Showing posts with label debug. Show all posts

Saturday, 14 June 2025

Palo Alto PostAuth CLI memory corruption bug - Metasploit module

A few days ago I posted some notes about the bug found in January in Palo Alto VM. Today you'll find some details about a working PoC for Metasploit created for this bug. Here we go...

Friday, 30 May 2025

WatchGuard 12.11 (Firebox) PostAuth CLI memory corruption bug

In one of the latest pentest projects I had the pleasure of playing a bit with the latest WatchGuard. Below you'll find some details about it. Here we go...

Saturday, 24 May 2025

Palo Alto PostAuth CLI memory corruption bug

Hi, it's been a while. Long story short: below you'll find a few details about the postauth bug I found in Palo Alto CLI. Here we go...

Wednesday, 9 October 2024

Waiting for The Hack Summit 2024

During the last few years I had the pleasure of presenting a few of my notes and ideas during The Hack Summit conference in Poland. This year I'll try to present a few words about a new topic - more related to Ghidra. So just as a quick summary of previous years - below you'll find a 'current timeline'. ;) Here we go...

Wednesday, 11 September 2024

Tuesday, 30 July 2024

Automating Network Pentests with Metasploit and Ruby

This time we'll continue the journey started in the previous post to create a small 'semi-automated' tool to perform some 'basic' network pentests. For this case we'll focus (mostly;)) on CVE-2021-20039 for SonicWall SMA. Here we go...

Wednesday, 6 December 2023

The Hack Summit 2023 - Online presentation

This year I had the pleasure of presenting a few of the topics from my research during The Hack Summit Conference in Poland [1, 2, 3]. This time we (mostly;)) talked about one preauth RCE bug I found in ConQuest DICOM server (1.5.0d). Below you'll find more details about it. Here we go...

Monday, 4 December 2023

Saturday, 2 December 2023

Monitoring SUFF

A few months ago we talked about Simple Universal Fortigate Fuzzer, a small script created in Python to mutate commands we'd like to send to Forti CLI. Today we'll check how to grab a few "log details" for our future analysis. Here we go...

Tuesday, 28 November 2023

Windows Embedded Eternally Blue

A few weeks ago I was asked to help a bit with exploitation of MS17_010 for one of the hosts found in the pentest project scope. Below you'll find more details about it. Here we go...

Sunday, 14 May 2023

Simple Universal Fortigate Fuzzer

Today we'll finish the topic started a few months ago: Simple Universal Fortigate Fuzzer. Below you'll find the details about it. Here we go...

Saturday, 29 April 2023

Saturday, 22 April 2023

Protocols Mutiny

From time to time I'm posting here some of the bugs I found in the past during my (file format) fuzzing adventures. This time we'll (again) try to focus a bit more on the protocol fuzzing scenarios. To continue - we will use Mutiny Fuzzing Framework. Here we go...

Thursday, 20 April 2023

Bruting FortiGates

After my previous adventures with FortiGate VMs I decided to check it again and finally finish some of the ideas I was talking about during the last The Hack Summit Conference (PL, 2022). One of them was to bypass FortiGate's "anti-bruteforce protection". Below you'll find the details about it. Here we go...

Postauth SQL injection in ZoneMinder 1.34.25

A few weeks ago I was looking for some (web) apps related to RTSP. Somehow I landed on the TurnKeyLinux page where I found a VM with ZoneMinder (1.34.25). Below you will find the details about the (postauth SQLi) bug I was able to spot. Here we go...

Wednesday, 19 April 2023

Fuzzing DICOM - Crashing PaxeraHealth Viewer

After checking a few other apps I found for fuzzing DICOM files I tried PaxeraHealth Viewer. Below you will find the details about it. Here we go...

Fuzzing DICOM - Crashing AMIDE

Similar to previous cases related to fuzzing DICOM software I used the same approach and decided to check the application called AMIDE. A few details about it you can find below. Here we go...

Fuzzing DICOM - Crashing MicroDicom

Just like before I found an application that was able to handle my fuzzing scenario so I decided to give it a try. Details from another 'night fuzzing session' you will find below. Here we go...