Recognize-Security » Exploits

Microsoft Internet Explorer iepeers.dll use-after-free exploit (meta)

Trancer — Wed, 10 Mar 2010 21:22:34 +0000

A new Microsoft Internet Explorer 0day exploit has been found circulating in-the-wild. According to Microsoft, there are targeted attacks attempting to use this vulnerability. Microsoft published a security advisory for this vulnerability here:
Microsoft Security Advisory (981374): Vulnerability in Internet Explorer Could Allow Remote Code Execution

The vulnerability is a use-after-free (invalid pointer reference) vulnerability within iepeers.dll and only Internet Explorer versions 6 and 7 are vulnerable. Internet Explorer 8 and 5 are not affected.

I’ve found this exploit in-the-wild on www.topix21century.com. The payload download and executes a binary file which connects back to notes.topix21century.com.
Here’s the exploit as it was found in-the-wild, a bit un-obfuscated and payload removed – ie_iepeers_wild.txt

And here’s a Metasploit exploit module for this vulnerability. Tested successfully on the following platforms:
– Microsoft Internet Explorer 7, Windows Vista SP2
– Microsoft Internet Explorer 7, Windows XP SP3
– Microsoft Internet Explorer 6, Windows XP SP3

Download ie_iepeers_pointer.rb.
Also on Metasploit.

As usual, this post will update with further references and updates when available.
Happy exploitation :-)

>> References:
CVE-2010-0806
OSVDB 62810
BID 38615
McAfee Labs Blog – Targeted Internet Explorer Zero-Day Attack Announced (CVE-2010-0806)
Symantec Connect – Zero-Day attack on IE6 – JS.Sykipot Doesn’t Spare Retired Software

South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation exploit (meta)

Trancer — Tue, 26 Jan 2010 07:54:26 +0000

Here’s a local privilege escalation exploit I wrote, as a Metasploit Meterpreter script, for the South River Technologies WebDrive Service Bad Security Descriptor vulnerability.

This vulnerability was discovered by bellick of the Nine:Situations:Group and the original advisory can be found on the Nine:Situations:Group web site – South River Technologies WebDrive Service Bad Security Descriptor Local Elevation Of Privileges.
As you can understand from the advisory, local elevation of privileges is possible due to bad (empty actually) security descriptor of the South River Technologies WebDrive service.

This exploit was inspired by MC’s HP PML Driver HPZ12 privilege escalation exploit.
In this exploit I’ve also added a mitigation option, which will set correct service security descriptor configuration for SRT WebDrive. Note that the vulnerability is still unpatched, exploit tested on the latest version of SRT WebDrive.

The exploit was successfully tested on the following platforms:
– South River Technologies WebDrive 9.02 build 2232 on Microsoft Windows XP SP3.

Download srt_webdrive_priv.rb.
Also on Metasploit and exploit-db.

References:
CVE-2009-4606
OSVDB 59080
BID 37955
exploit-db 9970

AOL 9.5 Phobos.Playlist Import() Stack-based Buffer Overflow exploit (meta)

Trancer — Mon, 25 Jan 2010 16:00:05 +0000

Wrote a new Metaspoit exploit module for the AOL 9.5 Phobos.Playlist ActiveX control Import() stack-based buffer overflow vulnerability.

This module exploits a stack-based buffer overflow within Phobos.dll of AOL 9.5. By setting an overly long value to ‘Import()’, an attacker can overrun a buffer and execute arbitrary code.

This vulnerability was found by Hellcode Research and was published recently by Dz_attacker. Still no patch from AOL, if you want to test it you can get the vulnerable package from the AOL 9.5 page.

The exploit was successfully tested on the following platforms:
– AOL 9.5 (Revision 4337.155) on Internet Explorer 7, Windows XP SP3

Phobos.dll version tested:
– File Version: 9.5.0.1
– ClassID: A105BD70-BF56-4D10-BC91-41C88321F47C
– RegKey Safe for Script: False
– RegKey Safe for Init: False
– Implements IObjectSafety: False
– KillBitSet: False

Due to the safe for initialization and safe for scripting settings of this ActiveX control, exploitation is possible only from Local Machine Zone, which means the victim must run the generated exploit file locally.

Download aol_phobos_bof.rb.
Also on Metasploit and exploit-db.

References:
OSVDB 61964
exploit-db 11204

HTTPDX h_handlepeer() Function Buffer Overflow exploit (meta)

Trancer — Fri, 16 Oct 2009 14:08:28 +0000

Hello readers, I wrote a new Metaspoit exploit module for the HTTPDX h_handlepeer() function stack-based buffer overflow vulnerability.

The vulnerability was found in HTTPDX HTTP/FTP server version 1.4 by Pankaj Kohli and the original exploit can be found on his website – httpdx 1.4 GET Request Remote Buffer Overflow Exploit (0day).

This module exploits a stack-based buffer overflow vulnerability in HTTPDX HTTP server 1.4. The vulnerability is caused due to a boundary error within the “h_handlepeer()” function in http.cpp. By sending an overly long HTTP request, an attacker can overrun a buffer and execute arbitrary code.

Download httpdx_handlepeer.rb.
Also on Metasploit.

References:
CVE-2009-3711
OSVDB 58714

AwingSoft Web3D Player SceneURL() Buffer Overflow exploit (meta)

Trancer — Tue, 28 Jul 2009 05:45:11 +0000

Here’s a new Metaspoit exploit module I wrote for the AwingSoft Web3D Player SceneURL() stack-based buffer overflow vulnerability.

This module exploits a stack-based buffer overflow within Winds3D Viewer of AwingSoft Awakening 3.0 (WindsPly.ocx v3.5.0.0). This ActiveX is a plugin of AwingSoft Web3D Player. By setting an overly long value to ‘SceneURL()’, an attacker can overrun a buffer and execute arbitrary code.

This vulnerability was found by shinnai and was published recently on milw0rm and shinnai web site.

Download awingsoft_web3d_bof.rb.
Also on Metasploit.

References:
OSVDB 60017

Enjoy.

Microsoft DirectShow (msvidctl.dll) MPEG-2 Memory Corruption exploit (meta)

Trancer — Mon, 06 Jul 2009 13:37:58 +0000

The CSIS Security Group ~~found~~ (credit correction – see the update below) a 0day exploit in-the-wild that exploit a vulnerability within Microsoft DirectShow (msvidctl.dll) in the way it handles MPEG-2 files.
The exploit found is used to preform drive-by attacks via compromised Chinese web sites.
Original exploit (as it is in-the-wild) can be found here (shellcode changed to execute calc.exe) – aa.rar.
You can read the translated post here or read this post from ISC diary.

Here’s a Metasploit exploit module I wrote that exploit this vulnerability.
Tested successfully on the following platforms (fully patched 06/07/09):
– Internet Explorer 6, Windows XP SP2
– Internet Explorer 7, Windows XP SP3

Download msvidctl_mpeg2.rb.
Also on Metasploit.

Also, if you want to test this vulnerability manually, here’s a little Ruby script I wrote that build GIF files to trigger the vulnerability:
Download msvidctl_gif.rb.

This is the second exploit found in-the-wild in the past month that exploit a vulnerability in Microsoft DirectShow. In June, an exploit was found in-the-wild that exploit a vulnerability in DirectShow QuickTime Movie Parser Filter (quartz.dll). Liam O Murchu of Symantec wrote an analysis for this exploit here:
DirectShow Exploit In the Wild
DirectShow Exploit In the Wild, Part II

This post will update with additional updates about this vulnerability.

Updates:

>> It seems that CSIS Security Group wasn’t the first to discover this exploit in-the-wild, KingSoft from China was the first to spot this exploit – KingSoft blog (translated).
Thank to Carsten Eiram for pointing it out.

>> References:
CVE-2008-0015
OSVDB 55651
BID 35558
Microsoft Security Advisory (972890)
SA35683

>> Blog posts and news:
Microsoft Security Research & Defense blog
ZDNet Zero Day blog
Symantec Connect blog

>> SANS ISC Handler’s Diary have posted a blog post that will update frequently with list of domains that is actively exploiting this vulnerability. Note that the vast majority of the domains is up for only a short period of time – IE 0day exploit domains (updating).

>> As the CVE number implies (early 2008), it turns out that Microsoft was aware of this vulnerability for a long time. In the security advisory, Microsoft thanks Ryan Smith and Alex Wheeler of Hustle Labs of ISS X-Force for initially reporting this vulnerability. Well, I guess that’s what happens when you wait too long to patch a vulnerability, eventually someone else will discover it and wont chose the path of responsible disclosure.

>> Guido Landi details the vulnerability in his blog – PornoSecurity.

>> In their security advisory, Microsoft recommends setting the kill bit for 44 classid’s. With some of them it is possible to reproduce the bug. Check out I)ruid’s update for the Metasploit exploit.

>> Microsoft Video ActiveX control 0day technical details blog post by TippingPoint DVLabs.

>> Interesting post regarding this vulnerability by Halvar Flake – Poking around MSVIDCTL.DLL.

>> Microsoft fix the msvidctl.dll memory corruption vulnerability in MS09-032. The “patch” does NOT fix the vulnerability, only setting a kill bit to all the vulnerable Video ActiveX controls.

>> Microsoft fix the source of the msvidctl.dll memory corruption vulnerability in MS09-037.

Green Dam URL Processing Buffer Overflow exploit (meta)

Trancer — Tue, 16 Jun 2009 17:34:24 +0000

As of June 1st, the Chinese government demands every personal computer in China to install or be sold with Green Dam Youth Escort Censorware program. Three security researchers – Scott Wolchok, Randy Yao, and J. Alex Halderman from University of Michigan have released an analysis of the Green Dam Censorware system, disclosing multiple vulnerabilities and weaknesses in it. You can read the whole story in the ZDNet Zero Day blog.
The vendor, Jinhui Computer System Engineering Ltd., already patched the vulnerabilities but you can still find vulnerable installations with Google if you want to test it.

One of the vulnerabilities disclosed in the security analysis is a remotely exploitable stack-based buffer overflow vulnerability in the way Green Dam process overly long URLs (OSVDB 55126). seer[N.N.U] posted a simple exploit for this vulnerability on milw0rm.
And here, I wrote a Metasploit exploit module for Internet Explorer which exploits this stack-based buffer overflow vulnerability in Green Dam 3.17. This module uses the .NET DLL memory technique by Alexander Sotirov and Mark Dowd and should bypass DEP, NX and ASLR.
I’ve tested this exploit successfully on the following platforms:
– Internet Explorer 6, Windows XP SP2
– Internet Explorer 7, Windows XP SP3
– Internet Explorer 7, Windows Vista SP1

Download greendam_url.rb.
Also on Metasploit and milw0rm.

References:
OSVDB 55126

According to the latest Microsoft Security Intelligence Report, China is the world leading country in Malware distribution so I guess they deserve some pwning :P

AOL Radio AmpX ActiveX Control ConvertFile() Buffer Overflow exploit (meta)

Trancer — Sun, 24 May 2009 03:38:57 +0000

Wrote a new Metaspoit exploit module for the AOL Radio AmpX ActiveX control ConvertFile() stack-based buffer overflow vulnerability.

This module exploits a stack-based buffer overflow in AOL IWinAmpActiveX class (AmpX.dll) version 2.4.0.6 installed via AOL Radio website. By setting an overly long value to ‘ConvertFile()’, an attacker can overrun a buffer and execute arbitrary code.

This vulnerability was found by rgod and was published recently by Nine:Situations:Group. Still no patch from AOL, if you want to test it you can get the vulnerable package here on the AOL Radio web site.

Download aol_ampx_convertfile.rb.
Also on Metasploit.

References:
BID 35028
OSVDB 54706
milw0rm 8733

Roxio CinePlayer ActiveX Control Buffer Overflow exploit (meta)

Trancer — Thu, 30 Apr 2009 21:50:10 +0000

And another new exploit module for Metasploit.
This module exploits a stack-based buffer overflow in SonicPlayer ActiveX control (SonicMediaPlayer.dll) 3.0.0.1 installed by Roxio CinePlayer 3.2. By setting an overly long value to ‘DiskType’, an attacker can overrun a buffer and execute arbitrary code.

This vulnerability was found by Carsten Eiram of Secunia Research back in April 2007. No patch or any kind of solution is offered by the vendor. Also, there was no public exploit for this vulnerability, until now ;-)

Download roxio_cineplayer.rb.
Also on Metasploit.

References:
CVE-2007-1559
BID 23412
OSVDB 34779

Autodesk IDrop ActiveX Control Heap Memory Corruption exploit (meta)

Trancer — Thu, 30 Apr 2009 18:49:17 +0000

Wrote a new Metaspoit exploit module for the Autodesk IDrop ActiveX control heap-based memory corruption vulnerability.

This module exploits a heap-based memory corruption vulnerability in Autodesk IDrop ActiveX control (IDrop.ocx) version 17.1.51.160. An attacker can execute arbitrary code by triggering a heap use after free condition using the Src, Background, PackageXml properties.

This vulnerability was found by Elazar Board and apparently Autodesk is not going to fix this issue… Better flip on the killbit for this one.

Download autodesk_idrop.rb.
Also on Metasploit.

References:
BID 34352
OSVDB 53265
milw0rm 8560

Microsoft Internet Explorer Object Clone Deletion Memory Corruption (MS09-002) Proof-of-Concept exploit

Trancer — Tue, 24 Feb 2009 08:43:24 +0000

Here’s a proof-of-concept exploit for Microsoft Internet Explorer Object Clone Deletion Memory Corruption vulnerability in case you don’t use the Metasploit Framework and still want to test it.

Like the Metasploit module I wrote for it, it has been tested successfully on Windows XP SP3, Windows Vista SP1 and Windows Server 2003 SP2 (no 961260 patch).
Update: also tested successfully on Windows Server 2008 with no DEP (OptOut – iexplorer.exe).

Download ms09-002.html.

Enjoy it.

Microsoft Internet Explorer Object Clone Deletion Memory Corruption (MS09-002) exploit for Metasploit

Trancer — Fri, 20 Feb 2009 12:46:01 +0000

Just finish writing a quick Metasploit exploit module for the Microsoft Internet Explorer Object Clone Deletion Memory Corruption vulnerability.

Tested successfully on Windows XP SP3, Windows Vista SP1 and Windows Server 2003 SP2 (without patch 961260 of course).
Update: also tested successfully on Windows Server 2008 with no DEP (OptOut – iexplorer.exe).

Download ms09_002_object_delete.rb.

Was a fun one to play with ^_^

References:
MS09-002
CVE-2009-0075
BID 33627
OSVDB 51839
ZDI-09-011

HP Mercury Quality Center ActiveX Control ProgColor Buffer Overflow exploit (meta)

Trancer — Tue, 14 Oct 2008 21:53:41 +0000

Wrote a new Metaspoit exploit module for HP Mercury Quality Center ActiveX Control ProgColor Buffer Overflow vulnerability.

This module exploits a stack-based buffer overflow in SPIDERLib.Loader ActiveX control (Spider90.ocx) 9.1.0.4353 installed by TestDirector (TD) for Hewlett-Packard Mercury Quality Center 9.0 before Patch 12.1, and 8.2 SP1 before Patch 32. By setting an overly long value to ‘ProgColor’, an attacker can overrun a buffer and execute arbitrary code.

Download hpmqc_progcolor.rb.
Also on Metasploit.

References:
CVE-2007-1819
BID 23239
OSVDB 34317
iDefense Labs
HP Security Bulletin