Metasploit
Metasploit Wrap-Up: 6/12/20
Windows BITS CVE-2020-0787 LPE in the Metasploit tree!
This week, Grant Willcox [https://github.com/gwillcox-r7] presents his first
Metasploit module contribution
[https://github.com/rapid7/metasploit-framework/pull/13554] as part of our team.
Research [https://itm4n.github.io/cve-2020-0787-windows-bits-eop/] from itm4n
[https://github.com/itm4n] yielded CVE-2020-0787
[https://nvd.nist.gov/vuln/detail/CVE-2020-0787], describing a vulnerability in
the Windows Background Intelligent Transfer Serv
Metasploit Weekly Wrapup
Metasploit Wrap-Up: 2/21/20
Long live copy and paste
Adam Galway enhanced the set PAYLOAD command to strip the /payload/, payload/,
and / prefixes from a payload name in an effort to improve the user experience
while configuring an exploit's payload. You can see the new behavior
[https://github.com/rapid7/metasploit-framework/pull/12946] below!
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload /payload/windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms
Research
DOUBLEPULSAR RCE 2: An RDP Story
In this sequel, wvu [https://github.com/wvu-r7] recounts the R&D (in all its
imperfect glory) behind creating a Metasploit module for the DOUBLEPULSAR
implant's lesser-known RDP variant. If you're unfamiliar with the more common
SMB variant, you can read our blog post
[/2019/10/02/open-source-command-and-control-of-the-doublepulsar-implant/]
detailing how we achieved RCE with it.
Table of Contents
0. Background
1. Extracting the implant
2. Installing the implant
3. Pinging the implant
4.
Metasploit Weekly Wrapup
Metasploit Wrap-Up 11/15/19
Pulse Secure VPN exploit modules, a notable BlueKeep exploit reliability improvement, and an overhaul of MSF's password cracking integration, including new support for hashcat.
Research
Open-Source Command and Control of the DOUBLEPULSAR Implant
Metasploit researcher William Vu shares technical analysis behind a recent addition to Framework: a module that executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB and allows users to remotely disable the implant.
Metasploit Weekly Wrapup
Metasploit Wrap-Up 8/16/19
Hacker Summer Camp
Last week, the Metasploit team flew out to sunny, hot, and dry Las Vegas for
Hacker Summer Camp (Black Hat, BSidesLV, and DEF CON). It was a full week of
epic hacks, good conversation, and even a little business!
If you managed to catch us at our Open Source Office Hours
[https://blog.rapid7.com/2019/07/15/metasploit-open-source-office-hours-in-vegas/]
(previously OSSM, the Open Source Security Meetup) in Bally's, we just wanted to
say thanks for making the trek through the
Metasploit Weekly Wrapup
Metasploit Wrap-Up 2/15/19
Crock-Pot cooking with Metasploit
Belkin's Wemo [https://en.wikipedia.org/wiki/Belkin_Wemo] line of smart home
devices offers users a variety of internet-connected gadgets and gizmos they can
control around the home. One of those happens to be a Crock-Pot
[https://www.crock-pot.com/on/demandware.store/Sites-crockpot-Site/default/Support-Show?cfid=wemo-how-to-videos].
We went ahead and bought one.
Naturally, it made sense for us to write a module
[https://github.com/rapid7/metasploit-framework/
Haxmas
The Ghost of Exploits Past: A Deep Dive into the Morris Worm
In this post, we will dive into the exploit development process for the three modules we created in honor of the 30th anniversary of the Morris worm.
Metasploit Weekly Wrapup
Metasploit Wrapup: 7/13/18
Committing to some shells in GitList
Shelby [https://github.com/space-r7] has been killing it with new exploit and
aux modules by the day. In this iteration, she's produced an exploit
[https://github.com/rapid7/metasploit-framework/pull/10262] for GitList 0.6.0
and likely older versions. The software is built on PHP and allows users to view
a Git repo on the web. Through an argument injection, a fake pager
[https://en.wikipedia.org/wiki/Terminal_pager] can be executed... that is really
our shell
Release Notes
Weekly Metasploit Wrapup: March 14, 2016
Scanning for the Fortinet backdoor with Metasploit
Written by wvu
Metasploit now implements a scanner for the Fortinet backdoor. Curious to see
how to use it? Check this out!
wvu@kharak:~/metasploit-framework:master$ ./msfconsole -qL
msf > use auxiliary/scanner/ssh/fortinet_backdoor
msf auxiliary(fortinet_backdoor) > set rhosts 417.216.55.0/24
rhosts => 417.216.55.0/24
msf auxiliary(fortinet_backdoor) > set threads 100
threads => 100
msf auxiliary(fortinet_backdoor) > run
[*]
Metasploit
New "show missing" Command in msfconsole
Hello, Metasploiters! Just wanted to update y'all on a new feature in msfconsole
that *hopefully* should make vgrepping
[https://en.wikipedia.org/wiki/Visual_inspection#Humorous_terminology] through
module options a little easier.
Show empty required options
The new command is show missing, and all it does is show empty required options.
Instead of looking through a long list of options and picking out the required
ones that haven't been set, just run show missing, and a list of unset required
Metasploit
Making Your Printer Say "Feed Me a Kitten" and Also Exfiltrate Sensitive Data
As of this last release, PJL
[https://en.wikipedia.org/wiki/Printer_Job_Language] (HP's Printer Job Language)
is now a grown-up Rex::Proto protocol! Since extending a protocol in Metasploit
is beyond the scope of this post, we'll just be covering how to use the PoC
modules included with the new protocol. Feel free to dig around in
lib/rex/proto/pjl*, though!
Okay, let's get started!
printer_version_info
First off, we have printer_version_info. This module lets us scan a range of
hosts for pri