Posts by Egypt

4 min

Metasploit Wrapup 5/26/17

It has been an intense couple of weeks in infosec since the last Wrapup and we've got some cool things for you in the latest update. Hacking like No Such Agency I'll admit I was wrong. For several years, I've been saying we'll never see another bug like MS08-067, a full remote hole in a default Windows service. While I'm not yet convinced that MS17-010 will reach the same scale as MS08-067 did, EternalBlue [] has already

3 min Metasploit Weekly Wrapup

Metasploit Wrapup 3/24/17

Faster, Meterpreter, KILL! KILL! You can now search for and kill processes by name in Meterpreter with the new pgrep and pkill commands. They both have flags similar to the older ps command, allowing you to filter by architecture (-a), user (-u), or to show only child processes of the current session's process (-c). We've also added a -x flag to find processes with an exact match instead of a regex, if you're into that. Fun with radiation Craig Smith has been killing it lately with all his h

2 min Metasploit

Metasploit, Google Summer of Code, and You!

Spend the summer with Metasploit I'm proud to announce that the Metasploit Project has been accepted as a mentor organization in the Google Summer of Code! For those unfamiliar with the program, their about page [] sums it up nicely: > Google Summer of Code is a global program focused on introducing students to open source software development. Students work on a 3 month programming project with an open source organization during their break from univer

2 min

Metasploit Wrapup 12/9/16

Finding stuff For a very long time, msfconsole's search command has used a union of the results of all search terms. This means that if you do something like search linux firefox, you'll get a list of all modules that mention linux, regardless of the application they target, and all modules that mention firefox, regardless of their platform. Most people are probably expecting the intersection, i.e. you probably wanted to see only the modules that target Firefox on Linux. So now that's what happe

2 min

Metasploit Wrapup 11/18/16

Everything old is new again As you probably already know, hardware manufacturers are not always great at security. Today we'll be picking on Netgear, who produce a WiFi router called the WNR2200 []. This cute little device, brand new out of the box on store shelves today, runs Linux 2.6.15 with Samba 3.0.24. For those of you keeping score at home, those versions were released in 2007. Way back in 2007, Samba had a pre-auth heap buffer overflow vulnerabil

2 min Metasploit

Weekly Update: Fun with ZPanel, MoinMoin, and FreeBSD

Chaining Zpanel Exploits for Remote Root ZPanel is a fun, open source web hosting control panel, written in code auditors' favorite language, PHP. For bonus points, ZPanel likes to do some things as root, so it installs a nifty little setuid binary called 'zsudo' that does pretty much what you might expect from a utility of that name -- without authentication. In the wake of some harsh words on reddit and elsewhere in regard to the character of ZPanel's development team, the project came to the

2 min Product Updates

Weekly Update: Smaller is Better

In this week's episode, the role of Tod Beardsley will be played by egypt. Smaller is better Perhaps the most prominent addition to the framework this week is not an addition at all, but rather a deletion. We've been working toward a slimmer, more manageable source tree for a while now, and as part of that effort, we recently removed a pile of old-and-busted unit tests. This update goes a bit further, moving source code for some compiled payloads into seperate repositories. Metasploit's version

2 min Metasploit

Introduction to Metasploit Hooks

Metasploit provides many ways to simplify your life as a module developer. One of the less well-known of these is the presence of various hooks you can use for processing things at important stages of the module's lifetime. The basic one that anyone who has written an exploit will be familiar with is exploit, which is called when the user types the exploit command. That method is common to all exploit modules. Aux and post modules have an analogous run method. Common to all the runnable modules

1 min Metasploit

Current User psexec

At DEF CON this year I talked about some of the post exploitation capabilities within Metasploit and demo'd a cool technique I developed with Jabra on a pentest a year or so ago (I later found out that Mubix had come up with basically the same idea - great minds think alike). It is essentially this: use a session's current token to create a remote service on a victim machine. It takes advantage of a feature in Windows that most people take completely for granted. Given that you are already logg

3 min Exploits

Press F5 for root shell

As HD mentioned [/2012/06/11/scanning-for-vulnerable-f5-bigips-with-metasploit], F5 has been inadvertently shipping a static ssh key that can be used to authenticate as root on many of their BigIP devices. Shortly after the advisory, an anonymous contributor hooked us up with the private key. Getting down to business, here it is in action:     18:42:35 0 exploit(f5_bigip_known_privkey) > exploit     [ ] Successful login     [*] Found shell.     [*] Command shell session 3 opened ([redacted]

3 min Release Notes

Metasploit Framework 4.0 Released!

It's been a long road to 4.0. The first 3.0 release was almost 5 years ago and the first release under the Rapid7 banner was almost 2 years ago. Since then, Metasploit has really spread its wings. When 3.0 was released, it was under a EULA-like license with specific restrictions against using it in commercial products. Over time, the reasons for that decision became less important and the need for more flexibility came to the fore; in 2008, we released Metasploit 3.2 under a 3-clause BSD licen

4 min

Metasploit 4.0: The Database as a Core Feature

Early in the 3.x days, metasploit had support for using databases through plugins.  As the project grew, it became clear that tighter database integration was necessary for keeping track of the large amount of information a pentester might encounter during an engagement.  To support that, we moved database functionality into the core, to be available whenever a database was connected and later added postgres to the installer so that functionality could be used out of the box.  Still, the command

1 min Release Notes

Metasploit Framework 3.7.2 Released!

It's that time again! The Metasploit team is proud to announce the immediate release of the latest version [] of the Metasploit Framework, 3.7.2. Today's release includes eleven new exploit modules and fifteen post modules for your pwning pleasure. Adding to Metasploit's well-known hashdump capabilities, now you can easily steal password hashes from Linux, OSX, and Solaris. As an added bonus, if any of the passwords were hashed with crypt_blowfish (which is the d

4 min Exploits

Recent Developments in Java Signed Applets

The best exploits are often not exploits at all -- they are code execution by design. One of my favorite examples of this is a signed java applet. If an applet is signed, the jvm allows it to run outside the normal security sandbox, giving it full access to do anything the user can do. Metasploit has supported using signed applets as a browser exploit for quite awhile, but over the last week there have been a couple of improvements that might help you get more shells. The first of these improve