Posts tagged Metasploit

1 min Metasploit

Make Your Voice Heard & Make Metasploit More Awesome

We've sharpened our pencils and put up a drawing board to decide where we want to take Metasploit in 2014 and beyond. Metasploit is built on collaboration with the community, both through the contributions of security researchers in building the open source Metasploit Framework, and through a continuous feedback loop with our customers that enables us to keep driving the solution to meet their needs. As part of our continued commitment to the latter, we're asking you to let us know how you use

4 min Metasploit

Bypassing Adobe Reader Sandbox with Methods Used In The Wild

Recently, FireEye identified and shared information [http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html] about two vulnerabilities used in the wild to exploit Adobe Reader on Windows XP SP3 systems. The vulnerabilities are:

* CVE-2013-3346 [http://cvedetails.com/cve/CVE-2013-3346]: A Use After Free in Adobe Reader, specifically in the handling of a ToolButton object, which can be exploited through document's Java

3 min Metasploit

Weekly Metasploit Update: SAP and Silverlight

SAP SAPpy SAP SAP

We've been all SAP all the time here in the Independent Nations of Metasploit, and expect to be for the rest of the week. You might recall that Metasploit exploit dev, Juan Vazquez [https://twitter.com/_juan_vazquez_] published his SAP survey paper [http://information.rapid7.com/sap-penetration-testing-using-metasploit.html] a little while back; on Tuesday, we did a moderated twitter chat on the hashtag #pwnSAP [https://twitter.com/search?q=%23pwnSAP&src=tyah] with the major S

2 min Metasploit

Weekly Metasploit Update: Patching Ruby Float Conversion DoS (CVE-2013-4164)

Metasploit 4.8.1 Released

Thanks to the revelations around the recent Ruby float conversion denial of service, aka CVE-2013-4164 [https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/] discovered and reported by Charlie Somerville, this week's release is pretty slim in terms of content; on Friday (the day of the first disclosure), we pretty much dropped everything and got to work on testing and packaging up new Metasploit installers that ship with R

3 min Metasploit

Weekly Metasploit Update: BrowserExploitServer (BES), IPMI, and KiTrap0D

Browser Exploit Server

This release includes the much vaunted and anticipated BrowserExploitServer (BES) mixin [https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/remote/browser_exploit_server.rb], the brainchild of Metasploit exploit developer Wei @_sinn3r [https://twitter.com/_sinn3r] Chen. Metasploit, at its core, is designed to be both an exploit delivery system and exploit development system, so this new mixin should help tremendously with the latter. BES, in a

5 min Metasploit

Exploiting the Supermicro Onboard IPMI Controller

Last week @hdmoore [https://twitter.com/hdmoore] published the details about several vulnerabilities in the Supermicro IPMI firmware [/2013/11/06/supermicro-ipmi-firmware-vulnerabilities]. With the advisory's release, several modules were landed into Metasploit in order to check Supermicro's device against several of the published vulnerabilities:

Module: smt_ipmi_static_cert_scanner [http://www.rapid7.com/db/modules/auxiliary/scanner/http/smt_ipmi_static_cert_scanner]
Purpose: This module ca

2 min Metasploit

Tech Preview Feedback: Vulnerability Validation in Metasploit Pro 4.8

By guest blogger and Rapid7 customer David Henning, Director Network Security, Hughes Network Systems

A few weeks ago, Rapid7 asked me to participate in the Metasploit Tech Preview for 2013. I've participated in a couple of other product previews in the past. I like the interaction with the Rapid7 development teams. This tech preview was smooth and it was easy to participate. Previous testing sessions required interactions over e-mail and there was some associated lag. This preview was mana

15 min Metasploit

Don't Get Blindsided: Better Visibility Into User and Asset Risks with Metasploit 4.8

Not having visibility can be dangerous in many situations. The new Metasploit 4.8 [https://www.rapid7.com/products/metasploit/download/] gives you better visibility in four key areas:

* View phishing exposure in the context of the overall user risk
* See which vulnerabilities pose the biggest risk to your organization
* Have all host information at your fingertips when doing a pentest
* Discover the latest risks on your network with new exploits and other modules

See Phishing Exposure as O

3 min Metasploit

Learn to Pentest SAP with Metasploit As ERP Attacks Go Mainstream

This month, a security researcher disclosed that a version of the old banking Trojan "Trojan.ibank" has been modified to look for SAP GUI installations, a concerning sign that SAP system hacking has gone into mainstream cybercrime. Once a domain of a few isolated APT attacks, SAP appears to be in the crosshairs of hackers that know just how much sensitive data ERP systems house, including financial, customer, employee and production data. With more than 248,500 customers in 188 countries, SAP

2 min Metasploit

Staying Stealthy: Passive Network Discovery with Metasploit

One of the first steps in your penetration test is to map out the network, which is usually done with an active scan. In situations where you need to be stealthy or where active scanning may cause instability in the target network, such as in SCADA environments, you can run a passive network scan to avoid detection and reduce disruptions. A passive network scan stealthily monitors broadcast traffic to identify the IP addresses of hosts on the network. By initially running a passive scan, you c

4 min Metasploit

Change the Theme, Get a Shell: Remote Code Execution with MS13-071

Recently we've added an exploit for MS13-071 [https://www.rapid7.com/db/vulnerabilities/windows-hotfix-ms13-071] to Metasploit. Rated as "Important" by Microsoft, this remote code execution, found by Eduardo Prado, for Windows XP and Windows 2003 environments is achieved by handling specially crafted themes. In this blog post we would like to discuss the vulnerability and give some helpful tips for exploiting it from Metasploit. First of all, the bug occurs while handling the [boot] section on

3 min Metasploit

Weekly Update

Windows Meterpreter: Reloaded

If you've been around Metasploit for any length of time, you know that Meterpreter is the preferred and de facto standard for manipulating a target computer after exploit. While Meterpreter and Metasploit go hand-in-hand, we did manage to get some code separation between the two by breaking Windows Meterpreter out to its own open source repository on GitHub [https://github.com/rapid7/meterpreter]. As threatened in a previous blog post [/2013/09/05/weekly-update],

3 min Metasploit

Weekly Update: MSIE, GE Proficy, and handling Metasploit merge conflicts

Exploiting Internet Explorer (MS13-055)

This week, we open with a new IE exploit. This is a pretty recent patch (from July, 2013), and more notably, it appears it was silently patched without attribution to the original discoverer, Orange Tsai. So, if you're a desktop IT admin, you will certainly want to get your users revved up to the latest patch level. Thanks tons to Peter WTFuzz [https://twitter.com/WTFuzz] Vreugdenhil and of course Wei sinn3r [https://twitter.com/_sinn3r] Chen for knocking

2 min Product Updates

Weekly Update: Apple OSX Privilege Escalation

Sudo password bypass on OSX

This week's update includes a nifty local exploit for OSX, the sudo bug described in CVE-2013-1775. We don't have nearly enough of these Apple desktop exploits, and it's always useful to disabuse the Apple-based cool-kids web app developer crowd of the notion that their computing platform of choice is bulletproof. Joe Vennix [https://github.com/jvennix-r7], the principal author of this module, is, in fact, of that very same Apple-based developer crowd, and usually bu

2 min Metasploit

Firewall Egress Filtering

Why And How You Should Control What's Leaving Your Network

Most companies have firewall rules that restrict incoming traffic, but not everyone thinks to restrict data leaving the network. That's a shame, because a few easy configurations can save you a lot of headaches. Firewall egress filtering controls what traffic is allowed to leave the network, which can prevent leaks of internal data and stop infected hosts from contacting their command & control servers. NAT alone won't help you - you ac