Posts by Juan Vazquez

18 min

New 0day Exploits: Novell File Reporter Vulnerabilities

Today, we present to you several new vulnerabilities discovered in Novell File Reporter 1.0.2, which "helps organizations more effectively manage network storage by providing administrators the ability to access comprehensive network storage information so that they can determine the best means of addressing their storage content". Following our standard disclosure policy [http://www.rapid7.com/disclosure.jsp], we notified both Novell and CERT. Vulnerabilities Summary The four vulnerabilities p

8 min Exploits

New 0day Exploit: Novell ZENworks CVE-2012-4933 Vulnerability

Today, we present to you a flashy new vulnerability with a color-matching exploit straight from our super secret R&D safe house here in Metasploit Country. Known as CVE-2012-4933 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4933], it applies to Novell ZENworks Asset Management 7.5, which "integrates asset inventory, software usage, software management and contract management to provide the most complete software asset management tool available". Following our standard disclosure poli

5 min Metasploit

New Metasploit Exploit: SAP NetWeaver CVE-2012-2611

In this blog post we would like to share some details about the SAP NetWeaver exploit for CVE-2012-2611 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2611], which we've recently added to Metasploit. This module exploits an unauthenticated buffer overflow, discovered by Martin Gallo, in the DiagTraceR3Info() function when tracing is enabled on SAP NetWeaver. It captured our attention due to the well documented technical details, and tools publicly available in order to trigger the vul

5 min

The Stack Cookies Bypass on CVE-2012-0549

In this blog post we would like to share some details about the Oracle AutoVue exploit for CVE-2012-0549 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0549] which we've recently added to the Metasploit Framework. This module exploits a buffer overflow flaw, discovered by Brian Gorenc. The problem arises when you call the SetMarkupMode function from the AutoVue control (clsid B6FCC215-D303-11D1-BC6C-0000C078797F) with a long sMarkup parameter. The buffer overflow, even when triggered

4 min

It isn't Always about Buffer Overflow

People often refer to exploits as your good old buffer overflows, but that's not always the case, as there are so many different types of vulnerabilities out there waiting to be found. One exploit in particular is the IBM Rational ClearQuest one, CVE-2012-0708 [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0708], which we've recently added [https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/clear_quest_cqole.rb] to the Metasploit Framework.

11 min Exploits

An example of EggHunting to exploit CVE-2012-0124

Recently, we added [https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/misc/hp_dataprotector_new_folder.rb] a module for CVE-2012-0124 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0124] which exploits a stack buffer overflow flaw in the backup management component of HP Data Protector Express [http://h18006.www1.hp.com/products/storage/software/datapexp/index.html]. The overflow occurs during the creation of new folders, and allows an authenticated us
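The egg-hunting idea behind the HP Data Protector Express module is that the small buffer you can overflow only holds a few bytes of code, so that stub scans memory for a marker ("egg") placed in front of a larger payload delivered elsewhere. The following is an added C example written for this page, not code from the Metasploit module or from Rapid7: it implements the search half of an egg hunter over a constructed memory region. The 4-byte tag "w00t", written twice so the hunter does not match its own copy of the tag, follows the convention common egg hunters use; the region layout, the payload string and the decoy offset are made up for the demonstration. A real hunter walks the whole address space and uses a syscall to skip unmapped pages; here the caller supplies a region known to be readable.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 4-byte egg tag. In memory the tag is stored twice back to back, so a
 * single copy (such as the one embedded in the hunter itself) is ignored. */
#define EGG     "w00t"
#define EGG_LEN 4

/* Scan [mem, mem + len) for two consecutive copies of EGG and return a
 * pointer to the first byte after them (the payload), or NULL if absent. */
const uint8_t *hunt_egg(const uint8_t *mem, size_t len)
{
    if (len < 2 * EGG_LEN)
        return NULL;
    for (size_t i = 0; i + 2 * EGG_LEN <= len; i++) {
        if (memcmp(mem + i, EGG, EGG_LEN) == 0 &&
            memcmp(mem + i + EGG_LEN, EGG, EGG_LEN) == 0)
            return mem + i + 2 * EGG_LEN;
    }
    return NULL;
}

/* Constructed example region: filler bytes, a decoy single tag at offset 100,
 * and the real doubled tag plus payload at EGG_OFFSET (assumed values). */
#define REGION_SIZE 4096
#define EGG_OFFSET  1500
#define PAYLOAD     "PAYLOAD-STAGE2"   /* stands in for the real second stage */

/* Build the region, run the hunter, and return the offset of the payload
 * it found (or -1). Expected: EGG_OFFSET + 2 * EGG_LEN == 1508. */
long build_and_hunt(void)
{
    static uint8_t region[REGION_SIZE];
    memset(region, 0x41, sizeof region);
    memcpy(region + 100, EGG, EGG_LEN);                     /* decoy, one copy */
    memcpy(region + EGG_OFFSET, EGG EGG, 2 * EGG_LEN);      /* real marker   */
    memcpy(region + EGG_OFFSET + 2 * EGG_LEN, PAYLOAD, sizeof PAYLOAD);

    const uint8_t *p = hunt_egg(region, sizeof region);
    if (p == NULL || strcmp((const char *)p, PAYLOAD) != 0)
        return -1;
    return (long)(p - region);
}

/* Region containing only the decoy: the hunter must report nothing. */
int decoy_only_is_ignored(void)
{
    static uint8_t region[REGION_SIZE];
    memset(region, 0x41, sizeof region);
    memcpy(region + 100, EGG, EGG_LEN);
    return hunt_egg(region, sizeof region) == NULL;
}

int main(void)
{
    printf("payload found at offset %ld\n", build_and_hunt());
    printf("decoy-only region ignored: %s\n",
           decoy_only_is_ignored() ? "yes" : "no");
    return 0;
}
```

In a real exploit the hunter itself is position-independent machine code a few dozen bytes long, and the scan loop has to survive reading unmapped addresses, which is why production egg hunters wrap each page probe in a syscall that returns an error instead of faulting. This example keeps the matching logic and leaves the page-validity check out.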

4 min Metasploit

Writing a Metasploit Exploit for the Adobe Flash Vulnerability CVE-2012-0779

Ever since the first sightings of a new zero-day attack (CVE-2012-0779 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0779]) on Adobe Flash last month, the exact path of exploitation has been somewhat of a mystery. The attacks were specifically targeted against defense contractors and other victims as part of a spear phishing attack, and included a Word document with a Flash (SWF) object. The infected machines were observed contacting malicious servers in China, Korea, and the United

4 min Exploits

My First Week at Metasploit

Hi all. I would like to take a minute to share some of my feelings about my first week here as a full-time Metasploit exploit developer, and share some exploit modules. First of all, I would like to thank everyone on the Metasploit team for being so nice to me from the first week, and for helping me with anything I need. They are definitely going easy on me during my first days! Their support allowed me to build two exploits for the team during my first week here: * batic_svg_java [htt