Penetration Testing Wiki

Vpopmail/QmailAdmin Multiple Integer Overflows

Author: Jacobo Avariento Gimeno
Release Date: May 8, 2009
CVE/bugtraq id: Not assigned yet
Severity: Low/Medium

Vendor's Description of Software: "Vpopmail is a free GPL package developed by Inter7 to provide an easy way to manage virtual email domains and non /etc/passwd email accounts for qmail or postfix mail servers." [1] "qmailAdmin is a free software package that provides…

CVE-2008-5619 Roundcube Webmail 0.2 Remote Code Execution

Public Release Date of POC: 2008-12-22
Author: Jacobo Avariento
CVE id: CVE-2008-5619
Bugtraq id: 32799
Severity: Critical
Vulnerability reported by: RealMurphy

Intro: Roundcube Webmail is a browser-based IMAP client that uses the "HTML to Plain Text Conversion" library to convert HTML text to plain text; this library uses the preg_replace PHP function in an insecure manner.

Vulnerable versions: RoundCube Webmail…

How to find shellcode address

Some notes on how to find the right address in your specific environment to exploit Apache. In my environment, Debian Sarge with Apache 1.3.34 installed from apt-get, the address I had to jump to in order to execute the shellcode was 0x0834ae77. As this address is not helpful at all except under exactly the same conditions, here…

Exploit & info about off-by-one overflow in mod_rewrite module of Apache HTTP server

CVE-2006-3747 POC & exploit for Apache 1.3/2.0/2.2 mod_rewrite off-by-one, SecurityFocus.

Vulnerable Apache Versions:
- 1.3 branch: >1.3.28 and <1.3.37
- 2.0 branch: >2.0.46 and <2.0.59
- 2.2 branch: >2.2.0 and <2.2.3

However, due to the sensitive nature of off-by-one exploitation, not all the vulnerable versions are exploitable ones. I did a successful attack on Apache 1.3.34…

Exploiting the stack: Off-by-one technique

In this post I will explain how the stack is structured in Linux and how to successfully exploit a buffer overflow in which only 1 byte is overflowed (the off-by-one technique).