Barco ClickShare Wireless Presentation System

Not too long ago I was tasked with performing a wireless network penetration test for one of my clients. As expected, the wireless network was pretty secure from top to bottom; however, as I was working in one of the conference rooms my baby-sitter requested I share my screen with some dongle so he could see what scripts and other cool stuff I was running (pretty sure this was just to satisfy some inner nerdom or something).


So, moving along, I inquired as to the security of the device, because why would I want to broadcast client vulnerability information over a wireless dongle to something over the air… I ended up getting permission to test it first, because there was some level of ignorance in his certainty that it was secure from intrusion.

Needless to say, the whole ordeal required me to write a bit on how that cool device you've been using in your corporate board room for strategic meetings and financial meetings is also streaming RTSP to my car in the parking lot with a Yagi antenna.


Wells Fargo – Online Banking Authentication Weakness / “Feature”

Try as I might to contact Wells Fargo about an almighty issue of issues with their authentication logic.

Probably equally secure

So let's say your password is one you set purposely to "SuperDuperPassword", or better yet your actual password if you use Wells Fargo (you can try this at home). Back to the monologue: so you want a secure password for your account? Who wouldn't? So you add lower case and upper case into the mix. Try to make your password all sexy and shit, right?

Now imagine this: none of the complexity that you created means anything. Log in to your account with all upper case, lower case, or mixed case; it doesn't matter.


Happy HTTPS Everywhere + Only Day!

Well, I finally tackled the whole HTTPS SSL certificate thing, and boy did I mess up the first go around 😀

I accidentally purchased and generated an SSL certificate for the wrong domain name and didn't even realize it until I went to assign it and it started screaming at me about a name mismatch.

Welp, moment of discovery… a while later… I finally got the other certificate revoked and removed, got the new cert in place and enabled some fancy browser-side security headers (not a challenge to break, please).

Anyways, I'll be posting another post here in a minute announcing a new forum I've set up for folks.

Meltdown Write-up (Old News)

This is a write-up I did after reading the white paper and investigating the workings of speculative execution. I was genuinely interested in how it all played out, and how this seems like the year for exploits and vulns.

I'm legitimately wondering if this ever did get weaponized. I've often thought about trying to implement it with BeEF as a post module of sorts, as a JavaScript payload.

Also take note that I really didn't have the energy to try to read through Spectre, even though it's probably the worst one.

A non-technical synopsis of the microprocessor and kernel flaws.
Meltdown (CVE-2017-5754)


Welcome to the new domain for anything and everything unrelated to what you were probably looking for.

Let's go explore this rotting mess we call the internet on our trusty Gh0stship =J


The Evil SVG Project


The purpose of this article is to provide a repeatable means of performing cross-site scripting attacks via an SVG file. SVG, or Scalable Vector Graphics, is an XML document format used to describe an image.

The above code generates the following image:

However, by introducing JavaScript or HTML within the SVG, it is possible to store an XSS payload that executes whenever the SVG is loaded into the page's dynamic content.

Now, let's tweak it to add in some JavaScript and officially "weaponize" the SVG.

Loading the SVG in a browser then results in XSS.


By simply adding a pair of script tags, an attacker can include any JavaScript functions, actions or even in a worst-case scenario remotely include a JavaScript file whenever the SVG is loaded.

In our case, we are using BeEF (Browser Exploitation Framework) to attack users of an application by including the BeEF JavaScript file within the page allows attackers to carry out attacks and get Beef Shells all from this SVG.

Take for example the following code:

With all of this in mind, seriously consider limiting or blocking SVG uploads. More often than not, developers have overlooked SVG as a potential threat vector and allow profile-picture uploads of malicious SVG files.

Additionally, if you are familiar with XXE attacks, an SVG can also be used for that attack vector in some circumstances, since it is an XML document. If you aren't already scanning uploads regardless of their extension or MIME type, it might be time to change that.

Long story short, if you can pop XSS within an SVG you can do pretty much anything, up to and including storing malicious JS, malicious XML or malicious HTML inline.
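As an added example (not code from the original article), here is a Python upload-side check in the spirit of the advice above. It refuses SVGs that carry a DOCTYPE or ENTITY declaration (the XXE angle), `<script>`/`<foreignObject>`-style active elements, `on*` event handler attributes, `javascript:`, `data:` or remote `href`s, and CSS `url()` references that are not local fragments. The deny lists, the "reject on any finding" policy and the sample SVG documents are my own assumptions for illustration; the standard-library `xml.etree.ElementTree` parser is used, and the DOCTYPE check runs on the raw bytes so entity declarations never reach the parser.

```python
"""Upload-side check that rejects SVG files carrying active content.

Added example, not code from the original article. Assumes the
application has the raw bytes of an uploaded file and must decide,
before storing or serving it, whether it is a plain, static SVG.
The deny lists and the sample documents below are constructed for
illustration and are not from the page.
"""
import re
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that execute script or embed arbitrary HTML inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# Attribute keys as ElementTree reports them for plain href and xlink:href.
HREF_ATTRIBUTES = {"href", "{%s}href" % XLINK_NS}
# DOCTYPE/ENTITY declarations are the entry point for XXE and entity
# expansion; refuse them before the parser ever sees them.
DOCTYPE_RE = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def _local(tag: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script'."""
    return tag.rsplit("}", 1)[-1].lower()


def _has_nonlocal_css_url(css: str) -> bool:
    """True if any url() in the CSS points anywhere but a local #fragment."""
    for arg in re.findall(r"url\(([^)]*)\)", css, re.IGNORECASE):
        if not arg.strip().strip("'\"").strip().startswith("#"):
            return True
    return False


def svg_findings(data: bytes) -> list:
    """Return human-readable reasons to reject the upload (empty = clean)."""
    if DOCTYPE_RE.search(data):
        return ["DOCTYPE/ENTITY declaration present (possible XXE)"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # A file that is not well-formed XML must not be served as an image.
        return ["not well-formed XML: %s" % exc]

    findings = []
    if _local(root.tag) != "svg":
        findings.append("root element is <%s>, not <svg>" % _local(root.tag))

    for el in root.iter():
        name = _local(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append("active element <%s>" % name)
        if name == "style" and el.text and _has_nonlocal_css_url(el.text):
            findings.append("non-local url() in <style>")
        for attr, value in el.attrib.items():
            attr_name = _local(attr)
            if attr_name.startswith("on"):
                findings.append("event handler %s on <%s>" % (attr_name, name))
            elif attr_name == "style" and _has_nonlocal_css_url(value):
                findings.append("non-local url() in style attribute on <%s>" % name)
            elif attr in HREF_ATTRIBUTES:
                v = value.strip().lower()
                if v.startswith(("javascript:", "data:")):
                    findings.append("scriptable href on <%s>" % name)
                elif "://" in v or v.startswith("//"):
                    findings.append("external href on <%s>" % name)
    return findings


def is_safe_svg(data: bytes) -> bool:
    """Policy used here: reject the upload on any finding at all."""
    return not svg_findings(data)


# Constructed sample uploads (not from the page).
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<circle cx="5" cy="5" r="4" fill="url(#g)"/></svg>')
SCRIPTED_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
                b'<script>void 0</script></svg>')
HANDLER_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="void 0">'
               b'<rect width="1" height="1"/></svg>')
REMOTE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
              b'xmlns:xlink="http://www.w3.org/1999/xlink">'
              b'<image xlink:href="https://example.invalid/remote.js" '
              b'width="1" height="1"/></svg>')
ENTITY_SVG = (b'<!DOCTYPE svg [<!ENTITY e "x">]>'
              b'<svg xmlns="http://www.w3.org/2000/svg">&e;</svg>')

if __name__ == "__main__":
    samples = [("benign", BENIGN_SVG), ("scripted", SCRIPTED_SVG),
               ("handler", HANDLER_SVG), ("remote", REMOTE_SVG),
               ("entity", ENTITY_SVG)]
    for label, doc in samples:
        print("%-8s %s" % (label, svg_findings(doc) or "clean"))
```

The check is deliberately a deny list on top of a well-formedness requirement rather than a sanitizer: an upload pipeline for profile pictures rarely needs to keep any of the flagged features, so rejecting the file (or rasterizing it to PNG server-side) is simpler and safer than trying to strip the bad parts and serve the rest. Serving stored SVGs from a separate origin with `Content-Disposition: attachment` or a restrictive `Content-Security-Policy` is the usual second layer, since a browser renders an SVG opened directly as a full document, script and all.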

Dear Diary – It's barely 2018 and skeletons are aplenty…

Excited to see how this Spectre and Meltdown patch madness will pan out; $10 says an engineer somewhere finger-flubs something, the debugger doesn't catch it, and it gets pushed to production distribution.

Meanwhile, still waiting on meaningful exploit code beyond telling me that I’m either vulnerable or not.

In other news, I will be trying to post more here. Life is hard, but add blog stuff on top of that, work and family, and you probably have a better idea of my life than I do myself.

Expect more content, I have tons written up for consuming, but need to sort through all the garbage that is my internal monologue dictating narration in them.

That, and the non-stop quest to not rehash or regurgitate others' work. Once it's been done, there is no point in doing it again.

Discovery and the unknown are my two favorite friends, meanwhile chaos and curiosity continue to be my low key friends. We’ll explore all the closets I’ve encountered (minus NDA ones), and hopefully provide something of value to the next person.

Unless you call yourself someone’s “right hand person”, you can stop right there…

CVE-2017-9554 – Synology DSM User Enumeration – Unspecified Vector… Yea Right…

Previously this was identified by the developer, and the disclosure states that it is possible to enumerate usernames via forget_passwd.cgi "via unspecified vectors".

I haven't identified any other disclosures that actually identify the attack vector, so I figure it would be helpful to others.

Per the CVE:

"An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames via unspecified vectors."

Well then… Here you go; I cracked the code and figured it out.

Where XXX should be your injection point for username lists.

Several usernames I've found are admin, administrator, root, nobody, ftp, and more. I'm unsure whether Synology is pulling these entries from its passwd file or not, but there you go.

This is now published within ExploitDB.

Identified My First Microsoft Product Exploit! IIS UrlScan WAF Bypass

I've written up a short UrlScan bypass article and made some edits, but overall this bypass has helped me identify and exploit SQL, XSS and other attacks that are URL-based.

#Paper Title: Microsoft IIS UrlScan Module Bypass Exploit
#Date: 16 AUG 2017
#Software Link:
#Author: Steven Kaun (Gh0st)
#Category: WAF Bypass


Identified after coming up with null for help with bypassing a WAF identified as UrlScan. After identifying that a web application was filtering and essentially dropping most attacks and their associated payloads a delve into how to bypass this was constructed. This is as simple as bypasses can possibly get, but at the same time is unique enough to warrant writing about.
