Posts by Wei Chen

5 min

Stack Smashing: When Code Execution Becomes a Nightmare

Last year at BSides Vegas, James Lee (egypt) and David Rude (bannedit) gave a talk titled "Long Beard's Guide to Exploit Dev". During the talk, James said one thing that I'll never forget: "exploit development is never an easy task, because pretty much every step you do -- finding the offset, finding a return value, using a ROP gadget, etc -- could lead to a failure." Ain't that the truth! But here's the thing: exploits don't just fail before you pop a shell; they can also fail WHILE you

3 min Metasploit

New Critical Microsoft IE Zero-Day Exploits in Metasploit

We've been noticing a lot of exploit activity against Microsoft vulnerabilities lately. We decided to look into some of these attacks, and released two modules, for CVE-2012-1889 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1889) and CVE-2012-1875 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1875), within a week of the vulnerabilities' publication so our users can test their systems. Please note that both are very important to any organization using Windows, because one of

1 min

CVE-2012-0507 - Java Strikes Again

Recently, Microsoft published a blog post about a Java exploit that's being used in the wild. The vulnerability is a logic flaw that results in unsafe operations, allowing an attacker to run arbitrary code in the context of the user. The post is here: http://blogs.technet.com/b/mmpc/archive/2012/03/20/an-interesting-case-of-jre-sandbox-breach-cve-2012-0507.aspx About two days ago, Metasploit obtained a partial sample of that malware thanks to an anonymous cont

3 min

URI Parsing: It's harder than you think... or is it?

I have to admit, parsing a URI is tricky. Most Metasploit modules try to do it with some kind of custom regex-fu, and unfortunately most of those regexes are buggy. Because of this, I've committed a new patch to HttpClient: a target_uri function that parses the URI for you. It's only a 4-line change, but it should change the way we write HTTP-related modules. Before I demonstrate how you can take advantage of target_uri, I should briefly explain why you should avoid doing
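To show the bug class the post is talking about, here is an added example (not the HttpClient patch or any Metasploit code) that pits a hand-rolled `scheme://host/path` regex of the kind many modules used against Ruby's standard `URI` parser. The sample URIs are constructed for illustration; the hostnames are not real targets.

```ruby
require 'uri'

# Constructed sample URIs. The first two are the "easy" shape most regexes were
# written for; the last two carry an IPv6 literal, userinfo, percent-encoding
# and a query string, all legal and all routinely mishandled by ad-hoc parsing.
SAMPLES = [
  'http://target.example/cgi-bin/login.php',
  'https://target.example:8443/app/',
  'http://[2001:db8::1]:8080/admin?debug=1#top',
  'http://user:p%40ss@target.example/secret%20dir/index.jsp?x=1&y=/not/a/path'
].freeze

# The kind of regex a module might reach for: scheme, then everything up to the
# first slash as "host:port", then the rest as the path.
NAIVE = %r{\A(\w+)://([^/]+)(/.*)?\z}

def naive_parse(s)
  m = NAIVE.match(s)
  return nil unless m

  scheme = m[1]
  host, port = m[2].split(':')          # wrong for IPv6 literals and user:pass@host
  {
    host: host,
    port: port ? port.to_i : (scheme == 'https' ? 443 : 80),
    path: m[3] || '/'                   # query and fragment end up glued onto the path
  }
end

# The same fields taken from a real parser. URI#hostname strips the IPv6 brackets,
# URI#port applies the scheme default, and query/fragment are kept separate.
def proper_parse(s)
  u = URI.parse(s)
  {
    host:  u.hostname,
    port:  u.port,
    path:  u.path.empty? ? '/' : u.path,
    query: u.query
  }
rescue URI::InvalidURIError
  nil
end

# Returns the sample URIs on which the two approaches disagree about
# host, port or path.
def mismatches
  SAMPLES.select do |s|
    n = naive_parse(s)
    p = proper_parse(s)
    n.nil? || p.nil? || n.values_at(:host, :port, :path) != p.values_at(:host, :port, :path)
  end
end

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |s|
    puts s
    puts "  naive : #{naive_parse(s).inspect}"
    puts "  URI   : #{proper_parse(s).inspect}"
  end
end
```

On the two "easy" URIs both approaches agree. On the IPv6 URI the regex splits the host on every colon and ends up with host `[2001` and port 0; on the userinfo URI it takes `user` as the host and `p%40ss@target.example` as the port. Either mistake sends the module's request to the wrong place, which is exactly why a single shared parser beats per-module regexes.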

2 min Exploits

Metasploit Bounty: Code, Sweat, and Tears

After more than 30 days of intense exploit hunting, the Metasploit Bounty program has finally come to an end. First off, we'd like to say that even though the Metasploit Framework has made exploit development much easier, the process is still not an easy task. We're absolutely amazed how hard our participants tried to make magic happen. Often, the challenge begins with finding the vulnerable software. If you're lucky, you can find what you need from 3rd-party websites that mirror