Posts by Egypt

1 min Release Notes

Weekly Metasploit Wrapup

One of the greatest things about Metasploit is that it supports lots of different protocols and technologies that you would otherwise need a huge menagerie of tools to be able to talk to, an ever-expanding bubble of interoperability that you didn't have to write. Due to some great ongoing work by Bigendian Smalls [], the bubble is getting even bigger, now encompassing shell sessions on mainframes. You can see the beginnings in #6013 [

1 min Metasploit Weekly Wrapup

Weekly Metasploit Wrapup

This week's update brings a fun user-assisted code execution bug in Safari. It works by opening up an "applescript://" URL, which pops an Applescript editor, and then getting the user to hit Command-R (normally the keybinding for reloading the page). The key combo will pass down to the editor and run the script. There is a mitigating factor here in the form of Gatekeeper, part of Apple's "walled garden" architecture, designed to protect users from people who haven't given Apple $99 [https://de

3 min Metasploit Weekly Wrapup

Weekly Metasploit Wrapup

Welcome to another edition of the increasingly inaccurately named Weekly Wrap up! I'm egypt [] and I'll be your host. Since the last one of these, a lot of work has landed on the Framework. I talked about some of it with a bit of a yearly wrapup at my Derbycon talk []. We also had a fun time at the Metasploit Townhall []. One of the recent things I didn't cover is the super cool BusyBo

1 min Metasploit

Workspace in your prompt

This is the simple prompt that msfconsole gives you by default: The second part, "exploit(psexec)" shows your current context is the exploit module named psexec. You can't change that because it's an important indicator of where you are. The first part, though, is just a default string to tell you you're in msfconsole. It can be controlled with the global Prompt option; you can set it to whatever you want: setg Prompt lolhax But that's not too exciting. To make it more interesting, there a

3 min Payload

Shellcode Golf: Every Byte is Sacred

Shellcode is an exercise in trade-offs. To be really flexible and fit in the most exploits, shellcode must be small.  On the other side of the scale, there are certain features that you need or want, each adding to the size. For instance, doing DNS resolution in the first stage payload is useful, but (in Windows) requires adding 80 bytes to the stager. So we have to balance size, which is very important for compatibility with some exploits that have limited buffers to work with, with features a

3 min Metasploit

Fun With VMware Utilities: vmware_mount Exploit (CVE-2013-1662)

On August 22, Tavis Ormandy dropped a bug in VMWare [] that takes advantage of a build configuration in Linux distributions. Providing you have user-level access to a Debian or Ubuntu box with VMWare installed, this exploit gives you root access. It's a fun bug and I want to explain how the Metasploit module for it works: The background There's this thing called priv_mode in bash that means it will drop privs if euid != uid. Anyone who h

2 min Metasploit

Weekly Update: Fun with ZPanel, MoinMoin, and FreeBSD

Chaining Zpanel Exploits for Remote Root ZPanel is a fun, open source web hosting control panel, written in code auditors' favorite language, PHP. For bonus points, ZPanel likes to do some things as root, so it installs a nifty little setuid binary called 'zsudo' that does pretty much what you might expect from a utility of that name -- without authentication. In the wake of some harsh words on reddit and elsewhere in regard to the character of ZPanel's development team, the project came to the

2 min Product Updates

Weekly Update: Smaller is Better

In this week's episode, the role of Tod Beardsley will be played by egypt. Smaller is better Perhaps the most prominent addition to the framework this week is not an addition at all, but rather a deletion. We've been working toward a slimmer, more manageable source tree for a while now, and as part of that effort, we recently removed a pile of old-and-busted unit tests. This update goes a bit further, moving source code for some compiled payloads into seperate repositories. Metasploit's version

5 min Exploits

Stage Encoding -or- How I Learned to Stop Worrying and Love the String#<<Operator

As I mentioned in my post about compiling on the fly [/2013/01/08/compiling-payloads-on-the-fly-for-postgresql], encoders' primary purpose in life is to avoid bad characters in a payload. To recap, the main reason a character is considered "bad" is that some aspect of the exploit makes use of that character impossible.  One reason this might be the case is when a character gets stripped out or mangled along its journey through protocol decoding. For example, in the telnet protocol, \xff is the I

1 min Exploits

Serialization Mischief Redux: Exploit for Ruby on Rails CVE-2013-0333

This afternoon, another scary advisory [!topic/rubyonrails-security/1h2DR63ViGo] was posted to the Ruby on Rails security discussion list. Fortunately, this one doesn't affect any Metasploit products. The previous advisory [!topic/rubyonrails-security/61bkgvnSGTQ/discussion] (that HD talked about here [/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156]) dealt with Rails parameter parsing of XML from a POS

4 min

Compiling payloads on the fly for PostgreSQL

The update from 2012-12-14 [/2012/12/14/weekly-metasploit-update] contains a new module that brings code execution on an authenticated Postgres database to Linux. Metasploit has had this capability on Windows for quite some time but it took community contributor midnitesnake to scratch this particular itch. There are two reasons I'd like to talk about this module. First, it's not an exploit in the traditional sense because the vulnerability it takes advantage of is not really a vulnerability. Po

2 min Metasploit

Introduction to Metasploit Hooks

Metasploit provides many ways to simplify your life as a module developer. One of the less well-known of these is the presence of various hooks you can use for processing things at important stages of the module's lifetime. The basic one that anyone who has written an exploit will be familiar with is exploit, which is called when the user types the exploit command. That method is common to all exploit modules. Aux and post modules have an analogous run method. Common to all the runnable modules

1 min Metasploit

Current User psexec

At DEF CON this year I talked about some of the post exploitation capabilities within Metasploit and demo'd a cool technique I developed with Jabra on a pentest a year or so ago (I later found out that Mubix had come up with basically the same idea - great minds think alike). It is essentially this: use a session's current token to create a remote service on a victim machine. It takes advantage of a feature in Windows that most people take completely for granted. Given that you are already logg

3 min Exploits

Press F5 for root shell

As HD mentioned [/2012/06/11/scanning-for-vulnerable-f5-bigips-with-metasploit], F5 has been inadvertently shipping a static ssh key that can be used to authenticate as root on many of their BigIP devices. Shortly after the advisory, an anonymous contributor hooked us up with the private key. Getting down to business, here it is in action:     18:42:35 0 exploit(f5_bigip_known_privkey) > exploit     [ ] Successful login     [*] Found shell.     [*] Command shell session 3 opened ([redacted]

2 min

Eternal Sunshine of the Spotless RAM

The purpose of this post is to point out a little-known jewel -- the -m flag to meterpreter's execute command. The help tells us that this flag causes the executable to "Execute from memory" but that doesn't really explain it. Here's an example of the -m option in action: meterpreter > pwd C:\Windows\SYSTEM32 meterpreter > download cmd.exe [*] downloading: cmd.exe -> cmd.exe [*] downloaded : cmd.exe -> cmd.exe meterpreter > execute -H -m -d calc.exe -i -f cmd.exe Process 572 created. Channel 5