Metasploit
Metasploit, Google Summer of Code, and You!
Spend the summer with Metasploit
I'm proud to announce that the Metasploit Project has been accepted as a mentor
organization in the Google Summer of Code! For those unfamiliar with the
program, their about page [https://summerofcode.withgoogle.com/about/] sums it
up nicely:
> Google Summer of Code is a global program focused on introducing students to
open source software development. Students work on a 3 month programming project
with an open source organization during their break from univer
Python
The Foam Goes Straight to Your Brain
Yesterday, we announced the availability of a PowerShell extension for
Meterpreter [/2016/03/31/weekly-metasploit-wrapup], primarily as a toy for
laughs because no one would seriously consider using it for anything important.
But today? Today we've got a real treat for you. For serious programmers and
serious pentesters, what you really want is a serious language. Something with
the power of a Turing Machine and the readability of raw bytecode. Something
beautiful and subtle, like a chainsaw. S
Haxmas
12 Days of Haxmas: Authenticated Code Execution by Design
This post is the tenth in the series, "The 12 Days of HaXmas."
What's your favorite exploit?
My favorite exploit is not an exploit at all. It's authenticated code execution
by design.
As an attacker, what you're really looking for is the ability to control a
system in all the same ways that a system's normal users and administrators do.
Administrators need to examine attributes of the system such as the users that
log into it, the software installed on it, the services running on it, and most
Metasploit
Workspace in your prompt
This is the simple prompt that msfconsole gives you by default:
The second part, "exploit(psexec)" shows your current context is the exploit
module named psexec. You can't change that because it's an important indicator
of where you are. The first part, though, is just a default string to tell you
you're in msfconsole. It can be controlled with the global Prompt option; you
can set it to whatever you want:
setg Prompt lolhax
But that's not too exciting. To make it more interesting, there a
Metasploit
Weekly Update: Fun with ZPanel, MoinMoin, and FreeBSD
Chaining Zpanel Exploits for Remote Root
ZPanel is a fun, open source web hosting control panel, written in code
auditors' favorite language, PHP. For bonus points, ZPanel likes to do some
things as root, so it installs a nifty little setuid binary called 'zsudo' that
does pretty much what you might expect from a utility of that name -- without
authentication. In the wake of some harsh words on reddit and elsewhere in
regard to the character of ZPanel's development team, the project came to the
Product Updates
Weekly Update: Smaller is Better
In this week's episode, the role of Tod Beardsley will be played by egypt.
Smaller is better
Perhaps the most prominent addition to the framework this week is not an
addition at all, but rather a deletion. We've been working toward a slimmer,
more manageable source tree for a while now, and as part of that effort, we
recently removed a pile of old-and-busted unit tests. This update goes a bit
further, moving source code for some compiled payloads into separate
repositories. Metasploit's version
Exploits
Stage Encoding -or- How I Learned to Stop Worrying and Love the String#<< Operator
As I mentioned in my post about compiling on the fly
[/2013/01/08/compiling-payloads-on-the-fly-for-postgresql], encoders' primary
purpose in life is to avoid bad characters in a payload. To recap, the main
reason a character is considered "bad" is that some aspect of the exploit makes
use of that character impossible. One reason this might be the case is when a
character gets stripped out or mangled along its journey through protocol
decoding. For example, in the telnet protocol, \xff is the I
Exploits
Serialization Mischief Redux: Exploit for Ruby on Rails CVE-2013-0333
This afternoon, another scary advisory
[https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo]
was posted to the Ruby on Rails security discussion list. Fortunately, this one
doesn't affect any Metasploit products. The previous advisory
[https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion]
(that HD talked about here
[/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156]) dealt with
Rails parameter parsing of XML from a POS
Compiling payloads on the fly for PostgreSQL
The update from 2012-12-14 [/2012/12/14/weekly-metasploit-update] contains a new
module that brings code execution on an authenticated Postgres database to
Linux. Metasploit has had this capability on Windows for quite some time but it
took community contributor midnitesnake to scratch this particular itch. There
are two reasons I'd like to talk about this module. First, it's not an exploit
in the traditional sense because the vulnerability it takes advantage of is not
really a vulnerability. Po
Metasploit
Introduction to Metasploit Hooks
Metasploit provides many ways to simplify your life as a module developer. One
of the less well-known of these is the presence of various hooks you can use for
processing things at important stages of the module's lifetime. The basic one
that anyone who has written an exploit will be familiar with is exploit, which
is called when the user types the exploit command. That method is common to all
exploit modules. Aux and post modules have an analogous run method. Common to
all the runnable modules
Metasploit
Current User psexec
At DEF CON this year I talked about some of the post exploitation capabilities
within Metasploit and demo'd a cool technique I developed with Jabra on a
pentest a year or so ago (I later found out that Mubix had come up with
basically the same idea - great minds think alike). It is essentially this: use
a session's current token to create a remote service on a victim machine.
It takes advantage of a feature in Windows that most people take completely for
granted. Given that you are already logg
Exploits
Press F5 for root shell
As HD mentioned [/2012/06/11/scanning-for-vulnerable-f5-bigips-with-metasploit],
F5 has been inadvertently shipping a static ssh key that can be used to
authenticate as root on many of their BigIP devices. Shortly after the advisory,
an anonymous contributor hooked us up with the private key.
Getting down to business, here it is in action:
18:42:35 0 exploit(f5_bigip_known_privkey) > exploit
[ ] Successful login
[*] Found shell.
[*] Command shell session 3 opened ([redacted]
Eternal Sunshine of the Spotless RAM
The purpose of this post is to point out a little-known jewel -- the -m flag to
meterpreter's execute command. The help tells us that this flag causes the
executable to "Execute from memory" but that doesn't really explain it. Here's
an example of the -m option in action:
meterpreter > pwd
C:\Windows\SYSTEM32
meterpreter > download cmd.exe
[*] downloading: cmd.exe -> cmd.exe
[*] downloaded : cmd.exe -> cmd.exe
meterpreter > execute -H -m -d calc.exe -i -f cmd.exe
Process 572 created.
Channel 5
Metasploit
Progress on the Internet
The Internet has made a lot of progress in the last few years. Censorship has
been virtually eliminated. Youtube comments are universally insightful. The
people owning networks and dropping docs are now only occasionally on the FBI
payroll. Published breaches are at an all-time low. Everyone is running IPv6.
In light of all this progress, it is with a heavy heart that we must announce
the demise of IPv4 support in all Metasploit products. This decision has been in
the offing for several years,
Metasploit
New Sectools.org List is Out
Sectools.org, from our friends at the Nmap project, has updated its list of the
best security tools [http://sectools.org/]. I'm proud to say Metasploit has come
in second among an entire ecosystem of awesome tools. Many of our favorite tools
that make use of Metasploit are represented as well, including BeEF, Nexpose,
and Social Engineer Toolkit. John the Ripper and w3af, two open source projects
that Rapid7 supports through sponsorship, also made the list.
This is a great resource for people