Howdy folks. Today I'll be introducing you to the EXTRAnet Collaboration Tool (EXTRACT) 0.5.1. We'll explore leveraging EXTRACT to escalate privileges with a 0day bug. I'll also show you how you can enjoy some remote shell goodness thanks to inter-protocol exploitation (with some luck and a little user interaction).

Time for some more fun with browser URL handlers! This time we'll take a look into abusing the handlers for news/snews/nntp.

There are multiple security vulnerabilities in ActivDesk 3.0 which may allow an attacker to take control of the software.

There is a SQL Injection vulnerability in iSupport 1.8 which may allow an attacker to take control of the software.

There are multiple security vulnerabilities in BrewBlogger 2.3.2 which may allow an attacker to take control of the software.

There is an SQL Injection vulnerability in iGiveTest 2.1.0 which may allow an attacker to take control of the software.

Bitcoin - fun, profit and anonymity on the wire. A brief analysis of the BitCoin network.

There is a reflected Cross Site Scripting (XSS) vulnerability in DoceboLMS 4.0.4 which may allow an attacker to take control of the software. There are also numerous Full Path Disclosure vulnerabilities. Previous versions may also be affected.

There are multiple Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerabilities in PHP Event Calendar 1.4 which may allow an attacker to take control of the software if a user with admin privileges browses a malicious page while authorized.

There are multiple Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerabilities in PHP Event Calendar 1.4 which may allow an attacker to take control of the software if a user with admin privileges browses a malicious page while authorized.

There are multiple security vulnerabilities in Cachelogic Expired Domains Script 1.0 which may allow a remote attacker to take control of the software.

There are two reflected Cross Site Scripting (XSS) vulnerabilities in KSearch 1.5b. Prior versions are presumably affected however only version 1.4 has been tested.

There are multiple security vulnerabilities in Webbased PEAR Package Manager 0.7.5 (Beta) which may allow an attacker to take control of the software if an authorized user browses a malicious page during an authorized session.

There are multiple Full Path Disclosure (FPD) vulnerabilities and a reflected Cross Site Scripting (XSS) vulnerability in Rapidleech v2.3 Final (Update v42 SVN 322)

There are multiple Cross Site Scripting (XSS) vulnerabilities in the demo pages which are provided with isiAJAX 1.0 by default.

There are multiple security vulnerabilities in YOURLS <= 1.5 sample pages and plugins which may allow an unauthorized user to take control of the software.

There are multiple Full Path Disclosure (FPD) and reflected Cross-Site Scripting (XSS) vulnerabilities in Flyr.

It is possible to send traffic to a third-party website without leaking the referer. With this knowledge it is possible to "patsy" a third party by forcing their browser to submit "evil" requests to a target server.

There is a Persistent Cross-Site Scripting (XSS) vulnerability in rightscripts.com PHP Website Content Monitor which may allow an attacker to take control of the software.

There is a Reflected Cross-Site Scripting (XSS) vulnerability in rightscripts.com I Visit You which may allow an attacker to take control of the software if a user browses a malicious page during an authorized session.

There is a Local File Inclusion (LFI) vulnerability in rightscripts.com Extract Website Script which may allow an attacker to take control of the web-server.

There is a Cross Site Scripting (XSS) vulnerability in Google Dance Tool.

There is a Cross-Site Scripting (XSS) vulnerability in ToTalMaTch 1.2a which may allow an unauthorized user to take control of the software if an authenticated user browses a malicious page.

There are multiple security vulnerabilities in InDoorsLogger (IDLogger) version 7.7 which may allow an attacker to take control of the software.

There are multiple security vulnerabilities in phpRechnung 1.6 RC2 which allow an unauthorized user to take control of the software.

There are multiple security vulnerabilities in thERP which allow an unauthorized user to take control of the software.

There are multiple security vulnerabilities in newswall which may allow an attacker to compromise the web server.

All scripts generated by CodeCharge Studio 4.3 contain Cross-Site Request Forgery (CSRF) vulnerabilities which may allow an attacker to take control of the software if an authorized user browses a malicious page while authorized.

There are multiple security vulnerabilities in MonoQL 0.1a which may allow an attacker to take control of the software.

There are multiple Cross-Site Scripting (XSS) and Full Path Disclosure vulnerabilities in the WSN product line which may allow an attacker to take control of the software if a user with admin privileges browses a malicious page while logged in.

There are multiple security vulnerabilities in Dolibarr ERP CRM 3.0.0-alpha which may allow an attacker to take control of the software.

I recently noticed brief mentions of "SAVSys" in the rogue security tool Security Antivirus in use by the Koobface worm.

Back in 2002 I put together a macro worm targeting Microsoft Word 97 under the name "SavSys". It was more an experiment than anything - using very little stealth and mostly well known techniques circa 1995-2001. I never released the code.

Macro worms appeared in 1995 and were still fairly new to anti-virus in 2002. Some macros spread enough to gain media attention, such as Melissa and ILOVEYOU aka LoveBug.

There are two Cross-Site Scripting vulnerabilities in Trade Expert 2.2 build 11 which may allow an attacker to take control of the software if an authorized user browses a malicious page while authenticated.

There are multiple security vulnerabilities in SmartCJ Pro 1.45 which may allow an attacker to take control of the software if an authorized user browses a malicious page while authenticated.

There are two Cross-Site Scripting vulnerabilities in the latest version of Easy Niche Store Script as at 2010-11-09 11:45PM.

There are multiple Cross-Site Scripting (XSS) vulnerabilities in KMleague 2.1.2 which may allow an attacker to take control of the software if an authorized user browses a malicious page while logged in.

There are multiple Cross-Site Scripting vulnerabilities in SocketTimesheet 3.0 which may allow an attacker to take control of the software if an authenticated user browses a malicious page.

There are multiple Cross-Site Scripting (XSS) vulnerabilities in Online Attendance System: Lite Edition 1.0 which may allow an attacker to take control of the software.

There are multiple Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerabilities in Webmedia Explorer 6.13.2 which may allow an attacker to take control of the software if a user with admin privileges browses a malicious page.

There is a Cross-Site Scripting vulnerability in Truworth Flip Photo Album 1.1 which may allow an attacker to take control of the software if an authorized user browses a malicious page while logged in.

There are two Full Path Disclosure vulnerabilities in Truworth SEO Ecommerce Software 2.1.

There are multiple security vulnerabilities in Truworth PHP Invoice Software 2.1 which allow an attacker to remotely compromise the software.

There is an authentication bypass vulnerability in Truworth Online Time Sheet 2.1 due to the application failing to properly sanitize user-supplied input during authentication. Exploitation of this vulnerability would permit unauthorized access with admin privilages.

There are multiple Cross-Site Scripting (XSS) vulnerabilities in Online Knowledge Base System: Lite Edition 1.0 which may allow an attacker to take control of the software.

There are multiple Cross-Site Scripting (XSS) vulnerabilities in Site4 CMS 3.0.1 which may allow an attacker to take control of the software if an authorized user browses a malicious page while logged in.

The process of discovering web applications and their current version on a target domain is known as web application fingerprinting. Effective fingerprinting enables a penetration tester to perform targeted exploit delivery as knowing the version is good enough to infer vulnerabilities.

nmap_to_services extracts the ip address and associated ports from an nmap log and returns the results in an easy to use format.

Multiple security vulnerabilities exist in the QNAP TS-239 Pro network attached storage device which could allow an attacker to take control of the device if a user with administrator privileges browses a malicious web page.

Multiple vulnerabilities exist in the Kloxo Single Server webhosting platform which may allow an attack to take control of the software if a user with admin privileges browses a malicious page while logged in.

Using HTTP Referrers for Targeted XSS Attacks

There are many files in Wordpress which spit out PHP error messages if accessed directly over HTTP.

If a user is masking their user-agent in Internet Explorer or Mozilla Firefox it is still possible to identify their browser and operating system using protocols which are unique to the browser.

Hacker Defender is one of the most widely deployed rootkits in the wild. There's plenty of talk about obfuscating binaries to avoid anti-virus detection but you won't find that here. Just shift a few bytes or use a packer - you know the drill. What I want talk about is obfuscating the Hacker Defender INI configuration file to avoid detection by anti-virus programs.

An issue exists in Firefox, Internet Explorer and Google Chrome which causes the browser to hang due to memory exhaustion when browsing a specially crafted HTML page. An unwary user who does not kill the browser process quickly may have to wait several minutes to recover control and kill the process.

fingerprint-http-cpanel Determines the URL and version of cpanel on the target server.

This is a brief article about digging up information on people who play online video games. To begin with you may only have the gamer's username/handle. This is often enough to track down an avid gamer.

Multiple vulnerabilities exist in the Wordpress 2.7.1 blogging software however successful exploitation requires admin roles.

Multiple vulnerabilities exist in the Belkin F1PI242EGau (wireless 4 port) router distributed by Australian ISP iiNet which could allow an attacker complete control over the user's router if the user browses a malicious web page. CSRF and XSS issues in the web administration interface lead to denial of service, information disclosure and DNS Hijacking.

Escalating Wordpress 2.6 search XSS to Arbitrary File Upload

Reverse shell with IExpress.exe Win32 Cabinet Self-Extractor

Helpful commands (Win32/64)

Exploiting environment variables

Port forwarding on Cisco 800 Series

Exploiting VLANs with Yersinia

Cracking Cisco service password encryption (type-7)

This article covers backdooring later versions of Cisco IOS to allow an attacker to maintain access to the device without knowledge of the passwords set by the administrator.

File and directory permissions are very important when discussing security, consider the ramifications if an attacker had write access to system log files, they would be able to modify log entries, to prevent tracing or notification that an attacker had breached the system.

In this article, I will cover how to remotely control a target windows machine by installing and running a VNC program without the targets knowledge. This is best done when the machine is idle, as interfacing directly with the GUI can be seen on the target’s monitor. eg; the mouse cursor movements are seen, etc.

Exploiting hard links on filesystem

EtherChannel is a network link aggregation technology that allows you to basically create one logical interface combining the bandwidth of multiple physical interfaces. It is a good solution to not only increase bandwidth, but also increase redundancy in your network link.

This short tutorial is focused on how to setup NIS clients & servers on Debian Linux.

Solaris 10 comes prepackaged with BART - a great tool that allows you to compare the contents of an entire filesystem at any two points in time.

ARP spoofing/poisoning on switched networks using the dsniff package

Useful proc security modifications