Posted by Trancer on Jan 26 2010
Here’s a local privilege escalation exploit I wrote, as a Metasploit Meterpreter script, for the South River Technologies WebDrive Service Bad Security Descriptor vulnerability.
This vulnerability was discovered by bellick of the Nine:Situations:Group and the original advisory can be found on the Nine:Situations:Group web site – South River Technologies WebDrive Service Bad Security Descriptor Local Elevation Of Privileges.
As you can understand from the advisory, local elevation of privileges is possible because the security descriptor of the South River Technologies WebDrive service is bad (actually empty). This is the classic weak-service-DACL case: when low-privileged users are granted rights such as SERVICE_CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER on a service, they can reconfigure what the service runs and have it execute with the service's privileges.
This exploit was inspired by MC’s HP PML Driver HPZ12 privilege escalation exploit.
I've also added a mitigation option to the exploit, which sets a correct security descriptor on the SRT WebDrive service. Note that the vulnerability is still unpatched; the exploit was tested on the latest version of SRT WebDrive.
The exploit was successfully tested on the following platforms:
– South River Technologies WebDrive 9.02 build 2232 on Microsoft Windows XP SP3.
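As an added example (not part of the original post or of the srt_webdrive_priv.rb script), the Python below audits a service security descriptor in SDDL form, the string that `sc.exe sdshow <service>` prints, for the class of weakness described here: access-allowed ACEs that give Everyone, Authenticated Users or similar broad principals SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER or generic write/all, plus the NULL-DACL and low-privilege-owner cases. The right-token and well-known-SID mappings are the documented SDDL ones for service objects; the sample descriptors are constructed, and the "restrictive" one is modelled on the default Windows applies to most services rather than taken from WebDrive.

```python
"""Flag Windows service security descriptors that allow local privilege escalation.

Feed audit_service_sddl() the SDDL string printed by `sc.exe sdshow <service>`.
Constructed sample descriptors are included so the script runs offline.
"""
import re

# Service-object meaning of the generic SDDL right tokens (service access mask
# bits from winsvc.h; GA/GW/GR/GX are the generic rights).
RIGHT_BITS = {
    "CC": 0x0001,      # SERVICE_QUERY_CONFIG
    "DC": 0x0002,      # SERVICE_CHANGE_CONFIG: rewrite binPath, run as the service account
    "LC": 0x0004,      # SERVICE_QUERY_STATUS
    "SW": 0x0008,      # SERVICE_ENUMERATE_DEPENDENTS
    "RP": 0x0010,      # SERVICE_START
    "WP": 0x0020,      # SERVICE_STOP
    "DT": 0x0040,      # SERVICE_PAUSE_CONTINUE
    "LO": 0x0080,      # SERVICE_INTERROGATE
    "CR": 0x0100,      # SERVICE_USER_DEFINED_CONTROL
    "SD": 0x10000,     # DELETE
    "RC": 0x20000,     # READ_CONTROL
    "WD": 0x40000,     # WRITE_DAC: grant yourself any right
    "WO": 0x80000,     # WRITE_OWNER: take ownership, then WRITE_DAC
    "GA": 0x10000000,  # GENERIC_ALL
    "GX": 0x20000000,  # GENERIC_EXECUTE (start/stop/pause)
    "GW": 0x40000000,  # GENERIC_WRITE (includes SERVICE_CHANGE_CONFIG)
    "GR": 0x80000000,  # GENERIC_READ
}
# Rights that let a principal change what the service runs, or change the ACL itself.
DANGEROUS = sum(RIGHT_BITS[t] for t in ("DC", "WD", "WO", "GA", "GW"))
# Well-known SIDs that every local user (or anyone at all) belongs to.
LOW_PRIV_SIDS = {"WD", "S-1-1-0",          # Everyone
                 "AU", "S-1-5-11",         # Authenticated Users
                 "BU", "S-1-5-32-545",     # Users
                 "IU", "S-1-5-4",          # Interactive
                 "AN", "S-1-5-7"}          # Anonymous


def parse_sddl(sddl):
    """Split an SDDL string into its O:/G:/D:/S: components. A missing 'D' key
    means the descriptor has a NULL DACL, which grants everyone full control."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl.strip())}


def rights_mask(token):
    """Turn an ACE rights field ('CCDCLC...' or '0x20002') into an access mask."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    mask = 0
    for i in range(0, len(token), 2):
        pair = token[i:i + 2]
        if pair not in RIGHT_BITS:
            raise ValueError(f"unknown rights token {pair!r} in {token!r}")
        mask |= RIGHT_BITS[pair]
    return mask


def parse_aces(dacl_body):
    """Parse a DACL body such as 'PAI(A;;CCLC;;;SY)(A;;...;;;BA)' into ACE dicts."""
    aces = []
    for raw in re.findall(r"\(([^)]*)\)", dacl_body):
        fields = raw.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE {raw!r}")
        aces.append({"type": fields[0], "rights": rights_mask(fields[2]), "sid": fields[5]})
    return aces


def dangerous_names(mask):
    return ",".join(n for n, b in RIGHT_BITS.items() if mask & b & DANGEROUS)


def audit_service_sddl(sddl):
    """Return a list of findings; an empty list means no obvious escalation path."""
    findings = []
    parts = parse_sddl(sddl)
    owner = parts.get("O", "")
    if owner in LOW_PRIV_SIDS:
        # The owner implicitly holds READ_CONTROL and WRITE_DAC on the object.
        findings.append(f"owner {owner} is a low-privilege principal (implicit WRITE_DAC)")
    if "D" not in parts:
        findings.append("NULL DACL: no D: component, every principal has full control")
        return findings
    aces = parse_aces(parts["D"])
    if not aces:
        findings.append("empty DACL: no ACEs, access is denied to everyone (breaks administration, not escalation)")
    for ace in aces:
        if ace["type"] != "A":          # only access-allowed ACEs grant anything
            continue
        bad = ace["rights"] & DANGEROUS
        if bad and ace["sid"] in LOW_PRIV_SIDS:
            findings.append(f"ACE grants {dangerous_names(bad)} to {ace['sid']}")
    return findings


# Constructed samples: full control for Everyone, no DACL at all, a hex-encoded
# ACE giving Authenticated Users SERVICE_CHANGE_CONFIG, and a restrictive
# descriptor modelled on the Windows default (only SYSTEM and Administrators
# may reconfigure the service).
SAMPLES = {
    "everyone-full-control": "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    "null-dacl": "O:SYG:SY",
    "hex-change-config": "D:(A;;0x20002;;;AU)",
    "restrictive": ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                    "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWLOCRRC;;;PU)"),
}

if __name__ == "__main__":
    for name, sddl in SAMPLES.items():
        print(f"{name}: {audit_service_sddl(sddl) or 'OK'}")
```

On a target, run `sc.exe sdshow <service>` and paste its output into `audit_service_sddl()`. A restrictive descriptor is written back with `sc.exe sdset <service> "<SDDL>"` from an administrative prompt, which is the kind of fix the mitigation option in the post applies to the WebDrive service.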
Download srt_webdrive_priv.rb.
Also on Metasploit and exploit-db.
References:
CVE-2009-4606
OSVDB 59080
BID 37955
exploit-db 9970
Categories: Exploits, Metasploit
Posted by Trancer on Jan 25 2010
Wrote a new Metasploit exploit module for the AOL 9.5 Phobos.Playlist ActiveX control Import() stack-based buffer overflow vulnerability.
This module exploits a stack-based buffer overflow within Phobos.dll of AOL 9.5. By passing an overly long value to Import(), an attacker can overrun a stack buffer and execute arbitrary code.
This vulnerability was found by Hellcode Research and was published recently by Dz_attacker. There is still no patch from AOL; if you want to test it, you can get the vulnerable package from the AOL 9.5 page.
The exploit was successfully tested on the following platforms:
– AOL 9.5 (Revision 4337.155) on Internet Explorer 7, Windows XP SP3
Phobos.dll version tested:
– File Version: 9.5.0.1
– ClassID: A105BD70-BF56-4D10-BC91-41C88321F47C
– RegKey Safe for Script: False
– RegKey Safe for Init: False
– Implements IObjectSafety: False
– KillBitSet: False
Because the control is marked neither safe for initialization nor safe for scripting (and does not implement IObjectSafety), Internet Explorer with default zone settings will not initialize or script it from the Internet or Intranet zones. Exploitation is therefore possible only from the Local Machine Zone, which means the victim must open the generated exploit file locally.
Download aol_phobos_bof.rb.
Also on Metasploit and exploit-db.
References:
OSVDB 61964
exploit-db 11204
Categories: Exploits, Metasploit
Posted by Trancer on Nov 01 2009
Hello readers. If you haven't heard about it already, on October 21st, 2009, the hackers' favorite exploitation framework, the Metasploit Project, was acquired by Rapid7, a vulnerability management, compliance, and penetration testing company. Yep, a commercial company.
The Metasploit Project creator, HD Moore, and one of the developers, Egypt, now have full-time jobs working on and developing the Metasploit Project: HD in the position of Chief Architect of Metasploit and Egypt as a core developer of Metasploit at Rapid7.
If you read this blog often you probably noticed that I'm a big supporter of the Metasploit Project. I use it on a daily basis, performing penetration tests and exploit development at work, or at home for fun. As you may guess, my feelings about the acquisition are mixed. On one side this is a good thing; this is a big step for the Metasploit Project. Now it'll grow and develop faster, and we, the users, will get a better, faster, more advanced and less buggy program, and I believe we'll start seeing faster release cycles. But on the other side, the Metasploit Project, which was a free, open source, community driven project, is now managed by a commercial company. I think the worst case scenario will be if Rapid7 decides to make Metasploit a commercial product, which would be a sad thing. This wouldn't be the first time it has happened to a good security product. The best example here is the Nessus vulnerability scanner, which was acquired by Tenable Network Security back in 2005.
I hope the fate of the Metasploit Project won't be the same as Nessus. HD Moore stated on the Metasploit blog that the project will remain free and open source. So, if that's the case, and as long as the Metasploit Project stays that way, I think the users should be happy about it. I will continue to support the Metasploit Project, develop exploits and other modules for it, and contribute in every way I can.
I guess all there’s left to say is congratulations to HD Moore and Egypt for the acquisition, keep on rocking.
References:
>> Metasploit Rising – HD Moore writes about the acquisition on the Metasploit blog.
>> Rapid7 Acquires Metasploit – Rapid7's CEO on the Metasploit acquisition.
>> Rapid7 Acquisition FAQ – Questions and answers about the acquisition.
>> Metasploit + Rapid7 shakes up pen-test landscape – Ryan Naraine writes about the changes in the penetration testing market that followed the acquisition.
Categories: Metasploit, Security News