metasploit and meterpreter as a C2 with sessions and channels

It's possible to use the metasploit console and meterpreter as a powerful Command and Control (C2) system using sessions and channels; here's how.

One-liner to start up a multi-handler in the metasploit console listening on a given port for incoming connections from a (staged) metasploit payload:

What is overriding your Drupal config?

Something is overriding config in Drupal - you can see it by invoking drush with and without the flag to include overrides:

$ drush cget system.performance | grep -B1 preprocess
  preprocess: false
  preprocess: false
$ drush cget --include-overridden system.performance | grep -B1 preprocess
  preprocess: true
  preprocess: true

Perhaps we want to turn this config off, but these overrides won't let us.

Where are these config overrides coming from?

Remote Code Execution in Drupal via cache injection, drush, entitycache, and create_function

PHP's create_function() was:

DEPRECATED as of PHP 7.2.0, and REMOVED as of PHP 8.0.0

As the docs say, its use is highly discouraged.

PHP 7 is no longer supported by the upstream developers, but it'll still be around for a while longer (because, for example, popular linux distributions provide support for years beyond the upstream End of Life).

Insecure Deserialisation and IDOR, oh my!

A few years ago I found quite an interesting vulnerability in a contributed Drupal module called tablefield.

The module allows Drupal entities to hold tabular data, and the vulnerability was a combination of Insecure Deserialisation and a type of Insecure Direct Object Reference (IDOR).

The fix was released over 4 years ago so sufficient time has passed for me to share some more details.

The module has a hook_menu page callback (Drupal 7's equivalent of a route) that looks like this:

Stopping apparmor blocking firefox from reading local files in /var/www/

After a recent OS upgrade I was trying to upload a patch to an issue on and encountered a strange error message.

It was very similar to this one on a vanilla Drupal 7 install:

An unrecoverable error occurred. The uploaded file likely exceeded the maximum file size (100 MB) that this server supports.


The best and worst SSH / MOTD banners

I came across an SSH banner recently that I vehemently disliked, but it reminded me of a similar banner that I'd thought was brilliant.

So here are my best and worst banners...

The worst

This is the banner for an appliance provided by a vendor (that shall remain nameless) in the IT security space.

Technically this is an SSH banner so it's displayed before authentication.

A persistent Drupal 7 exploit using a pluggable variable

A couple of years ago I was asked to take a look at a Drupal 7 site that was performing poorly where a colleague had spotted a strange function call in an Application Performance Management (APM) system.

The APM traces we were looking at included a __lamda_func under which was a class called Ratel. Under those were some apparent external calls to some dodgy looking domains.

One of my very excellent colleagues had done some digging and found some more details about the domains which confirmed their apparent dodginess.

Assessing the likelihood of a Drupal exploit of Ghostscript Zero Day CVE-2021-3781

Drupal 9 detects a fake image file

My colleagues and I in the Drupal Security Team recently became aware of a Zero Day RCE vulnerability in Ghostscript. This was later assigned CVE-2021-3781.

At least one viable Proof of Concept (PoC) was made public not long after the Zero Day which illustrated Scalable Vector Graphics (SVG) handling in Imagemagick being used as an attack vector.

Checking for Bad Passwords in Drupal with Drop the Ripper to Avoid Site Compromise

This was originally posted on the blog.

Easy-to-guess passwords are all too often the means by which intruders gain unauthorised access. It's useful to be able to audit the passwords in use on your site - especially for user accounts with administrative privileges.

Password Policies and Drupal

The default Drupal 7 password form
Correct Horse Battery Staple - credit

This was originally posted on the blog.

People tend to choose bad passwords if they are allowed to.

By default Drupal provides some guidance about how to "make your password stronger," but there's no enforcement of any particular password policy out of the box. As usual, there's a module for that. More than one in fact.

Subscribe to RSS