Posts by Wei Chen

4 min Apple

12 Days of HaXmas: Apple Safari Makes Password Stealing Fun and Easy? Yes, Please!

This post is the second in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements in the Metasploit Framework over the course of 2013. If you are reading this blog post, I reckon you are somewhat of a geeky security person, and you use some sort of application like KeePass [http://keepass.info/], Keychain [http://www.apple.com/support/icloud/keychain/], LastPass [https://lastpass.com/], etc., to manage your passwords. After all, we all know too well password stealin

3 min

Metasploit releases CVE-2013-3893 (IE SetMouseCapture Use-After-Free)

Recently the public has shown a lot of interest in the new Internet Explorer vulnerability (CVE-2013-3893 [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3893]) that has been exploited in the wild, which was initially discovered in Japan. At the time of this writing there is still no patch available, but there is still at least a temporary fix-it that you can apply from Microsoft, which can be downloaded here [http://technet.microsoft.com/en-us/security/advisory/2887505]. The nitty

7 min Metasploit

Here's that FBI Firefox Exploit for You (CVE-2013-1690)

Hello fellow hackers, I hope you guys had a blast at Defcon partying it up and hacking all the things, because ready or not, here's more work for you.  During the second day of the conference, I noticed a reddit post [http://www.reddit.com/r/onions/comments/1jmrta/founder_of_the_freedom_hosting_arrested_held/] regarding some Mozilla Firefox 0day possibly being used by the FBI in order to identify some users using Tor for crackdown on child pornography. The security community was amazing: withi

2 min Exploits

Have a Taste of Communism with a Mouthful of APT

Everyone loves a good cyber-espionage story, and we love to put China under the spotlight. Why? Because their methods work. China has some well-known hacking groups that have conducted cyber-espionage-oriented attacks, such as the Elderwood Group [http://en.wikipedia.org/wiki/Operation_Aurora], Unit 61398 [http://en.wikipedia.org/wiki/PLA_Unit_61398], the Nitro gang [http://eromang.zataz.com/2012/09/03/java-0day-and-the-targeted-nitro-attacks-campaign-analysis/], etc. As far as we know, mos

3 min Exploits

Department of Labor IE 0-day Exploit (CVE-2013-1347) Now Available at Metasploit

Recently, the U.S. Department of Labor website was compromised [http://www.eweek.com/security/zero-day-exploit-enabled-cyber-attack-on-us-labor-department/] and had been serving malicious code, capable of detecting and disabling some antivirus products such as Avira, F-Secure, Kaspersky, AVG, Sophos, etc. It would also attack Internet Explorer 8 users with a 0-day exploit. The Metasploit vulnerability research community was particularly interested in the exploit part, therefore that's what w

4 min

New Heap Spray Technique for Metasploit Browser Exploitation

Browser vulnerabilities have always been serious threats in today's security trends. It's almost becoming too common to see people dropping browser 0days to beef up botnets, or deploying them for "sophisticated" APT-level attacks, etc. Although browser 0days surface more frequently than ever, some of the techniques don't seem to change much. The most common trick you'll see is a heap spray [https:/

3 min Metasploit

The forgotten spying feature: Metasploit's Mic Recording Command

About two years ago, Metasploit implemented [https://github.com/rapid7/metasploit-framework/commit/2e72926638b0fb972a26b2c1a3b040cf4cc224f2] the microphone recording feature in stdapi thanks to Matthew Weeks [https://twitter.com/scriptjunkie1]. And then almost a year ago, we actually lost that command [https://github.com/rapid7/metasploit-framework/commit/42719ab34bb9ca51d2cd623777662fc2253857f1] due to a typo. We, and apparently everyone else, never noticed that until I was looking at the

1 min

ZOMG! Java Vulnerability CVE-2013-0422! Everybody panic!

Hello concerned citizens, I suppose by now you've already noticed there has been a Java vulnerability -- CVE-2013-0422 [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422] -- exploited in the wild at least since mid-December [https://twitter.com/craiu/status/289649477109821441]. This attack was first exposed by Kafeine in his blog post here [http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html?m=1], and then quickly made its way to Metasploit for e

3 min

Microsoft Internet Explorer 0-Day Marks the End of 2012

Not too long ago, HD Moore was interviewed by eSecurity Planet [http://www.esecurityplanet.com/windows-security/did-microsoft-improve-security-in-2012.html] looking back at Microsoft's security over 2012. He made a very interesting remark about the trend of Microsoft vulnerabilities: "It seems like the market for Windows vulnerabilities has burned up most of the easy-to-find bugs, and the folks who would normally report the big ones are keeping them private..." Today, just when we think we get

2 min

What would Trinity do with Kingcope's SSH 0day?

Citizens of the Matrix, today I'd like to inform you that there is a Tectia SSH 0day vulnerability discovered by security researcher "Kingcope [http://twitter.com/kingcope]"... or really, we suspect his real name is Mr. Thomas Anderson [http://en.wikipedia.org/wiki/Neo_(The_Matrix)]. The vulnerability itself allows any remote user to bypass login if a USERAUTH CHANGE REQUEST is sent before password authentication, and then gain access as root. Please note that as of now, there is no official patc

4 min

Let's do #FollowFriday the Metasploit Way

Twitter is more than just a social networking tool for people to tweet about their private life... publicly.  At Rapid7, we've had plenty of success getting interesting security information just by monitoring Twitter, and sometimes the stuff we see is actually way better than other resources we use.  If you're obsessed with 0days like me, or just the latest information in general, then here are some really good examples why Twitter is a fantastic tool for security enthusiasts: CVE-2011-0611 was

4 min

Defeat the Hard and Strong with the Soft and Gentle Metasploit RopDB

Data Execution Prevention [http://support.microsoft.com/kb/875352] (DEP) has always been a hot topic in modern software exploitation. This is a security feature implemented in most popular operating systems, designed to prevent a program from executing code in a non-executable memory location. So when malicious code tries to inject a payload into memory, execution of that payload should fail, and the program simply crashes. But here's the thing, although DEP plays an important role in your computer's countermeas

3 min Exploits

New Metasploit 0-day exploit for IE 7, 8 & 9 on Windows XP, Vista, and 7

We have some Metasploit freshness for you today: A new zero-day exploit for Internet Explorer 7, 8, and 9 on Windows XP, Vista and 7. Computers can get compromised simply by visiting a malicious website, which gives the attacker the same privileges as the current user. Since Microsoft has not released a patch for this vulnerability yet, Internet users are strongly advised to switch to other browsers, such as Chrome or Firefox, until a security update becomes available. The exploit had already be

1 min Metasploit

Let's start the week with a new Java 0-day in Metasploit

Late Sunday night, the Metasploit Exploit team was looking for kicks, and heard the word on the street that someone was passing around a reliable Java 0-day exploit. Big thanks to Joshua J. Drake (jduck), we got our hands on that PoC [https://twitter.com/jduck1337/status/239875285913317376], and then once again, started our voodoo ritual. Within a couple of hours, we had a working exploit. Download Metasploit here [http://www.rapid7.com/downloads/metasploit.jsp], and apply the latest update

7 min

Adobe Flash Player Exploit CVE-2012-1535 Now Available for Metasploit

Edit: Aug 26, 2012. Recently, a new Adobe Flash vulnerability (CVE-2012-1535 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1535]) was being exploited in the wild as a zero-day in limited targeted attacks, in the form of a Word document. The Metasploit team managed to get our hands on the malware sample, and began our voodoo ritual in order to make this exploit available in the Metasploit Framework. Although Adobe has already officially released a patch (APSB12-18 [http://www.adobe.co