Windows Media Center MCL files can specify a URL to be automatically loaded within Media Center. A specially crafted MCL file can abuse this URL parameter in order to trick Windows Media Center into rendering the very same MCL file as a local HTML file within the application's embedded web browser. This way, attacker-controlled Javascript code can run in the context of embedded IE's Local Machine Zone with no security prompts, since Media Center does not opt-in for the Local Machine Zone Lockdown policy. This can be leveraged by an attacker to read and exfiltrate arbitrary files from a victim's local fileystem by convincing an unsuspecting user to open an MCL file. This module will try to steal a couple files that should be present on every vulnerable machine (the mshta.exe executable from the Windows\System32 folder and the WindowsUpdate.log file) in order to confirm the existence of the vulnerability. The module can be configured through the "Files to retrieve" parameters group to try to steal a predefined set of important user files from the Google Chrome and Mozilla Firefox web browsers (such as the Cookies, History, Preferences and Bookmarks files), and the Mozilla Thunderbird email client (address book, preferences, emails). However, note that web browser's History files and Thunderbird's email databases can be pretty big; in those cases, Windows Media Center can get stuck for minutes while trying to read those files. In order to steal Chrome/Firefox/Thunderbird files, the MCL file needs to infer the location of the %USERPROFILE% folder (typically something like C:\Users\JohnDoe) by inspecting its own current path. That means that stealing files from the %USERPROFILE% folder will only work if the MCL file is opened from a path under the %USERPROFILE% folder in the victim's machine, such as the Desktop, the "My Documents" folder, or the "Downloads" folder. The "Files to retrieve" parameters group also accepts a text file containing a custom list of files to be retrieved from the target system. Retrieved files will be saved to the folder specified in the OUTPUT FOLDER parameter. The module will create a separate folder for every compromised target.
The vulnerability is due to an error while parsing ThinApp compressed files which can result in an buffer overflow. This module runs a malicious web site on the Core Impact Console and waits for an unsuspecting user to trigger the exploit by connecting to the web site.
This module exploits a vulnerability in Moxa VPort SDK. This module runs a malicious web site on the CORE IMPACT Console and waits for an unsuspecting user to trigger the exploit by connecting to the web site. This exploit works only with ActiveX implementation (VPortSDK.ocx) of Moxa VProt SDK through Microsoft Internet Explorer 6, 7 and 8.
This module exploits when sending specially crafted argument to makeMeasurement leaving objects in an inconsistent state. This produces a leak via a call to dumpMeasureData storing a file to a share folder with importante addresses and can later be retrieved .Finally using NSendApprovalToAuthorEnabled method it is possible to bypass the Javascript API restrictions and resend a new crafted PDF to the browser to produce buffer overflow and complete exploitation. This module runs a malicious web site on the CORE IMPACT Console and waits for an unsuspecting user to trigger the exploit by connecting to the web site.
Certain Javascript APIs in Adobe Acrobat Pro can only be executed in a privileged context. By adding specially crafted Javascript code to a PDF file it's possible to bypass security restrictions and invoke privileged Javascript APIs, allowing for arbitrary code execution. This exploit takes advantage of the AFParseDate() trusted function, which can call eval() with attacker-controlled input, in order to bypass the security restrictions and ultimately call Collab.uriPutData() to write arbitrary files into the victim's filesystem. The exploit will try to gain code execution on the victim's machine by potentially dropping two files: A DLL named updaternotifications.dll will be written into the same folder where the crafted PDF file is located in the victim's machine. This DLL will be automatically loaded by Adobe Acrobat Pro a few seconds after the crafted PDF file has been opened, as long as the Updater settings of Adobe Acrobat Pro is set to any option different than "Do not download or install updates automatically". An EXE file will be written into the %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup folder, if possible. This executable containing the agent code will be automatically executed upon next user logon into the vulnerable machine. In order for this EXE file to be dropped, the PDF file needs to infer the location of the %USERPROFILE% folder (typically something like C:\Users\JohnDoe) by inspecting the current path of the PDF file. This means that the EXE file will be dropped only if the PDF file is loaded from a path under the %USERPROFILE% folder in the victim's machine, such as the Desktop, the "My Documents" folder, or the "Downloads" folder.
This module exploits a Use-After-Free vulnerability in Adobe Flash Player. The specific flaw exists within the processing of AS3 ConvolutionFilter objects. By manipulating the matrix property of a ConvolutionFilter object, an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process. This vulnerability was one of the 2015's Pwn2Own challenges.
Subscribe to Client Side