
War Room

Shells from above


2017 FOSS Contributions

January 16, 2018 By Spencer

We here at RSM rely heavily on the Open Source tools that are available from the information security community. Like many penetration testing and research teams, we depend on gems such as the Metasploit Framework, Responder, and Empire. We like to give back to the community and help others like us by contributing to these projects, as well as by releasing and maintaining our own Open Source tools, including King Phisher and Termineter. In this blog we’ll explore the contributions that our team made during 2017.

The Metasploit Framework

In 2017 we submitted the following 4 modules to the Metasploit Framework.

CVE-2017-8464 (Windows LNK Processing)

This module targeted a vulnerability (not found by us) in the processing of LNK files on Windows systems. It was heavily based on an existing Metasploit module that was intended to be used in conjunction with a USB-style attack vector.

CVE-2017-9769 (Windows Razer Synapse)

Probably one of the more exciting exploit modules that was released was for one of two vulnerabilities we did find in gaming peripheral company Razer’s Synapse application. This Local Privilege Escalation (LPE) exploit leveraged a flaw in the driver that allowed a critical security check to be bypassed.

DC/OS Marathon UI

This feature abuse module allows Metasploit to execute code when the DC/OS Marathon UI creates a new Docker container. Being a feature abuse, this module is likely to have better longevity than the other exploits which have patches available for their respective vulnerabilities.

Gnome Keyring Dumping

Last but not least in the Metasploit category, this auxiliary module was the product of a larger effort to bring Railgun functionality to non-Windows platforms. The module itself allowed users with a Python Meterpreter session on a Linux system to dump the network passwords out of the Gnome Keyring service. It wrapped the native API calls directly and did not require spawning any new processes or writing anything to disk.

As was just mentioned, the new Railgun support for OSX and Linux creates a lot of opportunities for new post-exploitation functionality. The Railgun API allows functions in native libraries on the compromised host to be called through Meterpreter. This is already used heavily by many of the Windows post-exploitation modules, and we hope to see new modules for the newly supported platforms in the coming year.

Empire – Wlrmdr

For the Empire project we added the new Wlrmdr module that can be used for social engineering attempts. This module utilizes the Windows logon reminder service to launch a customized balloon reminder in a user’s taskbar.

BeEF – Get Cookie Automatic Rule

This submission was created for a specific need that came up during one of our red team engagements. When a browser is hooked through cross-site scripting, the rule automatically captures any cookies for the site and logs them.

Various Bug Fixes

Contributions don’t always have to be cutting-edge techniques or new features; sometimes they simply improve on or fix existing functionality. To that end, we reported issues we noticed in MimiPenguin and proposed a fix for Ruler. Having maintained open source projects ourselves, we understand the value of detailed bug reports and how they aid in project development.

The RSM Projects

King Phisher

2017 was a major year for King Phisher, with 4 major releases, and 10 new plugins. With the integration of the plugin catalog, it’s now also easier than ever to install and update plugins for the King Phisher client. We expect a lot of plugin development to continue as new features are added outside of the core application. Finally, we released 4 new email phishing templates and 1 new website template.

Termineter

And then there’s Termineter, the open source Smart Meter testing framework. This particular tool saw some long overdue improvements since its first release almost 6 years ago in 2012. We’ve made numerous improvements to it through our testing with additional clients over the year and have finally tagged it with the well-deserved version 1.0 tag. This release saw a new module, a better user interface and many other improvements, but that’s a topic for another blog.

We hope everyone found our contributions as useful as those that we have benefited from. Here’s to what improvements 2018 may bring, and happy hacking.

