Blog

Multiple vulnerabilities in nodejs ecstatic/http-server (http-party)

I’ve been fuzzing http-server for a few days now and found 3 interesting vulnerabilities which may affect versions 2.2.1 (some), 3.3.2, 3.3.1, 3.3.0 and 4.1.2 of the ecstatic web server:

  • Directory listing due to insecure default configuration + “range: 10000” HTTP header
  • Denial of Service by sending the %00 null character in the URL
  • Internal path disclosure caused by a long URL

According to Shodan, there are up to 5k ecstatic web servers.


Using Windows web server as SOCKS proxy with proxychains, chisel and ngrok

For this article I’ll set up a Windows 8.1 VM with XAMPP and a PHP web app vulnerable to RCE, and explain how to use the Windows server as a SOCKS proxy, similar to SSH tunneling on Linux servers.

Resources

Steps

  1. Set up the web server on a Windows VM
  2. Chisel binaries
  3. Serve chisel binary with ngrok
  4. Download chisel binary to vulnerable web server
  5. Set up proxychains
  6. Chisel tunneling
  7. Testing the SOCKS proxy
  8. Wrap it up

Running ARM binaries on Ubuntu x86 with QEMU

For this article I’ll use the example of extracting the HTTP daemon (built for ARM) from my home router and running it on my Ubuntu 18 on x86.

Resources

Steps

  1. Download the httpd and shared libraries from router
  2. Install QEMU
  3. Run httpd with QEMU
  4. Create a chroot jail
  5. Find all shared libraries + run bash in chroot
  6. Set LD_LIBRARY_PATH inside chroot jail
  7. Automate the LD_LIBRARY_PATH set