
Death by keystrokes

As part of our Red Team operations, at SECFORCE we research effective and stealthy ways of delivering and executing arbitrary code on victim workstations. One of the key areas of research is the identification of AV limitations in Macro-enabled Office...

OpenSSH <=6.6 SFTP misconfiguration universal exploit

Recently our team ran into an interesting SFTP misconfiguration which allows reliable RCE on affected systems. The original discovery by Jann Horn can be found at http://seclists.org/fulldisclosure/2014/Oct/35. Although the affected OpenSSH version is a bit...

CVE-2017-0199 exploitation with Cobalt Strike tutorial

Background: CVE-2017-0199 leverages the way an OLE object is embedded into a Word/RTF document, making it possible to execute its content without user interaction. OLE is supported by many different programs, and OLE is generally used to make content that is created in...

Pre-Auth MySQL remote DOS (Integer Overflow)

MySQL server is affected by a remote DoS attack, which could be exploited by a remote unauthenticated attacker to cause a loss of availability on the targeted service. The issue has been verified to affect 5.6.X branch up to 5.6.35 and 5.7.X branch up to 5.7.17. It is...

Tunna v1.1a SOCKS!

Tunna is a set of tools which wrap and tunnel any TCP communication over HTTP. Due to popular demand, in this new version, Tunna (v1.1a) can be set up as a local SOCKS proxy that accepts any TCP traffic and sends it to the web server using HTTP requests....

From CVS import to cmd.exe – via SQL injection

This blog post explains the process that we followed in a recent penetration test to gain command execution from a CVS import feature. One of the most challenging issues was that we had to escape commas during the SQL injection attack, as they would break the CVS...