We've been cooking along here in Stately Metasploit Manor, mostly heads-down prepping for BlackHat/Defcon season. (Yes, it's that time of year already). In the meantime, we've a grab bag of mostly post modules, a drive-by update to Meterpreter, and Juan's and sinn3r's most excellent new Flash module.
Meterpreter for Visual Studio 2010
Meterpreter is the default payload that many of our Windows exploits drop on the target server, and allows for things like unified shell access, file access, etc. If you hack on Meterpreter, you may have noticed with some annoyance that some parts required VC10, while others were only compatible with Visual Studio 2008. This last week, HD Moore took a pass through the Meterpreter source code and upgraded everything required to get Meterpreter compiling on Visual Studio 10. Thanks HD!
Collaboration on modules
Also this week, contributors Ben Campbell, Loic Jaquemet and David Maloney all independently submitted modules for stealing credentials out of the Windows Group Policy Preference (GPP) XML datastores. This was an unusual circumstance -- most of the time, modules come in with one author, get a little work from sinn3r or me or somebody, and then either get rejected or land in the main Metasploit branch.
In this case, Loic was first with a Meterpreter script that later became a post module. David later submitted a similar module, and finally, Ben came on board with a third. Eventually, we managed to get everyone together on the one module, but I think that if you look at the pull request comment threads, it was a pretty painful process.
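From the defender's side, the same GPP XML files that the module reads are what an administrator should be auditing in SYSVOL. The following is an added example for that audit; it is not code from Metasploit or from the GPP module. It walks GPP preference XML and reports every element carrying a non-empty `cpassword` attribute without decrypting anything. The file names in `GPP_FILES` and the account-attribute names other than `cpassword` are taken from common GPP preference types and should be treated as assumptions, and the sample XML is constructed for this example.

```python
"""Audit Group Policy Preference XML for stored (cpassword) credentials.

Added example, not Metasploit code. Reports where a GPP preference file
still carries a cpassword attribute so it can be removed from SYSVOL.
"""
import os
import xml.etree.ElementTree as ET
from typing import Dict, List

# GPP preference files that can carry a cpassword attribute (assumed list).
GPP_FILES = ("Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml")

# Attribute names that identify the account in the different file types
# (assumed; only "cpassword" itself is required for a finding).
ACCOUNT_ATTRS = ("userName", "username", "accountName", "runAs")


def find_cpasswords(xml_text: str, source: str) -> List[Dict[str, str]]:
    """Return one finding per element with a non-empty cpassword attribute.

    A cpassword="" (empty) attribute is not a stored credential and is
    skipped. Unparseable input yields a single finding flagged with "error"
    so that a corrupt file is never silently treated as clean.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [{"source": source, "element": "<unparseable>",
                 "account": "", "error": str(exc)}]

    findings: List[Dict[str, str]] = []
    for elem in root.iter():
        cpw = elem.get("cpassword")
        if not cpw:
            continue
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "")
        # The ciphertext itself is deliberately not included in the report.
        findings.append({"source": source, "element": elem.tag,
                         "account": account})
    return findings


def scan_directory(root_dir: str) -> List[Dict[str, str]]:
    """Walk a SYSVOL-style tree and audit every GPP preference file found."""
    results: List[Dict[str, str]] = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    results.extend(find_cpasswords(fh.read(), path))
    return results


# Constructed sample: a Groups.xml that still stores a local admin password.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="LocalAdmin" changed="2012-01-01 00:00:00">
    <Properties action="U" userName="LocalAdmin"
                cpassword="c29tZS1jb25zdHJ1Y3RlZC1zYW1wbGU="/>
  </User>
  <User name="Guest">
    <Properties action="U" userName="Guest" cpassword=""/>
  </User>
</Groups>"""

# Constructed sample: a Drives.xml with no stored credential at all.
SAMPLE_CLEAN_XML = """<Drives>
  <Drive name="H:"><Properties action="U" path="\\\\fs\\home"/></Drive>
</Drives>"""


if __name__ == "__main__":
    for finding in find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(finding)
```

Run `scan_directory(r"\\dc\SYSVOL\domain\Policies")` (or a local copy of that tree) from an account that can read SYSVOL; every line of output is a preference entry whose stored credential should be removed and the underlying account's password rotated.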
Looking over the sordid history of this module, it now looks like someone should have just set up a new public GitHub project for this module. That someone was almost certainly me, so sorry for not jumping on this much sooner. If a side repo had been set up and everyone had commit rights to it to collaborate, that almost certainly would have produced better code, faster. That will definitely be the strategy for next time.
Better communication along the way could have helped as well. GitHub issues aren't the greatest way to have long conversations (outside of code critique). For this, a mailing list would have been more appropriate -- and as it happens, I have this lovely metasploit-hackers mailing list right over there on SourceForge. It's set up specifically for Metasploit development chatter, commit commenting, and other security dev nerd talk. It's not intended for regular user Q&A -- for that, stick to the Security Street community here. But, for an archived forum for dev talk, module writers might want to subscribe to metasploit-hackers to keep abreast of what's new and current in Metasploit dev-land.
Flash, RTMP, and You
Finally, this week features Juan Vazquez and Wei "sinn3r" Chen's Flash module, complete with a barebones RTMP server. I won't rehash the ripping yarn of that development process here, but will leave it to Juan's blog post from earlier this week.
Finally, here's the list of this week's new modules in our Exploit Database. Thanks to all of our open source contributors for their work on these, especially Loic and Ben for sticking it out for the GPP module.
- MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass by sinn3r and Soroush Dalili exploits MS10-065
- SugarCRM unserialize() PHP Code Execution by sinn3r, juan vazquez, and EgiX exploits CVE-2012-0694
- Adobe Flash Player Object Type Confusion by sinn3r and juan vazquez exploits CVE-2012-0779
- Adobe Flash Player AVM Verification Logic Array Indexing Code Execution by mr_me and Unknown exploits CVE-2011-2110
- Apple iTunes 10 Extended M3U Stack Buffer Overflow by sinn3r and Rh0 exploits OSVDB-83220
- Windows Gather Group Policy Preference Saved Passwords by Ben Campbell, Loic Jaquemet, Rob Fuller, TheLightCosine, and scriptmonkey
- Windows Gather TortoiseSVN Saved Password Extraction by Justin Cacak
- Windows Gather Generic File Collection by 3vi1john and RageLtMan
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For additional details on what's changed and what's current, please see the most excellent release notes.