2 min
Metasploit
Hacker's Dome: An Online Capture-the-Flag (CTF) Competition on May 17
Many folks ask me how you can get started as a penetration tester. Save for a
real-life penetration test, capture-the-flag (CTF) competitions are probably the
most effective ways for you to hone your offensive security skills. What's best:
they're a ton of fun, even for experienced pentesters. The folks over at
CTF365.com [http://www.ctf365.com/] have put together a one-off CTF called
Hacker's Dome, which will start on May 17th and run for 48 hours, so save the
date.
Hacker's Dome - First Bloo
4 min
Metasploit
Security Advisory: OpenSSL Heartbleed Vulnerability (CVE-2014-0160) in Metasploit (Updated 4/11/14 2:20pm EDT)
Metasploit 4.9.0 and earlier vulnerable to Heartbleed, update 4.9.1 addresses
critical cases
The Metasploit editions Metasploit Pro, Metasploit Express, and Metasploit
Community in versions 4.9.0 or earlier are vulnerable to the OpenSSL Heartbleed
Vulnerability (CVE-2014-0160). Please update to version 4.9.1 to remediate
critical vulnerabilities. See below for remediation instructions.
Metasploit Framework itself is not affected, but it has dependencies on other
components that may need to be u
2 min
Metasploit
R7-2014-05 Vulnerability in Metasploit Modules (Fixed)
Metasploit Pro, Community, and Express users are urged to update to the latest
version of Metasploit to receive the patch for the described vulnerability. Kali
Linux users should use the normal 'apt-get update' method of updating, while
other Metasploit Pro, Community, and Express users can use the in-application
Administration : Software Updates button.
A remote privilege escalation vulnerability has been discovered by Ben Campbell
of MWR InfoSecurity [https://labs.mwrinfosecurity.com/advisori
3 min
Metasploit
Weekly Metasploit Update: Encoding-Fu, New Powershell Payload, Bug Fixes
I Got 99 Problems but a Limited Charset Ain't One
In this week's Metasploit weekly update, we begin with OJ TheColonial Reeves
[https://twitter.com/TheColonial]' new optimized sub encoding module (opt_sub.rb
). As the name implies, this encoder takes advantage of the SUB assembly
instruction to encode a payload with printable characters that are file path
friendly. Encoders like this are incredibly useful for developing a memory
corruption exploit that triggers a file path buffer overflow, where
3 min
Metasploit
Weekly Metasploit Update: ADSI support and MSFTidy for sanity
Meterpreter ADSI support
We ended up skipping last week's update since upwards of 90% of Rapid7 folks
were Shanghaied up to Boston, in the dead of winter, with only
expense-reportable booze too keep us warm at night. So, with much fanfare comes
this week's update, featuring the all new ADSI interface for Meterpreter, via OJ
TheColonial [https://twitter.com/TheColonial] Reeves' Extended API.
Lucky for us, and you, Carlos DarkOperator [https://twitter.com/DarkOperator]
Perez was not ensconced i
5 min
Metasploit
Making Your Printer Say "Feed Me a Kitten" and Also Exfiltrate Sensitive Data
As of this last release, PJL
[https://en.wikipedia.org/wiki/Printer_Job_Language] (HP's Printer Job Language)
is now a grown-up Rex::Proto protocol! Since extending a protocol in Metasploit
is beyond the scope of this post, we'll just be covering how to use the PoC
modules included with the new protocol. Feel free to dig around in
lib/rex/proto/pjl*, though!
Okay, let's get started!
printer_version_info
First off, we have printer_version_info. This module lets us scan a range of
hosts for pri
3 min
Metasploit
Weekly Metasploit Update: Talking PJL With Printers
Abusing Printers with PJL
This week's release features a half dozen new modules that seek out printers
that talk the Print Job Language (PJL) for use and abuse. Huge thanks to our
newest full time Metasploit trouble maker, William Vu
[https://twitter.com/wvuuuuuuuuuuuuu].
As a penetration tester, you probably already know that office printers
represent tasty targets. Like most hardware with embedded systems, they rarely,
if ever, get patches. They don't often have very serious security controls
1 min
Metasploit
Free Webcast: From Framework to Pro - Using Metasploit Pro in Penetration Tests
Metasploit Pro [https://www.rapid7.com/products/metasploit/download/] is more
than just a pretty web interface for Metasploit; it contains many little known
features that simplify large scale network penetration tests. In this technical
webinar for penetration testers who are familiar with Metasploit Framework
[http://information.rapid7.com/how-to-use-metasploit-pro-in-penetration-tests.html?LS=2903674&CS=web]
, David Maloney shows which features he finds most useful in Metasploit Pro.
Watch
2 min
Exploits
Weekly Metasploit Update: Arbitrary Driver Loading & Win a WiFi Pineapple
Wow, I don't know about you, kind reader, but I'm just about blogged out after
that 12 Days of HaXmas sprint. I'll try to keep this update short and sweet.
Arbitrary Driver Loading
This week's update include a delightful new post module for managing a
compromised target, the Windows Manage Driver Loader by longtime Metasploit
community contributor, Borja Merino. If you, as a penetration tester, pops a box
get gains administrator rights (or elevate yourself there using any of the
several strateg
1 min
Metasploit
Make Your Voice Heard & Make Metasploit More Awesome
We've sharpened our pencils and put up a drawing board to decide where we want
to take Metasploit in 2014 and beyond. Metasploit is built on collaboration with
the community, both through the contributions of security researchers in
building the open source Metasploit Framework, and through a continuous feedback
loop with our customers that enables us to keep driving the solution to meet
their needs. As part of our continued commitment to the latter, we're asking you
to let us know how you use
4 min
Metasploit
Bypassing Adobe Reader Sandbox with Methods Used In The Wild
Recently, FireEye identified and shared information
[http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html]
about two vulnerabilities used in the wild to exploit Adobe Reader on Windows XP
SP3 systems. The vulnerabilities are:
* CVE-2013-3346 [http://cvedetails.com/cve/CVE-2013-3346]: An Use After Free on
Adobe Reader. Specifically in the handling of a ToolButton object, which can
be exploited through document's Java
3 min
Metasploit
Weekly Metasploit Update: SAP and Silverlight
SAP SAPpy SAP SAP
We've been all SAP all the time here in the Independent Nations of Metasploit,
and expect to be for the rest of the week. You might recall that Metasploit
exploit dev, Juan Vazquez [https://twitter.com/_juan_vazquez_] published his
SAP
survey paper
[http://information.rapid7.com/sap-penetration-testing-using-metasploit.html] a
little while back; on Tuesday, we did a moderated twitter chat on the hashtag
#pwnSAP [https://twitter.com/search?q=%23pwnSAP&src=tyah] with the major
S
2 min
Metasploit
Weekly Metasploit Update: Patching Ruby Float Conversion DoS (CVE-2013-4164)
Metasploit 4.8.1 Released
Thanks to the revelations around the recent Ruby float conversion denial of
service, aka CVE-2013-4164
[https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/]
discovered and reported by Charlie Somerville, this week's release is pretty
slim in terms of content; on Friday (the day of the first disclosure), we pretty
much dropped everything and got to work on testing and packaging up new
Metasploit installers that ship with R
3 min
Metasploit
Weekly Metasploit Update: BrowserExploitServer (BES), IPMI, and KiTrap0D
Browser Exploit Server
This release includes the much vaunted and anticipated BrowserExploitServer
(BES) mixin
[https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/remote/browser_exploit_server.rb]
, the brainchild of Metasploit exploit developer Wei @_sinn3r
[https://twitter.com/_sinn3r] Chen. Metasploit, at its core, is designed to be
both an exploit delivery system and exploit development system, so this new
mixin should help tremendously with the latter. BES, in a
5 min
Metasploit
Exploiting the Supermicro Onboard IPMI Controller
Last week @hdmoore [https://twitter.com/hdmoore] published the details about
several vulnerabilities into the Supermicro IPMI firmware
[/2013/11/06/supermicro-ipmi-firmware-vulnerabilities]. With the advisory's
release, several modules were landed into Metasploit in order to check
Supermicro's device against several of the published vulnerabilities:
Module Purpose smt_ipmi_static_cert_scanner
[http://www.rapid7.com/db/modules/auxiliary/scanner/http/smt_ipmi_static_cert_scanner]
This module ca