no one is safe ...
//secure it#

Listed at Top Contributors 2014

With 57 commits I am listed among the Metasploit Top Contributors for the year 2014. *h00ray*

I was not able to create as much code as in 2013 (121 commits), but some shiny new modules for pwning embedded devices were created in 2014.

You can find some more details in the original blogpost.

Now let’s go ahead in 2015 and see what the 2nd edition of my Metasploit book is doing … btw. you should pre-order it now on Amazon.

Weekly Metasploit Update with more Embedded Device Attacks

The last Metasploit Update includes some new exploits for breaking embedded devices.

D-Link Embedded Device Shells
This week, esteemed Metasploit contributor @m-1-k-3 has been at it again with his valiant personal crusade against insecure SOHO (small office/home office) embedded devices with known vulnerabilities. We have a new trio of modules that target D-Link gear, based on the research released by Craig Heffner and Zachary Cutlip, which exploit two bugs present in the DSP-W215 Smart Plug, and one UPnP command injection bug found in the DIR-815.

The research on these embedded devices is really quite solid -- if you're at all interested in this kind of research, you can read Craig's excellent notes on his first and second SmartPlug bugs, published in May of 2014, and Zachary's notes on the DIR-815 bug. Following along is now a ton easier with m-1-k-3's Metasploitization of these exploits, too, since you can now see the traffic on the wire if you happen to have one of these routers in your home or lab.

This is the part where I rail about the Internet-of-Things. I'll keep beating this drum because it's not "merely" your home networks that are at risk. If the gadgets are cool and useful enough, you can be sure they will find their way into office spaces across all kinds of industries, making the job of the penetration tester less of an exercise in finding vulnerable devices to target and more of prioritizing which ones should get exploited first.

Nobody updates firmware, ever. Nobody. As long as they're passing packets, and there's no IT department control over these things, these guys will remain vulnerable forever -- at least, until something radical changes in the embedded device space where updates are automatic and routine -- and don't fall prey to Evilgrade-like attacks, which have been around for a few years now.

Exploit modules

  • D-Link info.cgi POST Request Buffer Overflow by Craig Heffner and Michael Messner exploits OSVDB-108249
  • D-Link HNAP Request Remote Buffer Overflow by Craig Heffner and Michael Messner exploits CVE-2014-3936
  • D-Link Unauthenticated UPnP M-SEARCH Multicast Command Injection by Michael Messner and Zachary Cutlip

Read more:

New #Metasploit modules for attacking embedded devices are available

During the last few weeks a lot of new material on breaking embedded devices has arrived. There are some quite interesting vulnerabilities, exploits and some new payloads available.

Linksys WRT120N

First of all, Craig Heffner has analyzed the Linksys WRT120N router and has published a lot of detailed information about this work on his blog. The series of blogposts starts with some details about breaking the hardware. Second, he shows how it is possible to extract the firmware from the device. Finally, Craig found an interesting buffer overflow vulnerability and created a nice and shiny exploit for it. This exploit is able to reset the password for the web interface of the router. So I thought this would make a quite nice Metasploit Auxiliary module.

The following code is the interesting part of the module – the full code is available on Github.

Within the main function (run) the module starts with a first login test using the username admin and an empty password. If this test succeeds, there is no further need for the module and it finishes:

Get free sample chapters from the German-language Metasploit books

Are you just getting started with Metasploit and need an introduction? Or are you a Metasploit professional and need a good reference work?

SOHO Router Horror Stories webcast with Rapid7 - 7 November 2013 - 2 p.m. CET [Update: 12.01.2013]

In this German-language technical online seminar for security researchers, penetration testers and IT security officers, Michael Messner presents research results on the security of SOHO routers. Because these systems are very widespread and rarely updated, they often have serious security problems. A few months ago, for example, 420,000 embedded devices were infected by a botnet named Carna and used for a worldwide Internet scanning project. While this so-called Internet Census was illegal but nonetheless benevolent, it clearly reveals problems in router security. IT security researchers, manufacturers and security officers responsible for corporate networks should be extremely concerned about this.