Posts by Juan Vazquez

Flipping bits in the Windows Kernel

Recently, the MS15-061 bulletin has received some attention. This security bulletin includes patches for several Windows Kernel vulnerabilities, mainly related to win32k.sys. Details of one of them, discovered by Udi Yavo, have been very well covered. First, the same Udi Yavo published details about the Use After Free on a blog entry [http://breakingmalware.com/vulnerabilities/class-dismissed-4-use-after-free-vulnerabilities-in-windows/] . Later, Dominic Wang [https://twitter.com/d0mzw] wrote a

20 min Metasploit

A debugging session in the kernel

Last week, an awesome paper [https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/september/exploiting-cve-2015-2426-and-how-i-ported-it-to-a-recent-windows-8.1-64-bit/] about the MS15-078 vulnerability and it's exploitation was published by Cedric Halbronn [https://twitter.com/saidelike]. This vulnerability, originally found and exploited by Eugene Ching [https://twitter.com/eugeii], already has a work-in-progress module in Metasploit, which you can follow on github [https://

13 min Metasploit

Using Reflective DLL Injection to exploit IE Elevation Policies

As you are probably aware, sandbox bypasses are becoming a MUST when exploiting desktop applications such as Internet Explorer. One interesting class of sandbox bypasses abuse IE's Elevation Policies. An example of this type of sandbox bypass is CVE-2015-0016 [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0016]. The vulnerability has already been analyzed by Henry Li, who published a complete description in this blog entry [http://blog.trendmicro.com/trendlabs-security-intelligence/

5 min Exploits

Revisiting an Info Leak

Today an interesting tweet [https://twitter.com/Laughing_Mantis/status/631170614720462848] from Greg Linares [https://twitter.com/Laughing_Mantis] (who has been posting awesome analysis on twitter lately!) came to our attention, concerning the MS15-080 [https://technet.microsoft.com/en-us/library/security/ms15-080.aspx] patch: This patch (included in MS15-080) may have been intended stop one of the Window kernel bugs exploited by Hacking Team. But, after our analysis, it appears that there is

11 min Exploits

Exploiting a 64-bit browser with Flash CVE-2015-5119 (Part 2)

This post is a continuation of Exploiting a 64-bit browser with Flash CVE-2015-5119 [/2015/07/31/supporting-a-64-bits-renderer-on-flash-cve-2015-5119] , where we explained how to achieve arbitrary memory read/write on a 64-bit IE renderer. As a reminder, we are targeting Windows 8.1 / IE11 (64 bits) with Flash 15.0.0.189. Of course, this write-up may contain a few errors, so your mileage may vary =) Where we left off before, we had created an interface to work with memory by using a corrupted

3 min Exploits

Exploiting a 64-bit browser with Flash CVE-2015-5119

Some weeks ago, on More Flash Exploits in the Framework [/2015/06/30/more-on-flash-exploits-into-the-framework], we introduced the flash_exploiter library, which is used by Metasploit to quickly add new Flash exploit modules. If you read that blog entry, then you already know that flash_exploiter only supports 32-bit browsers (renderers). In this blog post, we will demonstrate initial steps in adding IE11 64-bit support to CVE-2015-5119 [http://www.cvedetails.com/cve/CVE-2015-5119/] , which is o

8 min Flash

More Flash Exploits in the Framework

As todb [/author/tod-beardsley/] pointed out in the last weekly metasploit update wrapup [/2015/06/26/weekly-metasploit-wrapup] we recently added two new exploits for Flash: CVE-2015-3090 [http://www.cvedetails.com/cve-details.php?cve_id=CVE-2015-3090] and CVE-2015-3105 [http://www.cvedetails.com/cve-details.php?cve_id=CVE-2015-3105], based on the samples found in the wild. As you're probably aware, the last years, and especially the end of 2014 and 2015, Flash has become the trending target f

6 min Linux

12 Days of HaXmas: Meterpreter migration for Linux!

This post is the eleventh in a series, 12 Days of HaXmas, where we take a look at some of more notable advancements and events in the Metasploit Framework over the course of 2014. Hello everyone and Happy HaXmas (again) and New Year! On this HaXmas I would like to share with all you a new feature which I'm personally very happy with. It's nothing super new and has limitations, but it's the first meterpreter feature where I've been collaborating I feel really happy of sharing it with all you: su

6 min Haxmas

12 Days of HaXmas: MS14-068, now in Metasploit!

This post is the first in a series, 12 Days of HaXmas, where we take a look at some of more notable advancements in the Metasploit Framework over the course of 2014. Hello everyone and Happy HaXmas! In November of 2014, a really interesting vulnerability was published on Microsoft Windows Kerberos, maybe you have already heard about it... MS14-068 [https://technet.microsoft.com/en-us/library/security/ms14-068.aspx]. Microsoft published an blog post [http://blogs.technet.com/b/srd/archive/2014/1

4 min

R7-2014-06 Disclosure: CVE-2014-3888 Yokogawa CENTUM CS 3000 BKFSim_vhfd.exe Buffer Overflow

Last March 8th, @julianvilas [https://twitter.com/julianvilas] and I spoke at RootedCON [https://www.rootedcon.es/?lang=en] about our work with the Yokogawa CENTUM CS3000 product. As noted in the talk, we are releasing information about all of the vulnerabilities we found in the product at the time. Today, we're disclosing the last one of the discovered vulnerabilities. For all of you who weren't able to attend RootedCON [https://www.rootedcon.es/?lang=en], we're going just to quote the Yokoga

3 min Vulnerability Disclosure

R7-2013-19.2 Disclosure: Yokogawa CENTUM CS 3000 BKESimmgr.exe Buffer Overflow (CVE-2014-0782)

Last March 8th, @julianvilas [https://twitter.com/julianvilas] and I spoke at RootedCON [https://www.rootedcon.es/?lang=en] about our work with the Yokogawa CENTUM CS3000 product, and disclosed three of the vulnerabilities we found on March 10 [/2014/03/10/yokogawa-centum-cs3000-vulnerabilities] on this blog. As noted in the talk, we intended to release information about all of the vulnerabilities we found in the product at the time. Today, after some negotiation with Yokogawa and ICS-CERT, we'

13 min Zero-day

R7-2013-19 Disclosure: Yokogawa CENTUM CS 3000 Vulnerabilities

On Saturday, March 8th, @julianvilas [https://twitter.com/julianvilas] and I spoke at RootedCON [https://www.rootedcon.es/?lang=en] about our work with the Yokogawa CENTUM CS3000 product. Today, as promised, we're publishing details for three of the vulnerabilities found in the product. For all of you who weren't able to attend RootedCON, we're going just to quote the Yokogawa description of their own product [http://www.yokogawa.com/dcs/products/cs3000/overview/dcs-3k-0101en.htm] in order to in

1 min Exploits

Metasploit at RootedCON 2014 in Madrid

First of all let me share with all you, I'm really excited to write this blog post! This week RootedCON [https://www.rootedcon.es/?lang=en] 2014 will be happening in Spain and we got a talk accepted with @julianvilas [https://twitter.com/julianvilas]! The talk's title is not very self-explanatory: "Kicking SCADA Around." So, in case you are interested in attending here is a little more information about the presentation. We plan to share with the audience our experience while dissecting a widel

3 min

News on the Embedded Systems Land

Last year we worked hard to improve the embedded devices capabilities available on Metasploit collaborating with awesome guys like m-1-k-3 [https://twitter.com/s3cur1ty_de] to add new modules and capabilities [/2013/04/05/compromising-embedded-linux-routers-with-metasploit], collaborating [/2013/07/02/a-penetration-testers-guide-to-ipmi] and conducting research [/2013/11/06/supermicro-ipmi-firmware-vulnerabilities] like in the IPMI related work by HD Moore [https://twitter.com/hdmoore], or shari