Backdoor Modules for Netgear, Linksys, and Other Routers

11 minute read Jan 13, 2014 Comments
A week or so ago, I read the news of a new backdoor on several devices, including those made by Belkin, Cisco, NetGear, Linksys, and several others. A list of what seems to be affected devices can be found here. Eloi Vanderbeken, who posted his findings on GitHub made the original discovery. He also wrote a useful python proof-of-concept exploit, which allowed command injection, but I wanted Metasploit integration.

Sysax Multi Server 6.10 SSH DoS

6 minute read Apr 8, 2013 Comments
I was recently fuzzing a bunch of SSH servers, hoping to find some remote code execution in a non-mainstream server. I ended up finding no code execution in the several that I tried, but I did find one pre-auth denial of service in Syax Multi Server 6.10. Try this at home! The vulnerable version can be downloaded here for anyone that would like to duplicate the DoS conditions. Understanding the Key Exchange I found that during the key exchange, where the SSH client and SSH server negotiate which ciphers to use, if you messed up just a single specific byte, the server would crash.

Buffer Overflow in HexChat 2.9.4

6 minute read Apr 6, 2013 Comments
A buddy of mine, Mulitia, and I were talking about 0-days, and he mentioned finding one in Hex-Chat, a popular IRC client. It was super low severity, but still neat. If you entered “/server ” followed by 20,000 random characters, the application died. I decided to try to make a working exploit out of this for fun. I contacted HexChat, by initialling going into the #hexchat channel on and trying to find a security contact.

XBMC Traversal Metasploit Module

3 minute read Feb 25, 2013 Comments
Background I was talking in Intern0t several months ago. AcidGen, from IOActive mentioned that he found a bug in XBMC. I use XBMC quite a bit at home, on various platforms, since it’s extremely wife-friendly. I hit him up, and we started talking. We had a nice Skype conversation, where we discussed possible platforms that were affected, and future exploits that we’d like to find. Since I had a jailbroken Apple TV 2 and RaspberryPi, I told him that I could test those platforms and help out.

Sysax 5.64 HTTP Remote Buffer Overflow

2 minute read Jul 28, 2012 Comments
I have discovered a bug in the Sysax Multi-Server application. More specifically, it’s in the HTTP File Server service, which is not enabled by default. It has to be turned on by the admin for this exploit to properly function. The user in question also needs permission to create a directory. In the Sysax service, the configuration would look like this: To trigger this vulnerability is pretty simple. Log into the HTTP File Server: