J3rryBl4nks (83)

Last Login: October 09, 2020
Assessments
22
Score
83

J3rryBl4nks's Latest (20) Contributions

2
Ratings
  • Attacker Value: Very High
  • Exploitability: Very High
Technical Analysis

Because the SSH key was published, this becomes a quick win for an attacker who encounters this service running with the default key in place. The mitigation would require easy steps, but the affected party might not even know they are vulnerable.

3
Ratings
Technical Analysis

Due to this being an unauthenticated serialization exploit, the bar for exploitation is very low. Serialization is rampant in software, and most companies aren’t doing it correctly.

It’s relatively easy these days to exploit serialization vulnerabilities with ysoserial/ysoserial.net, and it will be a problem for years going forward.

2

I agree. The proliferation of OWA spraying tools makes me think that there are a lot of attackers that are going after this vulnerability right now.

1
Ratings
Technical Analysis

Because this is a kernel panic, it is only useful if your goal is to take the host offline. Because DoS attacks are less useful overall to an attacker than RCE, LFI, or anything useful really, these vulnerabilities are not useful to have in your toolkit.

1
Ratings
Technical Analysis

The fact that Alpine is widely used makes this an easy way to escalate privileges. Most enterprises also don’t update their “golden” containers that often. Privilege escalation on a host that is using containers is likely valuable, as that host will likely have valuable information on it.

2
Ratings
Technical Analysis

This de-serialization exploit can be performed without authentication in many instances. Because it leads to a reverse shell, this is incredibly valuable to an attacker.

There are many tools that will perform this exploit but my favorite is: https://github.com/joaomatosf/jexboss

Due to many legacy applications being internet facing with these vulnerabilities still present, this is an extremely valuable tool for an attacker to have in their arsenal.

2
Ratings
  • Attacker Value: Very Low
  • Exploitability: Very High
Technical Analysis

This is an authenticated SQL Injection that should lead to a reverse shell.

https://github.com/J3rryBl4nks/eLection-TriPath-/blob/master/SQLiIntoRCE.md

It’s very easy to identify, and to exploit. The value is low because it is rarely seen on real machines.

2
Ratings
  • Attacker Value: Low
  • Exploitability: Very High
Technical Analysis

The exploit for this is easy to pull off, but due to the low install base for this application, the exploit is not incredibly valuable.

2
Ratings
  • Attacker Value: Very Low
  • Exploitability: Very High
Technical Analysis

Because there is no stored XSS (that I could find, at least), you need to have user interaction for this exploit. It is nice that you can change the admin password and then get SQL Injection to get a shell.

This is not installed on very many servers and is not incredibly valuable.

https://github.com/J3rryBl4nks/SOPlanning

2
Ratings
  • Attacker Value: Low
  • Exploitability: Very High
Technical Analysis

This SQL Injection is trivial to identify and exploit:

https://github.com/J3rryBl4nks/SOPlanning

This injection will allow you to dump the contents of the database and can be done with low privilege access.

This application does not have a large install base and so it is not incredibly valuable.

2
Ratings
  • Attacker Value: Low
  • Exploitability: Very High
Technical Analysis

This is an injection that is trivial to exploit and also to find.

https://github.com/J3rryBl4nks/SOPlanning

You can see the POC in my GitHub. The exploit does require authentication, but you can extract the admin hash through the other SQL injection vulnerability or through the CSRF to add an admin user.

Due to the low volume of installs, this isn’t incredibly useful in the wild.

4
Ratings
  • Attacker Value: High
  • Exploitability: Very Low
Technical Analysis

You would have to chain this vulnerability with a working sandbox escape in order to get full value. While there are no doubt working sandbox escapes, this is only one piece of the exploit chain that is necessary to get a reliable foothold on a machine.

Oftentimes there are full chain exploits published which include the code exec, sandbox escape, and a valid privesc, but I have been unable to find a full chain for this exploit.

For the average attacker, this hill would be too high to climb to make this useful.

3
Ratings
Technical Analysis

Due to the fact that files that are uploaded are able to be browsed to, this exploit means that an authenticated administrator could upload a reverse shell payload and get the connection back easily.

Many vendors will dismiss this type of vulnerability as not easily exploitable or within the bounds of what the program allows. I believe that it should never be possible for a web application to allow code execution to the underlying host unless that is core functionality of the software.

This same type of vulnerability seems to be present in a large number of monitoring software packages until they get egg on their face and patch it.

The Pandora FMS website lists a good target base that would allow you to start trying to compromise admin creds and get the file upload to hopefully get a foothold.

I would place this as valuable to attackers, but more difficult to exploit due to the fact that you have to be an authenticated admin user.

5
Ratings
Technical Analysis

Due to being almost 100% non-existent in the wild, this is only useful in CTF environments. The exploit is extremely easy to trigger, and I weep for the machine that has this configured in the wild.

4

https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys

This has the exploit POC generation as a part of the blog. Using ysoserial.net they generate a command that you can copy/paste and just change the payload.

3
Ratings
  • Attacker Value: Very High
  • Exploitability: Very High
Technical Analysis

Due to public exploits being available (https://github.com/synacktiv/Exim-CVE-2019-15846), and the fact that Exim is installed on a large number of mail servers, the value to an attacker lies in the fact that this requires no authentication.

There is a deeper explanation of the vulnerability here: https://www.synacktiv.com/posts/exploit/scraps-of-notes-on-exploiting-exim-vulnerabilities.html

3
Ratings
Technical Analysis

Due to public exploits being flaky and sometimes resulting in a Blue Screen on the victim, this exploit is still somewhat difficult to always replicate. If you have paid tools that have better versions of the exploit, it’s more reliable.

The fact that an exploit is included in newer versions of metasploit massively lowers the bar for being able to exploit this vulnerability.

The damage potential is astronomical as there are so many machines that expose RDP to the internet.

4
Ratings
Technical Analysis

Due to many public exploits for this flaw this is an incredibly valuable tool for an attacker to have in their arsenal. My favorite variant of this exploit is: https://github.com/g0tmi1k/Drupalgeddon2

3
Ratings
Technical Analysis

This exploit does not appear to need admin credentials in order to trigger: https://www.rapid7.com/db/vulnerabilities/WINDOWS-HOTFIX-MS14-054, https://www.tenable.com/plugins/nessus/77574

Any privilege escalation using built-in Windows components is a valuable tool for attackers.

4
Ratings
Technical Analysis

Due to many enterprise environments using Confluence, and many of them exposing it to the internet, this vulnerability is incredibly useful.

There is a public POC available: https://github.com/Yt1g3r/CVE-2019-3396_EXP, from which you could base other attacks.