Archive for category Metasploit

Exploiting Ammyy Admin – developing an 0day

Background For the past few years, a number of groups of scammers have been cold-calling thousands if not millions of people in what’s been referred to as the “Ammyy Scam” or the “Microsoft Tech Support Scam” among other names. The scammers pretend to be from Microsoft or another official group and claim to have detected […]


More Spiders, Fewer Trees: Meterpreter Hop

Just about every time you see a serious network intrusion where the attackers obtain access to internal networks, the attackers used “hop points” to conceal their identity and evade detection. … Setting up and using hop points has been a chore for penetration testers as well. Normally setting up a hop requires owning the server to open and listen on arbitrary ports and forward data. But today, using a new payload and session type I contributed to the metasploit framework, you can use any common PHP host as a hop for meterpreter. This is a big deal since it’s the first time metasploit has natively supported receiving a connect-back shell that goes somewhere other than directly to the Metasploit controller. … Check it out in the video below:


No Comments

Using the GUI in Metasploit 4.6

Unfortunately, Rapid7 recently informed me that they would no longer be including msfgui from the official distribution of Metasploit (along with Armitage). But don’t worry, because even though it is now a separate program, msfgui is still supported and still provides (in my humble opinion) the best way of harnessing all the power of Metasploit.

, , ,


Saving shells with PrependMigrate

One of the more frustrating experiences in infosec is getting a session back – just to have it die a second later. Often, exploited processes are simply unstable; after smashing the heap or some other data structures, the process crashes not long after starting the shellcode. Sometimes the process freezes and the user exits the […]


Shellcode sizes in Metasploit

When working on DNS tunneling shellcode, I was wondering how small the shellcode needed to be to work with most exploits. In case you have the same question, this is how you find out how much space, for example, all Windows exploits have, or see how many exploits a given payload will work with, although […]

No Comments

Direct shellcode execution in MS Office macros

Metasploit has for years supported encoding payloads into VBA code. (VBA, or Visual Basic for Applications, is the language that Microsoft Office macros are written in.) Macros are great for pentesters, since they don’t rely on a specific version, and they are a supported method of code execution that most people don’t realize and are […]


Writing Meterpreter Extensions

Railgun and other meterpreter functionality is awesome and can do almost everything you would like on a compromised system, but sometimes, due to performance or bandwidth requirements or just weird threading issues, you need to be able to run compiled code on a target. You can upload an executable to a system and run that, […]

, ,


Custom payloads in Metasploit 4

One of the key features of Metasploit is the customization of the framework; for example, different payloads can be generated with many different options and placed in any of a large number of exploits. Custom scripts can be written with many commands for automated post-exploit actions. Nevertheless, there have still been a number of customizations […]

, , , , , ,


Network Nightmare – PXE talk at Defcon

Hope you were able to see my talk at Defcon 19, Network Nightmare – Ruling the Nightlife Between Shutdown and Boot with PXEsploit. If not, you can see the slides here and watch the demos below. As a quick summary, the Preboot Execution Environment, available on almost all motherboards as “Network Boot,” provides a way […]

, ,


Firefox Exploit Analyzed

[I found some old posts lurking around my hard drive from a few months ago. This is no longer the newest or best Firefox exploit, but you might find it interesting] To learn a little bit more about exploit development and RE I took a look at the latest Firefox exploit in exploit-db (; […]

, , , , , , , , , , , ,

No Comments