Metasploit
Weekly Update: Corelan, MSFTidy, and UNC Path Injection
28 Hours Later
This week, much of the Metasploit Framework and Metasploit Pro teams here at
Rapid7 had the opportunity to get some intense, in-person training on exploit
development from long-time Metasploit contributor Peter "corelanc0d3r"
Van Eeckhoutte and local Corelan teammates @_sinn3r and TheLightCosine. I'm the
first to admit that my memory corruption skills are pretty light (I hang arou
Metasploit
How to Verify that the Payload Can Connect Back to Metasploit on a NATed Network
If you are running an external penetration test and are working from a NATed
network behind a wireless router, for example from home, you will need to adjust
your router's port forwarding settings so the payload can connect back to
Metasploit. The best option would be to eliminate the router and connect
directly to the Internet, but that would make me unpopular with the other folks
sharing the Internet connection, so it wasn't an option in my case. Setting up
the port forwarding is not too diffi
Patch Tuesday - February 2013 Edition!
It's another busy month of patching for Microsoft administrators, with a number
of high priority fixes going out. On the plus side, none of the issues
patched this month are known to be actively exploited "in the wild".
The highest risk vulnerabilities, and thus the most important to patch, are
MS13-009, MS13-010, MS13-011, & MS13-020.
MS13-009 is a cumulative patch addressing 12 CVEs for Internet Explorer.
MS13-010 was indicated as an Internet Explorer patch in the advance
notificati
Getting Started with the Nexpose Virtual Appliance
Rapid7 now offers a Virtual Appliance to get started quickly with Nexpose. You
can get started with the Nexpose Enterprise Virtual Appliance or the Nexpose
Community Virtual Appliance. If you are an existing customer, please contact
Support for more information.
The Nexpose Virtual Appliance is pre-configured with the following h
Metasploit
Security Flaws in Universal Plug and Play: Unplug, Don't Play
This morning we released a whitepaper entitled Security Flaws in Universal Plug
and Play. This paper is the result of a research project spanning the second
half of 2012 that measured the global exposure of UPnP-enabled network devices.
The results were shocking, to say the least. Over 80 million unique IPs were
identified that responded to UPnP discovery requests from the internet.
Somewhere between 40 and 50 million IPs are vulnerable to at least one of three
attacks outlined in this paper.
Exploits
Ray Sharp CCTV DVR Password Retrieval & Remote Root
On January 22, 2013, a researcher going by the name someLuser detailed a number
of security flaws in the Ray Sharp DVR platform. These DVRs are often used for
closed-circuit TV (CCTV) systems and security cameras. In addition to Ray Sharp,
the exposures seem to affect rebranded DVR products by Swann, Lorex, URMET,
KGuard, Defender, DEAPA/DSP Cop, SVAT, Zmodo, BCS, Bolide, EyeForce, Atlantis,
Protectron, Greatek, Soyo, Hi-View, Cosmos, and J2000. The vulnerabilities allow
for unauthenticated acce
New VMware ESX/ESXi coverage is elegant in its simplicity
The Nexpose coverage team is dedicated to providing weekly updates to the
Nexpose vulnerability database so that you can have the assurance that your
assets are protected against the latest security vulnerabilities. For this
week's release, the coverage team is proud to present a complete overhaul for
our VMware ESX/ESXi content.
Why? You may ask.
In our old coverage model, we connected to the ESX or ESXi server via an
authenticated SSH session to retrieve a list of installed patches on the serv
Metasploit
The Forgotten Spying Feature: Metasploit's Mic Recording Command
About two years ago, Metasploit added the microphone recording feature to
stdapi, thanks to Matthew Weeks. And then, almost a year ago, we actually lost
that command due to a typo. We, and apparently everyone else, never noticed
that until I was looking at th
Weekly Update: Metasploit 4.5.1, MSFUpdate, and More Wordpress Hijinks
MSFUpdate
This week, we've addressed the changes introduced by Metasploit 4.5 on the
command line updater, msfupdate. You can read about it over here, but the gist
of it is, if you want to continue using msfupdate, you will want to take a few
tens of seconds to activate your Metasploit installation, or get yourself moved
over to a fully functional git clone of the Metasploit Framework. And speaking
of updates...
Update to 4.5.1
Lately, Metasploit u
Product Updates
Update to the Metasploit Updates and msfupdate
The Short Story
In order to use the binary installer's msfupdate, you need to first register
your Metasploit installation. In nearly all cases, this means visiting
https://localhost:3790 and filling out the form. No
money, no dense acceptable use policy, just register and go. Want more detail
and alternatives? Read on.
Background
A little over a year ago, Metasploit primary development switched to Git as a
source control platform and GitHub as our primary source hos
Metasploit
Hacking like it's 1985: Rooting the Cisco Prime LAN Management Solution
On January 9th, Cisco released advisory cisco-sa-20130109 to address a
vulnerability in the "rsh" service running on their Cisco Prime LAN
Management Solution virtual appliance. The bug is as bad as it gets - anyone who
can access the rsh service can execute commands as the root user account without
authentication. The example below demonstrates how to exploit this flaw using
Metasploit.
First off, the
Video Tutorial: Introduction to Burp-Suite 1.5 Web Pen Testing Proxy
Author: webpwnized (Twitter: @webpwnized)
Tool: Burp-Suite 1.5 Free Edition
Length: ~1 hour
After installing Burp-Suite, this video covers how to configure the proxy to
intercept, pause, alter, and test requests and responses between a web browser
and a web server (web site).
Much of the basic functionality and some more advanced settings are reviewed
including the Target, Proxy, Sequencer, Repeater, Intruder, and Decoder tab.
While there are many more settings and features than can be covere
Exploits
Exploiting Ruby on Rails with Metasploit (CVE-2013-0156)
Background
Earlier this week, a critical security flaw in Ruby on Rails (RoR) was
identified that could expose an application to remote code execution, SQL
injection, and denial of service attacks. Ruby on Rails is a popular web
application framework that is used by both web sites and web-enabled products,
and this flaw is by far the worst
Metasploit
Weekly Metasploit Update: Rails Scanning, ZDI, and Exploit Dev
Rails Injection Bug
The big news this week turned out to be the new Rails injection bug, aka,
CVE-2013-0156, which you can read about in detail over on HD Moore's blog post.
Soon after the vulnerability was disclosed, @hdmoore had a functional auxiliary
scanner module put together, so as of this moment, you're encouraged to scan the
heck out of your environment, repeatedly, for vulnerable Rails apps. Every Rails
application developed and deployed is vulnerable to this (absent a fix or
workaround
Metasploit
Serialization Mischief in Ruby Land (CVE-2013-0156)
This afternoon a particularly scary advisory was posted to the Ruby on Rails
(RoR) security discussion list. The summary is that the XML processor in RoR
can be tricked into decoding the request as a YAML document or as a Ruby
Symbol, both of which can expose the application to remote code execution or
SQL injection. A gentleman by the name of Felix Wilhelm went into detail