Black Hat & Shmoocon

Just got accepted to both Black Hat DC 2011 and Shmoocon 2011! Unfortunately, I will not be able to attend Shmoocon. I wish I could come; I have never spoken there before, and it’s a great conference. Instead you will have to see me at Black Hat.


Fun with lnk files

Stuxnet used an 0day .lnk icon dll-loading vulnerability to own its targets via thumb drives. But if you don’t have a fancy 0day, chances are, you can still get someone to open a link. Link files are great because they often escape the scrutiny of executable .exe files or batch scripts since they don’t directly […]


Command stagers in Windows

Command injection/execution bugs are a relatively common vulnerability. For example, Internet Explorer, Google Chrome, and Mozilla Firefox have all had these problems, at least including common add-ons. (see,, etc.) Many server-side scripts in webapps also suffer from the same issues. Against a Linux target, many exploitation possibilities abound, from staging a payload via […]


Team metasploit and msfgui on Windows

First, in answer to a common question, the new msfgui can be run on Windows if Java is installed by double-clicking (starting in your program files directory) \Metasploit\Framework3\msf3\data\gui\msfgui.jar, so make a shortcut to that and place it on your desktop. Next, think about the fact that Metasploit has more features and runs with less memory […]


Sessionthief linux

In response to a number of questions about how to get sessionthief running on linux, here are the steps to get it working on Ubuntu: First, I apologize, because if anyone tried, the compilation failed due to a case-mismatch on a filename. I had not noticed because I had stored the files on a FAT-formatted […]


Insecure service permission privilege escalation

A number of metasploit modules already exist to escalate privileges based on insecurely installed services, such as the HP PML driver. But other services also suffer from the same problems and it is not worth making a new script for every obscure service; it would be easier to have one that could scan for such […]


Screwing with Nmap

It is always interesting to me to see what defense can be put up against tools used by attackers/pen testers. I don’t believe there are any public exploits against Nmap (Secunia is not aware of any at least) and I doubt I could find a useful one against a basic scan. On the other hand, […]


PXE exploitation

Update 2: See the latest, including the Defcon talk, at my new blog. Update: This complete attack, including the DHCP server, has been incorporated into Metasploit. Update and enjoy. The module is auxiliary/server/pxexploit. PXE booting has been around for over a decade and is supported by most system BIOSs. And I have also seen […]

Another little project I put together a couple of years ago is sessionthief. When I need to quickly demonstrate the insecurity of open wireless networks, this is my first choice, as it has the ability to immediately hack into most websites another user on the same LAN is logged into. It performs HTTP session cloning […]
msfgui – now in metasploit

The new msfgui is now in metasploit; svn up your msf3/ directory to get it. There is also a good review at Initial reception has been good, although a few bugs have popped up. It supports most scripts and most options on them via a right-click menu on a meterpreter session, generates a basic […]
