Research
#17 Microsoft Windows Server Service (MS08-067) Exploit
Description This exploit demonstrates the vulnerability found in the Microsoft Windows Server Service (SRVSVC). Presently the exploit only works against Windows 2000 and Windows 2003 (SP2).
Release Date 17-Nov, 2008
External Link(s) SecurityFocus, SecurityVulns, exploit-db
Credits for exploit only
Download PoC

 

#16 Adobe Reader Javascript Printf Buffer Overflow Exploit
Description This exploit demonstrates the vulnerability found in the Adobe Reader JavaScript util.printf method. The download includes the exploit script, which needs to be embedded into a PDF file to test the exploit.
Release Date 6-Nov, 2008
External Link(s) SecurityFocus, exploit-db
Credits for exploit only
Download PoC

 

#15 Defeating Microsoft Office Genuine Advantage (OGA) Check
Description The Office Genuine Advantage (OGA) check is part of a Microsoft effort to reduce piracy. However, there are possibly 101 ways to defeat any such lame attempt to prevent software piracy. Though I do not believe in software piracy, I was a bit intrigued to check whether Microsoft has any foolproof plans to beat piracy. Interestingly, it did not take me long to beat the piracy protection implemented by Microsoft. Refer to the PoC, where I have outlined two different methods to defeat the Office Genuine Advantage validation check.
Release Date 29-Jan, 2007
External Link(s) ZDNet
Credits for both vulnerability and exploit
Download PoC

 

#14 Adobe Acrobat 'Collab.collectEmailInfo' Function Download/Exec Exploit - CVE-2007-5659
Description This vulnerability was made public back in Feb 2008. I wrote the exploit for this issue back in Oct 2008 but could not release it due to an IP agreement with my contractor. Hence I released a download/exec demo video instead.
Release Date 24-Oct, 2008
External Link(s)  
Credits for the exploit. Only the exploit video was released; the exploit code was kept as a zero day as per the contract agreement.
Download PoC Video

 

#13 RealPlayer ierpplug.dll ActiveX Control BO Exploit - CVE-2007-5601
Description This vulnerability was made public back in Oct 2007; however, there was no publicly available exploit until 2008. I wrote the exploit for this issue back in April 2008 but could not release it due to an IP agreement with my contractor. Hence I released a demo video back in 2008.
Release Date 11-Apr, 2008
External Link(s)  
Credits for the exploit. Only the exploit video was released; the exploit was kept as a zero day as per the contract agreement.
Download PoC Video

  

#12 Google AdWords Multiple HTTP Response Splitting
Description Multiple CRLF injection (aka HTTP response splitting) vulnerabilities were identified in Google AdWords, which may be exploited by remote attackers to inject arbitrary HTTP headers.
Release Date 14-Dec, 2006
External Link(s) ISS X-Force, Internetnews.com
Credits for both vulnerability and exploit
Download PoC

 

#11 Multiple HTTP response splitting vulnerabilities in SHOP-SCRIPT
Description Multiple CRLF injection (aka HTTP response splitting) vulnerabilities were identified in Shop-Script PREMIUM, which may be exploited by remote attackers to inject arbitrary HTTP headers.
Release Date 23-Oct, 2006
External Link(s) BID 20685, CVE-2006-5566, Secunia
Credits for both vulnerability and exploit
Download PoC

 

#10 Microsoft Excel File Embedded Shockwave Flash Object Abuse
Description Malicious Flash files containing explicit JavaScript can be embedded within Excel spreadsheets using the “Shockwave Flash Object”, and can be made to run once the file is opened by the user. It doesn’t require the user’s intervention to activate the object; rather, it runs automatically once the file is opened.
Release Date 20-Jun, 2006
External Link(s) BID 18583, CVE-2006-3014, Microsoft Bulletin MS06-069, SecuriTeam, ISS X-Force
Credits for both vulnerability and exploit
Download PoC

  

#09 Firefox (with IETab Plugin) Null Pointer Dereference
Description Firefox with IETab installed crashes when the IETab plugin is unable to handle specific JavaScript. The vulnerability can be confirmed to be a null pointer dereference issue. Refer to the PoC for more details.
Release Date 17-May, 2006
External Link(s) Bugzilla ID 14151, CVE-2006-2538, NIST, ISS X-Force
Credits for both vulnerability and exploit
Download PoC

 

#08 Microsoft ASP.NET w3wp.exe COM component DoS
Description Often developers forget to use the “AspCompat” directive, which is required when referencing COM components in ASP.NET. A missing AspCompat directive causes general instability and poor performance of the web application; just a simple increase of load on the web server may cause it to crash. After working for more than one month with Microsoft (MSRC) on this issue, it was finally concluded that the w3wp crash can occur unexpectedly and is due to improper referencing of COM or COM+ components in ASP.NET applications. Refer to the PoC (Proof of Concept) for more details.
Release Date 21-Mar, 2006
External Link(s) BID 17188, CVE-2006-1364, NIST, SecuriTeam
Credits for both vulnerability and exploit
Download PoC

 

#07 Google Reader Improper Feed Validation Vulnerability
Description Google Reader is an RSS and Atom feed reader which displays only the content the user has subscribed to; however, two vulnerabilities have been identified which may allow an attacker to entice a victim (using the Google Reader service) to view unwanted web content carrying malicious payloads.
Release Date 22-Feb, 2006
External Link(s) Zone-H
Credits for both vulnerability and exploit
Download No PoC available for download. Refer to the PoC details posted on the Full-Disclosure mailing list.

 

#06 phpMyChat Identical User Id and Password Authentication Bypass
Description In the default installation of phpMyChat (version 0.14.5), any unregistered user can gain access to the chat rooms by entering an identical user name and password in the input box, i.e. the user name should be the same as the password. I tried logging in through various vulnerable sites using an identical user id and password combination, which granted me unauthorized access to the rooms.
Release Date 20-Feb, 2006
External Link(s) ISS X-Force, securityvulns.ru
Credits for both vulnerability and exploit
Download No PoC available for download. Refer to the details posted on the Full-Disclosure mailing list.

 

#05 Zone Labs Products Advanced Program Control Bypass
Description Zone Alarm products with Advanced Program Control or OS Firewall Technology enabled detect and block almost all of the APIs (like Shell, ShellExecuteEx, SetWindowText, SetDlgItem etc.) which are commonly used by malicious programs to send data via HTTP by piggybacking over other trusted programs. However, it is still possible for a malicious program (Trojans, worms etc.) to make outbound connections to the evil site by piggybacking over the trusted Internet browser using an “HTML Modal Dialog” in conjunction with simple “JavaScript”. Here it is assumed that the default browser (IE, Firefox etc.) has authorization to access the Internet. The PoC demonstrates how ZoneAlarm Advanced Program Control and Behavior Based Technology can be defeated by using an HTML Modal Dialog Box in conjunction with JavaScript. Refer to the PoC (Proof of Concept) for more details.
Release Date 8-Nov, 2005
External Link(s) BID 15347, CVE-2005-3560, SecuriTeam Advisory, NIST, ISS X-Force, Secunia
Credits for both vulnerability and exploit
Download PoC

  

#04 Bypassing Zone Alarm Firewall Using DDE-IPC
Description The Zone Alarm Pro and Free version desktop firewalls were found to be vulnerable to an outbound bypass which allows a malicious program to bypass the desktop firewall's outbound restrictions by using DDE-IPC (Dynamic Data Exchange – Inter-Process Communication). This PoC demonstrates how an untrusted program can make an outbound connection to the attacker by piggybacking over other trusted programs running on the system (e.g. Internet Explorer). Refer to the PoC (Proof of Concept) for more details.
Release Date 28-Sep, 2005
External Link(s) Zone Labs Security Advisory, Juniper Advisory
Credits for both vulnerability and exploit
Download The PoC has been archived; the download is no longer available on this website.

  

#03 Defeating Citi-Bank Virtual Keyboard Protection
Description
Early in the year 2005, Citibank introduced the concept of a Virtual Keyboard (aka On-Screen Keyboard) to defend against malicious programs such as keyloggers and spyware. However, the Virtual Keyboard concept can be easily defeated by using Win32 APIs to access HTML documents. Refer to the PoC for details.
 
The PoC was created back in 2005 and was made specifically to work with the virtual keyboard on the Citibank India website. The same PoC can be modified to work with most virtual keyboards on any website. The PoC available for download will not currently work with the Citibank website, as the site has undergone several changes since the PoC was released. Therefore, a little modification to the PoC will be required to make it work for any virtual keyboard.
Release Date 6-Aug, 2005
External Link(s) ISS X-Force, HITB
Credits for both vulnerability and PoC.
Download The PoC has been archived; the download is no longer available on this website.

 

#02 Defeating Microsoft WGA (Windows Genuine Advantage) Validation Check
Description
WGA (Windows Genuine Advantage) was a software piracy check introduced by Microsoft in a few of its products to perform a piracy check before the product gets installed. Microsoft products with the WGA check enabled can only be installed on a valid/genuine copy of the MS Windows OS. If the Windows copy is pirated, the product refuses to install. The published PoC demonstrates a very simple way to bypass this piracy check.
 
It really doesn't require a true hack; it is not always about memory corruption. Simply an old-school trick was used to bypass their $$$$$$-worth attempt to check piracy. :)
Release Date 23-May, 2005
External Link(s) OSVDB-ID 16827, CNET News, Times of India
Credits for both the bug discovery and bypass PoC.
Download The PoC has been archived; the download is no longer available on this website.

  

#01 CuteNews ‘archive’ parameter XSS Vulnerability
Description The CuteNews “archive” parameter was found vulnerable to a Cross Site Scripting (XSS) issue, caused by improper validation of user-supplied input.
Note: I am not a big fan of XSS issues, but during the year it was published (2004), web application security was starting to get some importance. Therefore, my first and last publicly disclosed XSS. :D
Release Date 16-Aug, 2004
External Link(s) Secunia Advisory SA12260, Bugtraq ID 10948
Credits for both vulnerability and PoC
Download N/A

 
