Sysax Multi Server 6.10 SSH DoS

6 minute read Apr 8, 2013 Comments
I was recently fuzzing a bunch of SSH servers, hoping to find some remote code execution in a non-mainstream server. I ended up finding no code execution in the several that I tried, but I did find one pre-auth denial of service in Syax Multi Server 6.10. Try this at home! The vulnerable version can be downloaded here for anyone that would like to duplicate the DoS conditions. Understanding the Key Exchange I found that during the key exchange, where the SSH client and SSH server negotiate which ciphers to use, if you messed up just a single specific byte, the server would crash.

Buffer Overflow in HexChat 2.9.4

6 minute read Apr 6, 2013 Comments
A buddy of mine, Mulitia, and I were talking about 0-days, and he mentioned finding one in Hex-Chat, a popular IRC client. It was super low severity, but still neat. If you entered “/server ” followed by 20,000 random characters, the application died. I decided to try to make a working exploit out of this for fun. I contacted HexChat, by initialling going into the #hexchat channel on irc.freenode.net and trying to find a security contact.

Sysax 5.64 HTTP Remote Buffer Overflow

2 minute read Jul 28, 2012 Comments
I have discovered a bug in the Sysax Multi-Server application. More specifically, it’s in the HTTP File Server service, which is not enabled by default. It has to be turned on by the admin for this exploit to properly function. The user in question also needs permission to create a directory. In the Sysax service, the configuration would look like this: To trigger this vulnerability is pretty simple. Log into the HTTP File Server:

Using .net to bypass AV

3 minute read Feb 23, 2012 Comments
I’ve read a ton of articles on bypassing Antivirus software when trying to run shellcode on machines. There’s just a ton available. These are just a few examples: http://dev.metasploit.com/redmine/projects/framework/wiki/Using_a_Custom_Executable_to_Bypass_AV http://www.offensive-security.com/metasploit-unleashed/Antivirus_Bypass http://www.irongeek.com/i.php?page=videos/bypassing-anti-virus-with-metasploit http://clshack.com/metasploit-shellcodeexec-bypassing-any-anti-virus.html http://carnal0wnage.attackresearch.com/2011/07/process-injection-outside-of-metasploit.html I was recently working with some Windows web-servers, which had ASP.net enabled, but not any other useful language. I had recently read about PowerSyringe, so I started tinkering with making some shellcode run similarly. I ended up finding out that I couldn’t do what I was wanting to do in ASP.

Finding DLL files in the GAC

1 minute read Oct 14, 2011 Comments
So last night I was working on a project where I needed a specific version of a .net assembly that was installed somewhere on my system, but I could not locate it by a common search. Whenever I would open up C:\Windows\Assembly\ I could see the file and the multiple versions that I had installed. However, from that window, you can not copy the files out. All I wanted, was to copy the file to my local source branch, and include it in source control.