4 min
Metasploit
Serialization Mischief in Ruby Land (CVE-2013-0156)
This afternoon a particularly scary advisory
[https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion]
was posted to the Ruby on Rails (RoR) security discussion list. The summary is
that the XML parameter parser in RoR honours a per-element type attribute, so a
request can be tricked into being decoded as a YAML document or as a Ruby
Symbol, both of which can expose the application to remote code execution or
SQL injection. A gentleman by the name of Felix Wilhelm went
into detail [http://www.insinuator.net/2013/01/r
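As an added illustration of the mechanism the advisory describes (this is example code, not the advisory's, Rails's or Metasploit's own), the Ruby below models the typed-value dispatch that ActiveSupport's XML parameter parser applied to a type attribute, with the vulnerable dispatch table beside the hardened one. The class, table and helper names and the request body are constructed for this example.

```ruby
require 'rexml/document'
require 'yaml'

# Added example, not Rails code: a small model of the typed-value dispatch
# ActiveSupport's XmlMini applied to <elem type="...">text</elem> nodes when
# building params from an XML request body. Names here (Fixture, the *_CASTS
# tables, params_from_xml) are hypothetical.

# Stand-in for any class loadable in the app: YAML can name it by tag.
class Fixture
  attr_accessor :cmd
end

# Rails-era YAML.load revived arbitrary Ruby objects; on modern Psych that
# behaviour lives in YAML.unsafe_load, so pick whichever this Ruby has.
def legacy_yaml_load(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Vulnerable dispatch table: the 'symbol' and 'yaml' entries hand
# attacker-controlled text to to_sym and to a full YAML object loader.
VULNERABLE_CASTS = {
  'integer' => ->(s) { s.to_i },
  'boolean' => ->(s) { %w[1 true].include?(s.strip) },
  'symbol'  => ->(s) { s.to_sym },
  'yaml'    => ->(s) { legacy_yaml_load(s) }
}.freeze

# Hardened table, mirroring the fix: drop 'symbol' and 'yaml', so those
# type attributes no longer select a decoder and the text stays a String.
HARDENED_CASTS = VULNERABLE_CASTS.reject { |k, _| %w[symbol yaml].include?(k) }.freeze

# Build a params-style Hash from the root element's children, casting each
# child's text according to its type attribute (unknown types stay Strings).
def params_from_xml(xml, casts)
  doc = REXML::Document.new(xml)
  doc.root.elements.each_with_object({}) do |el, h|
    text = el.text.to_s
    caster = casts[el.attributes['type']]
    h[el.name] = caster ? caster.call(text) : text
  end
end

# Constructed request body of the shape the advisory warns about: the
# YAML document inside <name> names a Ruby class to instantiate.
EVIL_XML = <<~XML
  <user>
    <name type="yaml">--- !ruby/object:Fixture
  cmd: id
  </name>
    <role type="symbol">admin</role>
    <age type="integer">42</age>
  </user>
XML

def vulnerable_params
  params_from_xml(EVIL_XML, VULNERABLE_CASTS)
end

def hardened_params
  params_from_xml(EVIL_XML, HARDENED_CASTS)
end

if __FILE__ == $PROGRAM_NAME
  v = vulnerable_params
  puts "vulnerable: name=#{v['name'].class} role=#{v['role'].inspect} age=#{v['age'].inspect}"
  h = hardened_params
  puts "hardened:   name=#{h['name'].class} role=#{h['role'].inspect} age=#{h['age'].inspect}"
end
```

With the vulnerable table the body yields a live Fixture instance and a Symbol where the application expected strings; with the hardened table, which simply drops the two decoders (the shape of the fix Rails shipped), the same body yields plain Strings. On current Rubies YAML.load is already the safe loader, which is why the example reaches for unsafe_load to reproduce the 2013 behaviour.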
4 min
Penetration Testing
Free Metasploit Penetration Testing Lab in the Cloud
No matter whether you're taking your first steps with Metasploit or if you're
already a pro, you need to practice, practice, practice your skillz. Setting up
a penetration testing lab can be time-consuming and expensive (unless you have
the hardware already), so I was very excited to learn about a new, free service
called Hack A Server, which offers vulnerable machines for you to pwn in the
cloud. The service only required that I download and launch a VPN configuration
to connect to the vulnerab
3 min
Metasploit
Using BackTrack 5 R3 with Metasploit Community or Metasploit Pro
Update: Kali Linux has now superseded BackTrack as a platform. We strongly
recommend using Kali Linux over BackTrack if you are going to run Metasploit.
More info here
[https://www.rapid7.com/blog/post/2013/03/13/metasploit-now-supports-kali-linux-the-evolution-of-backtrack/].
As of version 5 R3, BackTrack comes pre-installed with Metasploit 4.4, so it's
now easier to use Metasploit Community Edition or Metasploit Pro on BackTrack.
Here is how it's done:
* After BackTrack boots, enter startx t
2 min
Metasploit
How Metasploit's 3-Step Quality Assurance Process Gives You Peace Of Mind
Metasploit exploits undergo a rigorous 3-step quality assurance process so you
have the peace of mind that exploits will work correctly and not affect
production systems on your next assignment.
Step 1: Rapid7 Code Review
Many of the Metasploit exploits are contributed by Metasploit's community of
over 175,000 users, making Metasploit the de facto standard for exploit
development. This is a unique ecosystem that benefits all members of the
community because every Metasploit user is a “sensor”
8 min
Metasploit
New Metasploit Exploit: Crystal Reports Viewer CVE-2010-2590
In this blog post we would like to share some details about the exploit for
CVE-2010-2590, which we released in the last Metasploit update. This module
exploits a heap-based buffer overflow, discovered by Dmitriy Pletnev, in the
CrystalReports12.CrystalPrintControl.1 ActiveX control included in
PrintControl.dll. This control is shipped with the Crystal Reports Viewer, as
installed by default with Crystal Reports 2008. While this is a vulnerability
from the end of 2010, its exploitation has some
2 min
Metasploit
Weekly Metasploit Update: CrystalReports and Testing Discipline
Dissecting CrystalPrintControl
This week's update is, by all accounts, pretty light. This may be the first
update we've shipped that has exactly one new module. To make up for the lack
of quantity, though, we've got some quality for you, oh boy.
If it's snowy and blustery where you live, grab yourself a cup of hot cocoa,
gather the kids, and watch their little eyes twinkle in the firelight as you
regale them with the classic fable of how Metasploit Exploitation Elf Juan
@_juan_vazquez [https:
2 min
Metasploit
Introduction to Metasploit Hooks
Metasploit provides many ways to simplify your life as a module developer. One
of the less well-known is the set of hooks you can use to run code at important
stages of a module's lifetime. The basic one that anyone who has written an
exploit will be familiar with is exploit, which is called when the user types
the exploit command. That method is common to all exploit modules. Aux and post
modules have an analogous run method. Common to all the runnable modules
8 min
Metasploit
The Odd Couple: Metasploit and Antivirus Solutions
I hear a lot of questions concerning antivirus evasion with Metasploit, so I'd
like to share some of the information critical to understanding this problem.
This blog post is not designed to give you surefire antivirus (AV) evasion
techniques, but rather to help you understand the fundamentals of the issue.
A Quick Glossary
Before we begin, let's define a few terms. This will be important for
understanding some of the things we will discuss.
Payload: A payload is the actual code that is being del
3 min
Metasploit
Weekly Metasploit Update: Exploit Dev How-to and InfoSec Targets
Metasploit 4.5 has been out for a few days, so it's high time for an update.
Let's hop to it!
1000th Exploit: Freefloat FTP WMI
I often hear the question, "How do I get started on writing exploits?" Well, I'd
like to point you to Metasploit's 1000th exploit (future Hacker Jeopardy
contestants, take note): On December 7, 2012, Wei "sinn3r" Chen and Juan Vazquez
committed FreeFloat FTP Server Arbitrary File Upload
[http://www.metasploit.com/modules/exploit/windows/ftp/freefloatftp_wbem]. Now,
as
2 min
Metasploit
Weekly Metasploit Update: OpenVAS, SAP, NetIQ, and More!
Now that I've consumed a significant percentage of my own weight in turkey
(seriously, it was something like five percent), it's time to shake off the
tryptophan and get this week's update out the door.
Attacking Security Infrastructure: OpenVAS
This week's update features three new modules for bruteforcing three different
OpenVAS authentication mechanisms, all provided by community contributor Vlatko
@k0st [https://twitter.com/k0st] Kosturjak. OpenVAS is an open source security
management stac
2 min
Metasploit
Weekly Metasploit Update: Web Libs, SAP, ZDI, and More!
Fresh Web Libs
As we head into the holiday season here in the U.S., Metasploit core developers
Tasos @Zap0tek [https://twitter.com/Zap0tek] Laskos and James @Egyp7
[https://twitter.com/egyp7] Lee finished up a refresh of the Metasploit fork of
the Anemone libraries, which is what we use for basic web spidering. You can
read up on it here [http://anemone.rubyforge.org/]. The Metasploit fork isn't
too far off of Chris Kite's mainline distribution, but does account for
Metasploit's Rex sockets, ad
4 min
Metasploit
Weekly Metasploit Update: WinRM x2, ADDP, RealPort, CI and BDD
WinRM, Part Two
In the last Metasploit update blog post, we talked about the work from
Metasploit core contributors @TheLightCosine [http://twitter.com/thelightcosine]
, @mubix [http://twitter.com/mubix] and @_sinn3r [http://twitter.com/_sinn3r] on
leveraging WinRM / WinRS. As of this update, Metasploit users can now execute
WQL queries
[http://www.metasploit.com/modules/auxiliary/scanner/winrm/winrm_wql], execute
commands [http://www.metasploit.com/modules/auxiliary/scanner/winrm/winrm_cmd],
an
6 min
Metasploit
Abusing Windows Remote Management (WinRM) with Metasploit
Late one night at Derbycon [https://www.derbycon.com/], Mubix
[https://twitter.com/mubix] and I were discussing various techniques of mass
ownage. When Mubix told me about the WinRM service, I wondered: "Why don't we
have any Metasploit modules for this yet?" After I got back, I began digging.
WinRM/WinRS
WinRM is a remote management service for Windows. It ships with Windows Vista
and later but is not enabled by default, and for older versions such as XP and
Server 2003 it is available as a separate install. Win
3 min
Metasploit
Weekly Metasploit Update: WinRM Part One, Exploiting Metasploit, and More!
WinRM Exploit Library
For the last couple weeks, Metasploit core contributor David @TheLightCosine
[http://twitter.com/thelightcosine] Maloney has been diving into Microsoft's
WinRM services with @mubix [http://twitter.com/mubix] and @_sinn3r
[http://twitter.com/_sinn3r]. Until these guys started talking about it, I'd
never heard of WinRM. If you're also not in the Windows support world
day-to-day, you can read up on it at Microsoft
[http://msdn.microsoft.com/en-us/library/windows/desktop/aa384426(
2 min
Metasploit
Weekly Metasploit Update: Microsoft Windows and SQL, TurboFTP, and More!
AppSecUSA 2012
Last week was AppSecUSA 2012 here in Austin, which may explain the curious
absence of a weekly Metasploit Update blog post. The highlights of AppSec for
me were (in no particular order): meeting Raphael @ArmitageHacker
[https://twitter.com/armitagehacker] Mudge in person for the first time, and
meeting Scott @_nullbind [https://twitter.com/_nullbind] Sutherland, author of
a bunch of recent Microsoft SQL post modules, both of whom happened to
contribute to last week's Metasploit upda