CoreLabs Articles

Read articles from CoreLabs, the research division of Core Security. CoreLabs prides itself on taking a holistic view of information security with a focus on developing solutions to complex, real-world security problems that affect our customers.

 

Core Impact 2017 R1 and Metasploit Pro are tools used to build multi-staged, real-world attacks that test enterprise security defenses. Organizations need better visibility into the holes in their network defenses, and penetration testing tools let them evaluate their ability to detect, prevent, and respond to exactly those kinds of attacks.
As part of my daily work as an Exploit Writer, I decided to take a look at CVE-2017-7308. It is a Linux Kernel vulnerability related to packet sockets. I will not go into details about the bug itself or its exploitation because there is an…
1. Introduction In this blog post, we will cover the analysis and exploitation of a simple heap buffer overflow found in SAPCAR a few weeks ago. SAP published security note #2441560 classifying the issue as "Potential Denial of Service". This post is our attempt to show
On November 8, 2016, Microsoft released a security update for Windows Authentication Methods (MS16-137) covering three CVEs: Virtual Secure Mode Information Disclosure Vulnerability (CVE-2016-7220), Local Security Authority Subsystem Service Denial of Service Vulnerability (CVE-2016-7237), and Windows NTLM Elevation of Privilege Vulnerability (CVE-2016-7238). Talking specifically about CVE-2016-7237, this…
Here’s the scenario: You’ve compromised a system, but it hasn’t been logged into recently by an administrator, so you’re quite disappointed by your Mimikatz results. You’ve got local system credentials but nothing on the domain except the machine account. Your mission: do something with the system that will attract the attention of someone with administrator credentials and make them log into the system WITHOUT setting off enough alarm bells to trigger a full-blown incident response.
What if I told you that in most networks these days, you don’t have to bother with cracking the passwords? In most networks running Active Directory, you can use the stored hash obtained via Mimikatz or a WPAD attack to authenticate. How, you may ask? It’s because of the wondrous bit of mis-engineering that is the Windows NT Login Challenge and Response. I’m going to dive into this a bit, so that we understand just what it is that we’re exploiting.
Continuing with my Getting Physical blog posts series (CanSec2016’s presentation), in this third episode I’m going to talk about how Windows Paging is related to the HAL's heap and how it can be abused by kernel exploits. This is probably the simplest way of abusing Windows paging structures, because deep knowledge about how Intel paging works is not necessary to implement the attack.
Dropped USB flash drives are still effective means for getting into networks. The goal of this post is to give you a bit of a hands on lab and show you some tricks for actually conducting USB drop attacks, including how to prepare the payload using Core Impact. USB drop attacks are a bit of a performance art form. You need to build an enticing story that’ll make the discoverers of the drop, whom I will refer to as ‘The Marks’, curious enough to override common sense and plug in the stick to figure out what’s on it.
Continuing with the previous Getting Physical blog posts series (CanSec2016's presentation), this time I'm going to talk about what paging implementation has been chosen by Windows and how it works. At the same time and according to Alex Ionescu's blog post, it's interesting to see that Microsoft has...
Hi, After Enrique Elias Nissim (@kiqueNissim) and I presented "Getting Physical: Extreme abuse of Intel based Paging Systems" at CanSecWest2016 (slides here), I decided to write a series of blog posts explaining in detail what we presented and showing what we couldn't in a full-length talk (50 minutes of presentation is a lot, but not in this case!).
On October 13, 2015, Microsoft published security bulletin MS15-106, addressing multiple vulnerabilities in Internet Explorer. Zero Day Initiative published advisory ZDI-15-521 for one of those vulnerabilities affecting IE...
Every once in a while I get to work on something special, something that leaves me with the keys to open new doors. Introduction: Not long ago I came across a certain font-related vulnerability: a 0-day being exploited in the wild...
On August 11, 2015 Microsoft released 14 security fixes, including an SMB Server fix. In this post I'll explain how I triggered the SMB Server bug. Microsoft Security Bulletin MS15-083: Of all the available patches...
Windows has been around a long time. After years of evolving from one version to another, it is rare to find vulnerabilities that allow remote code execution from Windows XP to Windows 8.1 (32 and 64-bit)...
At the beginning of March we published a blog post analyzing CVE-2015-0311, a Use-After-Free vulnerability in Adobe Flash Player, and we outlined how to exploit it on Windows 7 SP1 machines...
At the end of January, Adobe published the security bulletin APSA15-01 for Flash Player, which fixes a critical use-after-free vulnerability affecting Adobe Flash Player 16.0.0.287 and earlier versions. This vulnerability, identified as CVE-2015-0311, allows attackers to execute arbitrary code...
A few weeks ago a critical vulnerability (MS14-068) affecting Windows environments was published by Microsoft (credited to Tom Maddock and team). Specifically, the vulnerability affects Kerberos. [The vulnerability will] allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account.
Oftentimes, after running Network Information Gathering, we are still left with a number of devices whose OS shows as "Unknown". Given how many such devices are on the market today, there is a good chance some are located on your network. By identifying them we can potentially expand our attack surface and gain other useful information. So, where do we start? We may as well create a new search folder so that only the machines showing "Unknown" in the OS column are listed.
Alfredo Ortega and Anibal Sacco presented their findings in Absolute Software’s Computrace “persistent agent” as part of their ongoing research on BIOS rootkits at Black Hat USA 2009. Before I dig into some technicalities of the findings of Alfredo and Anibal, let me dispel any doubts about the disclosure process that we followed. The vendor was made aware of the report and upcoming presentation several weeks prior to Black Hat by at least three separate sources.
In our last installment, I gave you a final hunk of code with several function calls and decided to let you stew for a week before revealing what was going on under the hood. Well, you’ve stewed for a week, so let’s review.
Last week, we discussed exactly what we’ll be building and got some of the boilerplate done along the way. I’m sure that you dug into the modules that I strongly hinted that you take a look at for inspiration. To review, this module will need to:
In this installment, we’ll start diving into the anatomy of an Impact module, where you'll get the opportunity to absorb some of the features and implications before we dive into building something real and useful. In the course of conducting penetration tests, we often come across password hashes of various types. We can sometimes use these without cracking them, but it is often useful and necessary to crack those hashes. Why, you may ask?