October 05, 2020
HP Device Manager – CVE-2020-6925, CVE-2020-6926, CVE-2020-6927
Ever come across a system that did so many little things wrong that you were certain you could “get r00t”? You chip away, gradually uncovering the links in the chain,…
Author: Nicky Bloor
August 21, 2020
X-Cart 5 <= 5.4.0.12/5.4.1.7 Unauthenticated RCE via File Write
This one was a fun little hack. Versions 5.4.1.7 and below, and 5.4.0.12 and below of the X-Cart PHP ecommerce platform are affected by an unauthenticated vulnerability that allows an…
March 29, 2020
Patching Android Split APKs
I recently came up against my first split APK during an Android app security assessment. My usual toolkit doesn’t support split APKs, so I hacked together a solution to allow…
October 12, 2019
Reversing JNBridge to Build an n-day Exploit for CVE-2019-7839
I was chatting to @Random_Robbie at the inaugural BSides Liverpool (@BSidesLivrpool), when he mentioned a new Adobe ColdFusion RCE and then said… “There’s no public exploit.” I’ve dabbled a bit…
July 19, 2018
Drupal Coder Module – Unauth RCE – SA-CONTRIB-2016-039
Note: This is an old write-up from 2016 but I was prompted to resurrect it after my tweet about it was recently retweeted. I do think it’s a good example…
June 18, 2018
Another ColdFusion RCE – CVE-2018-4939
In October 2017 I published an overview and video proof-of-concept of a Java RMI/deserialization vulnerability affecting the Flex Integration service of Adobe ColdFusion. I held off on publishing all of…
February 28, 2018
POPping WordPress
Fun with PHP deserialization and some accidental WordPress bugs. A few months ago I was putting together a blog post on PHP deserialization vulnerabilities. I decided to look for a…
January 26, 2018
Popping Password-“Protected” JMX
The name gives it away, Java Management Extensions (JMX) is a potentially juicy target for attack. One of the ways that a JMX service may be exposed is using Java…
January 08, 2018
Improving the BMC RSCD RCE Exploit
Last week I wrote about how I semi-blindly produced an RCE exploit for the BMC Server Automation RSCD service without access to a test environment. Since then I’ve got my…
January 01, 2018
RCE with BMC Server Automation
If you’ve ever come across BMC Server Automation during network scanning then you may have seen Nessus flag up a Critical vulnerability titled “BMC Server Automation RSCD Agent Weak ACL NSH…
NickstaDB 