Weaponizing Perl Serialization Flaws with Metasploit
This was definitely not your average talk for Houston.pm. John Lightsey described a few flaws in Perl serialization frameworks. Then, he explained how one of these flaws is actually exploitable in the MovableType blogging system.
He walked us through using the Metasploit framework to exploit this flaw and open a shell prompt on another machine. In this case, he was attacking a virtual machine on his own laptop, but the implication was clear.
The talk is available online. This is not a talk for the faint of heart, but you'll learn quite a lot. The code is available as well.
We had 12 people attending this month. As always, we'd like to thank HostGator, LLC for providing the meeting space and food for the group.