Posts tagged Exploits

2 min Vulnerability Disclosure

UserInsight Gets the All-Clear for ShellShock and Helps Detect Attackers on Your Network

If you're in security, you've likely already heard about the ShellShock vulnerability [http://www.rapid7.com/resources/bashbug.jsp] (aka Bash Bug, CVE-2014-6271, and CVE-2014-7169). We have reviewed how ShellShock is being exploited, and the disclosed vectors are not applicable to our UserInsight deployment, yet we're following the security community's lead around patching all of our systems. In case other systems on your network have been compromised, you should be extra vigilant about suspicio

3 min Vulnerability Disclosure

Bash the bash bug: Here's how to scan for CVE-2014-6271 (Shellshock)

_[Edited 10:05 AM PDT, October, 2014 for the Nexpose 5.10.13 release]_ [Edited 10:05 AM PDT, September 26, 2014 for the Nexpose 5.10.11 release] A severe vulnerability was disclosed in bash that is present on most Linux, BSD, and Unix-like systems, including Mac OS X. The basis of this vulnerability (nicknamed Shellshock) is that bash does not stop processing after the function definition, leaving it vulnerable to malicious functions containing trailing commands. Common Vulnerabilities and Exp

4 min Exploits

You have no SQL inj--... sorry, NoSQL injections in your application

Everyone knows about SQL injections. They are classic, first widely publicized by Rain Forest Puppy, and still widely prevalent today (hint: don't interpolate query string params with SQL). But who cares? SQL injections are so ten years ago. I want to talk about a vulnerability I hadn't run into before that I recently had a lot of fun exploiting. It was a NoSQL injection. The PHP application was using MongoDB, and MongoDB has a great feature [http://www.php.net//manual/en/mongocollection.find.

5 min Exploits

Oracular Spectacular

Nexpose version 5.9.10 includes significant improvements to its Oracle Database fingerprinting and vulnerability coverage. When configured with appropriate database credentials, Nexpose scans can accurately identify which patches have been applied. This post will go through the steps for setting up such a scan, as well as discuss some of the finer details about Oracle's versioning scheme and the terminology around their quarterly Critical Patch Update program. Scanning Oracle Databases with Nex

5 min Exploits

Exploiting CSRF under NoScript Conditions

CSRFs -- or Cross-Site Request Forgery [https://www.rapid7.com/fundamentals/cross-site-request-forgery/] vulnerabilities -- occur when a server accepts requests that can be “spoofed” from a site running on a different domain. The attack goes something like this: you, as the victim, are logged in to some web site, like your router configuration page, and have a valid session token. An attacker gets you to click on a link that sends commands to that web site on your behalf, without your knowledge

2 min Exploits

Sophos Web Appliance Privilege Escalation and Remote Code Execution Vulnerability

Sophos Web Protection Appliance version 3.8.1.1 and likely prior versions was vulnerable to both a mass assignment attack which allowed privilege escalation, as well as a remote command execution vulnerability as root available to admin users. ZDI details the vuln here [http://www.zerodayinitiative.com/advisories/ZDI-14-069/]. This Metasploit module exploits both vulnerabilities in order to go from an otherwise unprivileged authenticated user to root on the box. This is particularly bad because this

3 min Exploits

Metasploit's Brand New Heartbleed Scanner Module (CVE-2014-0160)

Is the Internet down? Metasploit publishes module for Heartbleed

If you read this blog at all regularly, you're quite likely the sort of Internet citizen who has heard about the Heartbleed attack and grasps how serious this bug is. Suffice it to say that it's a Big Deal -- one of those once-a-year bugs that kicks everyone in security into action. OpenSSL underpins much of the security of the Internet, so widespread bugs in these critical libraries affect everyone. The subsequently published

14 min Exploits

"Hack Away at the Unessential" with ExpLib2 in Metasploit

This blog post was jointly written by Wei "sinn3r" Chen [https://twitter.com/_sinn3r] and Juan Vazquez [https://twitter.com/_juan_vazquez_]. Memory corruption exploitation is not how it used to be. With modern mitigations in place, such as GS, SafeSEH, SEHOP, DEP, ASLR/FASLR, EAF+, ASR, VTable guards, memory randomization, sealed optimization, etc., exploit development has become much more complicated. It definitely shows when you see researchers jumping through hoops like reverse-engineering

3 min Apple

Metasploit Weekly Update: There's a Bug In Your Brain

Running Malicious Code in Safari

The most fun module this week, in my humble opinion, is from Rapid7's own Javascript Dementor, Joe Vennix [https://twitter.com/joevennix]. Joe wrote up this crafty implementation of a Safari User-Assisted Download and Run Attack [http://www.metasploit.com/modules/exploit/osx/browser/safari_user_assisted_download_launch], which is not technically a vulnerability or a bug or anything -- it's a feature that ends up being a kind of a huge risk. Here's how it goes:

4 min Exploits

Metasploit Weekly Update: Video Chat, Meterpreter Building, and a Fresh MediaWiki Exploit

"It's Like Chat Roulette for Hackers"

The coolest thing this week... wait, let me start again. The coolest thing this year is Wei "sinn3r" Chen's [https://twitter.com/_sinn3r] brand new amazesauce, humbly named webcam_chat. I know he just posted all about it [/2014/02/18/lets-talk-about-your-security-breach-with-metasploit-literally] yesterday, but I just want to reiterate how useful and hilarious this piece of post-exploit kit really is. First off, it's entirely peer-to-peer. The communicati

4 min Exploits

Weekly Metasploit Update: Feb. 13, 2014

Android WebView Exploit, 70% Devices Vulnerable

This week, the biggest news I think we have is the release this week of Joe Vennix and Josh @jduck Drake's hot new/old Android WebView exploit. I've been running it for the last day or so out on the Internet, with attractive posters around the Rapid7 offices (as seen here) in an attempt to pwn something good. I've popped a couple shells, I guess I didn't make my QR Code attractive enough. Seriously, though, this vulnerability is kind of a huge d

2 min Exploits

Weekly Metasploit Update: Arbitrary Driver Loading & Win a WiFi Pineapple

Wow, I don't know about you, kind reader, but I'm just about blogged out after that 12 Days of HaXmas sprint. I'll try to keep this update short and sweet.

Arbitrary Driver Loading

This week's update includes a delightful new post module for managing a compromised target, the Windows Manage Driver Loader by longtime Metasploit community contributor, Borja Merino. If you, as a penetration tester, pop a box and gain administrator rights (or elevate yourself there using any of the several strateg

4 min Metasploit

Bypassing Adobe Reader Sandbox with Methods Used In The Wild

Recently, FireEye identified and shared information [http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html] about two vulnerabilities used in the wild to exploit Adobe Reader on Windows XP SP3 systems. The vulnerabilities are: * CVE-2013-3346 [http://cvedetails.com/cve/CVE-2013-3346]: A Use After Free in Adobe Reader. Specifically in the handling of a ToolButton object, which can be exploited through document's Java

3 min Exploits

Metasploit Weekly Update: Adobe Reader Exploit and Post-Exploitation YouTube Broadcasting

New Adobe Reader ROP Gadgets

This week, Juan Vazquez [https://twitter.com/_juan_vazquez_] put together a neat one-two exploit punch that involves a somewhat recent Adobe Reader vulnerability (disclosed back in mid-May) and a sandbox escape via an OS privilege escalation bug. I won't give away the surprise there -- he'll have a blog post about it up in a few hours. Part of the work, though, resulted in some new entries in Metasploit's RopDB; specifically, for Adobe Reader versions 9, 10, and 11.

3 min Exploits

Weekly Metasploit Update: New Meterpreter Extended API, Learning About HttpServer, HttpClient, and SAP

Meterpreter Extended API

This week, we've got some new hotness for Meterpreter in the form of OJ "TheColonial" Reeves' [https://twitter.com/thecolonial] new Extended API (extapi) functionality. So far, the extended API is for Windows targets only (hint: patches accepted), and here's the rundown of what's now available for your post-exploitation delight: * Clipboard Management: This allows for reading and writing from the target's clipboard. This includes not only text, like you'd expect, but