Writing a Metasploit post exploitation module

Metasploit framework logoThe exploitation of a machine is only one step in a penetration test. What do you do next? How can you pivot from the exploited machine to other machines in the network? This is the phase where you need to prove your post exploitation skills. Even if Metasploit is a complex framework, it is not complete and it sometimes needs to be extended.

Why would I write such a module?

Metasploit is the “World’s most used penetration testing software”, it contains a huge collection of modules, but it is not complete and you can customize it by writing your own modules.

Even if you manage to compromise a machine, you may ask yourself: “Now what?”. You can use one of the many Metasploit post exploitation modules, but what if you don’t find a suitable module for you? You may request it to the Metasploit community and developers but it may take a lot of time until it will be available. So why don’t you try to write your own module?

Continue reading

Upgrade your DLL to Reflective DLL

Reflective DLL for injectionIf you want to execute code stealthily on a machine and the antivirus stands in your way, you should think about avoiding the disk because this is the place where the antivirus reigns.

In this scenario, you might find it useful to execute a DLL directly inside the address space of a running process without touching the disk. This will bypass the AV in a stealthy and powerful way.

To achieve this, all you need to do is upgrade your DLL to Reflective DLL.


The antivirus can sometimes be a significant problem during a penetration test in the post-exploitation phase. For dealing with this issue, several strategies have been proposed:

  • making use of the command line / PowerShell
  • executing a program (EXE) from memory
  • executing a DLL from memory

Sometimes the command line interface is severely limited.

Also, by executing a program from memory you may still run into problems with the antivirus; you might get away with it by making use of a crypter (a tool that encrypts an executable, decrypting it during execution and executing it from memory) but most of them are detectable.

Thus, you may find it useful to use a DLL instead of an EXE to do your job.

Continue reading

Intercepting functions from statically linked libraries

OpenSSL SSL_write function code asmA common technique for blackbox penetration testing of a binary application is intercepting function calls. This technique helps the pentester to properly understand how the application works and to manipulate application data.


The problem

In most cases, it is pretty easy to intercept a function call: the application calls a function from a shared library (DLL) and you just need to find its address in the DLL’s export address table and breakpoint on it.

But it may happen that your target function is from a statically linked library, which means that you cannot find its address by name in the export table. So how to find the target function’s address in this situation? 

In our case, we have a Windows executable statically linked with OpenSSL and we want to intercept and modify the TLS encrypted traffic which is handled by the SSL_write function from OpenSSL.

However, the same idea can be applied for other operating systems and libraries.

Continue reading

Understanding PHP Object Injection

PHP Object InjectionPHP Object Injection is not a very common vulnerability, it may be difficult to exploit but it also may be really dangerous. In order to understand this vulnerability, understanding of basic PHP code is required.

Vulnerable applications

If you may think this is not an important type of vulnerability, please see the list below. Researchers found PHP Object Injection vulnerabilities in very common PHP applications:

And many others.  There may be a lot of other undiscovered PHP Object Injections in these or in other very common PHP applications, so maybe you can take a coffee break and try to understand it.

Continue reading

How to intercept traffic from Java applications

Intercept Java traffic with Javasnoop During a security assessment you may need to monitor the traffic from a Java application and also to modify it. What can you do? What if the application uses SSL/TLS and even SSL pinning? We found a very useful tool which helped us in this type of situations.


JavaSnoop is a tool developed by Aspect Security with the purpose of helping people to intercept Java function calls (e.g. toString) from Java applications. It allows you to attach to a process and intercept any Java function call, view and modify the parameter values, print the stacktrace or save all function calls to a file.

JavaSnoop allows browsing all Java classes and all functions used by the target application. What you have to do is to choose the right function from the right class to hook in order to intercept the function call and parameters. For example, you may consider functions that send, receive, hash or encrypt data in order to intercept and modify sensitive data.

Continue reading