Metasploit Framework 3.5.2 Released!
On February 1st, Eduardo Prado of Secumania notified us of a privilege
escalation vulnerability on multi-user Windows installations of the Metasploit
Framework. The problem was due to inherited permissions that allowed an
unprivileged user to write files in the Metasploit installation directory.
Today we are releasing version 3.5.2 to fix this vulnerability. The new
installers fix this issue through two changes: first, we've moved the default
installation to %ProgramFiles%, which does not nor
Exploiting SEH Overwrites Using ROP
In the final days of 2010, an exploit for the Windows CreateSizedDIBSECTION
vulnerability was added
[https://twitter.com/#!/jduck1337/status/22315323722039296] to the Metasploit
trunk. The trigger bitmap was taken byte-for-byte from Moti and Xu Hao's slides
[http://www.exploit-db.com/download_pdf/15899/] from the Power of Community
[http://powerofcommunity.net/] conference. However, the method for achieving
code execution on Windows XP was slightly different.
Since this vulnerability is basical
Mobile Device Security and Android File Disclosure
Back in November, Thomas Cannon brought to light
[http://thomascannon.net/blog/2010/11/android-data-stealing-vulnerability/] an
issue within the Android operating system. Specifically, he found that it was
possible to obtain the contents of files on an Android device by simply
persuading its owner to visit a web site under attacker control. The issue only
garners a 3.5 CVSS score, but it's still fairly serious.
Thomas reported this issue responsibly to Google and they took it seriously.
Ho
Patch Tuesday
January Patch Tuesday Roundup
So I know we all were hoping to see a fix for some of this Windows Graphics
Rendering Engine nastiness...but no go. For now, you'll need to resort
to the good ol' FixIt [http://support.microsoft.com/kb/2490606] option or if you
wanna get your hands dirty, you can modify the ACL on shimgvw.dll directly.
Either way, if you're running IE, you'll have to patiently wait for the official
patch release.
So this monthly release was lean-n-mean, Microsoft released (2) bulletins,
addressing (3)
Plunderous Informative Pirates
Gawker got owned. Bad. The data breach produced some pretty
entertaining fallout: a hacker gang took down a website purely on perceived
arrogance and self-worth of the target, millions of accounts wound up
compromised all across the web. NPR and other outlets wound up trying to tell us
for like the 10th time how to make a secure password. Overall, it was probably
the second-most entertaining data-breach this year. (The first one, of course,
was when the GNAA goatse'd the world with
Metasploit
Cisco IOS Penetration Testing with Metasploit
The Metasploit Framework and the commercial Metasploit products have always
provided features for assessing the security of network devices. With the latest
release, we took this a step further and focused on accelerating the penetration
testing process for Cisco IOS devices. While the individual modules and
supporting libraries were added to the open source framework, the commercial
products can now chain these modules together to quickly compromise all
vulnerable devices on the network. The sc
Offensive Security = Backtrack Linux + Metasploit Pro
This week the guys over at Offensive Security [https://www.offsec.com/]
officially added Metasploit Pro
[https://www.rapid7.com/products/metasploit/download/] to their curriculum for
the class Penetration Testing with BackTrack
[https://www.offsec.com/courses-and-certifications/]. For those not familiar
with it, BackTrack [http://www.backtrack-linux.org/] is a Linux distribution
that includes a lot of tools for penetration testing. Since 2006, it has been
downloaded three million times and has b
Metasploit
Sesame Open: Auditing Password Security with Metasploit 3.5.1
Secret passwords don't only get you into Aladdin's cave or the tree house, but
also into corporate networks and bank accounts. Yet, they are one of the weakest
ways to protect access. Sure, there are better ways to secure access, such as
smart cards or one-time password tokens, but these are still far from being
deployed everywhere although the technology has matured considerably over the
past years. Passwords are still the easiest way into a network.
The new Metasploit version 3.5.1 adds a l
Metasploit Framework 3.5.1 Released!
Rapid7 and the Metasploit Project are proud to announce version 3.5.1 of the
Metasploit Framework! This minor version release adds 47 new modules, including
exploit coverage for recent bugs in the news: Exim4
[http://www.metasploit.com/modules/exploits/unix/smtp/exim4_string_format],
Internet Explorer
[http://www.metasploit.com/modules/exploit/windows/browser/ms10_xxx_ie_css_clip],
and ProFTPd. Java payloads have seen significant improvement and
java_signed_applet can now use them for compl
Capturing Windows Logons with Smartlocker
Oftentimes during a penetration test engagement, a bit of finesse goes a long
way. One of the most effective ways to capture the clear-text user password from
a compromised Windows machine is through the "keylogrecorder" Meterpreter
script. This script can migrate into the winlogon.exe process, start capturing
keystrokes, and then lock the user's desktop (the -k option). When the user
enters their password to unlock their desktop, you now have their password.
This, while funny and effective, can
Exploits
Setting Up a Test Environment for VPN Pivoting with Metasploit Pro
Penetration testing software only shows its true capabilities on actual
engagements. However, you cannot race a car before you've ever sat in the
driver's seat. That's why in this article I'd like to show you how to set up a
test environment for VPN pivoting, a Metasploit Pro
[https://www.rapid7.com/products/metasploit/download/] feature for intermediate
and advanced users recently described in this post
[https://community.rapid7.com/blogs/rapid7/2010/11/08/how-vpn-pivoting-creates-an-undetectab
The Big Easy
People don't like to hire blackhats. It's great because it speaks to so many
levels of assumptions and interests me immensely because of it. Arguably, the
mentality speaks to a much lower level issue with the pervasive American ideal
of perfectionism-- but if I wanted to wax wasteful poetic on the irritating
low-level sociological tendencies of our culture, I'd start a LiveJournal. I've
already got this blog, so let's just stick to the context of the greater
security community.
We all know th
Metasploit
Turning Your World Upside Down: Metasploit Ambigram Tattoos
Bill Swearingen aka hevnsnt blew us away by designing a Metasploit ambigram for the Metasploit Pro tattoo contest
You may remember Roy's Metasploit tattoo
[https://community.rapid7.com/blogs/rapid7/2010/11/01/we-weren-t-joking-when-we-said-tattoos]
a few weeks ago, which prompted our Metasploit Pro
[http://www.rapid7.com/products/metasploit-pro.jsp] tattoo competition. We
thought it was a cute idea, expecting a few fun pictures with felt pen tattoos
or tattoo photo montages of the Metas
Metasploit: Now with more commercial-grade-y-ness
Update (11/17/2010 10:14PM): I've updated the title of this post, based
solely on the fact that I don't think the old title captured the essence of the
post, and didn't convey the tone I wanted to take.
Clearly Metasploit is a commercial grade product, so the title is decidedly
tongue-in-cheek, but it's important to highlight this fact. A huge benefit of
the commercial products is that we now have the resources to provide QA'd
snapshots (see below). In addition, every submission is hand-revi
Patch Tuesday
November Patch Tuesday Roundup
Microsoft's November Patch Tuesday was fairly light, with only 3 security
bulletins covering 11 vulnerabilities; only one bulletin, MS10-087, was rated
critical. That bulletin addresses an MS Office 2007 and Office 2010
vulnerability which could be exploited by a classic drive-by type attack when a
customer views a malicious RTF.
As Josh Abraham, Rapid7 security research analyst noted, the fact that November
is fairly light could be a blessing. "Based on the huge amount of patches from
last mo