Posts by Adam Cammack

2 min Metasploit

Metasploit Wrap-Up

Three new modules for achieving code execution, a new way to play favorites, and more! Plus a Google Summer of Code announcement!

3 min Metasploit

Metasploit Wrap-Up

Two new RCE-capable modules and some good fixes and enhancements!

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Yes, it’s a huge enterprise vulnerability week (again)

For our 100th release since the release of 5.0 [/2019/01/10/metasploit-framework-5-0-released/] 18 months ago, our own zeroSteiner [https://github.com/zeroSteiner] got us a nifty module for the SAP "RECON" vulnerability [https://attackerkb.com/topics/JubO1RiVBP/cve-2020-6287-critical-vulnerability-in-sap-netweaver-application-server-as-java] affecting NetWeaver versions 7.30 to 7.50. It turns out those versions will allow anyone to create a

3 min Metasploit

Metasploit Wrap-up

Security fix for the libnotify plugin (CVE-2020-7350)

If you use the libnotify plugin to keep track of when file imports complete, the interaction between it and db_import allows a maliciously crafted XML file [https://github.com/rapid7/metasploit-framework/pull/13049] to execute arbitrary commands on your system. In proper Metasploit fashion, pastaoficial [https://github.com/pastaoficial] PR'd a file format exploit to go along with the fix, and our own smcintyre-r7 [https://github.com/smcintyre

6 min Haxmas

Memory Laundering: Is Cleaner Better?

In this HaXmas blog, we discuss how to bypass SELinux's commonly-applied `execmem` permission.

3 min Metasploit

Metasploit Wrap-Up

Payload payday

As we blogged about yesterday [/2019/11/21/metasploit-shellcode-grows-up-encrypted-and-authenticated-c-shells/], a new form of payload that is compiled directly from C when generated was added by space-r7 [https://github.com/space-r7]. We hope this is only the first step in a journey of applying the myriad tools that obfuscate C programs to our core payloads, so be sure to check out all the nifty workings of the code! If that wasn't enough, we also got a pair of payloads written f

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Back to school blues

Summer is winding down and while contributions haven't dropped off (thanks y'all!), we've been tied up with events and a heap of research. Don't despair, though: our own Brent Cook [https://github.com/busterb], Pearce Barry, Jeffrey Martin [https://github.com/jmartin-r7], and Matthew Kienow [https://github.com/mkienow-r7] will be at DerbyCon 9 running the Metasploit Town Hall at noon Friday. They'll be delivering a community update and answering questions, so be sur

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

A LibreOffice file format exploit, plus improvements to TLS and CredSSP-based fingerprinting.

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

BSD love

Outside of macOS, not many people run (or run into) a BSD-flavored system very often. Even still, bcoles [https://github.com/bcoles] and space-r7 [https://github.com/space-r7] teamed up for a pair of BSD enhancements. The first, a privilege escalation, affects FreeBSD's runtime linker dealing with LD_PRELOAD in FreeBSD 7.1, 7.2, and 8.0. The next enhancement adds BSD targets to our known-credential ssh executor, which now allows BSD-specific payloads. Not wanting macOS to be left out ti

4 min Metasploit Weekly Wrapup

Metasploit Wrap-up

Document ALL THE THINGS!

This release sees quite a bit of documentation added, with a module doc from bcoles and four new module docs from newer docs contributor Yashvendra [https://github.com/Yashvendra]. Module docs can be viewed with `info -d` and are extremely helpful for getting acquainted with a module's capabilities and limitations. We greatly value these contributions because, while not cool h4x0r features by themselves, each one means that fewer people have to read the code to understand ho

7 min Haxmas

Santa's ELFs: Running Linux Executables Without execve

Santa's ELFs do not get a post-holiday break, since the Executable and Linkable Format (ELF) is the base of numerous Unix-like operating systems.

4 min Metasploit Weekly Wrapup

Metasploit Wrapup

Why can't I hold all these Pull Requests?

It has been a busy month here in Metasploit-land, with the holidays, the holiday community contributions, and our community CTF [/2018/11/05/announcing-the-2018-metasploit-community-ctf/]. It doesn't help that the last few months have seen our open pull request count keep climbing as well, reaching over 90 at times. Our fearless leader, busterb [https://github.com/busterb], decided to take on the challenge and landed over 20 PRs by himself in the last tw

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

Ghost(script) in the shell

There has been a lot of buzz the last couple of weeks about Google Project Zero's Tavis Ormandy's new Ghostscript `-dSAFER` bypass, now complete with a Metasploit module. With some valiant work by wvu [https://github.com/wvu-r7] and taviso [https://github.com/taviso] himself, the latest way to break out of a PDF is now at your fingertips. If you pulled an advance copy from the PR [https://github.com/rapid7/metasploit-framework/pull/10564], make sure to use the refined vers

6 min Metasploit

External Metasploit Modules: The Gift that Keeps on Slithering

For HaXmas last December, I wrote about the introduction of Python modules to Metasploit Framework. As our module count keeps on growing, we thought that it would be a good time to update the community on where we are at.

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

Just Let Me Grab My Popcorn First

This week, rmdavy [https://github.com/rmdavy] contributed a pair of modules designed to fool Windows into authenticating to you so you can capture sweet, sweet NetNTLM hashes. BadODT [https://github.com/rapid7/metasploit-framework/pull/10067] targets LibreOffice/Apache OpenOffice by providing a link to an image on a network share, and the new Multi Dropper [https://github.com/rapid7/metasploit-framework/pull/10115] creates all sorts of files Windows itself lov