Posts tagged Flash

11 min Exploits

Exploiting a 64-bit browser with Flash CVE-2015-5119 (Part 2)

This post is a continuation of Exploiting a 64-bit browser with Flash CVE-2015-5119 [/2015/07/31/supporting-a-64-bits-renderer-on-flash-cve-2015-5119], where we explained how to achieve arbitrary memory read/write on a 64-bit IE renderer. As a reminder, we are targeting Windows 8.1 / IE11 (64 bits) with Flash 15.0.0.189. Of course, this write-up may contain a few errors, so your mileage may vary =) Where we left off before, we had created an interface to work with memory by using a corrupted

3 min Exploits

Exploiting a 64-bit browser with Flash CVE-2015-5119

Some weeks ago, on More Flash Exploits in the Framework [/2015/06/30/more-on-flash-exploits-into-the-framework], we introduced the flash_exploiter library, which is used by Metasploit to quickly add new Flash exploit modules. If you read that blog entry, then you already know that flash_exploiter only supports 32-bit browsers (renderers). In this blog post, we will demonstrate initial steps in adding IE11 64-bit support to CVE-2015-5119 [http://www.cvedetails.com/cve/CVE-2015-5119/], which is o

2 min Exploits

Weekly Metasploit Wrapup: Meterpretersauce

When You Wish Upon A Shell Back in February we ran a survey [/2015/03/26/meterpreter-2015-you-spoke-we-listened] to figure out where you, the savvy penetration tester, would like to see Meterpreter go. As a result, we now have the Meterpreter Wishlist [https://github.com/rapid7/metasploit-framework/wiki/Meterpreter-Wishlist], and have been working steadily off of that for the last few months. As of this week, we have a pile of accomplishments taken off the wishlist and committed as working cod

8 min Flash

More Flash Exploits in the Framework

As todb [/author/tod-beardsley/] pointed out in the last weekly metasploit update wrapup [/2015/06/26/weekly-metasploit-wrapup], we recently added two new exploits for Flash: CVE-2015-3090 [http://www.cvedetails.com/cve-details.php?cve_id=CVE-2015-3090] and CVE-2015-3105 [http://www.cvedetails.com/cve-details.php?cve_id=CVE-2015-3105], based on the samples found in the wild. As you're probably aware, in the last years, and especially the end of 2014 and 2015, Flash has become the trending target f

3 min Flash

Weekly Metasploit Wrapup: Two More Flash Exploits

Flash as a Vulnerability Vector While Adobe has made great progress in releasing both regular and emergency updates to Flash, it's becoming clear that Flash itself is becoming an albatross around the neck of every browser. This week, Adobe released APSB15-14 [https://helpx.adobe.com/security/products/flash-player/apsb15-14.html], a fix for CVE-2015-3133 [http://www.cvedetails.com/cve-details.php?cve_id=CVE-2015-3133]. This cross-browser vulnerability was discovered and reported by FireEye, and l

2 min Flash

Weekly Metasploit Wrapup: Recog

Recog Scanning with Metasploit This week, our own Jon Hart [https://twitter.com/jhartftw] started in on souping up a couple auxiliary modules with Recog [https://github.com/rapid7/recog], Rapid7's free, open source platform recognition framework. Metasploit has lots of these version scanners -- 27, to be precise -- in the auxiliary module tree, and nearly all of them would be better off with some more normalized fingerprinting. The SMB scanner already uses it, and has been for a little while now

2 min Microsoft

Patch Tuesday - September 2014

It's a light round of Microsoft Patching this month. Only four advisories, of which only one is critical. The sole critical issue this month is the expected Internet Explorer roll up affecting all supported (and likely some unsupported) versions. This IE roll up addresses 36 privately disclosed Remote Code Execution issues and 1 publicly disclosed Information Disclosure issue which is under limited attack in the wild. This will be the top patching priority for this month. Of the three no

2 min Flash

Weekly Metasploit Update: More Meterpreters!

Meterpreter for All The Platforms This week is pretty exciting for us, since it's not every day we give out commit rights [https://github.com/rapid7/metasploit-framework/wiki/Committer-Keys] to the Rapid7 Metasploit repo. I'm very happy to report that Tim Wright [https://github.com/timwr] has agreed to step up and help out with moving Meterpreter research and development forward, focusing mainly on the Java and Android implementations. Many Metasploit users are familiar with Meterpreter for Wi

4 min Flash

Weekly Metasploit Update: Disclosing Usernames, More Flash Bugs, and Wireshark Targets

Back from the UK! As I mentioned last blog post, I was off last week in London, where I finally got the chance to meet an overflow of far-flung Metasploit and security luminaries, including the folks from 44Con [https://44con.com/] and MWR Labs [https://labs.mwrinfosecurity.com/]. My bucket list just got shorter. And yes, "overflow" is the correct collective noun for a gathering of security professionals and hackers. Sadly, this means I managed to completely miss last week's blog post, so this

1 min Nexpose

IE 0-day, we got you covered

News broke [http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html] this weekend of yet another IE 0-day under ("limited, targeted") exploitation in the wild.  Microsoft responded [https://technet.microsoft.com/en-US/library/security/2963983] with an advisory, but no patches yet.  Given that the risk from the known exploit is mitigated by the usual defence in depth tactics [https://technet.mic

3 min Flash

Weekly Metasploit Update: Operation Snowman and LadyBoyle

Scary-Sounding Flash Exploits This week's update brings us two new exploits from Juan Vazquez [https://twitter.com/_juan_vazquez_], Boris dukeBarman [https://github.com/dukebarman] Ryutin, Jean-Jamil Khalife, and a criminal conspiracy of superhackers. Yep, seriously. That last bit is why these exploits deserve a special mention. These modules implement the attacks wrought by "Operation Snowman," and "LadyBoyle," two of the cooler-sounding names I've heard in a while. They allow for penetration

2 min Metasploit

Federal Friday - 2.28.14 - Flash Zero Day Targets Foreign Policy Sites

Federal Friday has come again, which means another week has passed us by. It's been a busy week for the Moose of Rapid7 with an imminent move for our Boston HQ on the horizon. We also had a great week at RSA with SC Magazine naming Nexpose the Best Vulnerability Management Solution! The threat landscape has had a wild few days with a major security flaw for Apple desktops and iOS devices as well as another IE zero day being discovered. In addition, a detailed report from FireEye [http://www.

1 min Patch Tuesday

Adobe joins the January patching fun!

Adobe has released two advisories today (APSB13-01 [http://www.adobe.com/support/security/advisories/apsa13-01.html] & APSB13-02 [http://www.adobe.com/support/security/bulletins/apsb13-02.html]) for Flash and Acrobat/Reader and updated their recent advisory [http://www.adobe.com/support/security/advisories/apsa13-01.html] for ColdFusion. The Flash patch applies to all versions including Windows, Linux, Mac, Android, embedded in Chrome & IE 10, and AIR.  This is a serious bug, since Adobe is adm

3 min Flash

Weekly Metasploit Update: New Flash Exploit, HTTP Client Trickery, and More!

After the last couple bumper crops of exploits, having merely six new modules this week is kind of a relief, at least from an editing standpoint. Of course, one of them is for a fresh Adobe Flash exploit, so let's jump into that. Flash Malware Module This week's update features an exploit for Adobe Flash, which Metasploit exploit developers Wei "sinn3r" Chen and Juan Vazquez wrote about last week [/2012/08/17/adobe-flash-player-exploit-cve-2012-1535-now-available-for-metasploit]. Since that bl

3 min Metasploit

Weekly Metasploit Update: Meterpreter, GPP, and More!

We've been cooking along here in Stately Metasploit Manor, mostly heads-down prepping for BlackHat/Defcon season. (Yes, it's that time of year already). In the meantime, we've a grab bag of mostly post modules, a drive-by update to Meterpreter, and Juan's and sinn3r's most excellent new Flash module. Meterpreter for Visual Studio 2010 Meterpreter is the default payload that many of our Windows exploits drop on the target server, and allows for things like unified shell access, file access, etc.