Recommended
Recommended
More Related Content
Similar to New Shiny in the Metasploit Framework
Similar to New Shiny in the Metasploit Framework (20)
More from egypt
More from egypt (12)
Recently uploaded
Recently uploaded (20)
New Shiny in the Metasploit Framework
- 1. New Shiny in the Metasploit Framework egypt
- 2. Disclaimer Most of this stuff is: ● Not my code ● Not my research ● Awesome in spite of my involvement
- 5. SVN
- 6. SVN is Dead Our SVN server was constantly DDoS’d ● Sometimes unintentionally by dumb scrapers SVN is kinda slow anyway Big changes required lots more requests Now we’re 100% on github Yay two-and-a-half-nines!
- 7. Stable Updates In an installer environment ● Updates about once per week Development env is still easy to set up ● Tracks bleeding edge (master branch)
- 9. SAP Several people’s research ● CJR did some fun stuff ~2011 ● Mariano Nuñez ● Pulled together by nmonkee Tons of highly valuable information
- 10. sap_smb_relay Convince the SAP box to connect via UNC
- 12. UPnP HDM’s research Tons of devices all over everywhere Mostly ancient and never updated
- 13. libupnp “Intel/Portable SDK for UPnP Devices” Seven, count ‘em SEVEN vulns in one function Actual libupnp code: strncpy( TempBuf, ptr1, ptr3 - ptr1 ); Trigger with one UDP packet
- 14. IPMI Intelligent Platform Management Interface Dan Farmer, HDM Protocol, run by “Baseband Mgmt Controllers” ● iDrac, iLo, lots of others Spec requires cleartext password storage Design-level auth bypass
- 15. multi/upnp/libupnp_ssdp_overflow Remote root on SuperMicro BMCs Old skewl ret2libc to call system(3)
- 16. Other Fun Embedded Stuff Michael Messner’s research 14 exploits for consumer routers and such
- 17. WinRM / WinRS thelightcosine’s research psexec is so last year
- 18. PhpEXE Mixin for PHP code execution bugs For ARCH_PHP payloads, just returns payload For others, drops a proper executable ● Then tries to unlink it
- 19. FileDropper Convenience methods for cleaning up files Works for exploits and post
- 20. Heap Spraying corelanc0der’s research, implemented by sinn3r Uses JS to create many button elements Fast, easy, reliable on IE and Firefox
- 21. ROP DB XML format for describing ROP chains Supported by mona.py
- 22. Mem Vuln Landscape has Changed Mandatory ASLR, DEP Sandboxing Automatic, no-interaction updates
- 23. A Boatload of Browser 0-day Pwn2own Targeted Attacks ● FBI Firefox At least 3 IE vulns used in the wild Flash
- 24. A Boatload of JRE 0-day So many vulns that Oracle basically disabled it
- 25. Payload Stuff
- 26. New Repositories! rapid7/metasploit-javapayload rapid7/meterpreter Easier to build, maintain, and test
- 27. Mac OSX stuff x64 payloads ● osx/x64/say
- 28. lol awk Awk is a text processing utility GNU likes to extend utilities GNU Awk has a full TCP API lolwut
- 29. Ruby Payloads Created for the Rails XML and YAML bugs
- 30. Android Meterpreter Kinda Proof-of-Concepty ● Requires APK installation ● Have to tap on a UI element But still awesome Most features work ● File manipulation ● Configuration stuff ● And Pivoting!
- 31. Demo Android meterpreter in emulator
- 32. Python Meterpreter Based on PHP ● But don’t judge
- 34. Mimikatz In-memory password stealer Cleartext creds for all the things
- 35. Demo Stealing passwords with mimikatz
- 36. New Meterpreter API Stuff netstat/arp commands Victim-side DNS Resolution
- 37. General Meterpreter Improvements Updated to VS2012 ● Much easier to build Fixed a bug with Reflective DLL Injection Fixed x64 reverse_https Fixed stability issues with sniffer on x64
- 38. Encoding Stuff
- 40. Better /bin/sh Command Encoding Handles more badchar edge-cases
- 41. Stage Encoding Adds randomness to second stage Makes network IDS have to work for a living
- 42. Other Stuff
- 43. DB Creds for AuthBrute Modules Lets you easily reuse creds Pop a box, steal creds with mimikatz ● Or one of the many post modules smb_login with them