Metasploit
Change the Theme, Get a Shell: Remote Code Execution with MS13-071
Recently we've added an exploit for MS13-071
[https://www.rapid7.com/db/vulnerabilities/windows-hotfix-ms13-071] to
Metasploit. Rated "Important" by Microsoft, this remote code execution
vulnerability, found by Eduardo Prado, affects Windows XP and Windows 2003
environments and is triggered by handling specially crafted theme files. In this
blog post we would like to discuss the vulnerability and give some helpful tips
for exploiting it from Metasploit.
First of all, the bug occurs while handling the [boot] section on
Metasploit
Weekly Update
Windows Meterpreter: Reloaded
If you've been around Metasploit for any length of time, you know that
Meterpreter is the preferred and de facto standard for manipulating a target
computer after exploitation. While Meterpreter and Metasploit go hand-in-hand,
we did manage to get some code separation between the two by breaking Windows
Meterpreter out into its own open source repository on GitHub
[https://github.com/rapid7/meterpreter].
As threatened in a previous blog post [/2013/09/05/weekly-update],
Metasploit
Weekly Update: MSIE, GE Proficy, and handling Metasploit merge conflicts
Exploiting Internet Explorer (MS13-055)
This week, we open with a new IE exploit. This is a pretty recent patch (from
July, 2013), and more notably, it appears it was silently patched without
attribution to the original discoverer, Orange Tsai. So, if you're a desktop IT
admin, you will certainly want to get your users revved up to the latest patch
level. Thanks tons to Peter WTFuzz [https://twitter.com/WTFuzz] Vreugdenhil and
of course Wei sinn3r [https://twitter.com/_sinn3r] Chen for knocking
Product Updates
Weekly Update: Apple OSX Privilege Escalation
Sudo password bypass on OSX
This week's update includes a nifty local exploit for OSX, the sudo bug
described in CVE-2013-1775. We don't have nearly enough of these Apple desktop
exploits, and it's always useful to disabuse the Apple-based cool-kids web app
developer crowd of the notion that their computing platform of choice is
bulletproof.
Joe Vennix [https://github.com/jvennix-r7], the principal author of this module,
is, in fact, of that very same Apple-based developer crowd, and usually bu
Metasploit
Firewall Egress Filtering
Why And How You Should Control What's Leaving Your Network
Most companies have firewall rules that restrict incoming traffic, but not
everyone thinks to restrict data leaving the network. That's a shame, because a
few easy configurations can save you a lot of headaches.
Firewall egress filtering controls what traffic is allowed to leave the network,
which can prevent leaks of internal data and stop infected hosts from contacting
their command & control servers. NAT alone won't help you - you ac
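The post describes egress filtering in words only; what follows is an added example, not code from the post or from Rapid7, showing what a default-deny outbound policy actually looks like as iptables rules on a Linux host or gateway. All addresses are hypothetical assumptions: LAN 10.0.0.0/8, internal DNS resolver 10.0.0.53, internal NTP server 10.0.0.123, and an outbound web proxy at 10.0.0.80 on TCP/3128. The script is a dry run by default (it prints the commands); run it with IPT=iptables to apply them.

```sh
#!/bin/sh
# Added example (not from the Rapid7 post): a default-deny egress policy for a
# Linux host or gateway, expressed as iptables commands. Assumed addresses
# (hypothetical): LAN 10.0.0.0/8, internal resolver 10.0.0.53, internal NTP
# server 10.0.0.123, outbound web proxy 10.0.0.80 on TCP/3128.
# Dry run by default: IPT just echoes the commands. Set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

# Emit the ruleset for one chain: OUTPUT for the host's own traffic, or
# FORWARD for traffic a gateway routes out on behalf of the LAN.
egress_rules() {
    chain="$1"

    # Default deny: anything not explicitly allowed below never leaves.
    # NAT alone does nothing here; a NATed host can still reach any C2 server.
    $IPT -P "$chain" DROP
    if [ "$chain" = OUTPUT ]; then
        $IPT -A "$chain" -o lo -j ACCEPT
    fi
    # Replies belonging to connections that were already allowed are fine.
    $IPT -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Traffic that stays inside the LAN is not egress; let it through.
    $IPT -A "$chain" -d 10.0.0.0/8 -j ACCEPT
    # DNS and NTP only to the internal servers, never to arbitrary Internet
    # hosts: direct outbound DNS is a classic C2 and exfiltration channel.
    $IPT -A "$chain" -p udp --dport 53 -d 10.0.0.53 -j ACCEPT
    $IPT -A "$chain" -p tcp --dport 53 -d 10.0.0.53 -j ACCEPT
    $IPT -A "$chain" -p udp --dport 123 -d 10.0.0.123 -j ACCEPT
    # Web traffic must go through the proxy, where it can be logged and inspected.
    $IPT -A "$chain" -p tcp --dport 3128 -d 10.0.0.80 -j ACCEPT
    # Log what is about to hit the DROP policy (rate limited). These log lines
    # are the detection signal: a host trying to reach something it should not.
    $IPT -A "$chain" -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DENY: "
}

# Usage: sh egress.sh [OUTPUT|FORWARD]   (prefix with IPT=iptables to apply)
egress_rules "${1:-OUTPUT}"
```

Two practical notes: apply this on a test host first, because a default-deny OUTPUT chain also blocks package updates, monitoring agents and anything else you forgot to list, and that is exactly the point of the LOG rule, which tells you what you forgot before you roll it out to the gateway's FORWARD chain.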
Product Updates
Weekly Update: Cooperative Disclosure and Assessing Joomla
Cooperative Disclosure
I'm in attendance this year at Rapid7's UNITED Security Summit, and the
conversations I'm finding myself in are tending to revolve around vulnerability
disclosure. While Metasploit doesn't traffic in zero-day vulnerabilities every
day, it happens often enough that we have a disclosure policy that we stick to
when we get a hold of newly uncovered vulnerabilities.
What's not talked about in that disclosure policy is the Metasploit exploit dev
community's willingness to help
Metasploit
SecureNinjaTV Interview: Tod Beardsley About Metasploit 10th Anniversary
At Black Hat 2013 in Vegas this year, our very own Tod Beardsley was cornered by
SecureNinja TV and socially engineered into giving an interview. Here is the
result, captured for eternity:
[http://www.youtube.com/watch?v=yFHA5F2crFE&feature=youtu.be]
Metasploit
Metasploit Design Contest: So Much Win!
You may recall that back in May, we announced a Metasploit design contest
[/2013/05/03/metasploits-10th-anniversary-laptop-decal-design-competition] to
commemorate 10 years of Metasploit -- and now, it's time to announce the (many)
winners! Once again, the open source security community has blown me away with
your creativity, dedication, and subversive humor. We had a total of 118 designs
(most of which did not suck!) from 55 designers. Not bad for a nearly completely
hashtag-driven contest! In
Metasploit
Good Exploits Never Die: Return of CVE-2012-1823
According to Parallels, "Plesk is the most widely used hosting control panel
solution, providing everything needed for creating and offering rich hosting
plans and managing customers and resellers, including an intuitive User
Interface for setting up and managing websites, email, databases, and DNS."
(source: Parallels [http://www.parallels.com/products/plesk/webhosters/]). On
June 5, kingcope shocked the Plesk world by announcing a new 0-day that could
allow remote command execution:
Accordi
Metasploit
Metasploit Update: Those Sneaky IPMI Devices
IPMI, in my network?
This week's update features a set of tools for auditing your IPMI
infrastructure. "Phew, I'm glad I'm not one of those suckers," you might be
thinking to yourself. Well, the thing about IPMI (aka, the Intelligent Platform
Management Interface) is that it's just a skootch more esoteric than most
protocols, and even experienced server administrators may not be aware of it. Do
you use server hardware from IBM, Dell, or HP? Have you ever had to use IBM's
Remote Supervisor adapte
Metasploit
A Penetration Tester's Guide to IPMI and BMCs
Introduction
Dan Farmer is known for his groundbreaking work [http://fish2.com/security/] on
security tools and processes. Over the last year, Dan has identified some
serious security issues [http://fish2.com/ipmi/] with the Intelligent Platform
Management Interface (IPMI) protocol and the Baseboard Management Controllers
(BMCs) that speak it. This post goes into detail on how to identify and test for
each of the issues that Dan identified, using a handful of free security tools.
If you are lo
Metasploit
Weekly Update: Fun with ZPanel, MoinMoin, and FreeBSD
Chaining Zpanel Exploits for Remote Root
ZPanel is a fun, open source web hosting control panel, written in code
auditors' favorite language, PHP. For bonus points, ZPanel likes to do some
things as root, so it installs a nifty little setuid binary called 'zsudo' that
does pretty much what you might expect from a utility of that name -- without
authentication. In the wake of some harsh words on reddit and elsewhere in
regard to the character of ZPanel's development team, the project came to the
Metasploit
From the Wild to Metasploit: Exploit for MoinMoin Wiki (CVE-2012-6081)
Recently we added a Metasploit module for CVE-2012-6081
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6081], an arbitrary file
upload vulnerability affecting version 1.9.5 (now patched!) of the MoinMoin
[http://moinmo.in/] Wiki software. In this blog entry we would like to share
both the vulnerability details and how it was turned into RCE (exploited in the
wild!), because the exploitation is quite interesting and several details must
be taken into account to successfully e
Product Updates
Weekly Update: Smaller is Better
In this week's episode, the role of Tod Beardsley will be played by egypt.
Smaller is better
Perhaps the most prominent addition to the framework this week is not an
addition at all, but rather a deletion. We've been working toward a slimmer,
more manageable source tree for a while now, and as part of that effort, we
recently removed a pile of old-and-busted unit tests. This update goes a bit
further, moving source code for some compiled payloads into separate
repositories. Metasploit's version
Product Updates
Weekly Update: The Nginx Exploit and Continuous Testing
Nginx Exploit for CVE-2013-2028
The most exciting element of this week's update is the new exploit for Nginx
which exercises the vulnerability described by CVE-2013-2028
[http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html]. The
Metasploit module was written by Metasploit community contributors hal and
saelo, and exploits Greg McManus's bug across a bunch of versions on a few
pre-compiled Linux targets. We don't often come across remote, server-side stack
buffer overflows in popul