Posts by bperry

5 min

GKsu and VirtualBox Root Command Execution by Filename (CVE-2014-2943)

Poisoning VirtualBox via Crafted Filenames

When I began researching this, I believed the vulnerability lay within VirtualBox, but after a bit I realized this was not true. The vulnerability being hit is actually within gksu itself. In fact, VirtualBox did everything right (sort of). I do take advantage of a weakness in the way they validate their extension packs, but the reason the vulnerability results in a root shell is because the vulnerability is hit after gksu escalates privs to root. You

4 min Exploits

You have no SQL inj--... sorry, NoSQL injections in your application

Everyone knows about SQL injections. They are classic, first widely publicized by Rain Forest Puppy, and still widely prevalent today (hint: don't interpolate query string params with SQL). But who cares? SQL injections are so ten years ago. I want to talk about a vulnerability I hadn't run into before that I recently had a lot of fun exploiting. It was a NoSQL injection. The PHP application was using MongoDB, and MongoDB has a great feature [http://www.php.net//manual/en/mongocollection.find.

2 min Exploits

Sophos Web Appliance Privilege Escalation and Remote Code Execution Vulnerability

Sophos Web Protection Appliance version 3.8.1.1, and likely prior versions, was vulnerable to both a mass assignment attack which allowed privilege escalation, as well as a remote command execution vulnerability as root available to admin users. ZDI details the vuln here [http://www.zerodayinitiative.com/advisories/ZDI-14-069/]. This Metasploit module exploits both vulnerabilities in order to go from an otherwise unprivileged authenticated user to root on the box. This is particularly bad because this

9 min Vulnerability Disclosure

Seven FOSS Tricks and Treats (Part Two)

Adventures in FOSS Exploitation, Part Two: Exploitation

This is part two of a pair of articles about disclosing vulnerabilities in a set of FOSS projects; see part one [/2013/10/30/seven-foss-disclosures-part-one] for some background on these vulnerabilities in particular, and some general advice for FOSS developers and maintainers. A while back, I started a project to go over some of the top Sourceforge web applications and try to write some Metasploit modules for them. In the end, I was able

2 min Government

GestioIP Authenticated Remote Command Execution module

GestioIP is an open-source IPAM (IP Address Management) solution available on Sourceforge, written in Perl. There is a vulnerability in the way the ip_checkhost.cgi deals with pinging IPv6 hosts passed to it. If you pass an IPv4 address, the CGI uses a Perl library to perform the ping and return the results to the user. However, this library doesn't seem to support IPv6 hosts, so the developer uses the ping6 utility to perform the ping of an IPv6 machine. The developer did perform some validat

2 min Metasploit

Communicating and integrating with Metasploit from your Mono/.NET applications

I recently checked into github a C# library [https://github.com/brandonprry/metasploit-sharp/] that makes communication and integration from your Mono/.NET applications easy. The library follows the same Session/Manager pattern as the Nexpose library [https://github.com/brandonprry/nexpose-sharp] I mentioned [/2012/01/13/communicating-and-integrating-with-nexpose-from-your-netmono-applications] previously in the Nexpose blog. It has support for both the core Metasploit RPC and for the Me

6 min Nexpose

Integrating Nexpose Community and Metasploit Community in Backtrack 5 R2

I recently packaged up the new Nexpose release so that Backtrack users can have an up-to-date version of Nexpose, straight from the Backtrack repos. This seemed like a great time to also go over installing Nexpose Community and integrating it with the already-installed Metasploit Community.

1. Getting Started

Before we get started, I would recommend grabbing a copy of Backtrack 5 R2 64-bit. The machine you want to use will need to have at a minimum 2GB of RAM and at least 5GB space on the hard

5 min Metasploit

Adventures in the Windows NT Registry: A step into the world of Forensics and Information Gathering

As of a few days ago [https://github.com/rapid7/metasploit-framework/pull/98], the Metasploit Framework has full read-only access to offline registry hives. Within Rex you will now find a Rex::Registry namespace that will allow you to load and parse offline NT registry hives (including Windows 2000 and up), implemented in pure Ruby. This is a great addition to the framework because it allows you to be stealthier while gathering information on a remote computer. You no longer need

2 min Nexpose

Communicating and integrating with Nexpose from your .NET/Mono applications

Tuesday, the 17th, will be my first day with the Rapid7 crew. In the past, I have worked a lot with C#/.NET technologies, so Chad Loder asked me to get a C# library written for the Nexpose API. You may find the relevant code here [https://github.com/brandonprry/nexpose-sharp]. Within the repository, you have a nexpose-sharp folder and a nexpose-client folder. The nexpose-client folder contains a small application that consumes the Nexpose XML API via the C# library that I have written, which re