Posts tagged Metasploit

Weekly Update: Fun with ZPanel, MoinMoin, and FreeBSD

Chaining Zpanel Exploits for Remote Root ZPanel is a fun, open source web hosting control panel, written in code auditors' favorite language, PHP. For bonus points, ZPanel likes to do some things as root, so it installs a nifty little setuid binary called 'zsudo' that does pretty much what you might expect from a utility of that name -- without authentication. In the wake of some harsh words on reddit and elsewhere in regard to the character of ZPanel's development team, the project came to the

From the Wild to Metasploit: Exploit for MoinMoin Wiki (CVE-2012-6081)

Recently we've added to Metasploit a module for CVE-2012-6081, [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6081] an arbitrary file upload vulnerability affecting to the version 1.9.5 (patched!) of the MoinMoin [http://moinmo.in/] Wiki software. In this blog entry we would like to share both the vulnerability details and how this one was converted in RCE (exploited in the wild!) because the exploitation is quite interesting, where several details must have into account to successful e

Weekly Update: Smaller is Better

In this week's episode, the role of Tod Beardsley will be played by egypt. Smaller is better Perhaps the most prominent addition to the framework this week is not an addition at all, but rather a deletion. We've been working toward a slimmer, more manageable source tree for a while now, and as part of that effort, we recently removed a pile of old-and-busted unit tests. This update goes a bit further, moving source code for some compiled payloads into seperate repositories. Metasploit's version

Weekly Update: The Nginx Exploit and Continuous Testing

Nginx Exploit for CVE-2013-2028 The most exciting element of this week's update is the new exploit for Nginx which exercises the vulnerability described by CVE-2013-2028 [http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html]. The Metasploit module was written by Metasploit community contributors hal and saelo, and exploits Greg McManus's bug across a bunch of versions on a few pre-compiled Linux targets. We don't often come across remote, server-side stack buffer overflows in popul

Weekly Update: 4.6.1, ColdFusion Exploit, and SVN Lockdown

Metasploit 4.6.1 Released This week's update bumps the patch version of Metasploit to 4.6.1 (for installed versions of Metasploit). The major change here is the ability to install Metasploit on Windows 8 and Windows Server 2012. That meant we had to fiddle with the installer and a few of Metasploit Pro's dependencies to get that all working correctly, and that led to skipping last week's release so we could be sure all the moving parts lined up correctly. This release also fixes a few minor iss

Git Clone Metasploit; Don't SVN Checkout

TL;DR: Please stop using SVN with svn co https://www.metasploit.com/svn/framework3/trunk and start using the GitHub repo with git clone git://github.com/rapid7/metasploit-framework As of today, a few of you may notice that an attempt to update Metasploit Framework over SVN (instead of git or msfupdate) results in an authentication request. If you try to SVN checkout on Windows, using TortoiseSVN, you will see a pop up much like this: For command line people, if you try to 'svn co' or 'svn

New 1day Exploits: Mutiny Vulnerabilities

Metasploit's 10th Anniversary: Laptop Decal Design Competition

When I wrote up the Metasploit Hits 1000 Exploits post back in December, I had to perform a little open source forensic work to get something resembling an accurate history of the Metasploit project -- after all, it's difficult for me to remember a time on the Internet without Metasploit. I traced the first mention of 1.0 back to this mailing list post [http://marc.info/?l=pen-test&m=106548308908767&w=2] in 2003. You know what that means, right? This year marks the 10th year of the Metasploit Fr

How To Do Internal Security Audits Remotely To Reduce Travel Costs

An internal penetration tests simulates an attack on the network from inside the network. It typically simulates a rogue employee with user-level credentials or a person with physical access to the network, such as cleaning staff, trying to access resources on the network they're not authorized for. Internal penetration tests typically require the auditor to be physically present in the location. If you are working as a consultant, then conducting internal penetration tests can mean a lot of

Metasploit Now Supports Kali Linux, the Evolution of BackTrack

Today, our friends at Offensive Security announced Kali Linux [http://www.kali.org/offensive-security-introduces-kali-linux/], which is based on the philosophy of an offensive approach to security. While defensive solutions are important to protect your network, it is critical to step into the shoes of an attacker to see if they're working. Kali Linux is a security auditing toolkit that enables you just that: test the security of your network defenses before others do. Kali is a free, open sour

Weekly Update: Splitting DNS Modules and a D-Link Auth Bypass

DNS Module Split up This week, we appear to have a whole bunch of new DNS-based enumeration and information gathering modules. In fact, this was actually more of a housekeeping chore, largely by longtime Metasploit contributor Carlos @darkoperator Perez. Darkoperator wrote most of the original enum_dns module as well. enum_dns became a bit of a junk drawer of DNS functionality -- it did a whole bunch of everything for DNS. So, instead of just tacking on more and more over time, it's been split

Weekly Update: Corelan, MSFTidy, and UNC Path Injection

28 Hours Later This week, much of the Metasploit Framework and Metasploit Pro teams here at Rapid7 had the opportunity to get some intense, in-person training on exploit development from long-time Metapsloit contributor, Peter corelanc0d3r [https://twitter.com/corelanc0d3r] Van Eeckhoutte and local Corelan Teammates @_sinn3r [https://twitter.com/_sinn3r] and TheLightCosine [https://twitter.com/thelightcosine]. I'm the first to admit that my memory corruption skills are pretty light (I hang arou

How to Verify that the Payload Can Connect Back to Metasploit on a NATed Network

If you are running an external penetration test and are working from a NATed network behind a wireless router, for example from home, you will need to adjust your router's port forwarding settings so the payload can connect back to Metasploit. The best option would be to eliminate the router and connect directly to the Internet, but that would make me unpopular with the other folks sharing the Internet connection, so it wasn't an option in my case. Setting up the port forwarding is not too diffi

Security Flaws in Universal Plug and Play: Unplug, Don't Play

This morning we released a whitepaper entitled Security Flaws in Universal Plug and Play [https://information.rapid7.com/rs/411-NAK-970/images/SecurityFlawsUPnP%20%281%29.pdf] . This paper is the result of a research project spanning the second half of 2012 that measured the global exposure of UPnP-enabled network devices. The results were shocking to the say the least. Over 80 million unique IPs were identified that responded to UPnP discovery requests from the internet. Somewhere between 40 an

The Forgotten Spying Feature: Metasploit's Mic Recording Command

About two years ago, Metasploit implemented [https://github.com/rapid7/metasploit-framework/commit/2e72926638b0fb972a26b2c1a3b040cf4cc224f2] the microphone recording feature to stdapi thanks to Matthew Weeks [https://twitter.com/scriptjunkie1].  And then almost a year ago, we actually lost that command [https://github.com/rapid7/metasploit-framework/commit/42719ab34bb9ca51d2cd623777662fc2253857f1] due to a typo.  We, and apparently everyone else, never noticed that until I was looking at th