2 min
Metasploit
Weekly Update: Fun with ZPanel, MoinMoin, and FreeBSD
Chaining Zpanel Exploits for Remote Root
ZPanel is a fun, open source web hosting control panel, written in code
auditors' favorite language, PHP. For bonus points, ZPanel likes to do some
things as root, so it installs a nifty little setuid binary called 'zsudo' that
does pretty much what you might expect from a utility of that name -- without
authentication. In the wake of some harsh words on reddit and elsewhere in
regard to the character of ZPanel's development team, the project came to the
13 min
Metasploit
From the Wild to Metasploit: Exploit for MoinMoin Wiki (CVE-2012-6081)
Recently we added a Metasploit module for CVE-2012-6081
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6081], an arbitrary file
upload vulnerability affecting version 1.9.5 (now patched) of the MoinMoin
[http://moinmo.in/] Wiki software. In this blog entry we would like to share
both the vulnerability details and how it was turned into RCE (it was exploited
in the wild!), because the exploitation is quite interesting: several
details must be taken into account for successful e
2 min
Product Updates
Weekly Update: Smaller is Better
In this week's episode, the role of Tod Beardsley will be played by egypt.
Smaller is better
Perhaps the most prominent addition to the framework this week is not an
addition at all, but rather a deletion. We've been working toward a slimmer,
more manageable source tree for a while now, and as part of that effort, we
recently removed a pile of old-and-busted unit tests. This update goes a bit
further, moving source code for some compiled payloads into separate
repositories. Metasploit's version
3 min
Product Updates
Weekly Update: The Nginx Exploit and Continuous Testing
Nginx Exploit for CVE-2013-2028
The most exciting element of this week's update is the new exploit for Nginx
which exercises the vulnerability described by CVE-2013-2028
[http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html]. The
Metasploit module was written by Metasploit community contributors hal and
saelo, and exploits Greg McManus's bug across a bunch of versions on a few
pre-compiled Linux targets. We don't often come across remote, server-side stack
buffer overflows in popul
3 min
Metasploit
Weekly Update: 4.6.1, ColdFusion Exploit, and SVN Lockdown
Metasploit 4.6.1 Released
This week's update bumps the patch version of Metasploit to 4.6.1 (for installed
versions of Metasploit). The major change here is the ability to install
Metasploit on Windows 8 and Windows Server 2012. That meant we had to fiddle
with the installer and a few of Metasploit Pro's dependencies to get that all
working correctly, and that led to skipping last week's release so we could be
sure all the moving parts lined up correctly.
This release also fixes a few minor iss
3 min
Metasploit
Git Clone Metasploit; Don't SVN Checkout
TL;DR: Please stop using SVN with
svn co https://www.metasploit.com/svn/framework3/trunk
and start using the GitHub repo with
git clone git://github.com/rapid7/metasploit-framework
(GitHub has since turned off the unauthenticated git:// transport, so today use
https://github.com/rapid7/metasploit-framework.git instead)
As of today, a few of you may notice that an attempt to update Metasploit
Framework over SVN (instead of git or msfupdate) results in an authentication
request. If you try to SVN checkout on Windows, using TortoiseSVN, you will see
a pop up much like this:
For command line people, if you try to 'svn co' or 'svn
1 min
Metasploit
Metasploit's 10th Anniversary: Laptop Decal Design Competition
When I wrote up the Metasploit Hits 1000 Exploits post back in December, I had
to perform a little open source forensic work to get something resembling an
accurate history of the Metasploit project -- after all, it's difficult for me
to remember a time on the Internet without Metasploit. I traced the first
mention of 1.0 back to this mailing list post
[http://marc.info/?l=pen-test&m=106548308908767&w=2] in 2003. You know what that
means, right? This year marks the 10th year of the Metasploit Fr
4 min
Metasploit
How To Do Internal Security Audits Remotely To Reduce Travel Costs
An internal penetration test simulates an attack on the network from inside the
network. It typically simulates a rogue employee with user-level credentials or
a person with physical access to the network, such as cleaning staff, trying to
access resources on the network they're not authorized for.
Internal penetration tests typically require the auditor to be physically
present in the location. If you are working as a consultant, then conducting
internal penetration tests can mean a lot of
2 min
Metasploit
Metasploit Now Supports Kali Linux, the Evolution of BackTrack
Today, our friends at Offensive Security announced Kali Linux
[http://www.kali.org/offensive-security-introduces-kali-linux/], which is based
on the philosophy of an offensive approach to security. While defensive
solutions are important to protect your network, it is critical to step into the
shoes of an attacker to see if they're working. Kali Linux is a security
auditing toolkit that enables you to do just that: test the security of your
network defenses before others do.
Kali is a free, open sour
3 min
Metasploit
Weekly Update: Splitting DNS Modules and a D-Link Auth Bypass
DNS Module Split up
This week, we appear to have a whole bunch of new DNS-based enumeration and
information gathering modules. In fact, this was actually more of a housekeeping
chore, largely by longtime Metasploit contributor Carlos @darkoperator Perez.
Darkoperator wrote most of the original enum_dns module as well.
enum_dns became a bit of a junk drawer of DNS functionality -- it did a whole
bunch of everything for DNS. So, instead of just tacking on more and more over
time, it's been split
2 min
Metasploit
Weekly Update: Corelan, MSFTidy, and UNC Path Injection
28 Hours Later
This week, much of the Metasploit Framework and Metasploit Pro teams here at
Rapid7 had the opportunity to get some intense, in-person training on exploit
development from long-time Metasploit contributor, Peter corelanc0d3r
[https://twitter.com/corelanc0d3r] Van Eeckhoutte and local Corelan Teammates
@_sinn3r [https://twitter.com/_sinn3r] and TheLightCosine
[https://twitter.com/thelightcosine]. I'm the first to admit that my memory
corruption skills are pretty light (I hang arou
3 min
Metasploit
How to Verify that the Payload Can Connect Back to Metasploit on a NATed Network
If you are running an external penetration test and are working from a NATed
network behind a wireless router, for example from home, you will need to adjust
your router's port forwarding settings so the payload can connect back to
Metasploit. The best option would be to eliminate the router and connect
directly to the Internet, but that would make me unpopular with the other folks
sharing the Internet connection, so it wasn't an option in my case. Setting up
the port forwarding is not too diffi
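One way to do that verification in code, as an added example that is not part of the original post: stand up a canary listener on the port you will forward (the future LPORT), then probe the public IP and port from a host outside the NAT. The "canary" banner is an assumption introduced here so the probe can tell the forwarded listener apart from some other service that happens to answer; the loopback demo at the bottom only shows the mechanics and does not exercise the router.

```ruby
require 'socket'
require 'timeout'

# Stand-in for the Metasploit handler: bind the port you will forward on the
# router (LPORT) and record every peer that reaches it. Returns the server and
# a shared array of hits; the caller closes the server when done.
def start_canary_listener(bind_addr, lport)
  server = TCPServer.new(bind_addr, lport)
  hits = []
  Thread.new do
    begin
      loop do
        client = server.accept
        _family, peer_port, _name, peer_ip = client.peeraddr(false)
        hits << { ip: peer_ip, port: peer_port, at: Time.now }
        # Banner (assumed convention) lets the prober distinguish this listener
        # from any other service the port might be forwarded to.
        client.write("canary #{peer_ip}\n")
        client.close
      end
    rescue IOError, SystemCallError
      nil # server closed: stop accepting
    end
  end
  [server, hits]
end

# Run this from OUTSIDE the NAT (a VPS, a phone on cellular) against the
# public IP and port you will set as LHOST/LPORT. True only if the TCP
# connection completes and the canary banner comes back, so a port that is
# forwarded to the wrong host, or answered by some other service, fails.
def connect_back_ok?(host, port, timeout: 5)
  sock = Socket.tcp(host, port, connect_timeout: timeout)
  banner = Timeout.timeout(timeout) { sock.gets }
  sock.close
  banner.to_s.start_with?('canary ')
rescue SystemCallError, SocketError, Timeout::Error
  false
end

# Loopback demonstration only; port 0 lets the OS pick a free port.
if __FILE__ == $PROGRAM_NAME
  server, hits = start_canary_listener('127.0.0.1', 0)
  port = server.addr[1]
  puts "probe 127.0.0.1:#{port} -> #{connect_back_ok?('127.0.0.1', port)}"
  puts "hits: #{hits.inspect}"
  server.close
end
```

In practice you bind the listener on the Metasploit host with the LPORT you intend to use, set up the forwarding rule, and run connect_back_ok? against your public address from outside; a false result before the engagement starts is much cheaper than a payload that silently never calls home.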
3 min
Metasploit
Security Flaws in Universal Plug and Play: Unplug, Don't Play
This morning we released a whitepaper entitled Security Flaws in Universal Plug
and Play
[https://information.rapid7.com/rs/411-NAK-970/images/SecurityFlawsUPnP%20%281%29.pdf]
. This paper is the result of a research project spanning the second half of
2012 that measured the global exposure of UPnP-enabled network devices. The
results were shocking, to say the least. Over 80 million unique IPs were
identified that responded to UPnP discovery requests from the internet.
Somewhere between 40 an
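The discovery request behind that measurement is an SSDP M-SEARCH over UDP 1900; a device that answers one from a public address is, by definition, exposed. The following is an added example, not code from the paper or from Metasploit: it builds the request, parses a reply, and reports what a scan would record (answering IP, whether it is internet-routable, the SERVER string used to fingerprint the UPnP stack, and whether LOCATION leaks an RFC 1918 address). The sample reply is constructed, not captured from a real device; the discover helper sends real multicast traffic and should only be run on networks you are authorized to probe.

```ruby
require 'socket'
require 'ipaddr'
require 'uri'

SSDP_ADDR = '239.255.255.250'
SSDP_PORT = 1900

# RFC 1918 space plus loopback; a device answering discovery from an
# address outside these ranges is reachable from the internet.
NON_PUBLIC = %w[10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8]
             .map { |cidr| IPAddr.new(cidr) }

def non_public?(ip)
  addr = IPAddr.new(ip)
  NON_PUBLIC.any? { |range| range.include?(addr) }
rescue ArgumentError # not an IP literal (e.g. a hostname in LOCATION)
  false
end

# The discovery request: ST selects which devices answer, MX caps their
# random reply delay in seconds.
def build_msearch(st: 'ssdp:all', mx: 2)
  ['M-SEARCH * HTTP/1.1',
   "HOST: #{SSDP_ADDR}:#{SSDP_PORT}",
   'MAN: "ssdp:discover"',
   "MX: #{mx}",
   "ST: #{st}",
   '', ''].join("\r\n")
end

# Parse a unicast SSDP reply (HTTP/1.1 200 status line plus headers) into a
# hash keyed by lowercase header name. NOTIFY traffic, error statuses and
# garbage yield nil.
def parse_ssdp_response(data)
  lines = data.to_s.split(/\r?\n/)
  return nil unless lines.shift.to_s.start_with?('HTTP/1.1 200')
  headers = {}
  lines.each do |line|
    break if line.empty?
    name, value = line.split(':', 2)
    next unless name && value
    headers[name.strip.downcase] = value.strip
  end
  headers
end

# Reduce one reply to the facts a scan report needs.
def classify(sender_ip, headers)
  location = headers['location'].to_s
  location_host = begin
    URI.parse(location).host
  rescue URI::InvalidURIError
    nil
  end
  {
    ip: sender_ip,
    internet_exposed: !non_public?(sender_ip),
    server: headers['server'],
    st: headers['st'],
    location: location,
    location_private: location_host ? non_public?(location_host) : false
  }
end

# Live discovery on the local segment (network access required; the offline
# test never calls this).
def discover(timeout: 3, st: 'ssdp:all')
  sock = UDPSocket.new
  sock.send(build_msearch(st: st), 0, SSDP_ADDR, SSDP_PORT)
  results = []
  deadline = Time.now + timeout
  while (remaining = deadline - Time.now) > 0
    break unless IO.select([sock], nil, nil, remaining)
    data, addr = sock.recvfrom(4096)
    headers = parse_ssdp_response(data)
    results << classify(addr[3], headers) if headers
  end
  results
ensure
  sock&.close
end

# Constructed sample reply for offline use; no real device was captured.
SAMPLE_REPLY = [
  'HTTP/1.1 200 OK',
  'CACHE-CONTROL: max-age=1800',
  'EXT:',
  'LOCATION: http://192.168.1.1:49152/rootDesc.xml',
  'SERVER: ExampleOS/1.0 UPnP/1.0 ExampleUPnP/1.0',
  'ST: upnp:rootdevice',
  'USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice',
  '', ''
].join("\r\n")
```

Two details matter for the exposure argument in the paper: the reply arrives from whatever address the device's WAN side uses, so internet_exposed is decided by the sender, not by the LOCATION URL; and a private LOCATION behind a public sender is the classic NAT-leak pattern, where the description document is unreachable from outside but the device still answers, and is still usable as an amplifier.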
3 min
Metasploit
The Forgotten Spying Feature: Metasploit's Mic Recording Command
About two years ago, Metasploit implemented
[https://github.com/rapid7/metasploit-framework/commit/2e72926638b0fb972a26b2c1a3b040cf4cc224f2]
the microphone recording feature to stdapi thanks to Matthew Weeks
[https://twitter.com/scriptjunkie1]. And then almost a year ago, we actually
lost that command
[https://github.com/rapid7/metasploit-framework/commit/42719ab34bb9ca51d2cd623777662fc2253857f1]
due to a typo. We, and apparently everyone else, never noticed that until I was
looking at th