
Files from Alberto Solino

Email address: asolino at core-sdi.com
First Active: 1999-11-04
Last Active: 2024-08-31
Windows Secrets Dump
Posted Aug 31, 2024
Authored by Alberto Solino, Christophe de la Fuente, antuache | Site metasploit.com

Dumps SAM hashes and LSA secrets (including cached creds) from the remote Windows target without executing any agent locally. This is done by remotely updating the registry key security descriptor, taking advantage of the WriteDACL privileges held by local administrators to set temporary read permissions. This can be disabled by setting the INLINE option to false, in which case the module falls back to the original implementation, which consists of saving the registry hives locally on the target (%SYSTEMROOT%\Temp\<random>.tmp), downloading the temporary hive files and reading the data from them. These temporary files are removed when it is done. On domain controllers, secrets from Active Directory are extracted using [MS-DRDS] DRSGetNCChanges(), replicating the attributes we need to get SIDs, NTLM hashes, groups, password history, Kerberos keys and other interesting data. Note that the actual NTDS.dit file is not downloaded. Instead, the Directory Replication Service directly asks Active Directory through RPC requests. This Metasploit module takes care of starting or enabling the Remote Registry service if needed. It will restore the service to its original state when it is done. This is a port of the great Impacket secretsdump.py code written by Alberto Solino.

tags | exploit, remote, local, registry
systems | windows
SHA-256 | 2c2374c930c873d22b4c85b045bb0508b32f1c378ce30ec41a5db088c7033190
Trend Micro ServerProtect Disclosure / CSRF / XSS
Posted May 24, 2017
Authored by Alberto Solino, Core Security Technologies, Maximiliano Vidal, Leandro Barragan | Site coresecurity.com

Trend Micro ServerProtect suffers from information disclosure, manipulation, cross site request forgery, cross site scripting, and various other vulnerabilities.

tags | exploit, vulnerability, xss, info disclosure, csrf
advisories | CVE-2017-9032, CVE-2017-9033, CVE-2017-9034, CVE-2017-9035, CVE-2017-9036, CVE-2017-9037
SHA-256 | 8e879696170b8b1f6b2ecc8c0d882967bb47bb12e348f1e061c984909eef85df
Hikvision IP Cameras Overflow / Bypass / Privilege Escalation
Posted Aug 7, 2013
Authored by Alberto Solino, Core Security Technologies, Anibal Sacco, Alejandro Rodriguez | Site coresecurity.com

Core Security Technologies Advisory - Hikvision IP Cameras suffer from buffer overflow, authentication bypass, hard-coded credential, and privilege escalation vulnerabilities.

tags | exploit, overflow, vulnerability
advisories | CVE-2013-4975, CVE-2013-4976, CVE-2013-4977
SHA-256 | a4a4535ab067aafda1e020840c583034d91d05f5ea87d44f5643945fba43b443
ssh-1.2.27-exploit.txt
Posted Dec 16, 1999
Authored by Alberto Solino

Exploit for SSH-1.2.27 compiled with RSAREF2. It was tested against sshd running on Linux (Redhat 6.0) and OpenBSD 2.6, from a Linux Redhat 6.0 box. The exploit is more or less "script-kid-proof" since if it doesn't work, a bit of debugging, coding and probably crypto skills are needed to make it work. More information available here.

tags | exploit, cryptography
systems | linux, redhat, openbsd
SHA-256 | f5d81f91644fc5cbc5d955dffdf2e9e49303cd9490296a806aef8229ac7c24a0
wftpdexp.tgz
Posted Nov 4, 1999
Authored by Alberto Solino

Working WFTPD 2.34 exploit for WIN NT 4.0 [SP3-4], Windows 95, and Windows 98.

tags | exploit
systems | windows
SHA-256 | e93583a8ad6790f8fcc5d89fd92ac5cf35a39e8b949e1f4f009407192d1bd500
© 2024 Packet Storm. All rights reserved.
