lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20101029234720.7d62ce0d694966352fe2ca2663df5034.cfb02c4860.wbe@email00.secureserver.net>
Date: Fri, 29 Oct 2010 23:47:20 -0700
From: "chr1x" <chr1x@...tester.net>
To: full-disclosure@...ts.grok.org.uk, websecurity@...appsec.org
Cc: webappsec@...ts.securityfocus.com, bugtraq@...urityfocus.com
Subject: [TOOL] DotDotPwn v2.1 - The Directory Traversal
	Fuzzer

CubilFelino Security Research Lab and Chatsubo (IN) Security Labs
proudly present...

DotDotPwn v2.1 - The Directory Traversal Fuzzer
===============================================

Authors: Christian Navarrete (chr1x @ http://chr1x.sectester.net) and
Alejandro Hernández H. (nitr0us @ http://chatsubo-labs.blogspot.com)

Release date: 29/Oct/2010 (PUBLIC Release at BugCon Security Conferences
2010)

Tool Description
================
It's a very flexible intelligent fuzzer to discover traversal directory
vulnerabilities in software such as Web/FTP/TFTP servers, Web platforms
such as CMSs, ERPs,Blogs, etc. Also, it has a protocol-independent
module to send the desired payload to the host and port specified. On
the other hand, it also could be used in a scripting way using the
STDOUT module.

It's written in perl programming language and can be run either under
*NIX or Windows platforms. 

Fuzzing modules supported in this version: 
- HTTP
- HTTP URL
- FTP
- TFTP
- Payload (Protocol independent)
- STDOUT

Discovered Vulnerabilities
==========================

- HTTP (4 security advisories)
        * MultiThreaded HTTP Server @
http://www.inj3ct0r.com/exploits/11894
        * Wing FTP Server v3.4.3 @
http://packetstormsecurity.org/1005-exploits/wingftp-traversal.txt
	* Yaws 1.89
	* Mongoose 2.11
 
- FTP (2 security advisories)
        * VicFTPS v5.0 @ http://www.inj3ct0r.com/exploits/12131
	* Home FTP Server vr1.11.1 (build 149) @
http://www.exploit-db.com/exploits/15349

- TFTP (2 security advisories)
        * TFTP Desktop 2.5 @ http://www.exploit-db.com/exploits/14857
        * TFTPDWIN v0.4.2 @ http://www.exploit-db.com/exploits/14856


Download
========
Official site: http://dotdotpwn.sectester.net
Mirror site: http://chatsubo-labs.blogspot.com

Contact
=======
Contact: dotdotpwn@...tester.net

Vote for DotDotPwn as tool for next BackTrack release!! ->
http://www.backtrack-linux.org/forums/tool-requests/32082-dotdotpwn.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ