Posts by William Vu

2 min Metasploit

Metasploit Wrap-Up

Windows BITS CVE-2020-0787 LPE in the Metasploit tree! This week, Grant Willcox [https://github.com/gwillcox-r7] presents his first Metasploit module contribution [https://github.com/rapid7/metasploit-framework/pull/13554] as part of our team. Research [https://itm4n.github.io/cve-2020-0787-windows-bits-eop/] from itm4n [https://github.com/itm4n] yielded CVE-2020-0787 [https://nvd.nist.gov/vuln/detail/CVE-2020-0787], describing a vulnerability in the Windows Background Intelligent Transfer Serv

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Long live copy and paste

Adam Galway [https://github.com/adamgalway-r7] enhanced the set PAYLOAD command to strip the /payload/, payload/, and / prefixes from a payload name in an effort to improve the user experience while configuring an exploit's payload. You can see the new behavior [https://github.com/rapid7/metasploit-framework/pull/12946] below!

msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload /payload/windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reve
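The prefix stripping described above, as an added example written for this page; it is not the Framework's own implementation of `set PAYLOAD`, and the `set_payload` datastore stand-in is an assumption used only to show what the console echoes back:

```ruby
# Added example; not Metasploit's own implementation of `set PAYLOAD`.
# Strips one leading "/payload/", "payload/" or "/" from a payload name so that a
# name pasted from `show payloads` or from a module path resolves to the same
# reference name. Prefix order matters: the longest prefix must be tried first,
# otherwise "/payload/x" would only lose its leading "/".
PAYLOAD_PREFIXES = ['/payload/', 'payload/', '/'].freeze

def normalize_payload_name(name)
  name = name.to_s.strip
  PAYLOAD_PREFIXES.each do |prefix|
    return name[prefix.length..-1] if name.start_with?(prefix)
  end
  name
end

# Minimal stand-in (assumed shape, not the real datastore) for the storage side of
# `set PAYLOAD`: stores the normalized name and returns the console-style echo.
def set_payload(datastore, raw)
  datastore['PAYLOAD'] = normalize_payload_name(raw)
  "payload => #{datastore['PAYLOAD']}"
end

if $PROGRAM_NAME == __FILE__
  ds = {}
  ['/payload/windows/x64/meterpreter/reverse_tcp',
   'payload/windows/x64/meterpreter/reverse_tcp',
   '/windows/x64/meterpreter/reverse_tcp',
   'windows/x64/meterpreter/reverse_tcp'].each { |n| puts set_payload(ds, n) }
end
```

All four spellings above normalize to the same reference name; a name without any of the prefixes is returned unchanged, so existing habits keep working.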

22 min Research

DOUBLEPULSAR RCE 2: An RDP Story

In this sequel, wvu [https://github.com/wvu-r7] recounts the R&D (in all its imperfect glory) behind creating a Metasploit module for the DOUBLEPULSAR implant's lesser-known RDP variant. If you're unfamiliar with the more common SMB variant, you can read our blog post [/2019/10/02/open-source-command-and-control-of-the-doublepulsar-implant/] detailing how we achieved RCE with it.

Table of Contents
0. Background
1. Extracting the implant
2. Installing the implant
3. Pinging the implant
4.

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Pulse Secure VPN exploit modules, a notable BlueKeep exploit reliability improvement, and an overhaul of MSF's password cracking integration, including new support for hashcat.

20 min Research

Open-Source Command and Control of the DOUBLEPULSAR Implant

Metasploit researcher William Vu shares technical analysis behind a recent addition to Framework: a module that executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB and allows users to remotely disable the implant.

5 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Hacker Summer Camp

Last week, the Metasploit team flew out to sunny, hot, and dry Las Vegas for Hacker Summer Camp (Black Hat, BSidesLV, and DEF CON). It was a full week of epic hacks, good conversation, and even a little business! If you managed to catch us at our Open Source Office Hours [https://blog.rapid7.com/2019/07/15/metasploit-open-source-office-hours-in-vegas/] (previously OSSM, the Open Source Security Meetup) in Bally's, we just wanted to say thanks for making the trek through the

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Crock-Pot cooking with Metasploit

Belkin's Wemo [https://en.wikipedia.org/wiki/Belkin_Wemo] line of smart home devices offers users a variety of internet-connected gadgets and gizmos they can control around the home. One of those happens to be a Crock-Pot [https://www.crock-pot.com/wemo-landing-page.html]. We went ahead and bought one. Naturally, it made sense for us to write a module [https://github.com/rapid7/metasploit-framework/pull/10731] to control our new slow cooker via the UPnP [https:

25 min Haxmas

The Ghost of Exploits Past: A Deep Dive into the Morris Worm

In this post, we will dive into the exploit development process for the three modules we created in honor of the 30th anniversary of the Morris worm.

3 min Metasploit Weekly Wrapup

Metasploit Wrapup

Committing to some shells in GitList

Shelby [https://github.com/space-r7] has been killing it with new exploit and aux modules by the day. In this iteration, she's produced an exploit [https://github.com/rapid7/metasploit-framework/pull/10262] for GitList 0.6.0 and likely older versions. The software is built on PHP and allows users to view a Git repo on the web. Through an argument injection, a fake pager [https://en.wikipedia.org/wiki/Terminal_pager] can be executed... that is really our shell
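The argument-injection pattern behind that "fake pager", as an added example written for this page; it is neither GitList's code nor the Metasploit module. It models a search term handed to `git grep` as a bare argument: git's real `--open-files-in-pager` option launches the named program on the matched files, which is how a pager becomes a shell. The search terms and the tiny argument parser are constructed for the example, and nothing here executes git:

```ruby
# Added example, not GitList's code and not the Metasploit module. Models the class
# of bug described above: untrusted input placed where git still parses options is
# treated as an option when it starts with "-". --open-files-in-pager (-O) is a
# real git grep option; the terms and the parser below are constructed.

# Vulnerable shape: the user's term is the last argument, but git is still reading
# options, so a term like "--open-files-in-pager=id" is an option, not a pattern.
def grep_argv_vulnerable(term)
  ['git', 'grep', '-n', term]
end

# Hardened shape: a standalone "--" ends option parsing; whatever follows can only
# be a pattern or path, never an option.
def grep_argv_hardened(term)
  ['git', 'grep', '-n', '--', term]
end

# Approximation of how git splits an argv: arguments starting with "-" before a
# standalone "--" are options; everything after "--", or not starting with "-",
# is positional (here, the search pattern).
def parse_git_args(argv)
  options, positional = [], []
  seen_separator = false
  argv.drop(2).each do |arg|            # skip "git" and the subcommand
    if !seen_separator && arg == '--'
      seen_separator = true
    elsif !seen_separator && arg.start_with?('-')
      options << arg
    else
      positional << arg
    end
  end
  { options: options, positional: positional }
end

# Defence in depth, applied before any external tool is invoked: a search term from
# untrusted input that begins with "-" is rejected outright.
def safe_search_term?(term)
  !term.to_s.start_with?('-')
end

if $PROGRAM_NAME == __FILE__
  attacker_term = '--open-files-in-pager=id'   # constructed attacker-style input
  p parse_git_args(grep_argv_vulnerable(attacker_term))
  p parse_git_args(grep_argv_hardened(attacker_term))
end
```

The fix is the `--` separator, not escaping: the term is never shell-interpreted in either shape, so quoting would not help, but without the separator git itself reads the term as an option.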

3 min Release Notes

Weekly Metasploit Wrapup

Scanning for the Fortinet backdoor with Metasploit

Written by wvu

Metasploit now implements a scanner for the Fortinet backdoor. Curious to see how to use it? Check this out!

wvu@kharak:~/metasploit-framework:master$ ./msfconsole -qL
msf > use auxiliary/scanner/ssh/fortinet_backdoor
msf auxiliary(fortinet_backdoor) > set rhosts 417.216.55.0/24
rhosts => 417.216.55.0/24
msf auxiliary(fortinet_backdoor) > set threads 100
threads => 100
msf auxiliary(fortinet_backdoor) > run
[*]

2 min Haxmas

12 Days of HaXmas: RCE in Your FTP

This post is the sixth in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements and events in the Metasploit Framework over the course of 2014. It's been quite a year for shell bugs. Of course, we all know about Shellshock, the tragic bash bug that made the major media news. Most of us heard about the vulnerabilities in the command line tools wget, curl, and git (more on that last one later on during HaXmas). But did you notice the FTP command bug? That remains

1 min Metasploit

New "show missing" Command in msfconsole

Hello, Metasploiters! Just wanted to update y'all on a new feature in msfconsole that *hopefully* should make vgrepping [https://en.wikipedia.org/wiki/Visual_inspection#Humorous_terminology] through module options a little easier.

Show empty required options

The new command is show missing, and all it does is show empty required options. Instead of looking through a long list of options and picking out the required ones that haven't been set, just run show missing, and a list of unset required
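The filter that `show missing` is described as applying, as an added example written for this page rather than msfconsole's own implementation. The option-table shape (name => required/default/value), the sample table and the rule that an explicitly set blank value counts as unset are assumptions of the example:

```ruby
# Added example; not msfconsole's `show missing` code. An option table here is a
# hash of name => { required:, default:, value: } (assumed shape). An option counts
# as set when its explicit value, or failing that its default, is non-blank.
def option_value(opt)
  opt.key?(:value) ? opt[:value] : opt[:default]
end

def blank_value?(value)
  value.nil? || value.to_s.strip.empty?
end

# Equivalent of `show missing`: names of required options that are still blank.
def missing_required(options)
  options.select { |_name, opt| opt[:required] && blank_value?(option_value(opt)) }.keys
end

# Equivalent of `set NAME VALUE`; returns an updated copy instead of mutating.
def set_option(options, name, value)
  updated = options.transform_values(&:dup)
  updated.fetch(name)[:value] = value
  updated
end

# Constructed option table, loosely modeled on a reverse-shell exploit's options.
SAMPLE_OPTIONS = {
  'RHOSTS'  => { required: true,  default: nil },
  'RPORT'   => { required: true,  default: 445 },
  'LHOST'   => { required: true,  default: nil },
  'LPORT'   => { required: true,  default: 4444 },
  'PROXIES' => { required: false, default: nil },
  'SMBUser' => { required: false, default: '' },
}.freeze

if $PROGRAM_NAME == __FILE__
  puts "missing: #{missing_required(SAMPLE_OPTIONS).join(', ')}"
  after = set_option(SAMPLE_OPTIONS, 'RHOSTS', '10.0.0.5')
  puts "after set RHOSTS: #{missing_required(after).join(', ')}"
end
```

Required options that ship with a default (RPORT, LPORT) are not reported, optional ones are ignored even when empty, and clearing a defaulted option to an empty string puts it back on the list.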

5 min Metasploit

Making Your Printer Say "Feed Me a Kitten" and Also Exfiltrate Sensitive Data

As of this last release, PJL [https://en.wikipedia.org/wiki/Printer_Job_Language] (HP's Printer Job Language) is now a grown-up Rex::Proto protocol! Since extending a protocol in Metasploit is beyond the scope of this post, we'll just be covering how to use the PoC modules included with the new protocol. Feel free to dig around in lib/rex/proto/pjl*, though! Okay, let's get started!

printer_version_info

First off, we have printer_version_info. This module lets us scan a range of hosts for pri

4 min Metasploit

12 Days of HaXmas: Finding shell_bind_tcp_random_port with Nmap and Ndiff

This post is the ninth in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements in the Metasploit Framework over the course of 2013. A few months ago, contributor geyslan [https://github.com/geyslan] submitted a cool pull request [https://github.com/rapid7/metasploit-framework/pull/2350] for a random-port bind shell payload on x86 and x64 Linux systems. In this post, we'll explore how to use this payload with our friends Nmap [http://nmap.org/] and Ndiff [http: