Showing 1 - 25 of 62

Files from Ruben Santamarta

Email address: ruben at reversemode.com
First Active: 2006-02-02
Last Active: 2024-08-31
Allen-Bradley/Rockwell Automation EtherNet/IP CIP Commands
Posted Aug 31, 2024
Authored by Tod Beardsley, Ruben Santamarta, K. Reid Wightman | Site metasploit.com

The EtherNet/IP CIP protocol allows a number of unauthenticated commands to a PLC which implements the protocol. This Metasploit module implements the CPU STOP command, as well as the ability to crash the Ethernet card in an affected device. This Metasploit module is based on the original ethernetip-multi.rb Basecamp module from DigitalBond.

tags | exploit, protocol
SHA-256 | 887d7ca941da90893389c8d56d690e8e44325dff76f8eba61e9b105f62a0c3e5
Novell Client 4.91 SP4 nwfs.sys Local Privilege Escalation
Posted Jun 23, 2013
Authored by Ruben Santamarta, juan vazquez | Site metasploit.com

This Metasploit module exploits a flaw in the nwfs.sys driver to overwrite data in kernel space. The corruption occurs while handling ioctl requests with code 0x1438BB, where a 0x00000009 dword is written to an arbitrary address. An entry within the HalDispatchTable is overwritten in order to execute arbitrary code when NtQueryIntervalProfile is called. The module has been tested successfully on Windows XP SP3 with Novell Client 4.91 SP4.

tags | exploit, arbitrary, kernel
systems | windows
advisories | OSVDB-46578
SHA-256 | 02221705500fa599274361e29583fc85f5bc7d9c953dfd6c235f742e5c0948a8
SCADA Trojans: Attacking The Grid
Posted Mar 23, 2011
Authored by Ruben Santamarta | Site reversemode.com

Presentation slides from "SCADA Trojans: Attacking the Grid" as it was presented at RootedCon'11 in Madrid.

tags | paper, trojan
SHA-256 | b859f48eb76310750d6445553c321c3c561679e19c67b8bde7dec9455c01c929
Advantec/BroadWin SCADA WebAccess 7.0 Network Service RPC Party Exploit
Posted Mar 23, 2011
Authored by Ruben Santamarta | Site reversemode.com

Advantec/BroadWin SCADA WebAccess 7.0 Network Service RPC party exploit that demonstrates the leaking of a security code and remote command execution.

tags | exploit, remote
SHA-256 | 83becf12b501bcc267fbd1be7561838dd7024b5d4fe6c3a51d4a00011e8a4337
Win32k Keyboard Layout Vulnerability
Posted Jan 13, 2011
Authored by Ruben Santamarta

Demonstration code for the Win32k Keyboard Layout vulnerability as described in MS10-073.

tags | exploit
advisories | CVE-2010-2743
SHA-256 | 7005d59ca11deb8904289606e53b191d81477434efe81a88cc522d487108ef02
MOXA Device Manager Tool 2.1 Buffer Overflow
Posted Nov 8, 2010
Authored by Ruben Santamarta, MC | Site metasploit.com

This Metasploit module exploits a stack overflow in MOXA MDM Tool 2.1. When sending a specially crafted MDMGw (MDM2_Gateway) response, an attacker may be able to execute arbitrary code.

tags | exploit, overflow, arbitrary
SHA-256 | d1dd4e7fce98d32b48eac6791f3f78990a4253f063ff4c36a0b84dd00ca14a1c
Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution
Posted Aug 30, 2010
Authored by Ruben Santamarta, jduck | Site metasploit.com

This Metasploit module exploits a memory trust issue in Apple QuickTime 7.6.7. When processing a specially-crafted HTML page, the QuickTime ActiveX control will treat a supplied parameter as a trusted pointer. It will then use it as a COM-type pUnknown and lead to arbitrary code execution. This exploit utilizes a combination of heap spraying and the QuickTimeAuthoring.qtx module to bypass DEP and ASLR. This Metasploit module does not opt-in to ASLR. As such, this module should be reliable on all Windows versions. NOTE: The addresses may need to be adjusted for older versions of QuickTime.

tags | exploit, arbitrary, code execution, activex
systems | windows, apple
advisories | CVE-2010-1818
SHA-256 | ad2a818e38de29a3d18064e2a155fb84222ea75ee5b000f0fd2526843600bd1b
Apple QuickTime _Marshaled_pUnk Backdoor Parameter Code Execution
Posted Aug 30, 2010
Authored by Ruben Santamarta | Site reversemode.com

Apple QuickTime suffers from a "_Marshaled_pUnk" backdoor parameter client-side arbitrary code execution vulnerability.

tags | exploit, arbitrary, code execution
systems | apple
SHA-256 | 644b799b15a352ece2eb968a2fc1a39765068d3237f090e9e9ad901abdde450d
Microsoft mshtml.dll CTimeoutEventList::InsertIntoTimeoutList Memory Leak
Posted Jul 1, 2010
Authored by Ruben Santamarta | Site reversemode.com

Microsoft mshtml.dll CTimeoutEventList::InsertIntoTimeoutList proof of concept memory leak exploit.

tags | exploit, proof of concept, memory leak
SHA-256 | 26c6bc3c22f10f89c89c0f8bb76f0987adefcfa26780a828bac7b1cc58dbf7b7
Consona Cross Site Scripting / Code Execution / Buffer Overflow
Posted May 8, 2010
Authored by Ruben Santamarta | Site wintercore.com

Consona products use a proprietary ActiveX site-lock mechanism that can be defeated through XSS attacks. Once an attacker can inject arbitrary JS code within the context of an allowed domain, unsafe methods can be invoked to download and execute arbitrary binaries. A local privilege escalation flaw discovered in Consona's Repair Service can be used to bypass IE8 Protected Mode, thus gaining SYSTEM privileges.

tags | advisory, arbitrary, local, activex
SHA-256 | 60dc5031646713bbf359f4aa1393fda67c72eb7e5d7cb4926fed44ab1fda9840
JAVA Web Start Arbitrary Command-Line Injection
Posted Apr 9, 2010
Authored by Ruben Santamarta | Site reversemode.com

JAVA Web Start suffers from an arbitrary command-line injection vulnerability.

tags | exploit, java, web, arbitrary
SHA-256 | f56c7424142422fcf7bb61a39fbdea3fc49a395ed67cfe06093c8317279d4aa9
HMS HICP Modification / Intellicom NetBiterConfing.exe Stack Overflow
Posted Dec 15, 2009
Authored by Ruben Santamarta | Site reversemode.com

This advisory documents vulnerabilities in the HMS HICP protocol as well as an Intellicom NetBiterConfing.exe remote stack overflow vulnerability. Proof of concept code included.

tags | exploit, remote, overflow, vulnerability, protocol, proof of concept
SHA-256 | 568bd797eaf1f7ed214afde142e6f10f82177d14ce3e3f83f9c7be7f09b32e90
Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow
Posted Nov 26, 2009
Authored by Ruben Santamarta, MC | Site metasploit.com

This Metasploit module exploits a stack overflow in Novell's NetIdentity Agent. When sending a specially crafted string to the 'XTIERRPCPIPE' named pipe, an attacker may be able to execute arbitrary code. The success of this module is much greater once the service has been restarted.

tags | exploit, overflow, arbitrary
advisories | CVE-2009-1350
SHA-256 | 24be81255f40b751b92a165d5f12fc755361fe4c61c5b4ecd0363cd976e3c766
iDEFENSE Security Advisory 2009-06-25.2
Posted Jun 26, 2009
Authored by iDefense Labs, Ruben Santamarta | Site idefense.com

iDefense Security Advisory 06.25.09 - Remote exploitation of a stack-based buffer overflow vulnerability in Motorola Inc.'s Timbuktu Pro could allow attackers to execute arbitrary code with SYSTEM privileges. Timbuktu fails to properly handle user-supplied data passed through a named pipe session. When the PlughNTCommand named pipe receives an overly large character string, a buffer overflow will occur resulting in arbitrary code execution. iDefense has confirmed the existence of this vulnerability in Timbuktu Pro version 8.6.5. Previous versions may also be affected.

tags | advisory, remote, overflow, arbitrary, code execution
advisories | CVE-2009-1394
SHA-256 | ab79faf675800d7b7b3746fd9f41707ec4fd077918d41f3c4a45aebd457ac0a3
Kaspersky Klim5.sys Advisory
Posted Feb 2, 2009
Authored by Ruben Santamarta | Site wintercore.com

KIS 2008 and Kaspersky AntiVirus for Workstations suffer from a local privilege escalation vulnerability in Klim5.sys.

tags | advisory, local
SHA-256 | 986d0ad816e789cda1a3b6e60acf76a92dd2c3e35c8b13cf6af11184f8f77d00
Kaspersky Klim5.sys Privilege Escalation Exploit
Posted Feb 2, 2009
Authored by Ruben Santamarta | Site wintercore.com

KIS 2008 and Kaspersky AntiVirus for Workstations local privilege escalation exploit for Klim5.sys.

tags | exploit, local
SHA-256 | 85cd67d9a7dd14368a87ecb0b6e2697b18ac25ac9ed708ce4af6e323ab93fca8
Wintercore Advisory WM01-0109
Posted Jan 21, 2009
Authored by Ruben Santamarta | Site wintercore.com

Wintercore Advisory - PXEService.exe is prone to a remote buffer overflow due to improper bounds checking when handling PXE requests. A remote unauthenticated malicious attacker can take advantage of this flaw to execute arbitrary code by sending a specially crafted UDP packet. SystemcastWizard Lite versions 2.0 and below are affected.

tags | advisory, remote, overflow, arbitrary, udp
SHA-256 | 1e4e1fc447fa7a1d81f5dee9dc92ca06a9dc682581918bf7809c0defad38df4b
afd_plugin.zip
Posted Oct 16, 2008
Authored by Ruben Santamarta | Site reversemode.com

K-Plugin for Kartoffel that exploits a kernel memory overwrite in AFD.sys as outlined in MS08-066. Applies to Microsoft Windows XP and 2003.

tags | exploit, kernel
systems | windows
SHA-256 | 84af59e87dcb1abe14f460ff6eb43f6b7512b3faaa0899dacb200f13bddb2eb9
advisory_W021008.txt
Posted Oct 9, 2008
Authored by Ruben Santamarta

The Microsoft Windows kernel is prone to a local privilege escalation due to an integer overflow error within the IopfCompleteRequest function. This vulnerability may allow attackers to execute arbitrary code in the kernel context, thus allowing privileges to be escalated to SYSTEM.

tags | advisory, overflow, arbitrary, kernel, local
systems | windows
SHA-256 | 83416b5326404b535c7aca5df86a5d9d9c86e01657b803c965feda37f7d987fa
exploit_realwin.c
Posted Sep 26, 2008
Authored by Ruben Santamarta | Site reversemode.com

DATAC RealWin version 2.0 SCADA software remote pre-auth exploit.

tags | exploit, remote
SHA-256 | 9ca9706b47c78dc4087b149021c2eff497f57a0a28a9ecac8e398ea2ee7970f6
iDEFENSE Security Advisory 2008-08-12.4
Posted Aug 13, 2008
Authored by iDefense Labs, Ruben Santamarta | Site idefense.com

iDefense Security Advisory 08.12.08 - Remote exploitation of an integer overflow vulnerability in Microsoft Corp.'s PowerPoint Viewer 2003 could allow an attacker to execute arbitrary code in the context of the user running the application. This vulnerability specifically exists when handling CString objects embedded in a PowerPoint presentation file. An issue in this object results in a very small buffer being allocated while a very large amount of data is copied into it. This leads to an exploitable heap-based buffer overflow. iDefense has confirmed that pptview.exe file version 11.0.5703.0 and file version 11.0.6566.0, as included in Microsoft Office 2003 SP2, are vulnerable. Other versions are also likely to be affected.

tags | advisory, remote, overflow, arbitrary
advisories | CVE-2008-0120
SHA-256 | ab9458aeec88e0b4bfc7e9fb864d5c1741e1a1d79728cab3e7e18f9e302f5a5e
iDEFENSE Security Advisory 2008-08-12.3
Posted Aug 13, 2008
Authored by iDefense Labs, Ruben Santamarta | Site idefense.com

iDefense Security Advisory 08.12.08 - Remote exploitation of an out of boundary array index vulnerability in Microsoft Corp.'s PowerPoint Viewer 2003 could allow an attacker to execute arbitrary code in the context of the user running the application. This vulnerability specifically exists in PowerPoint Viewer 2003 when handling certain records in a PowerPoint presentation file. In some circumstances, an array index can be directly controlled by data from within the PowerPoint presentation file. Thus, a function pointer can be directly controlled by the attacker and leveraged for arbitrary code execution. iDefense has confirmed that pptview.exe file version 11.0.5703.0 is vulnerable. Previous versions are also likely to be affected.

tags | advisory, remote, arbitrary, code execution
advisories | CVE-2008-0121
SHA-256 | fdbaba262f38504a718a7a20bdfe67eb45165704219047a0a47f08f9c4936860
iDEFENSE Security Advisory 2008-05-12.1
Posted May 12, 2008
Authored by iDefense Labs, Ruben Santamarta | Site idefense.com

iDefense Security Advisory 05.12.08 - Local exploitation of an input validation vulnerability within version 5.1.2600.2180 of i2omgmt.sys, as included with Microsoft Corp's Windows XP operating system, could allow an attacker to execute arbitrary code in the context of the kernel. iDefense has confirmed the existence of this vulnerability in i2omgmt.sys version 5.1.2600.2180 as installed on some Windows XP SP2 systems. All other Windows releases with this driver, including previous versions, are suspected to be vulnerable.

tags | advisory, arbitrary, kernel, local
systems | windows
advisories | CVE-2008-0322
SHA-256 | 35cc46cc0db1c95bb2b83fbdfc1887d6ce9e719845e83fd361e320e5522b35c9
ms08-25-exploit.zip
Posted Apr 29, 2008
Authored by Ruben Santamarta | Site reversemode.com

Microsoft Windows XP SP2 privilege escalation exploit that leverages win32k.sys and takes advantage of the vulnerability noted in MS08-025.

tags | exploit
systems | windows
SHA-256 | b4efbc03e8e8bce846b7495ffaf1bc53241706ee6c268f503a27d9ca2958ff2c
W01-0408.txt
Posted Apr 24, 2008
Authored by Ruben Santamarta | Site wintercore.com

Wintercore Advisory - Realtek HD Audio Codec Drivers are prone to a local privilege escalation due to insufficient validation of user-mode buffers. RTKVHDA.sys versions below 6.0.1.5605 and RTKVHDA64.sys signed versions below 6.0.1.5605 are affected.

tags | advisory, local
SHA-256 | a6fc2d5582e8a71c4fed62361743ae6f26030ad35992614a9525a578ae75632c
© 2024 Packet Storm. All rights reserved.