Posts tagged Exploits

2 min Exploits

New Metasploit Payloads for Firefox Javascript Exploits

Those of you with a keen eye on metasploit-framework/master [https://github.com/rapid7/metasploit-framework] will notice the addition of three new payloads:

* firefox/shell_reverse_tcp
* firefox/shell_bind_tcp
* firefox/exec

These are Javascript payloads meant for executing in a privileged Javascript context inside of Firefox. By calling certain native functions not meant to be exposed to ordinary web content, a classic TCP command shell can be opened. To a pentester, these payloads are use

2 min Exploits

Weekly Metasploit Update: Arbitrary Driver Loading & Win a WiFi Pineapple

Wow, I don't know about you, kind reader, but I'm just about blogged out after that 12 Days of HaXmas sprint. I'll try to keep this update short and sweet.

Arbitrary Driver Loading

This week's update includes a delightful new post module for managing a compromised target, the Windows Manage Driver Loader [http://www.metasploit.com/modules/post/windows/manage/driver_loader] by longtime Metasploit community contributor Borja Merino. If you, as a penetration tester, pop a box and gain administra

3 min Exploits

12 Days of HaXmas: BMC and IPMI Research and Exploitation

This post is the sixth in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements in the Metasploit Framework over the course of 2013. This year, infosec superstars Dan Farmer [http://fish2.com/security/] and HD Moore [https://twitter.com/hdmoore] have been making an impressive effort to spread the warnings around Baseboard Management Controllers (BMCs), which are used to provide remote management capabilities for servers and are installed in nearly all servers manufactured

4 min Apple

12 Days of HaXmas: Apple Safari Makes Password Stealing Fun and Easy? Yes, Please!

This post is the second in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements in the Metasploit Framework over the course of 2013. If you are reading this blog post, I reckon you are somewhat of a geeky security person, and you use some sort of application like KeePass [http://keepass.info/], Keychain [http://www.apple.com/support/icloud/keychain/], LastPass [https://lastpass.com/], etc., to manage your passwords. After all, we all know too well password stealin

4 min Metasploit

Bypassing Adobe Reader Sandbox with Methods Used In The Wild

Recently, FireEye identified and shared information [http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html] about two vulnerabilities used in the wild to exploit Adobe Reader on Windows XP SP3 systems. The vulnerabilities are:

* CVE-2013-3346 [http://cvedetails.com/cve/CVE-2013-3346]: A use-after-free in Adobe Reader, specifically in the handling of a ToolButton object, which can be exploited through the document's Java

3 min Exploits

Metasploit Weekly Update: Adobe Reader Exploit and Post-Exploitation YouTube Broadcasting

New Adobe Reader ROP Gadgets

This week, Juan Vazquez [https://twitter.com/_juan_vazquez_] put together a neat one-two exploit punch that involves a somewhat recent Adobe Reader vulnerability (disclosed back in mid-May) and a sandbox escape via an OS privilege escalation bug. I won't give away the surprise there -- he'll have a blog post about it up in a few hours. Part of the work, though, resulted in some new entries in Metasploit's RopDB; specifically, for Adobe Reader versions 9, 10, and 11.

3 min Exploits

Weekly Metasploit Update: New Meterpreter Extended API, Learning About HttpServer, HttpClient, and SAP

Meterpreter Extended API

This week, we've got some new hotness for Meterpreter in the form of OJ TheColonial [https://twitter.com/thecolonial] Reeves' new Extended API (extapi) functionality. So far, the extended API is for Windows targets only (hint: patches accepted), and here's the rundown of what's now available for your post-exploitation delight:

* Clipboard Management: This allows for reading and writing from the target's clipboard. This includes not only text, like you'd expect, but

1 min Nexpose

NEX-37823 XSS in Nexpose vuln-summary.jsp (Fixed)

Nexpose users are urged to update to the latest version of Nexpose to receive the patch for the described security vulnerability. Note that by default, Nexpose installations update themselves automatically. A cross-site scripting (XSS) vulnerability has been discovered by Yunus ÇADIRCI [https://twitter.com/yunuscadirci] and subsequently patched in recent versions of Rapid7's Nexpose vulnerability scanner. By providing URL-encoded HTML tags (including script tags), an unauthenticated attacker

3 min Metasploit

Weekly Metasploit Update: BrowserExploitServer (BES), IPMI, and KiTrap0D

Browser Exploit Server

This release includes the much vaunted and anticipated BrowserExploitServer (BES) mixin [https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/remote/browser_exploit_server.rb], the brainchild of Metasploit exploit developer Wei @_sinn3r [https://twitter.com/_sinn3r] Chen. Metasploit, at its core, is designed to be both an exploit delivery system and an exploit development system, so this new mixin should help tremendously with the latter. BES, in a

5 min Metasploit

Exploiting the Supermicro Onboard IPMI Controller

Last week @hdmoore [https://twitter.com/hdmoore] published the details about several vulnerabilities in the Supermicro IPMI firmware [/2013/11/06/supermicro-ipmi-firmware-vulnerabilities]. With the advisory's release, several modules were landed in Metasploit in order to check Supermicro's devices against several of the published vulnerabilities:

Module: smt_ipmi_static_cert_scanner [http://www.rapid7.com/db/modules/auxiliary/scanner/http/smt_ipmi_static_cert_scanner]
Purpose: This module ca

16 min Metasploit

Don't Get Blindsided: Better Visibility Into User and Asset Risks with Metasploit 4.8

Not having visibility can be dangerous in many situations. The new Metasploit 4.8 gives you better visibility in four key areas:

* View phishing exposure in the context of the overall user risk
* See which vulnerabilities pose the biggest risk to your organization
* Have all host information at your fingertips when doing a pentest
* Discover the latest risks on your network with new exploits and other modules

See Phishing Exposure as One Factor of User Risk

Users are often a weak part of t

1 min Metasploit

SOHO Router Horror Stories: German Webcast with Mike Messner

This Thursday, it's my distinct pleasure to host Mike @s3cur1ty_de Messner for a German-language webcast about SOHO router security [http://information.rapid7.com/soho-router-horror-stories-webcast.html]. For those not familiar with him, Mike is the author of the most comprehensive German Metasploit book (published by dpunkt) [http://www.amazon.de/Metasploit-Das-Handbuch-zum-Penetration-Testing-Framework/dp/3898647722] and worked several years as a Metasploit trainer. His personal passion is p

4 min Product Updates

Weekly Update: Exploiting (Kind of) Popular FOSS Apps

Disclosure for FOSS Projects

Earlier today, we published seven modules for newly disclosed vulnerabilities [/2013/10/30/seven-foss-disclosures-part-one] that target seven free and open source (FOSS) projects, all discovered and written by longtime Metasploit contributor Brandon Perry [https://twitter.com/brandonprry]. These vulnerabilities moved through Rapid7's usual disclosure process [https://rapid7.com/disclosure.jsp], and as you can read in the summary blog post, it was a little bit of an ad

3 min Exploits

Estimating ReadyNAS Exposure with Internet Scans

I wanted to share a brief example of using a full scan of IPv4 to estimate the exposure level of a vulnerability. Last week, Craig Young [https://twitter.com/craigtweets], a security researcher at Tripwire, wrote a blog post [http://www.tripwire.com/state-of-security/vulnerability-management/readynas-flaw-allows-root-access-unauthenticated-http-request/] about a vulnerability in the ReadyNAS network storage appliance. In an interview with Threatpost [http://threatpost.com/netgear-readynas-storag

1 min Java

Oracle October 2013 CPU roundup

The story here is that Oracle has synced up their Java patching with the rest of their patching cycle and, when it comes to vulnerabilities, Java always steals the show. The CPU includes fixes for 127 vulnerabilities in Oracle products, but aside from Java, it's mostly ho-hum, low impact stuff. There's a CVSS 8.5 vulnerability in MySQL's Enterprise Service manager, but besides the Java patches, nothing else jumps out as particularly interesting. The Java patches include 51 of the 127 addresse