what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 51 RSS Feed

Files from Ramon de C Valle

Email addressprivate
First Active2003-09-13
Last Active2015-11-06
View User Profile
Java Secure Socket Extension (JSSE) SKIP-TLS
Posted Nov 6, 2015
Authored by Ramon de C Valle

Java Secure Socket Extension (JSSE) SKIP-TLS exploit that has been tested on JDK 8u25 and 7u72. This is a stand-alone ruby exploit and does not require Metasploit.

tags | exploit, java
advisories | CVE-2014-6593
SHA-256 | a90ce607a0f947ec514acaf7bf40cbc108e1c777beec2ab4ae28f703f377d394
OpenSSL Alternative Chains Certificate Forgery
Posted Nov 6, 2015
Authored by Ramon de C Valle

OpenSSL alternative chains certificate forgery exploit that has been tested on OpenSSL 1.0.2c, 1.0.2b, 1.0.1o, 1.0.1n, and Fedora 22 (1.0.1k-fips). This is a stand-alone ruby exploit and does not require Metasploit.

tags | exploit, ruby
systems | linux, fedora
advisories | CVE-2015-1793
SHA-256 | 8b6f9bcf361b0d86c9e3b63d69ba09cc9e41ac56045a61d07a3c130a7c9e1009
Java Secure Socket Extension (JSSE) SKIP-TLS MITM Proxy
Posted Aug 12, 2015
Authored by Ramon de C Valle | Site metasploit.com

This Metasploit module exploits an incomplete internal state distinction in Java Secure Socket Extension (JSSE) by impersonating the server and finishing the handshake before the peers have authenticated themselves and instantiated negotiated security parameters, resulting in a plaintext SSL/TLS session with the client. This plaintext SSL/TLS session is then proxied to the server using a second SSL/TLS session from the proxy to the server (or an alternate fake server) allowing the session to continue normally and plaintext application data transmitted between the peers to be saved. This Metasploit module requires an active man-in-the-middle attack.

tags | exploit, java
advisories | CVE-2014-6593
SHA-256 | 22a68679289289a147b9ebdb5f0ea0fe01da2e11c5941c4f87b8111257d42ea5
OpenSSL Alternative Chains Certificate Forgery MITM Proxy
Posted Jul 27, 2015
Authored by Ramon de C Valle, Adam Langley, David Benjamin | Site metasploit.com

This Metasploit module exploits a logic error in OpenSSL by impersonating the server and sending a specially-crafted chain of certificates, resulting in certain checks on untrusted certificates to be bypassed on the client, allowing it to use a valid leaf certificate as a CA certificate to sign a fake certificate. The SSL/TLS session is then proxied to the server allowing the session to continue normally and application data transmitted between the peers to be saved. The valid leaf certificate must not contain the keyUsage extension or it must have at least the keyCertSign bit set (see X509_check_issued function in crypto/x509v3/v3_purp.c); otherwise; X509_verify_cert fails with X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. This Metasploit module requires an active man-in-the-middle attack.

tags | exploit, cryptography
advisories | CVE-2015-1793
SHA-256 | 0be0198fd35b0f082fb3872672e7f1dbe40db0a2ae2abc971e5936c264d03b3b
DHCP Client Bash Environment Variable Code Injection
Posted Sep 26, 2014
Authored by Ramon de C Valle, scriptjunkie, Stephane Chazelas | Site metasploit.com

This Metasploit module exploits a code injection in specially crafted environment variables in Bash, specifically targeting dhclient network configuration scripts through the HOSTNAME, DOMAINNAME, and URL DHCP options.

tags | exploit, bash
advisories | CVE-2014-6271
SHA-256 | 79d7a8dc657f6596bbdf6d89daca73b5c6faa99cc6ea47bed9be15fb8d04a23a
Katello (Red Hat Satellite) users/update_roles Missing Authorization
Posted Mar 25, 2014
Authored by Ramon de C Valle | Site metasploit.com

This Metasploit module exploits a missing authorization vulnerability in the "update_roles" action of "users" controller of Katello and Red Hat Satellite (Katello 1.5.0-14 and earlier) by changing the specified account to an administrator account.

tags | exploit
systems | linux, redhat
advisories | CVE-2013-2143
SHA-256 | e0371216c7f1d8860897ca9e5f3d083fc1371c2aca741321b8cb6ff295f73dbf
Red Hat CloudForms Management Engine 5.1 miq_policy/explorer SQL Injection
Posted Dec 27, 2013
Authored by Ramon de C Valle | Site metasploit.com

This Metasploit module exploits a SQL injection vulnerability in the "explorer" action of "miq_policy" controller of the Red Hat CloudForms Management Engine 5.1 (ManageIQ Enterprise Virtualization Manager 5.0 and earlier) by changing the password of the target account to the specified password.

tags | exploit, sql injection
systems | linux, redhat
advisories | CVE-2013-2050
SHA-256 | b55583d572b94d5be808ddfcb5ca09620c6e831caa6772d47ef4ca397a0d8dfc
Red Hat CloudForms Management Engine 5.1 agent/linuxpkgs Path Traversal
Posted Dec 23, 2013
Authored by Ramon de C Valle | Site metasploit.com

This Metasploit module exploits a path traversal vulnerability in the "linuxpkgs" action of "agent" controller of the Red Hat CloudForms Management Engine 5.1 (ManageIQ Enterprise Virtualization Manager 5.0 and earlier). It uploads a fake controller to the controllers directory of the Rails application with the encoded payload as an action and sends a request to this action to execute the payload. Optionally, it can also upload a routing file containing a route to the action. (Which is not necessary, since the application already contains a general default route.)

tags | exploit
systems | linux, redhat
advisories | CVE-2013-2068
SHA-256 | ecc3dfeae56af0d7e8234b449d220c4c30764ffe2c2b2a098d22efcf89701574
Foreman (Red Hat OpenStack/Satellite) users/create Mass Assignment
Posted Aug 21, 2013
Authored by Ramon de C Valle | Site metasploit.com

This Metasploit module exploits a mass assignment vulnerability in the create action of users controller of Foreman and Red Hat OpenStack/Satellite (Foreman 1.2.0-RC1 and earlier) by creating an arbitrary administrator account. For this exploit to work, your account must have create_users permission (e.g., Manager role).

tags | exploit, arbitrary
systems | linux, redhat
advisories | CVE-2013-2113, OSVDB-94655
SHA-256 | 8aba4389b4b51efa17c66a8c2ddaabb0489ae3e020c3f31852637c4d80e383a3
Foreman (Red Hat OpenStack/Satellite) Code Injection
Posted Jul 23, 2013
Authored by Ramon de C Valle | Site metasploit.com

This Metasploit module exploits a code injection vulnerability in the 'create' action of 'bookmarks' controller of Foreman and Red Hat OpenStack/Satellite (Foreman 1.2.0-RC1 and earlier).

tags | exploit
systems | linux, redhat
advisories | CVE-2013-2121, OSVDB-94671
SHA-256 | c5c9607b201bbed12138b9c01832cadc3f0585df9c929779954f3b1deff22316
Linux Kernel Sendpage Local Privilege Escalation
Posted Jul 19, 2012
Authored by Brad Spengler, Ramon de C Valle, Tavis Ormandy, Julien Tinnes, egypt | Site metasploit.com

The Linux kernel failed to properly initialize some entries the proto_ops struct for several protocols, leading to NULL being derefenced and used as a function pointer. By using mmap(2) to map page 0, an attacker can execute arbitrary code in the context of the kernel. Several public exploits exist for this vulnerability, including spender's wunderbar_emporium and rcvalle's ppc port, sock_sendpage.c. All Linux 2.4/2.6 versions since May 2001 are believed to be affected: 2.4.4 up to and including 2.4.37.4; 2.6.0 up to and including 2.6.30.4

tags | exploit, arbitrary, kernel, protocol, ppc
systems | linux
advisories | CVE-2009-2692
SHA-256 | 9bd69f05ada8cee6b76af8cc4636ab3a3a49a49bfad809f7b97fefaea4e48bb0
Exploiting glibc __tzfile_read Part II
Posted Dec 13, 2011
Authored by Ramon de C Valle

This is a follow-up document that discusses exploiting the glibc __tzfile_read integer overflow to buffer overflow and leveraging Vsftpd.

tags | paper, overflow
SHA-256 | 9fa157a07080306dfb186dfc7d65fae1fe12c4ff8c7beeb94a90bd9698026603
Exploiting glibc __tzfile_read Integer Overflow To Buffer Overflow And Vsftpd
Posted Dec 13, 2011
Authored by Ramon de C Valle | Site rcvalle.com

This is a write up that discusses exploiting the glibc __tzfile_read integer overflow to buffer overflow and leveraging Vsftpd.

tags | paper, overflow
SHA-256 | aa2f52177ccb0dba0def1cbf1e6bb31a25c445b615e0289658b51067f794493e
Apache Range Header Denial Of Service
Posted Dec 9, 2011
Authored by Ramon de C Valle

This is a reverse engineered version of the exploit by ev1lut10n that triggers a denial of service condition using a vulnerability in the Range header of Apache versions 1.3.x, 2.0.64 and below and 2.2.19 and below.

tags | exploit, denial of service
advisories | CVE-2011-3192
SHA-256 | 8924bead3b42a1c38477cea3b48584db4ab1b22693ae7553273e5f0bc044c0ff
Unixasm Assembly Components 1.4.0
Posted May 25, 2010
Authored by Ramon de C Valle | Site risesecurity.org

A collection of shellcodes for various platforms such as bsd-x86, linux-x86, sco-x86, and solaris-x86. This project contains a set of assembly components for proof of concept codes on different operating systems and architectures. These components were carefully designed and implemented for maximum reliability, following strict coding standards and requirements, such as system call invocation standards, position independent, register independent and zero free code. A special attention was put on code length when designing and implementing them, resulting in the most reliable and shortest codes for such purpose available today.

Changes: Added support to AIX Versions 6.1.4, 6.1.3, 6.1.2, 6.1.1, 5.3.10, 5.3.9, 5.3.8, 5.3.7. Changed the base value used for calculating the system call numbers and arguments to avoid null bytes in newer versions of AIX.
tags | x86, shellcode, proof of concept
systems | linux, solaris, bsd
SHA-256 | 5f60ce0fe57bf93f7b9b6dfe2eeef3f12655215826ad25568bf3eafb11595c53
Firebird Relational Database isc_attach_database() Buffer Overflow
Posted Nov 26, 2009
Authored by Ramon de C Valle, Adriano Lima | Site metasploit.com

This Metasploit module exploits a stack overflow in Borland InterBase by sending a specially crafted create request.

tags | exploit, overflow
advisories | CVE-2007-5243
SHA-256 | 75ccae32e6a681ca52041605578b4c74db2c5a1c796211d8a46bddd7f3d1665b
Firebird Relational Database isc_create_database() Buffer Overflow
Posted Nov 26, 2009
Authored by Ramon de C Valle, Adriano Lima | Site metasploit.com

This Metasploit module exploits a stack overflow in Borland InterBase by sending a specially crafted create request.

tags | exploit, overflow
advisories | CVE-2007-5243
SHA-256 | 7ad400608089f7047729b20b5b39242d6c9b2aa7f9014358c786fa3d52c6c287
Firebird Relational Database SVC_attach() Buffer Overflow
Posted Nov 26, 2009
Authored by Ramon de C Valle, Adriano Lima | Site metasploit.com

This Metasploit module exploits a stack overflow in Borland InterBase by sending a specially crafted service attach request.

tags | exploit, overflow
advisories | CVE-2007-5243
SHA-256 | d3ca8564e0dac6b73da45fac60f76f4deb98eb63f6147abc4897595c43465773
Borland InterBase isc_attach_database() Buffer Overflow
Posted Nov 26, 2009
Authored by Ramon de C Valle, Adriano Lima | Site metasploit.com

This Metasploit module exploits a stack overflow in Borland InterBase by sending a specially crafted attach request.

tags | exploit, overflow
advisories | CVE-2007-5243
SHA-256 | 63172546e969a58b1eeddfce0613c163b394447938646b9e5707ca94544913fb
Borland InterBase isc_create_database() Buffer Overflow
Posted Nov 26, 2009
Authored by Ramon de C Valle, Adriano Lima | Site metasploit.com

This Metasploit module exploits a stack overflow in Borland InterBase by sending a specially crafted create request.

tags | exploit, overflow
advisories | CVE-2007-5243
SHA-256 | 6ec0d0b72e02a0c65f646f14cf76eedeab3d9199a07449c8c949412207c2f8d7
Borland InterBase SVC_attach() Buffer Overflow
Posted Nov 26, 2009
Authored by Ramon de C Valle, Adriano Lima | Site metasploit.com

This Metasploit module exploits a stack overflow in Borland InterBase by sending a specially crafted service attach request.

tags | exploit, overflow
advisories | CVE-2007-5243
SHA-256 | ab2756fdbe75cf2876139fa363d8263a33fa8d44c707093e27d9ad321e6174db
Linux sock_sendpage() NULL Pointer Dereference
Posted Sep 11, 2009
Authored by Ramon de C Valle | Site risesecurity.org

Linux 2.4 and 2.6 kernel sock_sendpage() NULL pointer dereference exploit. The third and final version of this exploit. This third version features: Complete support for i386, x86_64, ppc and ppc64; The personality trick published by Tavis Ormandy and Julien Tinnes; The TOC pointer workaround for data items addressing on ppc64 (i.e. functions on exploit code and libc can be referenced); Improved search and transition to SELinux types with mmap_zero permission.

tags | exploit, kernel, ppc
systems | linux
SHA-256 | 4c81627c007c2bba523f9c37b9474159727cda368af2e7454b6bc420e0606a47
Linux sock_sendpage() NULL Pointer Dereference
Posted Sep 7, 2009
Authored by Ramon de C Valle | Site risesecurity.org

Linux 2.4 and 2.6 kernel sock_sendpage() NULL pointer dereference exploit. This newer version of the exploit also works with Linux kernel versions that implement COW credentials (e.g. Fedora 11). For SELinux enforced systems, it automatically searches in the SELinux policy rules for types with mmap_zero permission it can transition, and tries to exploit the system with that types.

tags | exploit, kernel
systems | linux, fedora
SHA-256 | e7a0caddf89d8627bd0b835e2b2cdebadbbcb4d666e016dac2a4f3f13979e955
Linux sock_sendpage() Local Root Exploit
Posted Sep 2, 2009
Authored by Ramon de C Valle | Site risesecurity.org

Linux 2.4 and 2.6 kernel sock_sendpage() local root exploit for powerpc.

tags | exploit, overflow, kernel, local, root
systems | linux
SHA-256 | 7c3b7c143326e680e557cb7d6f0777ebe17c0c85c23641bbd7ba4ac843edfd2e
Linux eCryptfs parse_tag_3_packet Encrypted Key Overflow
Posted Jul 28, 2009
Authored by Ramon de C Valle | Site risesecurity.org

There exists a vulnerability within a function of Linux eCryptfs (Enterprise Cryptographic Filesystem), which when properly exploited can lead to compromise of the vulnerable system. This vulnerability was confirmed in the Linux kernel version 2.6.30.3. Linux kernel versions 2.6.19 and later have eCryptfs support and may be also affected.

tags | advisory, kernel
systems | linux
SHA-256 | 7b90cdef75ea3af4a2047adeb9c65aac0fa6972888b9744805e91c76e8afce1a
Page 1 of 3
Back123Next

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close