Metasploit
R7-2014-05 Vulnerability in Metasploit Modules (Fixed)
Metasploit Pro, Community, and Express users are urged to update to the latest
version of Metasploit to receive the patch for the described vulnerability. Kali
Linux users should use the normal 'apt-get update' method of updating, while
other Metasploit Pro, Community, and Express users can use the in-application
Administration : Software Updates button.
A remote privilege escalation vulnerability has been discovered by Ben Campbell
of MWR InfoSecurity [https://labs.mwrinfosecurity.com/advisori
Apple
Metasploit Weekly Update: There's a Bug In Your Brain
Running Malicious Code in Safari
The most fun module this week, in my humble opinion, is from Rapid7's own
Javascript Dementor, Joe Vennix [https://twitter.com/joevennix]. Joe wrote up
this crafty implementation of a Safari User-Assisted Download and Run Attack
[http://www.metasploit.com/modules/exploit/osx/browser/safari_user_assisted_download_launch]
, which is not technically a vulnerability or a bug or anything -- it's a
feature that ends up being a kind of a huge risk. Here's how it goes:
Open Source
Metasploit Weekly Update: On Breaking (and Fixing!) Security Software
Attacking Security Infrastructure
This week, one module stands out for me: the Symantec Endpoint Protection
Manager Remote Command Execution by xistence [https://github.com/xistence], who
built on the proof-of-concept code from Chris Graham
[http://www.exploit-db.com/exploits/31853/], who turned that out after Stefan
Viehbock's disclosure from last week. You can read the full disclosure text
from
SEC Consult Vulnerability Lab [https://sec-consult.com/vulnerability-lab/], and
get an idea of the s
Exploits
Metasploit Weekly Update: Video Chat, Meterpreter Building, and a Fresh MediaWiki Exploit
"It's Like Chat Roulette for Hackers"
The coolest thing this week... wait, let me start again.
The coolest thing this year is Wei sinn3r [https://twitter.com/_sinn3r] Chen's
brand new amazesauce, humbly named webcam_chat. I know he just posted all about
it [/2014/02/18/lets-talk-about-your-security-breach-with-metasploit-literally]
yesterday, but I just want to reiterate how useful and hilarious this piece of
post-exploit kit really is.
First off, it's entirely peer-to-peer. The communicati
Exploits
Weekly Metasploit Update: Feb. 13, 2014
Android WebView Exploit, 70% Devices Vulnerable
This week, the biggest news I think we have is the release of Joe Vennix and
Josh @jduck Drake's hot new/old Android WebView exploit. I've been running it
for the last day or so out on the Internet, with attractive posters around the
Rapid7 offices (as seen here) in an attempt to pwn something good. I've popped
a couple shells; I guess I didn't make my QR Code attractive enough.
Seriously, though, this vulnerability is kind of a huge d
Metasploit
Weekly Metasploit Update: ADSI support and MSFTidy for sanity
Meterpreter ADSI support
We ended up skipping last week's update since upwards of 90% of Rapid7 folks
were Shanghaied up to Boston, in the dead of winter, with only
expense-reportable booze to keep us warm at night. So, with much fanfare comes
this week's update, featuring the all new ADSI interface for Meterpreter, via OJ
TheColonial [https://twitter.com/TheColonial] Reeves' Extended API.
Lucky for us, and you, Carlos DarkOperator [https://twitter.com/DarkOperator]
Perez was not ensconced i
Metasploit
Weekly Metasploit Update: Talking PJL With Printers
Abusing Printers with PJL
This week's release features a half dozen new modules that seek out printers
that talk the Printer Job Language (PJL) for use and abuse. Huge thanks to our
newest full time Metasploit trouble maker, William Vu
[https://twitter.com/wvuuuuuuuuuuuuu].
As a penetration tester, you probably already know that office printers
represent tasty targets. Like most hardware with embedded systems, they rarely,
if ever, get patches. They don't often have very serious security controls
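To make the PJL angle concrete, here is an added example (written for this page, not code from the original post or from the Metasploit printer modules) of the request a PJL probe sends and how a reply to it is parsed. The UEL prefix and the `@PJL INFO ID` reply format are standard PJL; the printer reply below is constructed, and the `query_printer_id` helper, its name and its host/port parameters are this example's own.

```ruby
# Added example: minimal PJL INFO ID probe of the kind a printer-discovery
# module sends to a raw JetDirect port. Not part of the original post or of
# the Metasploit modules it mentions.

# Universal Exit Language sequence: every PJL job is bracketed by it so the
# printer's current language (PCL, PostScript) drops out to the PJL layer.
UEL = "\x1b%-12345X".b

# Build a PJL INFO request for a category such as "ID" or "STATUS".
def pjl_info_request(category)
  "#{UEL}@PJL INFO #{category}\r\n#{UEL}".b
end

# Parse a printer's reply to "@PJL INFO ID". Real devices answer
#   @PJL INFO ID\r\n"<model string>"\r\n\f
# Returns the model string, or nil if the data is not an INFO ID reply.
def parse_pjl_info_id(reply)
  m = reply.match(/\A@PJL INFO ID\r?\n"([^"]*)"\r?\n\f?/)
  m && m[1]
end

# Constructed sample reply (not captured from a real printer), used to
# exercise the parser offline.
SAMPLE_REPLY = "@PJL INFO ID\r\n\"HP LaserJet 4250\"\r\n\f".b

# Network variant (hypothetical helper): ask a printer on TCP 9100 for its ID.
# Reads until the form feed that terminates the reply or until the timeout,
# since many devices never close the connection on their own.
def query_printer_id(host, port: 9100, timeout: 5)
  require 'socket'
  Socket.tcp(host, port, connect_timeout: timeout) do |sock|
    sock.write(pjl_info_request('ID'))
    reply = ''.b
    while IO.select([sock], nil, nil, timeout)
      chunk = sock.read_nonblock(4096, exception: false)
      break if chunk.nil? || chunk == :wait_readable   # EOF or spurious wakeup
      reply << chunk
      break if reply.include?("\f")                    # end of PJL reply
    end
    parse_pjl_info_id(reply)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts pjl_info_request('ID').inspect
  puts parse_pjl_info_id(SAMPLE_REPLY)   # HP LaserJet 4250
end
```

The same request/parse pair generalises to the other INFO categories (STATUS, CONFIG, VARIABLES), which is how a scanner turns a single open port 9100 into a model string and a configuration dump without any authentication.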
Exploits
Weekly Metasploit Update: Arbitrary Driver Loading & Win a WiFi Pineapple
Wow, I don't know about you, kind reader, but I'm just about blogged out after
that 12 Days of HaXmas sprint. I'll try to keep this update short and sweet.
Arbitrary Driver Loading
This week's update includes a delightful new post module for managing a
compromised target, the Windows Manage Driver Loader by longtime Metasploit
community contributor, Borja Merino. If you, as a penetration tester, pop a box
and gain administrator rights (or elevate yourself there using any of the
several strateg
Haxmas
Metasploit's 12 Days of HaXmas
12 Days of HaXmas, Wrapped!
Over the actual Twelve Days of Christmas
[https://en.wikipedia.org/wiki/Twelve_Days_of_Christmas], we here in Metasploit
Nation have been celebrating the 12 Days of HaXmas by bringing our blog readers
a fresh post about Metasploit (and hackery in general) every day for twelve days
straight, all tagged under HaXmas. That conveniently lists all 12 posts in
reverse order, so as you scroll through the titles, you can sing along:
On the 12th day of HaXmas, my true love g
Authentication
12 Days of HaXmas: Diving Into Git for Current and Future Metasploit Devs
This post is the eleventh in a series, 12 Days of HaXmas, where we take a look
at some of the more notable advancements in the Metasploit Framework over the course
of 2013.
Make no mistake -- the initial learning curve for git and GitHub can be pretty
hairy. Way back in 2011, we made the initial move to GitHub for our source code
hosting, but it took us until 2013 to remove the last vestiges of our old SVN
infrastructure. In the meantime, we've picked up a fair amount of git and GitHub
smarts. For
Haxmas
12 Days of HaXmas: Meterpreter, Reloaded
This post is the third in a series, 12 Days of HaXmas, where we take a look at
some of the more notable advancements in the Metasploit Framework over the course of
2013.
Over the last quarter of 2013, we here in the Democratic Freehold of Metasploit
found that we needed to modernize our flagship remote access toolkit (RAT),
Meterpreter. That started with cleaving Meterpreter out of the main Metasploit
repository and setting it up with its own repository
[https://github.com/rapid7/meterpreter], and
Exploits
Metasploit Weekly Update: Adobe Reader Exploit and Post-Exploitation YouTube Broadcasting
New Adobe Reader ROP Gadgets
This week, Juan Vazquez [https://twitter.com/_juan_vazquez_] put together a neat
one-two exploit punch that involves a somewhat recent Adobe Reader vulnerability
(disclosed back in mid-May) and a sandbox escape via an OS privilege escalation
bug. I won't give away the surprise there -- he'll have a blog post about it up
in a few hours. Part of the work, though, resulted in some new entries in
Metasploit's RopDB; specifically, for Adobe Reader versions 9, 10, and 11.
Exploits
Weekly Metasploit Update: New Meterpreter Extended API, Learning About HttpServer, HttpClient, and SAP
Meterpreter Extended API
This week, we've got some new hotness for Meterpreter in the form of OJ
TheColonial [https://twitter.com/thecolonial] Reeves' new Extended API (extapi)
functionality. So far, the extended API is for Windows targets only (hint:
patches accepted), and here's the rundown of what's now available for your
post-exploitation delight:
* Clipboard Management: This allows for reading and writing from the target's
clipboard. This includes not only text, like you'd expect, but
Metasploit
Weekly Metasploit Update: SAP and Silverlight
SAP SAPpy SAP SAP
We've been all SAP all the time here in the Independent Nations of Metasploit,
and expect to be for the rest of the week. You might recall that Metasploit
exploit dev, Juan Vazquez [https://twitter.com/_juan_vazquez_] published his
SAP survey paper
[http://information.rapid7.com/sap-penetration-testing-using-metasploit.html] a
little while back; on Tuesday, we did a moderated twitter chat on the hashtag
#pwnSAP [https://twitter.com/search?q=%23pwnSAP&src=tyah] with the major
S
Metasploit
Weekly Metasploit Update: Patching Ruby Float Conversion DoS (CVE-2013-4164)
Metasploit 4.8.1 Released
Thanks to the revelations around the recent Ruby float conversion denial of
service, aka CVE-2013-4164
[https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/]
discovered and reported by Charlie Somerville, this week's release is pretty
slim in terms of content; on Friday (the day of the first disclosure), we pretty
much dropped everything and got to work on testing and packaging up new
Metasploit installers that ship with R