6 min
Android
12 Days of HaXmas: A year of Metasploit Android exploits
This post is the ninth in a series, 12 Days of HaXmas, where we take a look at
some of the more notable advancements and events in the Metasploit Framework over
the course of 2014.
It has been a busy year for Android exploitation here at Metasploit. As the
makers of the greatest pentesting toolkit on the planet, vulnerabilities that
affect over 1 billion active devices greatly interest us, not to mention the
amazing independent researchers out in the world, such as Rafay Baloch
[https://twitter.
4 min
Javascript
12 Days of HaXmas: Improvements to jsobfu
This post is the third in a series, 12 Days of HaXmas, where we take a look at
some of the more notable advancements and events in the Metasploit Framework over
the course of 2014.
Several months ago, Wei sinn3r [https://twitter.com/_sinn3r] Chen and I landed
some improvements to Metasploit's Javascript obfuscator, jsobfu. Most notably,
we moved it out to its own repo [https://github.com/rapid7/jsobfu] and gem
[https://rubygems.org/gems/jsobfu], wrapped it in tests, beefed up its AV
resilience, and
5 min
Exploits
Exploiting CSRF under NoScript Conditions
CSRFs -- or Cross-Site Request Forgery [https://www.owasp.org/index.php/CSRF]
vulnerabilities -- occur when a server accepts requests that can be “spoofed”
from a site running on a different domain. The attack goes something like this:
you, as the victim, are logged in to some web site, like your router
configuration page, and have a valid session token. An attacker gets you to
click on a link that sends commands to that web site on your behalf, without
your knowledge.
These vulnerabilities ca
2 min
Exploits
New Metasploit Payloads for Firefox Javascript Exploits
Those of you with a keen eye on metasploit-framework/master
[https://github.com/rapid7/metasploit-framework] will notice the addition of
three new payloads:
* firefox/shell_reverse_tcp
* firefox/shell_bind_tcp
* firefox/exec
These are Javascript payloads meant for executing in a privileged Javascript
context inside of Firefox. By calling certain native functions not meant to be
exposed to ordinary web content, a classic TCP command shell can be opened. To a
pentester, these payloads are use
4 min
Ruby on Rails
12 Days of HaXmas: Exploiting (and Fixing) RJS Rails Info Leaks
This post is the fifth in a series, 12 Days of HaXmas, where we take a look at
some of the more notable advancements in the Metasploit Framework over the course of
2013.
Several weeks ago, Egor Homakov wrote a blog post
[http://homakov.blogspot.com/2013/11/rjs-leaking-vulnerability-in-multiple.html]
pointing out a common info leak vulnerability in many Rails apps that utilize
Remote JavaScript. The attack vector and implications can be hard to wrap your
head around, so in this post I'll explain ho
5 min
Apple
Abusing Safari's webarchive file format
tldr: For now, don't open .webarchive files, and check the Metasploit module,
Apple Safari .webarchive File Format UXSS
[https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/apple_safari_webarchive_uxss.rb]
Safari's webarchive format saves all the resources in a web page - images,
scripts, stylesheets - into a single file. A flaw exists in the security model
behind webarchives that allows us to execute script in the context of any domain
(a Universal Cross-site S