Posts by Juan Vazquez

Flipping bits in the Windows Kernel

Recently, the MS15-061 bulletin has received some attention. This security bulletin includes patches for several Windows Kernel vulnerabilities, mainly related to win32k.sys. Details of one of them, discovered by Udi Yavo, have been very well covered. First, the same Udi Yavo published details about the Use After Free on a blog entry. Later, Dominic Wang [https://twitter.com/d0mzw] wrote a even more detailed analysis of both the vulnerability and its exploitation on this paper. Finally, Meysam

A debugging session in the kernel

Last week, an awesome paper [https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/september/exploiting-cve-2015-2426-and-how-i-ported-it-to-a-recent-windows-8.1-64-bit/] about the MS15-078 vulnerability and it's exploitation was published by Cedric Halbronn [https://twitter.com/saidelike]. This vulnerability, originally found and exploited by Eugene Ching [https://twitter.com/eugeii], already has a work-in-progress module in Metasploit, which you can follow on github [https://

Using Reflective DLL Injection to exploit IE Elevation Policies

As you are probably aware, sandbox bypasses are becoming a MUST when exploiting desktop applications such as Internet Explorer. One interesting class of sandbox bypasses abuse IE's Elevation Policies. An example of this type of sandbox bypass is CVE-2015-0016 [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0016]. The vulnerability has already been analyzed by Henry Li, who published a complete description in this blog entry [http://blog.trendmicro.com/trendlabs-security-intelligence/

Revisiting an Info Leak

Today an interesting tweet [https://twitter.com/Laughing_Mantis/status/631170614720462848] from Greg Linares [https://twitter.com/Laughing_Mantis] (who has been posting awesome analysis on twitter lately!) came to our attention, concerning the MS15-080 [https://technet.microsoft.com/en-us/library/security/ms15-080.aspx] patch: This patch (included in MS15-080) may have been intended stop one of the Window kernel bugs exploited by Hacking Team. But, after our analysis, it appears that there is

Exploiting a 64-bit browser with Flash CVE-2015-5119 (Part 2)

This post is a continuation of Exploiting a 64-bit browser with Flash CVE-2015-5119 [/2015/07/31/supporting-a-64-bits-renderer-on-flash-cve-2015-5119] , where we explained how to achieve arbitrary memory read/write on a 64-bit IE renderer. As a reminder, we are targeting Windows 8.1 / IE11 (64 bits) with Flash 15.0.0.189. Of course, this write-up may contain a few errors, so your mileage may vary =) Where we left off before, we had created an interface to work with memory by using a corrupted

Exploiting a 64-bit browser with Flash CVE-2015-5119

Some weeks ago, on More Flash Exploits in the Framework [/2015/06/30/more-on-flash-exploits-into-the-framework], we introduced the flash_exploiter library, which is used by Metasploit to quickly add new Flash exploit modules. If you read that blog entry, then you already know that flash_exploiter only supports 32-bit browsers (renderers). In this blog post, we will demonstrate initial steps in adding IE11 64-bit support to CVE-2015-5119 [http://www.cvedetails.com/cve/CVE-2015-5119/] , which is o

News on the Embedded Systems Land

Last year we worked hard to improve the embedded devices capabilities available on Metasploit collaborating with awesome guys like m-1-k-3 [https://twitter.com/s3cur1ty_de] to add new modules and capabilities [/2013/04/05/compromising-embedded-linux-routers-with-metasploit], collaborating [/2013/07/02/a-penetration-testers-guide-to-ipmi] and conducting research [/2013/11/06/supermicro-ipmi-firmware-vulnerabilities] like in the IPMI related work by HD Moore [https://twitter.com/hdmoore], or shari

Bypassing Adobe Reader Sandbox with Methods Used In The Wild

Recently, FireEye identified and shared information [http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html] about two vulnerabilities used in the wild to exploit Adobe Reader on Windows XP SP3 systems. The vulnerabilities are: * CVE-2013-3346 [http://cvedetails.com/cve/CVE-2013-3346]: An Use After Free on Adobe Reader. Specifically in the handling of a ToolButton object, which can be exploited through document's Java

A Pentester's Introduction to SAP & ABAP

If you're conducting security assessments on enterprise networks, chances are that you've run into SAP systems. In this blog post, I'd like to give you an introduction to SAP and ABAP to help you with your security audit. The full SAP solution (ERP or SAP Business Suite) consists of several components. However, to manage the different areas of a large enterprise, probably one of the better known components or features of the SAP solution is the development system based on ABAP [http://en.wikipe

Exploiting the Supermicro Onboard IPMI Controller

Last week @hdmoore [https://twitter.com/hdmoore] published the details about several vulnerabilities into the Supermicro IPMI firmware [/2013/11/06/supermicro-ipmi-firmware-vulnerabilities]. With the advisory's release, several modules were landed into Metasploit in order to check Supermicro's device against several of the published vulnerabilities: Module Purpose smt_ipmi_static_cert_scanner [http://www.rapid7.com/db/modules/auxiliary/scanner/http/smt_ipmi_static_cert_scanner] This module ca

Change the Theme, Get a Shell: Remote Code Execution with MS13-071

Recently we've added an exploit for MS13-071 [https://www.rapid7.com/db/vulnerabilities/windows-hotfix-ms13-071] to Metasploit. Rated as "Important" by Microsoft, this remote code execution, found by Eduardo Prado, for Windows XP and Windows 2003 environments is achieved by handling specially crafted themes. In this blog post we would like to discuss the vulnerability and give some helpful tips for exploiting it from Metasploit. First of all, the bug occurs while handling the [boot] section on

Good Exploits Never Die: Return of CVE-2012-1823

According to Parallels, "Plesk is the most widely used hosting control panel solution, providing everything needed for creating and offering rich hosting plans and managing customers and resellers, including an intuitive User Interface for setting up and managing websites, email, databases, and DNS." (source: Parallels [http://www.parallels.com/products/plesk/webhosters/]). On Jun 05 kingcope shocked Plesk world by announcing a new 0 day which could allow for remote command execution: Accordi

From the Wild to Metasploit: Exploit for MoinMoin Wiki (CVE-2012-6081)

Recently we've added to Metasploit a module for CVE-2012-6081, [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6081] an arbitrary file upload vulnerability affecting to the version 1.9.5 (patched!) of the MoinMoin [http://moinmo.in/] Wiki software. In this blog entry we would like to share both the vulnerability details and how this one was converted in RCE (exploited in the wild!) because the exploitation is quite interesting, where several details must have into account to successful e

New 1day Exploits: Mutiny Vulnerabilities

Exploit for new Vulnerability on Honeywell EBI ActiveX (CVE-2013-0108)

Today, we present to you a new vulnerability, CVE-2013-0108 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0108], discovered in Honeywell Enterprise Buildings Integrator (EBI) [https://buildingsolutions.honeywell.com/Cultures/en-US/ServicesSolutions/BuildingManagementSystems/EnterpriseBuildingsIntegrator/] R310 - R410.2. This platform is used to integrate different systems and devices such as heating, ventilation, and air conditioning (HVAC) controls; security; access control; life sa