Weekly Metasploit Update: Sniffing with Meterpreter, Egg Hunting, and More!

Last updated at Thu, 11 Jan 2024 21:01:59 GMT

This week's udpate has seven new modules, a much-anticipated Meterpreter enhancement, and more, so let's jump into it.

Egg Hunting and Stack Smashing

This week's update features a spiffy new module for HP Data Protector from Juan Vazquez and Wei 'sinn3r' Chen. It uises an egg hunting technique to reconstruct the exploit's payload -- and both Wei and Juan have a detailed blog posts in the works that go into detail on the whys and wherefores of egghunter shellcode and troubleshooting payload delivery during exploit dev. So, keep an eye on the #metasploit Twitter hashtag to catch the announcement for those. Both blog posts are really pretty fascinating, especially for those of you who'd like more insight into how working Metasploit exploits are crafted.

Network Sniffing with Meterpreter

This week's update also sees a fix from Stephen Fewer on Meterpreter that enables network interface sniffing on 64-bit systems (as well as the 32-bit variety). If you weren't aware of Meterpreter's network sniffing capabilities, see the Gist screenshots posted up by HD Moore which demos it all. Using Meterpreter as a remote wiretap like this is one of the coolest and underused features of Meterpreter, so thanks Stephen for bringing it to the 64-bit builds.

Ruby Binary Encoding

Finally, this update has a fix to about a thousand of our Ruby source files -- we've added a magic comment to all our library code to treat strings as 8-bit binary fields by default. When Ruby 1.9 was released, it had this idea of native encoding for all String objects. For most web applications, this can be useful and convenient -- after all, the Internet is international, and sometimes people like to use accents and umlauts and what have you.

However, strings in Metasploit are often things like shellcode, which doesn't have any notion of "native" encoding. 0x41414141 is "AAAA" no matter how you slice it. In order to be sure that the String objects we're getting are really the String objects that we need, we've instituted this 1.8-like default behavior. It's still possible to have strings encoded to some native format, of course, but we won't UTF-8 it by default any more.

For more on String encoding, magic comments, and associated esoterica, see the best documentation around: James Edward Gray's blog post, Ruby 1.9's Three Default Encodings.

New Modules

Here are the new modules for this update. See more about how to use them in Metasploit's Exploit Database.

• Atlassian Crowd XML Entity Expansion Remote File Access by juan vazquez, Thaddeus Bogner, Trevor Hartman, and Will Caput exploits CVE-2012-2926
• Openfire Admin Console Authentication Bypass by h0ng10 and Andreas Kurtz exploits CVE-2008-6508
• Apple QuickTime TeXML Style Element Stack Buffer Overflow by sinn3r, juan vazquez, and Alexander Gavrun exploits CVE-2012-0663j
• Irfanview JPEG2000 jp2 Stack Buffer Overflow by juan vazquez, Parvez Anwar, and mr_me exploits CVE-2012-0897
• HP Data Protector Create New Folder Buffer Overflow by sinn3r and juan vazquez exploits CVE-2012-0124
• Windows Gather Unattended Answer File (unattend.xml) Enumeration by sinn3r and Sean Verity
• Windows Gather TCP Netstat by Rob Fuller

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see the most excellent release notes.