Posts tagged Exploits

Using Reflective DLL Injection to exploit IE Elevation Policies

As you are probably aware, sandbox bypasses are becoming a MUST when exploiting desktop applications such as Internet Explorer. One interesting class of sandbox bypasses abuse IE's Elevation Policies. An example of this type of sandbox bypass is CVE-2015-0016 [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0016]. The vulnerability has already been analyzed by Henry Li, who published a complete description in this blog entry [http://blog.trendmicro.com/trendlabs-security-intelligence/

2 min Penetration Testing

Top 3 Takeaways from the & Campfire Horror Stories: 5 Most Common Findings in Pen Tests & Webcast

Penetration Tests are a key part of assuring strong security, so naturally, security professionals are very curious about how this best practice goes down from the pen tester perspective. Jack Daniel, Director of Services at Rapid7 with 13 years of penetration testing under his belt, recently shared which flaws pen testers are regularly using to access sensitive data on the job in the webcast, “Campfire Horror Stories: 5 Most Common Findings in Pen Tests [https://information.rapid7.com/campfire-

5 min Exploits

Revisiting an Info Leak

Today an interesting tweet [https://twitter.com/Laughing_Mantis/status/631170614720462848] from Greg Linares [https://twitter.com/Laughing_Mantis] (who has been posting awesome analysis on twitter lately!) came to our attention, concerning the MS15-080 [https://technet.microsoft.com/en-us/library/security/ms15-080.aspx] patch: This patch (included in MS15-080) may have been intended stop one of the Window kernel bugs exploited by Hacking Team. But, after our analysis, it appears that there is

11 min Exploits

Exploiting a 64-bit browser with Flash CVE-2015-5119 (Part 2)

This post is a continuation of Exploiting a 64-bit browser with Flash CVE-2015-5119 [/2015/07/31/supporting-a-64-bits-renderer-on-flash-cve-2015-5119] , where we explained how to achieve arbitrary memory read/write on a 64-bit IE renderer. As a reminder, we are targeting Windows 8.1 / IE11 (64 bits) with Flash 15.0.0.189. Of course, this write-up may contain a few errors, so your mileage may vary =) Where we left off before, we had created an interface to work with memory by using a corrupted

3 min Exploits

Exploiting a 64-bit browser with Flash CVE-2015-5119

Some weeks ago, on More Flash Exploits in the Framework [/2015/06/30/more-on-flash-exploits-into-the-framework], we introduced the flash_exploiter library, which is used by Metasploit to quickly add new Flash exploit modules. If you read that blog entry, then you already know that flash_exploiter only supports 32-bit browsers (renderers). In this blog post, we will demonstrate initial steps in adding IE11 64-bit support to CVE-2015-5119 [http://www.cvedetails.com/cve/CVE-2015-5119/] , which is o

2 min Phishing

Top 3 Takeaways from the "Storming the Breach, Part 1: Initial Infection Vector" Webcast

In the recent Rapid7 webcast, “Storming the Breach, Part 1: Initial Infection Vector [https://information.rapid7.com/storming-the-breach-part-1-initial-infection-vector.html?CS=blog] ”, Incident Response experts Wade Woolwine [/author/wade-woolwine] and Mike Scutt had a technical discussion on investigation methodologies for the 3 most common breach scenarios: spear phishing, browser exploitation, and web server compromise. Their discussion was packed with details and expert tips for investigati

2 min Patch Tuesday

R7-2015-09: Oracle Java JRE AES Intrinsics Remote Denial of Service (CVE-2015-2659)

Java 8 servers versions prior to u46 are susceptible to a remote unauthenticated denial of service (hard crash) when used with AES intrinsics (AES-NI) CPU extensions on supported processors. AES intrinsics are enabled by default on the Oracle JVM if the the JVM detects that processor capability, which is common for modern processors manufactured after 2010. For more on AES-NI, see the Wikipedia article [http://en.wikipedia.org/wiki/AES_instruction_set]. This issue was tracked in the OpenJDK pu

2 min Exploits

Weekly Metasploit Wrapup: Meterpretersauce

When You Wish Upon A Shell Back in February we ran a survey [/2015/03/26/meterpreter-2015-you-spoke-we-listened] to figure out where you, the savvy penetration tester, would like to see Meterpreter go. As a result, we now have the Meterpreter Wishlist [https://github.com/rapid7/metasploit-framework/wiki/Meterpreter-Wishlist], and have been working steadily off of that for the last few months. As of this week, we have a pile of accomplishments taken off the wishlist and committed as working cod

5 min Metasploit

Safely Dumping Domain Hashes, with Meterpreter

UPDATE: It has been pointed out that there is prior work worth noting. This blog post [http://www.dcortesi.com/blog/2005/03/22/using-shadow-copies-to-steal-the-sam/] by Damon Cortesi [https://twitter.com/dacort] talked about using Volume Shadow Copy to get the SAM file back in 2005. As with all things in our Industry, we stand on the shoulders of those who came before us. We would certainly not want to take away from anyone else's previous work and accomplishments. Dumping the stored password

8 min Metasploit

Wassenaar Arrangement - Frequently Asked Questions

The purpose of this post is to help answer questions about the Wassenaar Arrangement. You can find the US proposal for implementing the Arrangement here [https://s3.amazonaws.com/public-inspection.federalregister.gov/2015-11642.pdf], and an accompanying FAQ from the Bureau of Industry and Security (BIS) here [http://www.bis.doc.gov/index.php/policy-guidance/faqs#subcat200]. For Rapid7's take on Wassenaar, and information on the comments we intend to submit to BIS, please read this companion pie

7 min Metasploit

Response to the US Proposal for Implementing the Wassenaar Arrangement Export Controls for Intrusion Software

On May 20th 2015, the Bureau of Industry and Security (BIS) published its proposal [https://s3.amazonaws.com/public-inspection.federalregister.gov/2015-11642.pdf] for implementing new export controls under the Wassenaar Arrangement. These controls would apply to: * systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software; * software specially designed or modified for the development or production of suc

2 min Vulnerability Disclosure

Remote Coverage for MS15-034 HTTP.sys Vulnerability (CVE-2015-1635)

Patch Tuesday last week saw the release of Microsoft security bulletin MS15-034, which addresses CVE-2015-1635, a remote code execution vulnerability in Microsoft Internet Information Services (IIS) running on Windows 7 / Server 2008 R2 and later. This vulnerability can be trivially exploited as a denial of service attack by causing the infamous Blue Screen of Death (BSoD) with a simple HTTP request [https://www.youtube.com/watch?v=BlBXREzsytc]. In order to provide better assessment of your ass

3 min AppSpider

Security Testing Complex Workflows, Not So Complex Anymore

Conducting web application security testing [http://www.rapid7.com/products/appspider/]for complex workflows can be a real pain. In order to find vulnerabilities, valid test data must be passed through exactly as the workflow prescribes. Most web application security testing scanners aren't up for the job, so security testers must supplement their scans with manual testing. If your organization has just a couple applications that aren't changing, then manual testing may not be a big deal, but t

4 min AppSpider

Modernize Your Application Security Scanning in Four Easy Steps

You've built modern mobile and rich internet applications (RIAs) that are sure to improve your business' next major revenue stream. Conscious of security, you've ensured that the native application authenticates to the server, and you've run the app through a web application security scanner to identify weaknesses in the code. Those vulnerabilities have been remediated, and now you're ready to go live. Not so fast. Despite your best intentions, chances are good your mobile and rich internet ap