Last updated at Mon, 24 Jul 2017 18:56:40 GMT
Vegas Time!
Like the rest of the information security industry, we're buttoning down for the annual pilgramage to Vegas next week. This means collecting up all our new community-sourced swag, finishing up training and presentation material, figuring out what the heck to do with our phones to avoid casual ownage, and test driving our new Chromebook builds of Metasploit Pro. They're pretty sweet. The latest update for ARM-arch Kali should run without a problem on a SD Card-installed Chromebook alternate OS, as seen here:
This just in: Metasploit Pro is known to successfully pop shells from a Galaxy Tab, as well -- this photo courtesy of Mati "muts" Aharoni of Offensive Security:
While the technical work is impressive by itself, the decals that Lance @lsanchez-r7 Sanchez cooked up pretty much steal the show:
Yeah, we're pretty pleased with these. (:
As far as confirmed meatspace appearances from the Rapid7 Metasploit contingent, nex and rep are presenting at BlackHat about Cuckoo Sandbox, todb will be speaking at BSidesLV Common Ground with Thomas d'Otreppe about the vices and virtues of open source security, and of course Egypt will be delivering in-depth Metasploit training at BlackHat.
So, be careful out there, stay safe (infosec-wise, if not health-wise), swing by our BlackHat Booth #517 for some awesome Metasploit 10-year anniversary T-shirts, and let's see what we can do to advance the state of the art of open source security for another year or ten.
New Modules
We've got seven new modules with this week's update. As you can see below, this week is pretty heavy on the ZDI-reversed exploits. We've got ZDI-13-352 for HP products, a couple vectors for ZDI-13-110 for Apple Quicktime, and ZDI-13-147 for VMWare.
- Foreman (Red Hat OpenStack/Satellite) users/create Mass Assignment by Ramon de C Valle exploits CVE-2013-2113
- D-Link Devices UPnP SOAP Command Execution by juan vazquez and Michael Messner exploits OSVDB-94924
- Foreman (Red Hat OpenStack/Satellite) bookmarks/create Code Injection by Ramon de C Valle exploits CVE-2013-2121
- Apple Quicktime 7 Invalid Atom Length Buffer Overflow by sinn3r, Jason Kratzer, Paul Bates, and Tom Gallagher exploits ZDI-13-110
- Apple Quicktime 7 Invalid Atom Length Buffer Overflow by sinn3r, Jason Kratzer, Paul Bates, and Tom Gallagher exploits ZDI-13-110
- HP Managed Printing Administration jobAcct Remote Command Execution by juan vazquez and Andrea Micalizzi exploits ZDI-11-352
- VMware vCenter Chargeback Manager ImageUploadServlet Arbitrary File Upload by juan vazquez and Andrea Micalizzi exploits ZDI-13-147
Availability
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For additional details on what's changed and what's current, please see Brandont's most excellent release notes.
