6 min
Metasploit
Flipping Bits in the Windows Kernel
Recently, the MS15-061 bulletin has received some attention. This security
bulletin includes patches for several Windows Kernel vulnerabilities, mainly
related to win32k.sys. Details of one of them, discovered by Udi Yavo, have been
very well covered.
First, the same Udi Yavo published details about the Use After Free on a blog
entry. Later, Dominic Wang [https://twitter.com/d0mzw] wrote an even more
detailed analysis of both the vulnerability and its exploitation in this paper.
Finally, Meysam
20 min
Metasploit
A Debugging Session in the Kernel
Last week, an awesome paper
[https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/september/exploiting-cve-2015-2426-and-how-i-ported-it-to-a-recent-windows-8.1-64-bit/]
about the MS15-078 vulnerability and its exploitation was published by Cedric
Halbronn [https://twitter.com/saidelike]. This vulnerability, originally found
and exploited by Eugene Ching [https://twitter.com/eugeii], already has a
work-in-progress module in Metasploit, which you can follow on github
[https://
13 min
Metasploit
Using Reflective DLL Injection to exploit IE Elevation Policies
As you are probably aware, sandbox bypasses are becoming a MUST when exploiting
desktop applications such as Internet Explorer. One interesting class of sandbox
bypasses abuses IE's Elevation Policies. An example of this type of sandbox
bypass is CVE-2015-0016
[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0016]. The
vulnerability has already been analyzed by Henry Li, who published a complete
description in this blog entry
[http://blog.trendmicro.com/trendlabs-security-intelligence/
5 min
Exploits
Revisiting an Info Leak
Today an interesting tweet
[https://twitter.com/Laughing_Mantis/status/631170614720462848] from Greg
Linares [https://twitter.com/Laughing_Mantis] (who has been posting awesome
analysis on twitter lately!) came to our attention, concerning the MS15-080
[https://technet.microsoft.com/en-us/library/security/ms15-080.aspx] patch:
This patch (included in MS15-080) may have been intended to stop one of the Windows
kernel bugs exploited by Hacking Team. But, after our analysis, it appears that
there is
11 min
Exploits
Exploiting a 64-bit browser with Flash CVE-2015-5119 (Part 2)
This post is a continuation of Exploiting a 64-bit browser with Flash
CVE-2015-5119 [/2015/07/31/supporting-a-64-bits-renderer-on-flash-cve-2015-5119],
where we explained how to achieve arbitrary memory read/write on a 64-bit IE
renderer. As a reminder, we are targeting Windows 8.1 / IE11 (64 bits) with
Flash 15.0.0.189. Of course, this write-up may contain a few errors, so your
mileage may vary =)
Where we left off before, we had created an interface to work with memory by
using a corrupted
3 min
Exploits
Exploiting a 64-bit browser with Flash CVE-2015-5119
Some weeks ago, on More Flash Exploits in the Framework
[/2015/06/30/more-on-flash-exploits-into-the-framework], we introduced the
flash_exploiter library, which is used by Metasploit to quickly add new Flash
exploit modules. If you read that blog entry, then you already know that
flash_exploiter only supports 32-bit browsers (renderers). In this blog post, we
will demonstrate initial steps in adding IE11 64-bit support to CVE-2015-5119
[http://www.cvedetails.com/cve/CVE-2015-5119/], which is o
3 min
News on the Embedded Systems Land
Last year we worked hard to improve the embedded-device capabilities available
in Metasploit, collaborating with awesome guys like m-1-k-3
[https://twitter.com/s3cur1ty_de] to add new modules and capabilities
[/2013/04/05/compromising-embedded-linux-routers-with-metasploit], collaborating
[/2013/07/02/a-penetration-testers-guide-to-ipmi] and conducting research
[/2013/11/06/supermicro-ipmi-firmware-vulnerabilities] like the IPMI-related
work by HD Moore [https://twitter.com/hdmoore], or shari
4 min
Metasploit
Bypassing Adobe Reader Sandbox with Methods Used In The Wild
Recently, FireEye identified and shared information
[http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html]
about two vulnerabilities used in the wild to exploit Adobe Reader on Windows XP
SP3 systems. The vulnerabilities are:
* CVE-2013-3346 [http://cvedetails.com/cve/CVE-2013-3346]: A Use After Free in
Adobe Reader, specifically in the handling of a ToolButton object, which can
be exploited through the document's Java
1 min
Research
A Pentester's Introduction to SAP & ABAP
If you're conducting security assessments on enterprise networks, chances are
that you've run into SAP systems. In this blog post, I'd like to give you an
introduction to SAP and ABAP to help you with your security audit.
The full SAP solution (ERP or SAP Business Suite) consists of several
components. However, to manage the different areas of a large enterprise,
probably one of the better known components or features of the SAP solution is
the development system based on ABAP [http://en.wikipe
5 min
Metasploit
Exploiting the Supermicro Onboard IPMI Controller
Last week @hdmoore [https://twitter.com/hdmoore] published the details about
several vulnerabilities in the Supermicro IPMI firmware
[/2013/11/06/supermicro-ipmi-firmware-vulnerabilities]. With the advisory's
release, several modules landed in Metasploit to check Supermicro devices
against several of the published vulnerabilities:
Module: smt_ipmi_static_cert_scanner
[http://www.rapid7.com/db/modules/auxiliary/scanner/http/smt_ipmi_static_cert_scanner]
Purpose: This module ca
4 min
Metasploit
Change the Theme, Get a Shell: Remote Code Execution with MS13-071
Recently we've added an exploit for MS13-071
[https://www.rapid7.com/db/vulnerabilities/windows-hotfix-ms13-071] to
Metasploit. Rated as "Important" by Microsoft, this remote code execution
vulnerability, found by Eduardo Prado and affecting Windows XP and Windows 2003
environments, is triggered by handling specially crafted themes. In this blog post we would like to discuss
the vulnerability and give some helpful tips for exploiting it from Metasploit.
First of all, the bug occurs while handling the [boot] section on
6 min
Metasploit
Good Exploits Never Die: Return of CVE-2012-1823
According to Parallels, "Plesk is the most widely used hosting control panel
solution, providing everything needed for creating and offering rich hosting
plans and managing customers and resellers, including an intuitive User
Interface for setting up and managing websites, email, databases, and DNS."
(source: Parallels [http://www.parallels.com/products/plesk/webhosters/]). On
June 5, kingcope shocked the Plesk world by announcing a new 0-day which could
allow for remote command execution:
Accordi
13 min
Metasploit
From the Wild to Metasploit: Exploit for MoinMoin Wiki (CVE-2012-6081)
Recently we added a module for CVE-2012-6081
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6081] to Metasploit, an
arbitrary file upload vulnerability affecting version 1.9.5 (patched!) of the
MoinMoin [http://moinmo.in/] Wiki software. In this blog entry we would like to
share both the vulnerability details and how it was turned into RCE (exploited
in the wild!), because the exploitation is quite interesting and several
details must be taken into account to successful e
4 min
Exploits
Exploit for new Vulnerability on Honeywell EBI ActiveX (CVE-2013-0108)
Today, we present to you a new vulnerability, CVE-2013-0108
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0108], discovered in
Honeywell Enterprise Buildings Integrator (EBI)
[https://buildingsolutions.honeywell.com/Cultures/en-US/ServicesSolutions/BuildingManagementSystems/EnterpriseBuildingsIntegrator/]
R310 - R410.2. This platform is used to integrate different systems and devices
such as heating, ventilation, and air conditioning (HVAC) controls; security;
access control; life sa