Posts by Juan Vazquez

2 min Haxmas

12 Days of HaXmas: SAP Hacking

This post is the first in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements in the Metasploit Framework over the course of 2013. This year, 2013, saw the disclosure of a banking Trojan modified to look for SAP GUI installations, a concerning sign that SAP system hacking has gone into mainstream cybercrime. Once the domain of a few isolated APT attacks, SAP appears to be in the crosshairs of hackers who know just how much sensitive data ERP systems house.

4 min Metasploit

Bypassing Adobe Reader Sandbox with Methods Used In The Wild

Recently, FireEye identified and shared information [http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html] about two vulnerabilities used in the wild to exploit Adobe Reader on Windows XP SP3 systems. The vulnerabilities are: * CVE-2013-3346 [http://cvedetails.com/cve/CVE-2013-3346]: A Use After Free in Adobe Reader, specifically in the handling of a ToolButton object, which can be exploited through a document's Java

1 min Research

A Pentester's Introduction to SAP & ABAP

If you're conducting security assessments on enterprise networks, chances are that you've run into SAP systems. In this blog post, I'd like to give you an introduction to SAP and ABAP to help you with your security audit. The full SAP solution (ERP or SAP Business Suite) consists of several components. However, to manage the different areas of a large enterprise, probably one of the better known components or features of the SAP solution is the development system based on ABAP [http://en.wikipe

5 min Metasploit

Exploiting the Supermicro Onboard IPMI Controller

Last week @hdmoore [https://twitter.com/hdmoore] published the details about several vulnerabilities in the Supermicro IPMI firmware [/2013/11/06/supermicro-ipmi-firmware-vulnerabilities]. With the advisory's release, several modules landed in Metasploit to check Supermicro devices against several of the published vulnerabilities: Module Purpose smt_ipmi_static_cert_scanner [http://www.rapid7.com/db/modules/auxiliary/scanner/http/smt_ipmi_static_cert_scanner] This module ca

6 min Exploits

A History of Hard Conditions: Exploiting Linksys CVE-2013-3568

Introduction. Earlier this summer Craig Young [https://twitter.com/CraigTweets] posted on Bugtraq [http://seclists.org/bugtraq/2013/Jul/78] about a root command injection vulnerability in the Linksys WRT110 [http://support.linksys.com/en-us/support/routers/WRT110] router. This was a nice one because the request, although protected by basic authentication, is also exploitable through CSRF: Our awesome Joe Vennix [https://github.com/jvennix-r7] figured out the vulnerability and how to exploit it to

4 min Metasploit

Change the Theme, Get a Shell: Remote Code Execution with MS13-071

Recently we've added an exploit for MS13-071 [https://www.rapid7.com/db/vulnerabilities/windows-hotfix-ms13-071] to Metasploit. Rated as "Important" by Microsoft, this remote code execution, found by Eduardo Prado, for Windows XP and Windows 2003 environments is achieved by handling specially crafted themes. In this blog post we would like to discuss the vulnerability and give some helpful tips for exploiting it from Metasploit. First of all, the bug occurs while handling the [boot] section on

3 min Metasploit

Time To Patch Joomla

Joomla released earlier this month a security advisory [http://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads] for unauthorized uploads affecting Joomla! version 2.5.13 and earlier 2.5.x versions, and version 3.1.4 and earlier 3.x versions. Later, news emerged that the vulnerability had been exploited in the wild. According to Versafe, who reported and analyzed the attack in the wild [http://www.versafe-login.com/?q=whitepapers-and-online-threats-resea

6 min Metasploit

Good Exploits Never Die: Return of CVE-2012-1823

According to Parallels, "Plesk is the most widely used hosting control panel solution, providing everything needed for creating and offering rich hosting plans and managing customers and resellers, including an intuitive User Interface for setting up and managing websites, email, databases, and DNS." (source: Parallels [http://www.parallels.com/products/plesk/webhosters/]). On Jun 05 kingcope shocked the Plesk world by announcing a new 0-day which could allow remote command execution: Accordi

13 min Metasploit

From the Wild to Metasploit: Exploit for MoinMoin Wiki (CVE-2012-6081)

Recently we've added to Metasploit a module for CVE-2012-6081 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6081], an arbitrary file upload vulnerability affecting version 1.9.5 (patched!) of the MoinMoin [http://moinmo.in/] Wiki software. In this blog entry we would like to share both the vulnerability details and how this one was converted into RCE (exploited in the wild!), because the exploitation is quite interesting and several details must be taken into account to successfully e

8 min Metasploit

New 1day Exploits: Mutiny Vulnerabilities

6 min Exploits

Compromising Embedded Linux Routers with Metasploit

Normally we don't get a lot of contributions regarding embedded devices, even though they are an interesting target from a pentesting point of view, and it is usual to find them outside DMZ zones on corporate networks. Maybe it's because access to these devices, or to the software running on top of them, is not so easy. Maybe it's because they are usually based on MIPS architectures, which haven't received as much attention as x86 or ARM. Or maybe it's because it's not always so easy to run their softwa

5 min Exploits

Exploit for new Vulnerability on Honeywell EBI ActiveX (CVE-2013-0108)

Today, we present to you a new vulnerability, CVE-2013-0108 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0108], discovered in Honeywell Enterprise Buildings Integrator (EBI) [https://buildingsolutions.honeywell.com/Cultures/en-US/ServicesSolutions/BuildingManagementSystems/EnterpriseBuildingsIntegrator/] R310 - R410.2. This platform is used to integrate different systems and devices such as heating, ventilation, and air conditioning (HVAC) controls; security; access control; life sa

3 min Java

Java 7 Exploit for CVE-2013-0431 in the Wild

According to the latest news [http://malware.dontneedcoffee.com/2013/02/cve-2013-0431-java-17-update-11.html], exploit kits such as Cool EK and Popads are integrating a new exploit for Java, targeting Java 7u11. An exploit for CVE-2013-0431 has been analyzed and shared by SecurityObscurity [http://security-obscurity.blogspot.com/2013/01/about-new-java-0-day-vulnerability.html], and is also now available as a Metasploit module with some improvements for testability. We would like to use this b

10 min Exploits

New Java Modules in Metasploit... No 0 days this time

Last year Security Explorations published some awesome research [http://www.security-explorations.com/en/SE-2012-01.html], exploring the security state of Oracle's Java SE and disclosing different vulnerabilities and exploit vectors in this software. In fact, some of the latest Java exploits found in the wild have been using techniques from that research. Today we're publishing two new modules exploiting some of the documented issues. In this blog post we would like to share somet

8 min Metasploit

New Metasploit Exploit: Crystal Reports Viewer CVE-2010-2590

In this blog post we would like to share some details about the exploit for CVE-2010-2590 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2590], which we released in the last Metasploit update [/2012/12/19/weekly-metasploit-update]. This module exploits a heap-based buffer overflow, discovered by Dmitriy Pletnev, in the CrystalReports12.CrystalPrintControl.1 ActiveX control included in PrintControl.dll. This control is shipped with the Crystal Reports Viewer, as installed by default wi