Metasploit
Flipping bits in the Windows Kernel
Recently, the MS15-061 bulletin has received some attention. This security
bulletin includes patches for several Windows Kernel vulnerabilities, mainly
related to win32k.sys. Details of one of them, discovered by Udi Yavo, have been
very well covered.
First, the same Udi Yavo published details about the Use After Free on a blog
entry
[http://breakingmalware.com/vulnerabilities/class-dismissed-4-use-after-free-vulnerabilities-in-windows/].
Later, Dominic Wang [https://twitter.com/d0mzw] wrote a
Metasploit
A debugging session in the kernel
Last week, an awesome paper
[https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/september/exploiting-cve-2015-2426-and-how-i-ported-it-to-a-recent-windows-8.1-64-bit/]
about the MS15-078 vulnerability and its exploitation was published by Cedric
Halbronn [https://twitter.com/saidelike]. This vulnerability, originally found
and exploited by Eugene Ching [https://twitter.com/eugeii], already has a
work-in-progress module in Metasploit, which you can follow on github
[https://
Metasploit
Using Reflective DLL Injection to exploit IE Elevation Policies
As you are probably aware, sandbox bypasses are becoming a MUST when exploiting
desktop applications such as Internet Explorer. One interesting class of sandbox
bypasses abuses IE's Elevation Policies. An example of this type of sandbox
bypass is CVE-2015-0016
[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0016]. The
vulnerability has already been analyzed by Henry Li, who published a complete
description in this blog entry
[http://blog.trendmicro.com/trendlabs-security-intelligence/
Exploits
Revisiting an Info Leak
Today an interesting tweet
[https://twitter.com/Laughing_Mantis/status/631170614720462848] from Greg
Linares [https://twitter.com/Laughing_Mantis] (who has been posting awesome
analysis on twitter lately!) came to our attention, concerning the MS15-080
[https://technet.microsoft.com/en-us/library/security/ms15-080.aspx] patch:
This patch (included in MS15-080) may have been intended to stop one of the Windows
kernel bugs exploited by Hacking Team. But, after our analysis, it appears that
there is
Exploits
Exploiting a 64-bit browser with Flash CVE-2015-5119 (Part 2)
This post is a continuation of Exploiting a 64-bit browser with Flash
CVE-2015-5119 [/2015/07/31/supporting-a-64-bits-renderer-on-flash-cve-2015-5119],
where we explained how to achieve arbitrary memory read/write on a 64-bit IE
renderer. As a reminder, we are targeting Windows 8.1 / IE11 (64 bits) with
Flash 15.0.0.189. Of course, this write-up may contain a few errors, so your
mileage may vary =)
Where we left off before, we had created an interface to work with memory by
using a corrupted
Exploits
Exploiting a 64-bit browser with Flash CVE-2015-5119
Some weeks ago, on More Flash Exploits in the Framework
[/2015/06/30/more-on-flash-exploits-into-the-framework], we introduced the
flash_exploiter library, which is used by Metasploit to quickly add new Flash
exploit modules. If you read that blog entry, then you already know that
flash_exploiter only supports 32-bit browsers (renderers). In this blog post, we
will demonstrate initial steps in adding IE11 64-bit support to CVE-2015-5119
[http://www.cvedetails.com/cve/CVE-2015-5119/], which is o
Flash
More Flash Exploits in the Framework
As todb [/author/tod-beardsley/] pointed out in the last weekly metasploit
update wrapup [/2015/06/26/weekly-metasploit-wrapup] we recently added two new
exploits for Flash: CVE-2015-3090
[http://www.cvedetails.com/cve-details.php?cve_id=CVE-2015-3090] and
CVE-2015-3105 [http://www.cvedetails.com/cve-details.php?cve_id=CVE-2015-3105],
based on the samples found in the wild.
As you're probably aware, in the last few years, and especially the end of 2014 and
2015, Flash has become the trending target f
Linux
12 Days of HaXmas: Meterpreter migration for Linux!
This post is the eleventh in a series, 12 Days of HaXmas, where we take a look
at some of the more notable advancements and events in the Metasploit Framework
over the course of 2014.
Hello everyone and Happy HaXmas (again) and New Year! On this HaXmas I would
like to share with all of you a new feature which I'm personally very happy with.
It's nothing super new and has limitations, but it's the first meterpreter
feature I've been collaborating on, and I feel really happy sharing it with all
of you: su
Haxmas
12 Days of HaXmas: MS14-068, now in Metasploit!
This post is the first in a series, 12 Days of HaXmas, where we take a look at
some of the more notable advancements in the Metasploit Framework over the
course of 2014.
Hello everyone and Happy HaXmas! In November of 2014, a really interesting
vulnerability was published on Microsoft Windows Kerberos, maybe you have
already heard about it... MS14-068
[https://technet.microsoft.com/en-us/library/security/ms14-068.aspx]. Microsoft
published a blog post
[http://blogs.technet.com/b/srd/archive/2014/1
R7-2014-06 Disclosure: CVE-2014-3888 Yokogawa CENTUM CS 3000 BKFSim_vhfd.exe Buffer Overflow
Last March 8th, @julianvilas [https://twitter.com/julianvilas] and I spoke at
RootedCON [https://www.rootedcon.es/?lang=en] about our work with the Yokogawa
CENTUM CS3000 product. As noted in the talk, we are releasing information about
all of the vulnerabilities we found in the product at the time. Today, we're
disclosing the last one of the discovered vulnerabilities.
For all of you who weren't able to attend RootedCON
[https://www.rootedcon.es/?lang=en], we're just going to quote the Yokoga
Vulnerability Disclosure
R7-2013-19.2 Disclosure: Yokogawa CENTUM CS 3000 BKESimmgr.exe Buffer Overflow (CVE-2014-0782)
Last March 8th, @julianvilas [https://twitter.com/julianvilas] and I spoke at
RootedCON [https://www.rootedcon.es/?lang=en] about our work with the Yokogawa
CENTUM CS3000 product, and disclosed three of the vulnerabilities we found on
March 10 [/2014/03/10/yokogawa-centum-cs3000-vulnerabilities] on this blog. As
noted in the talk, we intended to release information about all of the
vulnerabilities we found in the product at the time. Today, after some
negotiation with Yokogawa and ICS-CERT, we'
Zero-day
R7-2013-19 Disclosure: Yokogawa CENTUM CS 3000 Vulnerabilities
On Saturday, March 8th, @julianvilas [https://twitter.com/julianvilas] and I
spoke at RootedCON [https://www.rootedcon.es/?lang=en] about our work with the
Yokogawa CENTUM CS3000 product. Today, as promised, we're publishing details for
three of the vulnerabilities found in the product. For all of you who weren't
able to attend RootedCON, we're just going to quote the Yokogawa description of
their own product
[http://www.yokogawa.com/dcs/products/cs3000/overview/dcs-3k-0101en.htm] in
order to in
Exploits
Metasploit at RootedCON 2014 in Madrid
First of all, let me share with all of you that I'm really excited to write this
blog post! This week RootedCON [https://www.rootedcon.es/?lang=en] 2014 will be
happening in Spain and we got a talk accepted with @julianvilas
[https://twitter.com/julianvilas]! The talk's title is not very
self-explanatory: "Kicking SCADA Around." So, in case you are interested in
attending, here is a little more information about the presentation.
We plan to share with the audience our experience while dissecting a widel
News on the Embedded Systems Land
Last year we worked hard to improve the embedded-device capabilities available
in Metasploit, collaborating with awesome guys like m-1-k-3
[https://twitter.com/s3cur1ty_de] to add new modules and capabilities
[/2013/04/05/compromising-embedded-linux-routers-with-metasploit], collaborating
[/2013/07/02/a-penetration-testers-guide-to-ipmi] and conducting research
[/2013/11/06/supermicro-ipmi-firmware-vulnerabilities] like in the IPMI-related
work by HD Moore [https://twitter.com/hdmoore], or shari
Exploits
12 Days of HaXmas: BMC and IPMI Research and Exploitation
This post is the sixth in a series, 12 Days of HaXmas, where we take a look at
some of the more notable advancements in the Metasploit Framework over the
course of 2013.
This year, infosec superstars Dan Farmer [http://fish2.com/security/] and HD
Moore [https://twitter.com/hdmoore] have been making an impressive effort to
spread warnings about Baseboard Management Controllers (BMCs), which are used to
provide remote management capabilities for servers and installed in nearly all
servers manufactured