After the last couple of bumper crops of exploits, having merely six new modules this week is kind of a relief, at least from an editing standpoint. Of course, one of them is for a fresh Adobe Flash exploit, so let's jump into that.
Flash Malware Module
This week's update features an exploit for Adobe Flash, which Metasploit exploit developers Wei "sinn3r" Chen and Juan Vazquez wrote about last week. Since that blog post, there have been a few updates to add in more valid targets -- the current version should successfully exploit unpatched systems running Internet Explorer 6, 7, 8, and 9, tested across Windows XP SP3, Vista SP2, and Windows 7 SP1.
This variety of targets Metasploit provides is one reason why the work sinn3r and Juan do in porting live malware to Metasploit modules is so critical. Let's say you're running an IT department and you don't have complete control over the desktops in your network -- which is of course pretty much every network not running hyper-secure NAC. Since you can't patch everyone, you might rely on anti-virus (AV), intrusion protection (IPS), or application proxies to protect your constituents from getting nailed by the original exploit. However, it's difficult to know if these defenses are any good at all against variants -- in other words, you generally can't know if your AV/IPS/Proxy is merely "covering the exploit" or actually "covering the vulnerability." With the Metasploit exploit and its varied targets, you can test your own defensive gear pretty rapidly.
Incidentally, not everyone can scoop up samples of current malware, nor is it advisable to go monkeying around with known-evil code without doing a lot of prep work first. In that vein, using Metasploit exploits as a proxy for the bad guys turns out to be way more convenient, not to mention about a million times safer. Go offensive security!
HTTP Client Trickery
Speaking of testing your own environment, this update also has a couple of new auxiliary modules that can facilitate testing your users on their password management skills. The first, HTTP Client Basic Authentication Credential Collector by community contributor "saint patrick," is a pretty straightforward credential collector -- it simulates a web server that asks for a username and password. You'd be surprised at how often people will just start typing in a username/password combination when given the opportunity. Of course, if you're a cynical IT security hack, you won't be surprised at all.
The other is an HTTP Client MS Credential Relayer by community contributor Rich Lundeen. This attack is a little more involved: after picking up a set of credentials over HTTP, this module gives you the capability to turn around and immediately replay them against either another HTTP server or an SMB server. This attack isn't new, but bringing this implementation to Metasploit in a modular way is great news.
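From the defender's side, the traffic these two modules generate is an HTTP Basic challenge from, and Basic credentials sent to, a host nobody vetted. As an added example (not code from either module or from Metasploit), here is a small detector run over constructed proxy log lines that flags exactly that; the allowlist and the log format are assumptions.

```python
"""Flag HTTP Basic challenges and credentials involving hosts outside an
allowlist. Log format and allowlist are assumptions for this example."""
import base64
import binascii
from typing import Dict, List, Optional

# Hypothetical allowlist: hosts where a Basic auth prompt is expected.
TRUSTED_BASIC_HOSTS = {"intranet.example.internal"}

# Constructed proxy log lines: "<client> <host> <Header-Name>: <value>"
SAMPLE_LOG = [
    "10.0.0.5 intranet.example.internal Authorization: Basic YWxpY2U6czNjcjN0",
    '10.0.0.7 203.0.113.9 WWW-Authenticate: Basic realm="Corporate Login"',
    "10.0.0.7 203.0.113.9 Authorization: Basic Ym9iOmh1bnRlcjI=",
    "10.0.0.8 203.0.113.9 Authorization: Basic not*base64",
]


def parse_basic_username(value: str) -> Optional[str]:
    """Return the username from a 'Basic <base64>' value; the password is
    deliberately dropped so it never ends up in an alert."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None  # malformed token: not a usable Basic credential
    user, sep, _password = decoded.partition(":")
    return user if sep else None


def find_untrusted_basic_auth(lines: List[str]) -> List[Dict[str, str]]:
    """One alert per Basic challenge or credential tied to an untrusted host."""
    alerts = []
    for line in lines:
        try:
            client, host, header = line.split(" ", 2)
            name, value = header.split(":", 1)
        except ValueError:
            continue  # skip lines that do not match the assumed format
        if host in TRUSTED_BASIC_HOSTS:
            continue
        if name.lower() == "www-authenticate" and value.strip().lower().startswith("basic"):
            alerts.append({"client": client, "host": host, "kind": "challenge", "user": ""})
        elif name.lower() == "authorization":
            user = parse_basic_username(value)
            if user is not None:
                alerts.append({"client": client, "host": host, "kind": "credential", "user": user})
    return alerts


if __name__ == "__main__":
    for alert in find_untrusted_basic_auth(SAMPLE_LOG):
        print(alert)
```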
Thanks to both of you guys for your unconnected-but-related work this week!
Extending JBoss Targets
Finally, this week sees the culmination of a bunch of work from community contributor h0ng10 in improving Metasploit's support for targeting JBoss application servers. You can read the storied details and testing that happened along the way on Pull Request #663, but the end result is that we now have Meterpreter payload support for all three of our current JBoss exploits. That's pretty sweet, so thanks for your work on this, h0ng10!
Here are the new modules -- for details and usage, follow the links to our Exploit Database.
- HTTP Client Basic Authentication Credential Collector by saint patrick
- HTTP Client MS Credential Relayer by Rich Lundeen
- E-Mail Security Virtual Appliance learn-msg.cgi Command Injection by juan vazquez and iJoo exploits an unreported vulnerability
- XODA 0.4.5 Arbitrary PHP File Upload Vulnerability by juan vazquez and Shai rod exploits an unreported vulnerability
- Adobe Flash Player 11.3 Font Parsing Code Execution by sinn3r, juan vazquez, and Alexander Gavrun exploits CVE-2012-1535
- Sysax Multi Server 5.64 Create Folder Buffer Overflow by Craig Freyman and Matt "hostess" Andreko exploits OSVDB-82329
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For additional details on what's changed and what's current, please see the most excellent release notes.