Posts by joev

6 min Android

12 Days of HaXmas: A year of Metasploit Android exploits

This post is the ninth in a series, 12 Days of HaXmas, where we take a look at some of more notable advancements and events in the Metasploit Framework over the course of 2014. It has been a busy year for Android exploitation here at Metasploit. As the makers of the greatest pentesting toolkit on the planet, vulnerabilities that affect over 1 billion active devices greatly interest us, not to mention the amazing independent researchers out in the world, such as Rafay Baloch [https://twitter.

4 min Javascript

12 Days of HaXmas: Improvements to jsobfu

This post is the third in a series, 12 Days of HaXmas, where we take a look at some of more notable advancements and events in the Metasploit Framework over the course of 2014. Several months ago, Wei sinn3r [https://twitter.com/_sinn3r] Chen and I landed some improvements to Metasploit's Javascript obfuscator, jsobfu. Most notably, we moved it out to its own repo [https://github.com/rapid7/jsobfu] and gem [https://rubygems.org/gems/jsobfu], wrapped it in tests, beefed up its AV resilience, and

5 min Exploits

Exploiting CSRF under NoScript Conditions

CSRFs -- or Cross-Site Request Forgery [https://www.owasp.org/index.php/CSRF] vulnerabilities -- occur when a server accepts requests that can be “spoofed” from a site running on a different domain. The attack goes something like this: you, as the victim, are logged in to some web site, like your router configuration page, and have a valid session token. An attacker gets you to click on a link that sends commands to that web site on your behalf, without your knowledge. These vulnerabilities ca

2 min Exploits

New Metasploit Payloads for Firefox Javascript Exploits

Those of you with a keen eye on metasploit-framework/master [https://github.com/rapid7/metasploit-framework] will notice the addition of three new payloads: * firefox/shell_reverse_tcp * firefox/shell_bind_tcp * firefox/exec These are Javascript payloads meant for executing in a privileged Javascript context inside of Firefox. By calling certain native functions not meant to be exposed to ordinary web content, a classic TCP command shell can be opened. To a pentester, these payloads are use

4 min Ruby on Rails

12 Days of HaXmas: Exploiting (and Fixing) RJS Rails Info Leaks

This post is the fifth in a series, 12 Days of HaXmas, where we take a look at some of more notable advancements in the Metasploit Framework over the course of 2013. Several weeks ago, Egor Homakov wrote a blog post [http://homakov.blogspot.com/2013/11/rjs-leaking-vulnerability-in-multiple.html] pointing out a common info leak vulnerability in many Rails apps that utilize Remote JavaScript. The attack vector and implications can be hard to wrap your head around, so in this post I'll explain ho

5 min Apple

Abusing Safari's webarchive file format

tldr: For now, don't open .webarchive files, and check the Metasploit module, Apple Safari .webarchive File Format UXSS [https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/apple_safari_webarchive_uxss.rb] Safari's webarchive format saves all the resources in a web page - images, scripts, stylesheets - into a single file. A flaw exists in the security model behind webarchives that allows us to execute script in the context of any domain (a Universal Cross-site S