post-data='<b>{${phpinfo()}}</b>' \
--no-check-certificate \
http://127.0.0.1/roundcubemail-0.2-alpha/bin/html2text.php
...more...

[*] Offensive Techniques: Buffer Overflow off-by-one

An article written by klog for Phrack, The Frame Pointer Overwrite, explains off-by-one vulnerabilities in the stack. That article was written in 1999, and some things have changed since then: the behaviour of the GCC compiler is different, and by default GCC now leaves a 2-word boundary on the stack between the local variables and the pushed ebp and eip, which means that such off-by-one vulnerabilities cannot be exploited. ...more...

[*] Aug 20, 2006 / CVE-2006-3747 POC & exploit for Apache 1.3/2.0/2.2 mod_rewrite off-by-one, SecurityFocus

https://www.securityfocus.com/archive//443870

© 2018 spinfoo.ninja
Contact (backwards): moc.liamnotorp@oofnips
Ninja picture attribution: Phantom Open Emoji maintainers and contributors https://commons.wikimedia.org/wiki/File:PEO-ninja.svg