Posts tagged Exploits

Weekly Metasploit Update: BrowserExploitServer (BES), IPMI, and KiTrap0D

Browser Exploit Server This release includes the much vaunted and anticipated BrowserExploitServer (BES) mixin [https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/remote/browser_exploit_server.rb] , the brainchild of Metasploit exploit developer Wei @_sinn3r [https://twitter.com/_sinn3r] Chen. Metasploit, at its core, is designed to be both an exploit delivery system and exploit development system, so this new mixin should help tremendously with the latter. BES, in a

Exploiting the Supermicro Onboard IPMI Controller

Last week @hdmoore [https://twitter.com/hdmoore] published the details about several vulnerabilities into the Supermicro IPMI firmware [/2013/11/06/supermicro-ipmi-firmware-vulnerabilities]. With the advisory's release, several modules were landed into Metasploit in order to check Supermicro's device against several of the published vulnerabilities: Module Purpose smt_ipmi_static_cert_scanner [http://www.rapid7.com/db/modules/auxiliary/scanner/http/smt_ipmi_static_cert_scanner] This module ca

Don't Get Blindsided: Better Visibility Into User and Asset Risks with Metasploit 4.8

Not having visibility can be dangerous in many situations. The new Metasploit 4.8 [https://www.rapid7.com/products/metasploit/download/] gives you better visibility in four key areas: * View phishing exposure in the context of the overall user risk * See which vulnerabilities pose the biggest risk to your organization * Have all host information at your fingertips when doing a pentest * Discover the latest risks on your network with new exploits and other modules See Phishing Exposure as O

Weekly Update: New Exploits for MS13-069, MS13-071

Let's Curbstomp Windows! This week, we've got two new exploits for everyone's favorite punching bag, Microsoft Windows. First up, we'll take on Microsoft Internet Explorer. MSIE has a long and storied history of browser bugs, but truth be told, they're really pretty hard to exploit reliably these days. If you don't believe me, take a look at the hoops we had to jump through to get reliable exploits together for MS13-069. MS13-069 [http://technet.microsoft.com/en-us/security/bulletin/ms13-069] w

Change the Theme, Get a Shell: Remote Code Execution with MS13-071

Recently we've added an exploit for MS13-071 [https://www.rapid7.com/db/vulnerabilities/windows-hotfix-ms13-071] to Metasploit. Rated as "Important" by Microsoft, this remote code execution, found by Eduardo Prado, for Windows XP and Windows 2003 environments is achieved by handling specially crafted themes. In this blog post we would like to discuss the vulnerability and give some helpful tips for exploiting it from Metasploit. First of all, the bug occurs while handling the [boot] section on

Good Exploits Never Die: Return of CVE-2012-1823

According to Parallels, "Plesk is the most widely used hosting control panel solution, providing everything needed for creating and offering rich hosting plans and managing customers and resellers, including an intuitive User Interface for setting up and managing websites, email, databases, and DNS." (source: Parallels [http://www.parallels.com/products/plesk/webhosters/]). On Jun 05 kingcope shocked Plesk world by announcing a new 0 day which could allow for remote command execution: Accordi

Weekly Update: Fun with ZPanel, MoinMoin, and FreeBSD

Chaining Zpanel Exploits for Remote Root ZPanel is a fun, open source web hosting control panel, written in code auditors' favorite language, PHP. For bonus points, ZPanel likes to do some things as root, so it installs a nifty little setuid binary called 'zsudo' that does pretty much what you might expect from a utility of that name -- without authentication. In the wake of some harsh words on reddit and elsewhere in regard to the character of ZPanel's development team, the project came to the

From the Wild to Metasploit: Exploit for MoinMoin Wiki (CVE-2012-6081)

Recently we've added to Metasploit a module for CVE-2012-6081, [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6081] an arbitrary file upload vulnerability affecting to the version 1.9.5 (patched!) of the MoinMoin [http://moinmo.in/] Wiki software. In this blog entry we would like to share both the vulnerability details and how this one was converted in RCE (exploited in the wild!) because the exploitation is quite interesting, where several details must have into account to successful e

New 1day Exploits: Mutiny Vulnerabilities

Abusing Safari's webarchive file format

tldr: For now, don't open .webarchive files, and check the Metasploit module, Apple Safari .webarchive File Format UXSS [https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/apple_safari_webarchive_uxss.rb] Safari's webarchive format saves all the resources in a web page - images, scripts, stylesheets - into a single file. A flaw exists in the security model behind webarchives that allows us to execute script in the context of any domain (a Universal Cross-site S

Exploit for new Vulnerability on Honeywell EBI ActiveX (CVE-2013-0108)

Today, we present to you a new vulnerability, CVE-2013-0108 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0108], discovered in Honeywell Enterprise Buildings Integrator (EBI) [https://buildingsolutions.honeywell.com/Cultures/en-US/ServicesSolutions/BuildingManagementSystems/EnterpriseBuildingsIntegrator/] R310 - R410.2. This platform is used to integrate different systems and devices such as heating, ventilation, and air conditioning (HVAC) controls; security; access control; life sa

Malicious SSIDs And Web Apps

On February 13th 2013, Cisco released a security notice related to CVE-2013-1131 [http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1131] . According to Cisco, the vulnerability is due to improper validation of the Service Set Identifier (SSID) when performing a "site survey" to discover other wireless networks. On the face of it, this vulnerability seems to be low-risk. Indeed, site surveys are not often performed and an adversary would need to either be incredibly luc

Ray Sharp CCTV DVR Password Retrieval & Remote Root

On January 22, 2013, a researcher going by the name someLuser detailed a number of security flaws in the Ray Sharp DVR platform. These DVRs are often used for closed-circuit TV (CCTV) systems and security cameras. In addition to Ray Sharp, the exposures seem to affect rebranded DVR products by Swann, Lorex, URMET, KGuard, Defender, DEAPA/DSP Cop, SVAT, Zmodo, BCS, Bolide, EyeForce, Atlantis, Protectron, Greatek, Soyo, Hi-View, Cosmos, and J2000. The vulnerabilities allow for unauthenticated acce

Exploiting Ruby on Rails with Metasploit (CVE-2013-0156)

Background Earlier this week, a critical security flaw [https://www.rapid7.com/blog/post/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156/] in Ruby on Rails (RoR) was identified that could expose an application to remote code execution, SQL injection [https://www.rapid7.com/fundamentals/sql-injection-attacks/], and denial of service attacks. Ruby on Rails is a popular web application framework that is used by both web sites and web-enabled products and this flaw is by far the worst

Serialization Mischief in Ruby Land (CVE-2013-0156)

This afternoon a particularly scary advisory [https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion] was posted to the Ruby on Rails (RoR) security discussion list. The summary is that the XML processor in RoR can be tricked into decoding the request as a YAML document or as a Ruby Symbol, both of which can expose the application to remote code execution or SQL injection. A gentleman by the name of Felix Wilhelm went into detail [http://www.insinuator.net/2013/01/r