Pearce Barry

Metasploit Wrapup

Posted by Pearce Barry Employee Aug 11, 2017

Slowloris: SMB edition

Taking a page from the Slowloris HTTP DoS attack, the aptly named SMBLoris DoS attack exploits a vuln contained in many Windows releases (back to Windows 2000) and also affects Samba (a popular open source SMB implementation). Through creation of many connections to a target's SMB port, an attacker can exhaust all available memory on the target by sending a specific NBSS length header value over those connections, rendering the system unusable or crashed (if desired). And systems with SMB disabled are vulnerable to this attack too. Word is that Microsoft currently has no plans to issue a fix. Following the SMBLoris reveal at DEF CON (hat tip to the researchers at RiskSense!), Metasploit Framework now contains an exploit module for fulfilling your SMBLoris needs.
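An added detection-side example (not code from the post or from the Metasploit module): parse the NBSS header and flag a source that piles up idle connections each declaring a near-maximum length. It assumes the standard 4-byte NBSS layout (type byte, flags byte whose low bit extends the length, 2-byte big-endian length); the thresholds and the sample connection records are constructed for the demo.

```python
from collections import defaultdict
import struct

NBSS_SESSION_MESSAGE = 0x00
NBSS_MAX_LENGTH = 0x1FFFF      # 17-bit length field: 131071 bytes


def parse_nbss_header(data):
    """Return (message type, declared length) from a 4-byte NBSS header.

    Assumed layout: type byte, flags byte (bit 0 extends the length),
    then a 2-byte big-endian length.
    """
    if len(data) < 4:
        raise ValueError("short NBSS header")
    msg_type, flags, length = struct.unpack("!BBH", data[:4])
    return msg_type, ((flags & 0x01) << 16) | length


def detect_smbloris(connections, min_conns=50, min_fraction=0.9, max_body=64):
    """Flag source IPs holding many connections that declare a large NBSS
    length and then deliver almost none of it.

    connections: iterable of (src_ip, header_bytes, body_bytes_received).
    Returns {src_ip: number of suspicious connections} for flagged sources.
    A single large message is normal SMB traffic; a pile of idle ones from
    one source is the pattern worth alerting on (thresholds are constructed).
    """
    stats = defaultdict(lambda: [0, 0])        # src -> [suspicious, total]
    for src, header, body_received in connections:
        stats[src][1] += 1
        try:
            msg_type, declared = parse_nbss_header(header)
        except ValueError:
            continue
        if (msg_type == NBSS_SESSION_MESSAGE
                and declared >= 0x10000               # length-extension bit set
                and body_received < max_body):
            stats[src][0] += 1
    return {src: s for src, (s, t) in stats.items()
            if t >= min_conns and s / t >= min_fraction}


def sample_connections():
    """Constructed sample: one source with 60 idle max-length connections,
    plus a legitimate client that sends normal-sized SMB messages and one
    genuinely large message that it actually delivers."""
    idle = [("10.0.0.5", b"\x00\x01\xff\xff", 0) for _ in range(60)]
    normal = [("10.0.0.9", b"\x00\x00\x00\x54", 84) for _ in range(20)]
    big_but_real = [("10.0.0.9", b"\x00\x01\x00\x00", 65536)]
    return idle + normal + big_but_real


if __name__ == "__main__":
    print(detect_smbloris(sample_connections()))
```

Feed it per-connection records from a flow log or a packet capture's first bytes; only the idle, many-connection source is reported.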

 

The Adventure of LNK

Think Windows shortcut files are a convenient way to reference a file from multiple places? How about as an attack vector to get remote code execution on a target? Affecting a wide range of Windows releases, a recently-landed exploit module might be just what you're looking for to give this vector a go. Microsoft did release a patch this past June, but we're gonna guess a lot of systems still haven't picked that up yet.

 

Would you like RCE with your PDF (reader)?

If so, Nitro's PDF reader might be your hookup. Many versions of both Pro and regular flavors of the reader are vulnerable, providing JavaScript APIs which allow writing a payload to disk and then executing it. Check out the new exploit module and enjoy some of that tasty RCE.

 

Jenkins, tell me your secrets...

If you periodically happen upon a target running Jenkins, we've got a new post module you might find useful. jenkins_gather will locate where Jenkins is installed on a system and then proceed to look for creds, tokens, SSH keys, etc., decrypting what it finds and conveniently adding it to your loot. It's been tested on a number of versions and platforms and is ready for you to give it a try.

 

And more!

We've also:

  • enabled ed25519 support with net-ssh
  • added better error handling for the Eternal Blue exploit module when it encounters a system that has SMB1 disabled (thx, @multiplex3r!)

 

New Modules

Exploit modules (2 new)

 

Auxiliary and post modules (2 new)

 

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Got mad skillz? Want mad skillz? This year at Rapid7’s annual UNITED Summit, we’re hosting a first-of-its-kind Capture the Flag (CTF) competition. Whether you’re a noob to hacking or a grizzled pro, you’ll emerge from our 25-hour CTF with more knowledge and serious bragging rights. Show off your 1337 abilities by competing for top prizes, or learn how to capture your first ever flag. Read on for details, and if you haven’t already done so, register for UNITED!

 

Our UNITED competition isn’t your average CTF. Why? Because this CTF is designed and hosted by the Metasploit team. That means two things: First, if you need a hand learning the ropes or help reverse-engineering an exceptionally tricky flag, you’ll have access to the foremost experts in the offensive security field. Second, you’ll be the first members of the public to test out the brand new Metasploitable3 Linux vulnerable machine. The Metasploit team has been waiting to debut a Linux version of Metasploitable, and we can’t think of a better opportunity than UNITED to do it.

 

Details

The competition will kick off September 13, 2017 at 1:15 PM EDT at the inaugural workshop in UNITED’s Phish, Pwn, and Pivot track: A Hands-on Introduction to Capture the Flag (CTF) Competitions Using Metasploitable (aptly named). Flag-capturing will end at 2:15 PM September 14, when we’ll present awards and host discussion on advanced tactics for all the future CTFs you’ll be able to dominate.

 

New to CTF competitions? Be sure to attend the hands-on introduction. Already captured, like, a million flags in your career? You don’t need to attend sessions to participate—just connect to the competition infrastructure and get to work! Metasploit experts will be available to all participants during the conference, both in and outside of the sessions.

 

OK, what can I win?

Prizes will be awarded to the top three competitors.

 

  • Top prize: Two complimentary passes to UNITED 2018, a HAK5 ESSENTIALS FIELD KIT, and a T-shirt.
  • Second place: A HAK5 WIFI PINEAPPLE and a T-shirt
  • Third place: A HAK5 USB RUBBER DUCKY and a T-shirt

 

What do I need to participate?

A desire to learn, perseverance, and a laptop with WiFi capabilities and Metasploit Framework 4.12.5 or later. Windows users will need PowerShell.

 

We look forward to seeing you at UNITED 2017 for what’s basically guaranteed to be the coolest CTF in the history of flags and competitions. Haven’t yet registered for UNITED? Fix that here—or contact your Rapid7 Account Executive or Customer Success Manager.

 

You can explore more of UNITED 2017's lineup of speakers, trainings, and track sessions here.

Pearce Barry

Metasploit Wrapup

Posted by Pearce Barry Employee Aug 4, 2017

With Hacker Summer Camp 2017 wrapped up and folks now recovering from it, why not grab a drink and read up on what's new with Metasploit?

 

Where there's smoke...

At least a few versions of open source firewall IPFire contain a post-auth RCE vulnerability, and we (well, you!) now have a module to help exploit that. Due to how an incoming Snort Oinkcode is processed via HTTP POST request, the IPFire software leaves itself open for shoving a payload in as the Oinkcode and having it executed. Like throwing water on an IPFire...

 

Razer's edge

Synapse, a computer peripheral configuration application from popular peripheral device vendor Razer, contains an access control vulnerability in its rzpnk.sys driver. Exploiting this vuln allows privilege escalation, including reading and writing of other processes' memory and remote code execution. And there's a new module for this. As of this writing, this vulnerability has not yet been patched (and considering Synapse will auto-install on peripheral connect—at least under Windows 10—there may be many susceptible targets out there!).

 

Scanner Lightly

And we've landed a few new aux modules for your scanning pleasure: RDP and NNTP. While RDP is likely familiar to many readers, NNTP (Network News Transfer Protocol) might be less so. But you never know what a target might be running...

 

Mo' Meterpreter

We've had some improvements to a couple of our Meterpreters to share.

 

Windows Meterpreter

  • screen capture of HiDPI screen is now supported (and captures the full screen)
  • new threads are now automatically set up not to throw a dialog box or crash notification on failure

 

macOS/OSX Meterpreter

  • native-code Meterpreter now available
  • microphone audio streaming is supported

 

Feed me, RSS!

Had a desire to follow what your sessions are up to via an RSS feed? If so, rejoice! There's now a new framework plugin for doing exactly that thanks to @mubix.

 

Rise of the robots.txt

In an effort to make framework's HttpServer a bit less leaky, @dbfarrow added the ability to serve up a canned 'plz no crawl/index my pagez' robots.txt response for clients who request it. And, for those clients who do request it and honor it, that canned response should be enough to shoo them off from accessing files HttpServer is hosting...

 

New Modules

Exploit modules (5 new)

 

Auxiliary and post modules (2 new)

 

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Rapid7 just released a new public repo called vm-automation. The vm-automation repository is a Python library that encapsulates existing methodologies for virtual machine and hypervisor automation and provides a platform-agnostic Python API. Currently, only ESXi and VMWare workstation are supported, but I have high hopes we will support other hypervisors in time, and we would love to see contributors come forward and assist in supporting them!

 

That’s awesome. I want to get started now!

Great! Instructions on how to use the library are here: https://github.com/rapid7/vm-automation

 

Why?

The Metasploit team has an embarrassment of riches when it comes to modules and payloads thanks to our amazing community and staff. To give some idea of the embarrassment of riches, feel free to launch msfconsole and check the output:

 

       =[ metasploit v4.15.0-dev-7e1b50a                  ]

+ -- --=[ 1665 exploits - 953 auxiliary - 294 post        ]

+ -- --=[ 486 payloads - 40 encoders - 9 nops             ]

+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

 

We have 486 payloads, 1,665 exploits, nearly 1,000 aux modules, and 294 post modules. Additionally, we have 443 super-awesome contributors across the globe sending us modules every single day. All this is impressive, and we are incredibly thankful for everyone’s support. At the same time, this is a challenge to test—especially since Microsoft and Linux keep updating things to break our code without warning (don't they know who we are?!).

 

One of the efforts that we are working on is some test automation to help us maintain our modules and payloads—or at least know when things break faster—and to streamline the PR landing process. To do that we made a testing infrastructure that uses virtual and physical machines as attackers and targets; then we launch payloads, scripts, and modules on the virtual machines and track the responses. As we are all lazy, it needed automation, so we looked for a clean, simple way to interact with different kinds of vms that was consistent across hypervisors. In a former life, I was also an instructor and CTF developer; as a result, I know that ability to script vm management tasks makes life much easier for a lot of people beyond the narrow case of module and payload testing in Metasploit, so we split the library for automating vm tasks into a separate repo for anyone to use (and contribute new ideas!).

 

Aren’t there already things that do this?

Yes...sort of. There are multiple projects out there that exist and give varying amounts of control over vms using lots of different languages. Pyvmomi is one great example; it allows spectacular levels of customization and power over virtual machines that the average CTF-er or tester has absolutely no need to use, while simple tasks like getting a list of snapshots take ~40 lines of code. I certainly do not want to denigrate or disparage Pyvmomi: they provide an awesome API, and I know people who need that level of power over virtual machines, but it is just too powerful and complex for a lot of hobby-level hypervisor scripters. This library wraps a lot of Pyvmomi API calls into simple, comprehensible API calls to support the majority of what most hypervisor script users would need, while abstracting a lot of the complexities in Pyvmomi.

 

Also, Pyvmomi only supports ESXi, and this library leverages Pyvmomi API calls to support ESXi, but then uses VMrun.exe to support VMware workstation. So while much of the underlying code is changing, the functions to interact with vms remain the same across hypervisors, supporting the main goal for this repo: one function call, multiple hypervisors.

 

So what is it you say you do around here?

The supported functions are currently limited to those you might want to automate a CTF or test-range:

  • checkTools
    • Returns the state of VMWare tools
  • deleteSnapshot
    • Deletes a given snapshot
  • getArch
    • Returns the vm architecture
  • getFileFromGuest
    • Pulls a file from the virtual machine
  • getSnapshots
    • Updates the vm object’s snapshot list attribute
  • getVmIp
    • Updates the vm object’s IP address to match the vm
  • getUsername
    • Returns the vm’s username
  • isPoweredOff
    • Returns true or false
  • isPoweredOn
    • Returns true or false
  • makeDirOnGuest
    • Creates a directory on the specified vm
  • powerOn
    • Turns on the vm
  • powerOff
    • Turns off the vm
  • revertToSnapshot
    • Reverts the vm to a given snapshot
  • runCmdOnGuest
    • Runs a command or executable on the vm
  • setPassword
    • Updates the password in the vm object
  • setUsername
    • Updates the username in the vm object
  • takeSnapshot
    • Takes a snapshot of the vm
  • updateProcList
    • Updates the process list in the vm object
  • uploadAndRun
    • Uploads a script or executable file and runs it
  • uploadFileToGuest
    • Uploads a file to the vm
  • waitForTask
    • Waits for a given task to complete before allowing continued execution. Most of the API calls can be synchronous or asynchronous. This function allows us to toggle between the two.

 

How are you implementing the functions?

The basic layout is this: for each hypervisor (currently two), there are two classes. The first class is the hypervisor class. It contains all the attributes required to make the hypervisor work, like IP address, login information, and vm list. The other class is the vm class with supporting functions and attributes associated with the vms to handle normal vm interactions with snapshots, process lists, IP addresses, and the hypervisor. By overloading the function names across the vm classes, we can interact with any vm exactly the same, regardless of the hypervisor (or type of hypervisor) on which it runs.
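An added sketch of the layout just described and of the sync/async toggle that waitForTask provides; this is not code from rapid7/vm-automation. The backends are in-memory fakes (the real classes wrap pyvmomi and vmrun), so the hypervisor state dictionaries, the Task class and run_payload_test are this example's own assumptions, while the method names follow the list above.

```python
import time


class Task:
    """Handle for a hypervisor operation; its effect is applied when polled."""
    def __init__(self, apply, done=False):
        self._apply, self.done = apply, False
        if done:                  # synchronous backends finish immediately
            self.poll()

    def poll(self):
        if not self.done:
            self._apply()
            self.done = True
        return self.done


class FakeHypervisor:
    """Hypervisor class: login details, the vm list, and fake guest state."""
    def __init__(self, address, username, password):
        self.address, self.username, self.password = address, username, password
        self.vmList = []
        self.power = {}           # constructed: vm name -> powered on?
        self.snapshots = {}       # constructed: vm name -> [snapshot names]
        self.guest_fs = {}        # constructed: (vm name, path) -> bytes


class BaseVm:
    """Vm class: the same method names whatever the hypervisor underneath."""
    def __init__(self, hypervisor, name, username, password):
        self.hypervisor, self.name = hypervisor, name
        self.username, self.password = username, password
        self.procList = []
        hypervisor.vmList.append(self)

    def waitForTask(self, task, timeout=5.0):
        # Turns any asynchronous call into a synchronous one.
        deadline = time.monotonic() + timeout
        while not task.poll():
            if time.monotonic() > deadline:
                raise TimeoutError(f"{self.name}: task did not complete")
        return task

    def _setPower(self, state):
        self.hypervisor.power[self.name] = state

    def isPoweredOn(self):
        return self.hypervisor.power.get(self.name, False)

    def takeSnapshot(self, name):
        self.hypervisor.snapshots.setdefault(self.name, []).append(name)
        return Task(lambda: None, done=True)

    def revertToSnapshot(self, name):
        if name not in self.hypervisor.snapshots.get(self.name, []):
            raise LookupError(f"{self.name}: no snapshot {name!r}")
        return Task(lambda: self._setPower(False), done=True)

    def uploadFileToGuest(self, local_bytes, remote_path):
        fs, key = self.hypervisor.guest_fs, (self.name, remote_path)
        return Task(lambda: fs.__setitem__(key, local_bytes), done=True)

    def runCmdOnGuest(self, cmd):
        if not self.isPoweredOn():
            raise RuntimeError(f"{self.name} is powered off")
        self.procList.append(cmd)
        return f"ran {cmd} as {self.username}"

    def uploadAndRun(self, local_bytes, remote_path):
        self.waitForTask(self.uploadFileToGuest(local_bytes, remote_path))
        return self.runCmdOnGuest(remote_path)


class FakeEsxiVm(BaseVm):
    """Stands in for the pyvmomi-backed class: power ops return pending tasks."""
    def powerOn(self):
        return Task(lambda: self._setPower(True))
    def powerOff(self):
        return Task(lambda: self._setPower(False))


class FakeWorkstationVm(BaseVm):
    """Stands in for the vmrun-backed class: power ops block and return done."""
    def powerOn(self):
        return Task(lambda: self._setPower(True), done=True)
    def powerOff(self):
        return Task(lambda: self._setPower(False), done=True)


def run_payload_test(vm, payload_bytes, remote_path):
    # One test-range cycle, written once and usable with either vm class.
    vm.waitForTask(vm.revertToSnapshot("clean"))
    vm.waitForTask(vm.powerOn())
    output = vm.uploadAndRun(payload_bytes, remote_path)
    vm.waitForTask(vm.powerOff())
    return output
```

Calling powerOn on the ESXi-style vm without waitForTask leaves the guest not yet powered on, which is exactly the case the real library's waitForTask exists to handle.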

 

Moving forward

The obvious thing is that we need to support more hypervisors: I would love to support cheaper or free virtualization options like VirtualBox or even Hyper-V.

 

I hope that this library proves as useful to others as it would have been to me over the years. I welcome anyone who would like to contribute, especially if they want to start work on supporting extra hypervisors! It is a relatively simple project. I think if we do it right it will see a lot of use, and we can help a lot of people.

UPDATE: With the release of version 4.15 on July 19, 2017, commercial Metasploit 32-bit platforms (Metasploit Pro, Metasploit Express, and Metasploit Community) no longer receive future product or content updates. These platforms are now obsolete and are no longer supported.

 

Rapid7 announced the end of life of commercial Metasploit 32-bit versions for both Windows and Linux operating systems on July 5th, 2017. This announcement applies to all editions: Metasploit Pro, Metasploit Express and Metasploit Community. After this date Metasploit 32-bit platforms will not receive product or content updates. Metasploit Framework will continue to provide installers and updates for the 32-bit versions.

 

Milestone | Description | Date
End-of-life announcement date | The date the end of life was announced to the general public. | July 5th, 2016
Last date of available installers | The last date Rapid7 will generate 32-bit installers. After this date, Rapid7 will continue to provide updates until the last date of support. | July 5th, 2016
Last date of support | The last date to receive service and support for the product. After this date, all support services for the product are unavailable, and the product becomes obsolete. | July 5th, 2017

 

 

Product Migrations

Customers are encouraged to migrate to the 64-bit versions of Metasploit; installation files can be found at the following link. When upgrading to 64-bit, there may be changes to system requirements, including memory, so please view the system requirements to see whether your current system meets the minimum. To migrate to a newer platform, create a platform-independent backup and restore it on the new system. Please see this page to learn how to determine if you need to migrate, how to do a backup/restore, and about other related topics.

 

More Information

Brendan Watters

Metasploit Wrapup

Posted by Brendan Watters Employee Jun 30, 2017

Metasploit Hackathon

We were happy to host the very first Metasploit framework open source hackathon this past week at the Rapid7 Austin office. Eight Metasploit hackers from outside of Rapid7 joined forces with the in-house team and worked on a lot of great projects, small and large.

 

@bcook started the hackathon working with @sempervictus on his amazing backlog of framework features, including REX library improvements, UDP sessions, TLS encrypted sessions, and support for running framework in Rubinius. We had a lot of good chats on how to move forward with bigger features, and our trees have begun to converge more.

 

@zerosteiner worked on server support for the Net-ssh library and, having just dropped Railgun support for OSX Meterpreter, gave a talk on it at BSides Cleveland. On the module side, we got the long-awaited DNS injection module from @kingsabri rewritten and enhanced. @bcook worked a lot with @mubix, whose intense testing and feedback made the module really great. Mubix served a unique role at the hackathon, testing everyone's ideas and providing a critical eye on usability and reliability in engagements. @bcook also worked with @sure-fire testing public PoC code for CVE-2017-3881 on a variety of Cisco gear, and we were able to convert @artkond's great research into another module PR.

 

@bperry stopped by with his guitar, and worked on a plugin for the Arachni web scanner. In his words, "This complements the sqlmap plugin well, going from general web app scanning with arachni to full exploitation with sqlmap straight from Metasploit. It's something I've wanted in Metasploit for a while now." He also composed a song for the occasion.

 

@bcook worked on a long-awaited search function for the Metasploit RPC interface while @mubix added a nifty new plugin that publishes an RSS feed of shells as they come in. While testing various things, @mubix noticed that his database was taking a long time to delete a workspace. @darkbushido took a look and found that we could speed up deleting workspaces by several orders of magnitude by using a different method.

 

Joining the hackathon virtually, @oj completed his PR for an all-new crypto layer for Meterpreter transports, which provides application-layer encryption for sessions independent of the transport used. It also has the nice effect of reducing the size of Windows meterpreter 5-fold!

 

@bwatters-r7, @hdm, @kernelsmith, @acammack-r7, and @izobashi also worked on a number of interesting projects, like a socks5 proxy, automated payload testing, selfhash support, and mimipenguins integration. We will be covering those as they make their way into the PR queue. In total, the hackathon was a great success and we look forward to having another one soon.

 

Passwords

In the continual game of cat and mouse with Windows password storage, Rogdham has brought the mice back on top this week. SQUEEK! Previously, Windows stored hashes using RC4 hashing, but Windows 10 uses AES128. With this update, the hashdump module will work with the AES128 hashes, too.

 

catch yourself before you wreck yourself

No one likes seg faults while you're trying to be stealthy, so kudos to tkmru who added some error handling to our armle reverse_tcp payload. Previously, the payload would segfault if it could not call back. Now, if it fails to call back, it fails silently, because the best kind of failure is the kind no one notices!

 

New Modules

Exploit modules (4 new)

* Netgear DGN2200 dnslookup.cgi Command Injection by SivertPL and thecarterb exploits CVE-2017-6334

* Symantec Messaging Gateway Remote Code Execution by Mehmet Ince exploits CVE-2017-6326

* Easy File Sharing HTTP Server 7.2 POST Buffer Overflow by Marco Rivoli and bl4ck h4ck3r

Auxiliary and post modules (1 new)

* Riverbed SteelHead VCX File Read by Gregory DRAPERI and h00die

 

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Brendan Watters

Metasploit Wrapup

Posted by Brendan Watters Employee Jun 16, 2017

A fresh, new UAC bypass module for Windows 10!

Leveraging the behavior of fodhelper.exe and a writable registry key as a normal user, you too can be admin! Unpatched as of last week, this bypass module works on Windows 10 only, but it works like a charm!

 

Reach out and allocate something

This release offers up a fresh denial/degradation of services exploit against hosts running a vulnerable version of rpcbind. Specifically, you can repeatedly allocate up to four gigabytes of RAM on the remote host with predictably bad results. It becomes worse when you realize that the allocation process is outside tracked memory, so that memory will not be unallocated. As a bonus, the granularity of the module accommodates those who wish to be truly evil by allowing them to simply degrade a host's performance, rather than completely crashing it.

 

Hardware agnosticism

Thanks to our great community, this release contains a fix for a troublesome bug where a Meterpreter session would crash under a specific set of circumstances when running on an AMD CPU. The exact cause is yet to be determined, but it appears the AMD chip becomes confused about the memory it can access, and inserting an otherwise bogus move instruction causes the chip to recover or somehow right itself, allowing it to execute the originally-offending instruction. If you are a bit of a hardware junkie, feel free to read more.

 

Improved reporting

There were multiple fixes to help in a less exciting, but still incredibly important, aspect of pen-testing: reporting. We fixed a bug in vulnerability reporting where Metasploit was not correctly tracking the attempted vulnerabilities so reports would be less accurate than they could be. Also, an update to our scanner modules increases the CVE references for each scan to allow better reporting or researching for methods of attack.

 

Download now supports terrible networks

A new feature allows Metasploit users to control the block size when downloading files. In most cases, this is not important, but on a network that might be slow or laggy, the ability to control block size will result in more reliable downloads. Included is an adaptive flag to drop the block size in half every time a block transfer fails. If you've never had to redteam on a bad network, count yourself lucky; if you have, you'll love this new feature.

 

It happens to the best of us

In addition to adding functionality and fixing user bugs, this release also includes a security fix reported by our community. The CSRF vulnerability is now patched; we send a hearty thank you to the reporter, @SymbianSyMoh!

 

New Modules

Exploit modules (2 new)

 

Auxiliary and post modules (1 new)

* RPC DoS targeting *nix rpcbind/libtirpc by Pearce Barry and guidovranken exploits CVE-2017-8779

 

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Summary

A vulnerability in Metasploit Pro, Express, and Community was patched in Metasploit v4.14.0 (Update 2017061301). Routes used to stop running tasks (either particular ones or all tasks) allowed GET requests. Only POST requests should have been allowed, as the stop/stop_all routes change the state of the service. This could have allowed an attacker to stop currently-running Metasploit tasks by getting an authenticated user to execute JavaScript (example below). As of Metasploit 4.14.0 (Update 2017061301), the routes for stopping tasks only allow POST requests, which validate the presence of a secret token to prevent CSRF attacks.

 

CVE-2017-5244 is classified as CWE-352 (Cross-Site Request Forgery), and its CVSSv3 base score is 3.1. This is a lower severity issue due to the complexity of deployment and the lack of data exposure, but we nevertheless strongly encourage Metasploit users to update their instances using the steps outlined under “Remediation” below. In addition, Rapid7 will be doing further review of other important routes to verify they properly restrict access.

 

Credit

Rapid7 warmly thanks Mohamed A. Baset (Founder and Cyber Security Advisor at Seekurity.com SAS de C.V. Mexico; @SymbianSyMoh) for reporting this vulnerability to us, as well as providing information to help us resolve the issue and protect Metasploit users. You can read his report on the issue here.

 

Am I affected?

Versions of Metasploit Pro, Express, and Community editions before 4.14.0 (Update 2017061301) are vulnerable to CVE-2017-5244, regardless of operating system.

 

Additional details and exploitation

While POST requests go through normal Rails anti-CSRF verification, this doesn’t apply to GET requests. Routes that aren’t idempotent (i.e. they make changes) need to be limited to POST only. Since that was not the case before this patch, and the stop action could be triggered through GET requests, an attacker able to trick an authenticated user into requesting a URL which runs JavaScript could trigger the same action. It may also be possible to exploit this vulnerability by injecting network traffic impersonating the same request. This video shows the reporter exploiting this vulnerability to stop a running discovery scan.

 

Example exploitation JavaScript calling the affected route after 5 seconds:

<script>
setInterval(function(){ window.location.replace("https://127.0.0.1:3790/tasks/stop_all"); }, 5000);
</script>

 

Regardless of vector, the result of that route being called by an authenticated user would be to stop all running tasks (e.g. discovery scans, report generation). This should show up in UI notifications and task logs. In terms of impact, while some tasks can be replayed (i.e. restarted with the same configuration), there’s no way to resume the stopped tasks; thus data limited to that task may not be saved to the database, and is therefore lost.
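An added example (not Metasploit's code) of the routing bug and its fix, modelled on the advisory: a toy stand-in for Rails routing plus protect_from_forgery, with the stop routes answering GET (vulnerable) beside the POST-only form. The Router, TaskService and the simplified session-held token are this example's own assumptions; real Rails masks its tokens per request.

```python
import hmac
import secrets


class TaskService:
    """Stand-in for the Pro task engine: just a set of running task ids."""

    def __init__(self, running):
        self.running = set(running)

    def stop(self, task_id):
        self.running.discard(task_id)

    def stop_all(self):
        self.running.clear()


def new_session():
    """A logged-in user's session, holding the per-session CSRF secret."""
    return {"csrf_token": secrets.token_urlsafe(32)}


class Router:
    """Minimal stand-in for Rails routing plus protect_from_forgery."""

    def __init__(self, routes, service):
        self.routes = routes          # path -> set of allowed HTTP methods
        self.service = service

    def dispatch(self, method, path, session, params):
        allowed = self.routes.get(path)
        if allowed is None or method not in allowed:
            return 404                # no matching route (Rails RoutingError)
        if method != "GET":
            # The forgery check only runs for non-GET requests, which is why
            # a state-changing route reachable over GET bypasses it entirely.
            token = params.get("authenticity_token", "")
            if not hmac.compare_digest(token, session["csrf_token"]):
                return 422            # InvalidAuthenticityToken
        if path == "/tasks/stop_all":
            self.service.stop_all()
        elif path == "/tasks/stop":
            self.service.stop(params.get("id"))
        return 200


# Before the patch: the stop routes answered GET as well as POST.
VULNERABLE_ROUTES = {"/tasks/stop": {"GET", "POST"},
                     "/tasks/stop_all": {"GET", "POST"}}
# After the patch: POST only, so the token check always applies.
FIXED_ROUTES = {"/tasks/stop": {"POST"}, "/tasks/stop_all": {"POST"}}


def cross_site_navigation(router, session):
    """What a window.location.replace(".../tasks/stop_all") from another
    origin produces: a GET carrying the victim's session but no token."""
    return router.dispatch("GET", "/tasks/stop_all", session, {})


def legitimate_stop_all(router, session):
    """The UI's own form submission: POST with the session's token."""
    return router.dispatch("POST", "/tasks/stop_all", session,
                           {"authenticity_token": session["csrf_token"]})
```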

 

Remediation

We strongly encourage Metasploit users to update their instances to the latest version (Metasploit 4.14.0 (Update 2017061301) or above). You can find detailed update steps here. Release notes and offline installers are available here.

 

Disclosure Timeline

  • Sat, May 27, 2017: Vulnerability reported to Rapid7 by Mohamed A. Baset
  • Tue, May 30, 2017: Vulnerability confirmed by Rapid7
  • Fri, June 9, 2017: Vulnerability fixed by Rapid7
  • Sun, June 11, 2017: Rapid7 assigned CVE-2017-5244 to this vulnerability
  • Wed, June 14, 2017: Rapid7 released patch; public disclosure
  • Wed, June 14, 2017: Rapid7 reported vulnerability to MITRE

Brendan Watters

Metasploit Wrapup

Posted by Brendan Watters Employee Jun 2, 2017

It has only been one week since the last wrapup, so it's not like much could have happened, right? Wrong!

 

Misery Loves Company

After last week's excitement with Metasploit's version of ETERNALBLUE (AKA the Wannacry vulnerability), this week SAMBA had its own "Hold My Beer" moment with the disclosure that an authenticated (or anonymous) client can upload a shared library to a SAMBA server, and that server will happily execute the library! The vulnerability is present in all versions of SAMBA since 2010 and was only patched a few days ago. That length of time paired with the number, simplicity, and price points of the devices that run SAMBA mean that this vulnerability will be around for a very, very long time. The always-original internet appears to have dubbed this "Sambacry" whereas we here at Rapid7 have taken a more animated path in our references. In the scant week since the vulnerability was released, we've already landed and improved a module that takes advantage of the vulnerability, and it works on fifteen different computing architectures. Because SAMBA runs on so many different architectures, and we're supporting them, this really is the perfect opportunity to go out and play with the new and improved POSIX Meterpreter!

 

Make New Friends, But Keep the Old

Just because we had a shiny new exploit does not mean we forgot about our old friend from last week, ETERNALBLUE. This update sees several improvements to last week's module, including:

  • An improved architecture verification when port 135 is blocked
  • Ignoring and continuing if the target does not reply to an SMB request
  • OS Verification

 

We've Got Your Back

Not too long ago, we added a module to migrate from one architecture to another on Windows hosts. Unfortunately, if you were running as an elevated user, the new session did not maintain those privileges. Now, if you try to migrate as SYSTEM, we'll stop you and make sure you really want to privdesc(?) yourself.

 

Speaking of Running Metasploit in Strange Places

zombieCraig has extended support for the hardware bridge in Metasploit, squashing bugs and adding two new commands: testerpresent and isotpsend. The first sends keepalive packets in the background to maintain the diagnostic connection, and the second allows communication with ISO-TP compatible modules. We've also added a module to dump credentials on scadaBR systems.

 

Target your Target

For those who have enjoyed the recent Office Macro exploit, you can now embed it into custom docx templates for that personal touch.

 

New Modules

Exploit modules (5 new)

 

Get It

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

 

More Improvements

egypt

Metasploit Wrapup

Posted by egypt Employee May 26, 2017

It has been an intense couple of weeks in infosec since the last Wrapup and we've got some cool things for you in the latest update.

 

Hacking like No Such Agency

I'll admit I was wrong. For several years, I've been saying we'll never see another bug like MS08-067, a full remote hole in a default Windows service. While I'm not yet convinced that MS17-010 will reach the same scale as MS08-067 did, EternalBlue has already done substantial damage to the internet. Rapid7 bloggers covered a bunch of the details last week.

EternalBlue: Metasploit Module for MS17-010

 

Since the last Wrapup, we've added an exploit for EternalBlue that targets x64 on the Windows 7 kernel (including 2008 R2). Updates are in the works to cover x86 and other kernels. There is also a scanner that can reliably determine exploitability of MS17-010, as well as previous infection with DOUBLEPULSAR, the primary payload used by the original leaked exploit.

 

While EternalBlue was making all the headlines, we also landed an exploit module for the IIS ScStoragePathFromUrl bug (CVE-2017-7269) for Windows 2003 from the same dump. This one requires the victim to have WebDAV enabled, which isn't default but is really common, especially on webservers of that era. Since 2003 is End of Support, Microsoft is not going to release a patch.

 

Dance the Samba

In the few days since we spun this release, we also got a shiny new exploit module for Samba, the Unixy SMB daemon that runs on every little file sharing device ever. Expect some more discussion about it in the next wrapup. In the mean time, you can read more about the effects of the bug.

 

WordPress PHPMailer

WordPress, which powers large swaths of the internet, embeds a thing called PHPMailer for sending email, mostly for stuff like password resets. Earlier this May, security researcher Dawid Golunski published a vulnerability in PHPMailer. The vulnerability is similar to CVE-2016-10033, discovered by the same researcher. Both of these bugs allow you to control arguments to sendmail(1).

 

Now, vulns in WordPress core are kind of a big deal, since, as previously mentioned, WP is deployed everywhere. Unfortunately (or maybe fortunately, depending on your perspective), there is a big caveat: Apache, since 2.2.32 and 2.4.24, changes a default setting, HttpProtocolOptions, to disallow the darker corners of RFC 2616, effectively mitigating this bug for most modern installations.
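As an added illustration (not code from this post, from Apache or from the Metasploit module), the Python check below shows what a strict Host header grammar does to the values at issue: anything that is not a plausible hostname, IPv4 address or bracketed IPv6 literal, optionally followed by a port, is rejected before a server name derived from it can reach code such as a mail sender address. The exact character set is an assumption, chosen to be at least as conservative as the RFC 3986 host grammar; every sample value is constructed for the demonstration.

```python
import re

# One DNS label: alphanumerics and interior hyphens, 1..63 characters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"

# Host = bracketed IPv6 literal | labels separated by dots (IPv4 fits this
# shape too), with an optional ":port". This is an assumed, conservative
# grammar in the spirit of "HttpProtocolOptions Strict", not Apache's code.
_HOST_RE = re.compile(
    r"(?:\[[0-9A-Fa-f:.]+\]|" + _LABEL + r"(?:\." + _LABEL + r")*\.?)(?::[0-9]{1,5})?"
)


def host_header_is_strict(value: str) -> bool:
    """Return True only if the Host header value fits the conservative grammar."""
    if not value or len(value) > 255:
        return False
    # fullmatch, not match: a trailing newline or any other junk must fail.
    if _HOST_RE.fullmatch(value) is None:
        return False
    # The regex accepts up to five digits; reject ports outside 1..65535.
    if value.startswith("["):
        if "]:" in value:
            return 1 <= int(value.rsplit("]:", 1)[1]) <= 65535
        return True
    if ":" in value:
        return 1 <= int(value.rsplit(":", 1)[1]) <= 65535
    return True


# Constructed sample values and the verdict the strict grammar should give.
# The rejected ones contain whitespace, parentheses, control characters or
# an impossible port: none of them can ever be a legitimate hostname.
SAMPLE_HOSTS = {
    "example.com": True,
    "example.com:8443": True,
    "[2001:db8::1]:443": True,
    "10.0.0.1": True,
    "example.com (x)": False,
    "exa mple.com": False,
    "example.com\n": False,
    "example.com:70000": False,
    "": False,
}


def classify(hosts):
    """Map each candidate Host value to the strict grammar's verdict."""
    return {h: host_header_is_strict(h) for h in hosts}


if __name__ == "__main__":
    for host, verdict in classify(SAMPLE_HOSTS).items():
        print(f"{host!r:25} -> {'accept' if verdict else 'reject'}")
```

The point for defenders is the direction of the check: a strict parser does not try to recognise hostile input, it only admits values that could be a host, so the injection-friendly punctuation the bug relies on never gets copied anywhere.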

 

The intrepid @wvu set forth to turn this into a Metasploit module and came out the other side with some shells and interesting discoveries that he'll cover in a more detailed technical post coming soon to a Metasploit Blog near you.

 

Railgun

While Meterpreter is a very powerful and flexible tool for post exploitation on its own, sometimes you need the flexibility to go beyond the functionality that it provides directly. There may be a special API that needs to be called to extract a credential, or a certain system call that is required to trigger an exploit. For a long time, Windows Meterpreter users have enjoyed the use of the Railgun extension, which provides a way to do just that, similar to the FFI (Foreign Function Interface) available in many scripting languages, but operating remotely. Thanks to an enormous effort by Metasploit contributor zeroSteiner, Linux users can now also take advantage of Railgun, as it is now implemented as part of the Python Meterpreter! This functionality opens the door to many new post-exploitation module possibilities, including the ability to steal cleartext passwords from gnome-keyring. See zeroSteiner's blog and his more technical companion piece for more details.

 

Steal all the things

This week's update also continues the fine tradition of Stealing All the Things(tm). The aforementioned gnome-keyring dumper allows you to steal passwords from a logged-in user. In a similar vein, if you have a shell on a JBoss server, post/multi/gather/jboss_gather will give you all the passwords. The fun thing about both of these is that they work on the principle that you have permission to read these things -- there is no exploit here, and nothing to be patched.

 

On the other side of things, auxiliary/admin/scada/moxa_credentials_recovery does take advantage of a vulnerability to grab all the creds from a cute little SCADA device.

 

New Modules

Exploit modules (10 new)

 

Auxiliary and post modules (6 new)

 

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:


To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

This week's release of Metasploit includes a scanner and exploit module for the EternalBlue vulnerability, which made headlines a couple of weeks ago when the hacking group the Shadow Brokers disclosed a trove of alleged NSA exploits. Included among them was EternalBlue, which exploits MS17-010, a Windows SMB vulnerability. This week, EternalBlue has been big news again because attackers used it to devastating effect in the highly widespread WannaCry ransomware attack. Unless you've been vacationing on a remote island, you probably already know about this; if you have somehow managed to miss it, check out Rapid7's resources on it, including guidance on how to scan for MS17-010 with Rapid7 InsightVM or Rapid7 Nexpose.

 

The Metasploit module - developed by contributors zerosum0x0 and JennaMagius - is designed specifically to enable security professionals to test their organization's vulnerability and susceptibility to attack via EternalBlue. It does not include ransomware like WannaCry does and it won't be worming its merry way around the internet.

 

Metasploit is built on the premise that security professionals need to have the same tools that attackers do in order to understand what they're up against and how best to defend themselves. The community believes in this, and we have always supported it. This philosophy drove the amazing Metasploit contributor community to take on the challenge of reverse engineering and recreating the EternalBlue exploit as quickly and reliably as possible, so they could arm defenders with the info they need. We want to say a big thanks to JennaMagius and zerosum0x0 for their work on this.

 

From a vulnerability management perspective, there are a lot of things that security practitioners can do to understand their exposure; with Metasploit, however, you can go beyond theoretical risk and show the impact of compromise. Access to systems is more concrete evidence of the problem. Metasploit effectively allows security practitioners to test their own systems and dispel the hype and speculation of headlines with facts.

 

From a penetration testing perspective, research shows that over two thirds of engagements had exploitable vulnerabilities leading to compromise. Metasploit modules such as EternalBlue enable security practitioners to communicate the real impact of not patching to the business.

 

UPDATE – May 19, 2017: Security researcher Krypt3ia wrote a blog post highlighting a possible connection between the process that zerosum0x0 and JennaMagius went through in reversing the EternalBlue exploit, and the WannaCry attack.

 

Zerosum0x0 and JennaMagius both work as security researchers at RiskSense, a provider of proactive cyber risk management solutions. In response to Krypt3ia's blog, RiskSense provided this clarification of the situation:

 

The module was developed to enable security professionals to test their organization's vulnerability and susceptibility to attack via EternalBlue. As part of their research, the researchers created a recording of the network traffic that occurs when the Fuzzbunch EternalBlue exploit is run. The purpose of this recording was to help educate other security professionals, and get feedback as they worked through the process. This kind of approach is fairly common in both the security researcher and open source contributor communities, where transparent collaboration enables individuals to pool their expertise and achieve greater results. It's possible that data from this analysis was copied and rewritten by individuals with malicious intent; we cannot confirm if this is the case or not. Unfortunately, this is a risk that is taken whenever technical information and techniques are shared publicly. Nonetheless, we believe the educational and collaborative benefits generally outweigh the risk. To our knowledge, no code from the Metasploit module was ever used in the WannaCry attacks, and once Krypt3ia's blog pointed out the possibility that some of the information may have been used by the attackers, we removed the recording from the GitHub repository to ensure no other bad actors would be able to do likewise to create variants of the malware.

 

Here’s a summary of context and the technical details:

 

    • Recording the replay and playing it back works against freshly booted boxes because the Tree Connect AndX response will assign TreeID 2048 on the first few connections, after which it will move on to other tree IDs. This is the same for the user login request. The replay would then fail because the rest of the replay is using "2048" for the tree and user IDs, and the server has no idea what the client is talking about.


    • Zerosum0x0's research supplemented these findings by noting that the strings __USERID__PLACEHOLDER__ and __TREEID__PLACEHOLDER__ were also present in the malware.

 

Replaying ANY recording of EternalBlue will produce the same result, so the attackers may have chosen to use that particular recording to throw investigators off track. It is important to note that to our knowledge no code from the Metasploit module was ever used in the WannaCry attacks.
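To make the tree ID and user ID point concrete, here is an added example (not code from the Metasploit module, from RiskSense or from this post) that parses the fixed 32-byte SMB1 header, records the UID and TID a server hands out in its Session Setup AndX and Tree Connect AndX replies, and flags any later client request that still carries a different value. That is exactly the mismatch a capture analyst would look for to tell a replayed recording from a live client. The value 2048 is the one quoted above; the other IDs and all of the packets are constructed for the demonstration and carry header fields only.

```python
import struct
from collections import namedtuple

# SMB1 header layout (32 bytes, little-endian): protocol 0..3, command 4,
# status 5..8, flags 9, flags2 10..11, pid_high 12..13, security 14..21,
# reserved 22..23, tid 24..25, pid_low 26..27, uid 28..29, mid 30..31.
SMB1_MAGIC = b"\xffSMB"
SMB_FLAGS_REPLY = 0x80
SMB_COM_TRANSACTION2 = 0x32
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_COM_TREE_CONNECT_ANDX = 0x75

SmbHeader = namedtuple("SmbHeader", "command status flags flags2 tid pid uid mid")


def parse_smb1_header(data: bytes) -> SmbHeader:
    """Decode the fixed header; raises ValueError for anything that is not SMB1."""
    if len(data) < 32 or data[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 message")
    command, status, flags, flags2, pid_high = struct.unpack_from("<BIBHH", data, 4)
    tid, pid_low, uid, mid = struct.unpack_from("<HHHH", data, 24)
    return SmbHeader(command, status, flags, flags2, tid, (pid_high << 16) | pid_low, uid, mid)


def build_smb1_header(command, *, tid=0, uid=0, mid=0, pid=0, reply=False) -> bytes:
    """Constructed header for the demonstration; no command body is attached."""
    flags = SMB_FLAGS_REPLY if reply else 0
    return (SMB1_MAGIC
            + struct.pack("<BIBHH", command, 0, flags, 0, pid >> 16)
            + b"\x00" * 8 + b"\x00\x00"
            + struct.pack("<HHHH", tid, pid & 0xFFFF, uid, mid))


def find_stale_ids(messages):
    """messages: [(direction, raw_bytes)] with direction "C" (client) or "S" (server).
    Returns (index, field, value_sent, value_assigned) for every client request
    whose UID/TID disagrees with what the server assigned earlier in the exchange."""
    assigned = {"uid": None, "tid": None}
    problems = []
    for i, (direction, raw) in enumerate(messages):
        hdr = parse_smb1_header(raw)
        if direction == "S":
            # The server's reply is the only authority on which IDs are valid.
            if hdr.command == SMB_COM_SESSION_SETUP_ANDX:
                assigned["uid"] = hdr.uid
            elif hdr.command == SMB_COM_TREE_CONNECT_ANDX:
                assigned["tid"] = hdr.tid
            continue
        # A Session Setup request carries no UID yet, a Tree Connect no TID yet;
        # every other client request must echo the server-assigned values.
        if (assigned["uid"] is not None and hdr.command != SMB_COM_SESSION_SETUP_ANDX
                and hdr.uid != assigned["uid"]):
            problems.append((i, "uid", hdr.uid, assigned["uid"]))
        if (assigned["tid"] is not None
                and hdr.command not in (SMB_COM_SESSION_SETUP_ANDX, SMB_COM_TREE_CONNECT_ANDX)
                and hdr.tid != assigned["tid"]):
            problems.append((i, "tid", hdr.tid, assigned["tid"]))
    return problems


def simulate_replay(server_uid, server_tid, replay_uid=2048, replay_tid=2048):
    """A replayed client keeps using the IDs from the recording (2048 by default)
    while the server assigns whatever it likes; the result lists the mismatches."""
    exchange = [
        ("C", build_smb1_header(SMB_COM_SESSION_SETUP_ANDX, mid=1)),
        ("S", build_smb1_header(SMB_COM_SESSION_SETUP_ANDX, uid=server_uid, mid=1, reply=True)),
        ("C", build_smb1_header(SMB_COM_TREE_CONNECT_ANDX, uid=replay_uid, mid=2)),
        ("S", build_smb1_header(SMB_COM_TREE_CONNECT_ANDX, uid=server_uid, tid=server_tid,
                                mid=2, reply=True)),
        ("C", build_smb1_header(SMB_COM_TRANSACTION2, uid=replay_uid, tid=replay_tid, mid=3)),
    ]
    return find_stale_ids(exchange)


if __name__ == "__main__":
    print("fresh box, server hands out 2048/2048:", simulate_replay(2048, 2048))
    print("later, server hands out 2049/2050:   ", simulate_replay(2049, 2050))
```

On the freshly booted case the replayed IDs happen to coincide with the assigned ones and nothing is flagged; once the server moves on to other IDs, every request after the login is talking about a user and tree the server never issued, which is the failure described above.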

 

To be successful, the attackers independently implemented sending the network traffic in C; constructed additional code to interact with DoublePulsar (which is a significantly harder undertaking than just replaying the recorded traffic), implemented the rest of their malware (maybe before or after), and then released it on the world.

 

Again, Rapid7 wants to reiterate how much we appreciate community participants such as zerosum0x0 and JennaMagius, who contribute their time and expertise to better arm organizations to defend themselves against cyberattackers.

The Python Meterpreter has received quite a few improvements this year. In order to generate consistent results, we now use the same technique to determine the Windows version in both the Windows and Python instances of Meterpreter. Additionally, the native system language is now populated in the output of the sysinfo command. This makes it easier to identify and work with international systems.

 

The largest change to the Python Meterpreter is the addition of Railgun functionality. Railgun - in the context of the Metasploit Framework - refers to a set of features available in the standard API (stdapi) extension of Meterpreter. The intention of the feature set is to allow the Metasploit side to call functions in native libraries on the compromised host. This has some very practical applications when it comes to post exploitation, but is also used in some older local exploit modules. The functionality has been around since 2010, but until recently was only supported by the native Windows Meterpreter.

 

Recent additions to Metasploit are expanding the scope of this functionality to support non-Windows platforms. Specifically, the Python Meterpreter has received support for these Railgun API functions when on the Windows and Linux platforms. Bringing this functionality to the Linux platform will increase what Metasploit users can do with their sessions.

 

To demonstrate the functionality, one of the newest Linux post-exploit modules uses Railgun to call functions in libgnome-keyring.so.0 as the current user. This is then used to enumerate and extract all plaintext passwords that it holds for the user - all without having to write any files to disk.

 

Without Railgun, the common way to call native library code was to upload a precompiled binary to perform the necessary tasks, or to upload the source and compile one on the target. Most penetration testers want to avoid writing things to disk for obvious reasons. With expanded Railgun support, uploading files like these isn't necessary.
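The Railgun passages above (in the May 26 Wrapup and in this post) describe the mechanism as a remote FFI. This added example, which is not code from the Python Meterpreter or from zeroSteiner's implementation, shows the local half of that idea with the standard library's ctypes: load the C runtime, declare each function's argument and return types, and call it, including the out-buffer shape where the caller allocates memory that the library fills in. The libc functions used (getpid, gethostname, strlen) are real and were chosen because they are harmless; loading libc by name through find_library is an assumption that holds on Linux, BSD and macOS.

```python
import ctypes
import ctypes.util
import os
import socket

# Resolve the C runtime. find_library("c") gives "libc.so.6" on glibc systems;
# CDLL(None) falls back to the symbols already mapped into this process.
_libc_name = ctypes.util.find_library("c")
libc = ctypes.CDLL(_libc_name, use_errno=True) if _libc_name else ctypes.CDLL(None, use_errno=True)

# Declaring argtypes/restype is the FFI counterpart of a Railgun function
# definition: without it, ctypes assumes int for everything and would, for
# example, truncate a 64-bit pointer or size_t to 32 bits.
libc.getpid.argtypes = []
libc.getpid.restype = ctypes.c_int

libc.gethostname.argtypes = [ctypes.c_char_p, ctypes.c_size_t]
libc.gethostname.restype = ctypes.c_int

libc.strlen.argtypes = [ctypes.c_char_p]
libc.strlen.restype = ctypes.c_size_t


def ffi_getpid() -> int:
    """Simplest call shape: no arguments, scalar return."""
    return libc.getpid()


def ffi_strlen(data: bytes) -> int:
    """Pointer argument: a bytes object is passed as a NUL-terminated char*."""
    return libc.strlen(data)


def ffi_gethostname(bufsize: int = 256) -> str:
    """Out-buffer shape: the caller owns the memory, the library writes into it.
    Railgun models the same pattern with its output buffer parameter types."""
    buf = ctypes.create_string_buffer(bufsize)
    if libc.gethostname(buf, bufsize) != 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))
    return buf.value.decode()


def ffi_agrees_with_python() -> bool:
    """Cross-check the raw calls against the interpreter's own wrappers."""
    return ffi_getpid() == os.getpid() and ffi_gethostname() == socket.gethostname()


if __name__ == "__main__":
    print("pid:", ffi_getpid(), "host:", ffi_gethostname(), "strlen:", ffi_strlen(b"railgun"))
```

Nothing here touches the disk: the library is already mapped, the buffer lives in process memory, and the result comes back as a Python value, which is the property the paragraph above is after.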

 

For more technical details on how the new Python Meterpreter Railgun implementation works, check out this War Room blog post.

Integrating InsightVM or Nexpose (Rapid7's vulnerability management solutions) with Metasploit (our penetration testing solution) is a lot like Cupid playing “matchmaker” with vulnerabilities and exploit modules. When a vulnerability scan is imported into Metasploit, many things happen under the hood, outside of generating host, service, and vulnerability data in your workspace. In much the same way that Cupid takes into account the qualities of the individuals he is matchmaking, when a host’s service is found to have a vulnerability, Metasploit will check its ever growing store of modules for one that can potentially be run against the host’s vulnerabilities. This is referred to as an Automatic Exploitation Match. Match generation takes into account not only the vulnerability, but attributes of the host like platform, architecture, etc. This special set of criteria leads to the generation of module matches that have a pretty high chance of successfully being run on the host. Of course, just like with Cupid’s matchmaking, given the uncertain nature of networking environments and other factors, the default configuration for a module may not always work without some tweaking of parameters (e.g. using a bind payload for a target that is behind a NAT). Two people may be compatible, but sometimes things just don’t work out.

 

[Screenshot] The Vuln count is over 9000!! X.X

 

Modules that have been matched with vulnerable hosts can be viewed at a single vulnerability instance's related modules tab. This is all well and good, but vulnerability instances are attributed to a single host, which means the same Vulnerability definition will show up in several Vulnerability instances, one for each host that has an instance of that Vulnerability. When dealing with a non-trivial environment containing several hosts, the table of Vulnerabilities quickly explodes in number, becoming difficult to manage and make sense of. This can be similar to the feeling of being overwhelmed by the plenty of fish that are out there in the sea: a lot of noise, when you really just want to know which are even compatible. It is difficult to determine which vulnerability instances actually have modules that can be used against them, since you have to click through each Vulnerability instance's related modules tab in turn to see. If only there was a way to view the results of matchmaking modules with vulnerabilities in an intuitive and productive way…

 

[Screenshot] Introducing the Applicable Modules tab: a list of modules that can be run against targets in your workspace.

 

[Screenshot] Quick visibility into associated hosts and vulnerability instances with aggregated counts.

 

With the latest release of Metasploit Pro, we introduce the Applicable Modules tab to the workspace analysis view. This view aims to solve the problem of making sense of a massive list of vulnerabilities. Similar to the way a single vulnerability page has a related modules tab, the Applicable Modules tab in workspace analysis aggregates a list of related modules across all vulnerable instances in your workspace. Along with each module entry in this list, relevant metadata related to the module are also quickly viewable, including the affected hosts and associated vulnerabilities. Hover over the various metadata entities to view additional information, such as services on a host or a full vulnerability description, without having to navigate away from the page. You can click on a module to autoconfigure a module run with all affected hosts filled in as targets. This list defaults to being sorted by module release date, so you can quickly see the latest hotness Metasploit has to offer that can target hosts in your environment. The Applicable Modules table densely packs and associates host, vuln, and module-matching information that is relevant to your workspace into a single view, allowing for deeper insight at a glance.
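To show the matching and aggregation described above and in the opening paragraph in working code, here is an added example; it is not Metasploit Pro's implementation and uses a constructed workspace with placeholder addresses, vulnerability names, reference ids and module names. A module matches a vulnerability instance when they share a reference and the host's platform and architecture fit the module's metadata; the Applicable Modules view then groups matches per module across every host and sorts by module release date, newest first.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    address: str
    platform: str   # e.g. "windows", "linux"
    arch: str       # e.g. "x86", "x64"


@dataclass(frozen=True)
class VulnInstance:
    host: str        # address of the host this instance belongs to
    name: str        # vulnerability definition name
    refs: frozenset  # reference ids shared with module metadata


@dataclass(frozen=True)
class Module:
    fullname: str
    refs: frozenset
    platforms: frozenset  # empty means any platform
    arches: frozenset     # empty means any architecture
    disclosed: str        # ISO date used for the default sort


def module_matches(module, host, vuln):
    """Reference overlap plus host platform/arch compatibility."""
    if not module.refs & vuln.refs:
        return False
    if module.platforms and host.platform not in module.platforms:
        return False
    if module.arches and host.arch not in module.arches:
        return False
    return True


def applicable_modules(hosts, vulns, modules):
    """Aggregate matches per module across every vulnerability instance in the
    workspace, newest module first, the way the Applicable Modules tab lists them."""
    by_address = {h.address: h for h in hosts}
    by_name = {m.fullname: m for m in modules}
    matched = defaultdict(lambda: {"hosts": set(), "vulns": set()})
    for vuln in vulns:
        host = by_address[vuln.host]
        for module in modules:
            if module_matches(module, host, vuln):
                matched[module.fullname]["hosts"].add(host.address)
                matched[module.fullname]["vulns"].add(vuln.name)
    rows = [
        {"module": name, "disclosed": by_name[name].disclosed,
         "hosts": sorted(d["hosts"]), "vulns": sorted(d["vulns"])}
        for name, d in matched.items()
    ]
    rows.sort(key=lambda r: (r["disclosed"], r["module"]), reverse=True)
    return rows


# Constructed sample workspace: addresses are documentation ranges, and the
# names, reference ids and module paths are placeholders, not real modules.
HOSTS = [
    Host("192.0.2.10", "windows", "x64"),
    Host("192.0.2.11", "windows", "x86"),
    Host("192.0.2.12", "linux", "x64"),
]
VULNS = [
    VulnInstance("192.0.2.10", "smb-server-bug", frozenset({"REF-SMB-1"})),
    VulnInstance("192.0.2.11", "smb-server-bug", frozenset({"REF-SMB-1"})),
    VulnInstance("192.0.2.11", "webdav-bug", frozenset({"REF-WEBDAV-1"})),
    VulnInstance("192.0.2.12", "samba-bug", frozenset({"REF-SAMBA-1"})),
]
MODULES = [
    Module("exploit/example/smb_x64_only", frozenset({"REF-SMB-1"}),
           frozenset({"windows"}), frozenset({"x64"}), "2017-05-17"),
    Module("exploit/example/smb_any_arch", frozenset({"REF-SMB-1"}),
           frozenset({"windows"}), frozenset(), "2017-05-01"),
    Module("exploit/example/webdav", frozenset({"REF-WEBDAV-1"}),
           frozenset({"windows"}), frozenset(), "2017-03-31"),
    Module("exploit/example/samba", frozenset({"REF-SAMBA-1"}),
           frozenset({"linux"}), frozenset(), "2017-05-24"),
    Module("exploit/example/unrelated", frozenset({"REF-OTHER-1"}),
           frozenset(), frozenset(), "2017-05-25"),
]


def example_rows():
    return applicable_modules(HOSTS, VULNS, MODULES)


if __name__ == "__main__":
    for row in example_rows():
        print(f"{row['disclosed']}  {row['module']:32} hosts={len(row['hosts'])} vulns={row['vulns']}")
```

Two details carry the value of the view: the same vulnerability definition on two hosts collapses into one row with a host count of two, and the x64-only module is listed for the x64 host alone even though both Windows hosts share the reference, which is the platform/architecture filtering the opening paragraph mentions.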

[Screenshot] Handy hover-overs to view further details without having to navigate away from the page.

 

Metasploit generates quite a bit of insightful data regarding the relationship of vulnerabilities found in your workspace and their exploitability via modules. The Applicable Modules workspace analysis tab intuitively presents the relevant information relating hosts, vulnerabilities, and the exploit modules within Metasploit by listing modules that can target assets in your environment. Be sure to also catch the other productivity enhancements included in the latest release: “Single Host’s modules view as a searchable/sortable table” and “Pushing InsightVM and Nexpose Exceptions and Validations from Task Chains”. All is fair in <3 and Infosec. Happy exploiting, friends!

Ghost...what???

hdm recently provided a new exploit module for a type confusion vulnerability that exists in Ghostscript versions 9.21 and earlier, allowing remote code execution on the target. And to "kick it up a notch", this exploit got itself a snazzy logo which also contains the exploit:

GhostButt

(spoiler alert: it's called GhostButt)

Forever and a day

From mr_me comes a one-two punch in the form of two exploits which target an EOL'd Trend Micro appliance. Certain versions of the Threat Discovery Appliance contain both authentication bypass and command injection vulnerabilities, which can be used to gain access to the appliance and run whatevs, respectively. And because this product is no longer supported by Trend Micro, these vulns are expected to be "forever day".

 

HTA RCE FTW

If you're looking for remote code execution via an MS Office document vuln, nixawk's exploit module might fit the bill nicely. This new addition allows Framework users to easily craft a doc file containing an OLE object which references an HTML Application (HTA). When the target opens this document, the HTA is accessed over the network (Framework acting as the server, of course), and remote code execution is back on the menu.

 

Feeling constrained?

Mercurial SCM users with ssh access can now move about more freely thanks to a new exploit module from claudijd. By targeting weak repo validation in HG server's customizable hg-ssh script, users can use this module to break out of their restricted shell and execute arbitrary code. Give it a go and enjoy your new-found freedom...!

 

But wait, there's more!

Rounding out our tech updates, bcook-r7 has given us a polite push forward and "flipped the switch" so that the POSIX Meterpreter used by Framework is now providing Mettle as its payload. Not only does Mettle weigh in at about half the size of the old POSIX Meterpreter, it also provides more functionality. Additionally, it's being actively worked on these days, unlike the old POSIX Meterpreter. Yes, plz!

 

The Summer of Code is upon us!

We are excited to welcome Tabish Imran, B.N. Chandrapal, and Taichi Kotake to the Metasploit community as 2017 Google Summer of Code students. We thank everyone who took the time to participate; it was a fierce competition, with over 30 applicants. Look forward to seeing the great projects these students create this summer!

 

New Modules

Exploit modules (6 new)

 

Auxiliary and post modules (1 new)

 

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Editor's Note: While this edition of the Metasploit Wrapup is a little late (my fault, sorry), we're super excited that it's our first ever Metasploit Wrapup to be authored by a non-Rapid7 contributor. We'd like to thank claudijd - long-time Metasploit contributor, Mozilla security wrangler, and overall nice guy - for writing this post. If other Metasploit contributors want to get involved with spreading the word, we want to hear from you!

 

We should be back on track timing-wise with our Wrapup for this week on Friday.  Without any further delay, here's what's new in Metasploit versions 4.14.4 through 4.14.11.

- JE

 

Here's my number, text me maybe?

Metasploit sessions can happen at any time. Fortunately, you can always be plugged in to what's going on with the new session notifier plugin, compliments of wchen. This plugin allows you to send SMS notifications for Metasploit sessions to a variety of carriers (AllTel, AT&T wireless, Boost Mobile, Cricket Wireless, Google Fi, T-Mobile, Verizon, and Virgin Mobile) so you'll never miss out on the pwnage.

 

sms.png

 

Text-editors and Programming Languages

If you've ever been cornered by a VIM user around the water cooler and been regaled to exhaustion about why you should also choose VIM, you probably hold your ability to choose in high regard. Recently, acammack extended Metasploit to provide initial support to include more choice in what programming language you can write Metasploit modules in. The idea here would be that instead of being forced to write all modules in Ruby, you could write one in Python, Go, LOLCODE, or whatever your heart desires.

 

Improve Your Spider Sense

Many of us have had that feeling before that something doesn't add up; you can think of it as your own "hacker spider-sense." This can sometimes happen when you tell yourself, "that seemed way too easy" or "these services don't quite make sense", only to find out later that you've owned a honeypot. To help fight against this, thecarterb recently added an auxiliary module to Metasploit, which allows you to check Shodan's honeyscore to see whether your target is known to act like a honeypot, with a score between 0.0 and 1.0 (0.0 being not a honeypot and 1.0 being a honeypot). Having this data can be useful both after exploitation (to realize your blunder) or even earlier in the process to avoid an obvious honeypot before you send a single byte in its direction.

 

Waste Not, Want Not

You never know when a useful bit of information will be the key to another door. In that spirit, it's encouraged to loot as much as you can when you can. Recently, a number of useful modules have been added to help you loot as much as possible and improve your odds of success...

 

Multi Gather IRSSI IRC Passwords - This post module allows you to steal an IRSSI user's configuration file if it contains useful IRC user/network passwords. This could be helpful if you'd like to mix in a little social engineering, by impersonating your target to get additional people working for you.

 

Windows Gather DynaZIP Saved Password Extraction - This post module allows you to harvest clear text passwords from dynazip.log files. This can be pretty handy if you have an encrypted zip file that you need opened in a hurry.

 

Multiple Cambium Modules - If you find yourself testing Cambium ePMP 1000s, you're in luck, as multiple modules have been added to effectively juice all sorts of information from these devices. These modules allow you to pull a variety of configuration files and password hashes over HTTP and SNMP. This is helpful to identify a shared password or password scheme that's been re-used on other network infrastructure devices to expand your influence.

 

New Modules

Exploit Modules (5 new)

 

Auxiliary and post modules (10 new)

 

Get It

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.
