Posts tagged Flash

11 min Exploits

Exploiting a 64-bit browser with Flash CVE-2015-5119 (Part 2)

This post is a continuation of Exploiting a 64-bit browser with Flash CVE-2015-5119 [/2015/07/31/supporting-a-64-bits-renderer-on-flash-cve-2015-5119] , where we explained how to achieve arbitrary memory read/write on a 64-bit IE renderer. As a reminder, we are targeting Windows 8.1 / IE11 (64 bits) with Flash Of course, this write-up may contain a few errors, so your mileage may vary =) Where we left off before, we had created an interface to work with memory by using a corrupted

3 min Exploits

Exploiting a 64-bit browser with Flash CVE-2015-5119

Some weeks ago, on More Flash Exploits in the Framework [/2015/06/30/more-on-flash-exploits-into-the-framework], we introduced the flash_exploiter library, which is used by Metasploit to quickly add new Flash exploit modules. If you read that blog entry, then you already know that flash_exploiter only supports 32-bit browsers (renderers). In this blog post, we will demonstrate initial steps in adding IE11 64-bit support to CVE-2015-5119 [] , which is o

2 min Exploits

Weekly Metasploit Wrapup: Meterpretersauce

When You Wish Upon A Shell Back in February we ran a survey [/2015/03/26/meterpreter-2015-you-spoke-we-listened] to figure out where you, the savvy penetration tester, would like to see Meterpreter go. As a result, we now have the Meterpreter Wishlist [], and have been working steadily off of that for the last few months. As of this week, we have a pile of accomplishments taken off the wishlist and committed as working cod

8 min Flash

More Flash Exploits in the Framework

As todb [/author/tod-beardsley/] pointed out in the last weekly metasploit update wrapup [/2015/06/26/weekly-metasploit-wrapup] we recently added two new exploits for Flash: CVE-2015-3090 [] and CVE-2015-3105 [], based on the samples found in the wild. As you're probably aware, the last years, and especially the end of 2014 and 2015, Flash has become the trending target f

3 min Flash

Weekly Metasploit Wrapup: Two More Flash Exploits

Flash as a Vulnerability Vector While Adobe has made great progress in releasing both regular and emergency updates to Flash, it's becoming clear that Flash itself is becoming an albatross around the neck of every browser. This week, Adobe released APSB15-14 [], a fix for CVE-2015-3133 []. This cross-browser vulnerability was discovered and reported by FireEye, and l

2 min Flash

Weekly Metasploit Wrapup: Recog

Recog Scanning with Metasploit This week, our own Jon Hart [] started in on souping up a couple auxiliary modules with Recog [], Rapid7's free, open source platform recognition framework. Metasploit has lots of these version scanners -- 27, to be precise -- in the auxiliary module tree, and nearly all of them would be better off with some more normalized fingerprinting. The SMB scanner already uses it, and has been for a little while now

2 min Microsoft

Patch Tuesday - September 2014

It's a light round of Microsoft Patching this month.  Only four advisories, of which only one is critical.  The sole critical issue this month is the expected Internet Explorer roll up affecting all supported (and likely some unsupported) versions.  This IE roll up addresses 36 privately disclosed Remote Code Execution issues and 1 publically disclosed Information Disclosure issue which is under limited attack in the wild. This will be the top patching priority for this month. Of the three no

2 min Flash

Weekly Metasploit Update: More Meterpreters!

Meterpreter for All The Platforms This week is pretty exciting for us, since it's not every day we give out commit rights [] to the Rapid7 Metasploit repo. I'm very happy to report that Tim Wright [] has agreed to step up and help out with moving Meterpreter research and development forward, focusing mainly on the Java and Android implementations. Many Metasploit users are familiar with Meterpreter for Wi

4 min Flash

Weekly Metasploit Update: Disclosing Usernames, More Flash Bugs, and Wireshark Targets

Back from the UK! As I mentioned last blog post, I was off last week in London, where I finally got the chance to meet an overflow of far-flung Metasploit and security luminaries, including the folks from 44Con [] and MWR Labs []. My bucket list just got shorter. And yes, "overflow" is the correct collective noun for a gathering of security professionals and hackers. Sadly, this means I managed to completely miss last week's blog post, so this

1 min Nexpose

IE 0-day, we got you covered

News broke [] this weekend of yet another IE 0-day under ("limited, targeted") exploitation in the wild.  Microsoft responded [] with an advisory, but no patches yet.  Given that the risk from the known exploit is mitigated by the usual defence in depth tactics [https://technet.mic

3 min Flash

Weekly Metasploit Update: Operation Snowman and LadyBoyle

Scary-Sounding Flash Exploits This week's update brings us two new exploits from Juan Vazquez, [] Boris dukeBarman [] Ryutin, Jean-Jamil Khalife, and a criminal conspiracy of superhackers. Yep, seriously. That last bit is why these exploits deserve a special mention. These modules implement the attacks wrought by "Operation Snowman," and "LadyBoyle," two of the cooler-sounding names I've heard in a while. They allow for penetration

2 min Metasploit

Federal Friday - 2.28.14 - Flash Zero Day Targets Foreign Policy Sites

Federal Friday has come again, which means another week has passed us by. It's been a busy week for the Moose of Rapid7 with an imminent move for our Boston HQ for on the horizon. We also had a great week at RSA with SC Magazine naming Nexpose the Best Vulerability Management Solution! The threat landscape has had a wild few days with a major security flaw for Apple desktops and iOS devices as well as another IE zero day being discovered. In addition, a detailed report from FireEye [http://www.

1 min Patch Tuesday

Adobe joins the January patching fun!

Adobe has released two advisories today (APSB13-01 [] & APSB13-02 []) for Flash and Acrobat/Reader and updated their recent advisory [] for ColdFusion. The Flash patch applies to all versions including Windows, Linux, Mac, Android, embedded in Chrome & IE 10, and AIR.  This is a serious bug, since Adobe is adm

3 min Flash

Weekly Metasploit Update: New Flash Exploit, HTTP Client Trickery, and More!

After the last couple bumper crops of exploits, having merely six new modules this week is kind of a relief, at least from an editing standpoint. Of course, one of them is for a fresh Adobe Flash exploit, so let's jump into that. Flash Malware Module This week's update features an exploit for Adobe Flash, which Metasploit exploit developers Wei "sinn3r" Chen and Juan Vazquez wrote about last week [/2012/08/17/adobe-flash-player-exploit-cve-2012-1535-now-available-for-metasploit] . Since that bl

3 min Metasploit

Weekly Metasploit Update: Meterpreter, GPP, and More!

We've been cooking along here in Stately Metasploit Manor, mostly heads-down prepping for BlackHat/Defcon season. (Yes, it's that time of year already). In the meantime, we've a grab bag of mostly post modules, a drive-by update to Meterpreter, and Juan's and sinn3r's most excellent new Flash module. Meterpreter for Visual Studio 2010 Meterpreter is the default payload that many of our Windows exploits drop on the target server, and allows for things like unified shell access, file access, etc.