Posts by Egypt

2 min Metasploit

Metasploit, Google Summer of Code, and You!

Spend the summer with Metasploit I'm proud to announce that the Metasploit Project has been accepted as a mentor organization in the Google Summer of Code! For those unfamiliar with the program, their about page [https://summerofcode.withgoogle.com/about/] sums it up nicely: > Google Summer of Code is a global program focused on introducing students to open source software development. Students work on a 3 month programming project with an open source organization during their break from univer

1 min Python

The Foam Goes Straight to Your Brain

Yesterday, we announced the availability of a PowerShell extension for Meterpreter [/2016/03/31/weekly-metasploit-wrapup], primarily as a toy for laughs because no one would seriously consider using it for anything important. But today? Today we've got a real treat for you. For serious programmers and serious pentesters, what you really want is a serious language. Something with the power of a Turing Machine and the readability of raw bytecode. Something beautiful and subtle, like a chainsaw. S

6 min Haxmas

12 Days of Haxmas: Authenticated Code Execution by Design

This post is the tenth in the series, "The 12 Days of HaXmas." What's your favorite exploit? My favorite exploit is not an exploit at all. It's authenticated code execution by design. As an attacker, what you're really looking for is the ability to control a system in all the same ways that a system's normal users and administrators do. Administrators need to examine attributes of the system such as the users that log into it, the software installed on it, the services running on it, and most

1 min Metasploit

Workspace in your prompt

This is the simple prompt that msfconsole gives you by default: The second part, "exploit(psexec)" shows your current context is the exploit module named psexec. You can't change that because it's an important indicator of where you are. The first part, though, is just a default string to tell you you're in msfconsole. It can be controlled with the global Prompt option; you can set it to whatever you want: setg Prompt lolhax But that's not too exciting. To make it more interesting, there a

2 min Metasploit

Weekly Update: Fun with ZPanel, MoinMoin, and FreeBSD

Chaining Zpanel Exploits for Remote Root ZPanel is a fun, open source web hosting control panel, written in code auditors' favorite language, PHP. For bonus points, ZPanel likes to do some things as root, so it installs a nifty little setuid binary called 'zsudo' that does pretty much what you might expect from a utility of that name -- without authentication. In the wake of some harsh words on reddit and elsewhere in regard to the character of ZPanel's development team, the project came to the

2 min Product Updates

Weekly Update: Smaller is Better

In this week's episode, the role of Tod Beardsley will be played by egypt. Smaller is better Perhaps the most prominent addition to the framework this week is not an addition at all, but rather a deletion. We've been working toward a slimmer, more manageable source tree for a while now, and as part of that effort, we recently removed a pile of old-and-busted unit tests. This update goes a bit further, moving source code for some compiled payloads into separate repositories. Metasploit's version

4 min Exploits

Stage Encoding -or- How I Learned to Stop Worrying and Love the String#<<Operator

As I mentioned in my post about compiling on the fly [/2013/01/08/compiling-payloads-on-the-fly-for-postgresql], encoders' primary purpose in life is to avoid bad characters in a payload. To recap, the main reason a character is considered "bad" is that some aspect of the exploit makes use of that character impossible.  One reason this might be the case is when a character gets stripped out or mangled along its journey through protocol decoding. For example, in the telnet protocol, \xff is the I
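The bad-character problem in its simplest form, as an added example that is not code from the original post or from Metasploit: spot the bytes a transport will mangle (here the telnet IAC byte, 0xff, plus the classic NUL), then pick a single-byte XOR key so that neither the key nor any encoded byte is in the bad set. Real Metasploit encoders prepend a decoder stub and use richer schemes; this stand-in keeps only the core idea. The payload and bad-character list are constructed for the example, and the function names are this example's own.

```ruby
# Added example, not Metasploit code. Demonstrates why a byte is "bad" and how the
# simplest possible encoder (single-byte XOR) avoids it.

TELNET_IAC = 0xff  # telnet's Interpret As Command byte, mangled by protocol decoding

# Constructed sample: raw payload bytes that include a NUL and the telnet IAC byte.
PAYLOAD  = "\xff\x00\x41\x42".b
BADCHARS = [0x00, TELNET_IAC]

# Which distinct bytes of +payload+ are on the bad list?
def find_badchars(payload, badchars)
  payload.bytes.uniq.select { |b| badchars.include?(b) }
end

# Find a single-byte XOR key such that the key itself and every encoded byte stay
# off the bad list. Returns nil when no such key exists.
def find_xor_key(payload, badchars)
  (1..255).find do |key|
    !badchars.include?(key) &&
      payload.bytes.none? { |b| badchars.include?(b ^ key) }
  end
end

# Encode as [key][payload ^ key], building the result with String#<< on a binary
# string so no encoding conversion touches the bytes.
def xor_encode(payload, badchars)
  key = find_xor_key(payload, badchars)
  raise "no single-byte XOR key avoids the bad characters" unless key

  encoded = String.new(encoding: Encoding::BINARY)
  encoded << key.chr
  payload.each_byte { |b| encoded << (b ^ key).chr }
  encoded
end

# Undo xor_encode: first byte is the key, the rest is the XORed payload.
def xor_decode(blob)
  key = blob.getbyte(0)
  decoded = String.new(encoding: Encoding::BINARY)
  blob.byteslice(1..-1).each_byte { |b| decoded << (b ^ key).chr }
  decoded
end
```

A payload that contains every byte value cannot be rescued by a single-byte key when 0x00 is bad, since some byte always XORs to zero; that is the point at which a real encoder reaches for multi-byte keys or a different scheme.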

1 min Exploits

Serialization Mischief Redux: Exploit for Ruby on Rails CVE-2013-0333

This afternoon, another scary advisory [https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo] was posted to the Ruby on Rails security discussion list. Fortunately, this one doesn't affect any Metasploit products. The previous advisory [https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion] (that HD talked about here [/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156]) dealt with Rails parameter parsing of XML from a POS

4 min

Compiling payloads on the fly for PostgreSQL

The update from 2012-12-14 [/2012/12/14/weekly-metasploit-update] contains a new module that brings code execution on an authenticated Postgres database to Linux. Metasploit has had this capability on Windows for quite some time but it took community contributor midnitesnake to scratch this particular itch. There are two reasons I'd like to talk about this module. First, it's not an exploit in the traditional sense because the vulnerability it takes advantage of is not really a vulnerability. Po

2 min Metasploit

Introduction to Metasploit Hooks

Metasploit provides many ways to simplify your life as a module developer. One of the less well-known of these is the presence of various hooks you can use for processing things at important stages of the module's lifetime. The basic one that anyone who has written an exploit will be familiar with is exploit, which is called when the user types the exploit command. That method is common to all exploit modules. Aux and post modules have an analogous run method. Common to all the runnable modules

1 min Metasploit

Current User psexec

At DEF CON this year I talked about some of the post exploitation capabilities within Metasploit and demo'd a cool technique I developed with Jabra on a pentest a year or so ago (I later found out that Mubix had come up with basically the same idea - great minds think alike). It is essentially this: use a session's current token to create a remote service on a victim machine. It takes advantage of a feature in Windows that most people take completely for granted. Given that you are already logg

3 min Exploits

Press F5 for root shell

As HD mentioned [/2012/06/11/scanning-for-vulnerable-f5-bigips-with-metasploit], F5 has been inadvertently shipping a static ssh key that can be used to authenticate as root on many of their BigIP devices. Shortly after the advisory, an anonymous contributor hooked us up with the private key. Getting down to business, here it is in action:     18:42:35 0 exploit(f5_bigip_known_privkey) > exploit     [ ] Successful login     [*] Found shell.     [*] Command shell session 3 opened ([redacted]

2 min

Eternal Sunshine of the Spotless RAM

The purpose of this post is to point out a little-known jewel -- the -m flag to meterpreter's execute command. The help tells us that this flag causes the executable to "Execute from memory" but that doesn't really explain it. Here's an example of the -m option in action: meterpreter > pwd C:\Windows\SYSTEM32 meterpreter > download cmd.exe [*] downloading: cmd.exe -> cmd.exe [*] downloaded : cmd.exe -> cmd.exe meterpreter > execute -H -m -d calc.exe -i -f cmd.exe Process 572 created. Channel 5

1 min Metasploit

Progress on the Internet

The Internet has made a lot of progress in the last few years. Censorship has been virtually eliminated. Youtube comments are universally insightful. The people owning networks and dropping docs are now only occasionally on the FBI payroll. Published breaches are at an all-time low. Everyone is running IPv6. In light of all this progress, it is with a heavy heart that we must announce the demise of IPv4 support in all Metasploit products. This decision has been in the offing for several years,

1 min Metasploit

New Sectools.org List is Out

Sectools.org, from our friends at the Nmap project, has updated its list of the best security tools [http://sectools.org/]. I'm proud to say Metasploit has come in second among an entire ecosystem of awesome tools. Many of our favorite tools that make use of Metasploit are represented as well, including BeEF, Nexpose, and Social Engineer Toolkit. John the Ripper and w3af, two open source projects that Rapid7 supports through sponsorship, also made the list. This is a great resource for people