Time to chalk up one more victory for the forces of goodness and light in our struggle against secret 0-day.
Java 0-Day Exploit Shipped
If you pay any attention at all to the usual security news, you will certainly have already heard about how Accuvant's Josh "jduck" Drake and the Metasploit dev community pounced on the Java 0-day, aka CVE-2012-4681, aka the Java 7 Applet RCE vulnerability. We pushed this module out earlier this week as a refresh of last week's update, mainly so that Metasploit Community and Pro users could start testing right away. It is, of course, in this week's normal update as well, and this version carries a much more current description of the bug, reflecting the research done here over the days that followed our initial release.
In a moment of foreshadowing, it was in last week's blog post that I mentioned that "not everyone can scoop up samples of current malware" when explaining Metasploit's position on offensive security testing. I think this Java exploit is a perfect case in point. If it weren't for jduck's inspired detective work, followed up by the R&D work in the Metasploit community that led to this module, we might still be wondering what FireEye was talking about in their cryptic blog post. In other words, this experience just reaffirms to me that open and public exploits beat out secret and private warez kits every time. Today, we all know about the problem, we can all work toward solutions, and in the end, we can shut down this vector months ahead of anyone's schedule.
Update: Oracle has released Java 7u7, which appears effective against CVE-2012-4681. We're looking at it today to see if there's a bypass.
Meterpreter Arp and Netstat
In addition to the hoopla around Java, this release also includes two new commands for Meterpreter: netstat and arp. Both are similar to the Unix commands of the same name, providing information about the current networking goings-on of the compromised host. This kind of thing can be invaluable for figuring out the role of the current machine (what it listens on) and for discovering new targets (who it talks to, and who is on the same link). Thanks to community contributor mephos for sending in the patch.
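Neither command is something you can run outside a live session, but what you do with the output is worth spelling out. The Ruby below is an added example written for this post, not Meterpreter or Metasploit code: it takes hand-constructed listings in the general shape of `arp` and `netstat` output and turns them into a target list, flagging on-link ARP neighbors and hosts the box already holds established connections to (which is also how you notice a second network segment, like the 192.168.56.0/24 host below). The column layout, the sample addresses, and the handler address 10.0.2.2 that gets excluded are all assumptions; adjust the parsing to what your session actually prints.

```ruby
#!/usr/bin/env ruby
# Added example (not Meterpreter's own code): post-process arp/netstat-style
# listings into a pivot target list. All sample output here is constructed
# by hand for the example; real column layout may differ.
require 'ipaddr'

# Constructed sample output, not captured from a real session.
ARP_OUTPUT = <<~ARP
  ARP cache
  =========

      IP address       MAC address        Interface
      ----------       -----------        ---------
      10.0.2.1         52:54:00:12:35:00  11
      10.0.2.3         08:00:27:aa:bb:cc  11
      10.0.2.255       ff:ff:ff:ff:ff:ff  11
      224.0.0.22       01:00:5e:00:00:16  11
ARP

NETSTAT_OUTPUT = <<~NETSTAT
  Connection list
  ===============

      Proto  Local address       Remote address      State        User  Inode  PID/Program name
      -----  -------------       --------------      -----        ----  -----  ----------------
      tcp    0.0.0.0:135         0.0.0.0:*           LISTEN       0     0      780/svchost.exe
      tcp    10.0.2.15:49202     10.0.2.3:445        ESTABLISHED  0     0      4/System
      tcp    10.0.2.15:49310     192.168.56.20:1433  ESTABLISHED  0     0      2044/app.exe
      tcp    10.0.2.15:49400     10.0.2.2:4444       ESTABLISHED  0     0      1580/update.exe
      udp    0.0.0.0:161         0.0.0.0:*                        0     0      1120/snmp.exe
NETSTAT

MULTICAST     = IPAddr.new('224.0.0.0/4')
BROADCAST_MAC = 'ff:ff:ff:ff:ff:ff'
IP_RE  = /\d{1,3}(?:\.\d{1,3}){3}/
MAC_RE = /(?:[0-9a-f]{2}:){5}[0-9a-f]{2}/i

# Hosts that answered ARP are on-link: the cheapest pivot targets.
# Broadcast and multicast entries are noise and get dropped.
def arp_neighbors(arp_text)
  arp_text.each_line.map do |line|
    m = line.match(/(#{IP_RE})\s+(#{MAC_RE})/)
    next unless m
    ip, mac = m[1], m[2]
    next if mac.casecmp?(BROADCAST_MAC) || MULTICAST.include?(IPAddr.new(ip))
    ip
  end.compact
end

Conn = Struct.new(:proto, :local_ip, :local_port, :remote_ip, :remote_port, :state, :program)

# Tokenize each socket line. UDP rows carry no state column, so the state is
# detected by shape (all-caps word) rather than by position.
def parse_netstat(text)
  text.each_line.map do |line|
    tokens = line.split
    next unless %w[tcp udp tcp6 udp6].include?(tokens.first)
    proto, local, remote, *rest = tokens
    lip, lport = local.rpartition(':').values_at(0, 2)
    rip, rport = remote.rpartition(':').values_at(0, 2)
    state = rest.first.to_s.match?(/\A[A-Z_]+\z/) ? rest.first : ''
    Conn.new(proto, lip, lport, rip, rport, state, rest.last)
  end.compact
end

# Listening sockets tell you what this box is (RPC endpoint, SNMP agent, ...).
def listening_services(conns)
  conns.select { |c| c.state == 'LISTEN' || (c.proto.start_with?('udp') && c.remote_port == '*') }
       .map { |c| "#{c.proto}/#{c.local_port} #{c.program}" }
end

# Established peers are hosts this machine already reaches, so any firewall in
# between already allows the path. Exclude your own handler so it is not listed.
def established_peers(conns, exclude: [])
  conns.select { |c| c.state == 'ESTABLISHED' && !exclude.include?(c.remote_ip) }
       .map { |c| [c.remote_ip, c.remote_port] }.uniq
end

# Merge both views into ip => [reasons], so you can see why each host qualified.
def candidate_targets(arp_text, netstat_text, exclude: [])
  targets = Hash.new { |h, k| h[k] = [] }
  arp_neighbors(arp_text).each { |ip| targets[ip] << 'arp neighbor' unless exclude.include?(ip) }
  established_peers(parse_netstat(netstat_text), exclude: exclude).each do |ip, port|
    targets[ip] << "established to :#{port}"
  end
  targets
end

if $PROGRAM_NAME == __FILE__
  puts 'Listening: ' + listening_services(parse_netstat(NETSTAT_OUTPUT)).join(', ')
  candidate_targets(ARP_OUTPUT, NETSTAT_OUTPUT, exclude: ['10.0.2.2']).each do |ip, why|
    puts "#{ip.ljust(16)} #{why.join(', ')}"
  end
end
```

On the constructed data this yields 10.0.2.1 (ARP only), 10.0.2.3 (ARP neighbor that also has an SMB session open from this host) and 192.168.56.20 (off-subnet SQL Server peer, i.e. a route to a segment the attacker box cannot see directly), while the 10.0.2.2:4444 handler connection is dropped. A host that shows up in both lists is usually the best first pivot.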
Here are the new modules -- for details and usage, follow the links to our Exploit Database.
- Zabbix Server Arbitrary Command Execution by juan vazquez and Nicob exploits CVE-2009-4498
- SAP NetWeaver HostControl Command Injection by juan vazquez and Michael Jordon exploits OSVDB-84821
- Java 7 Applet Remote Code Execution by sinn3r, juan vazquez, jduck, and Unknown exploits CVE-2012-4681
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For additional details on what's changed and what's current, please see the most excellent release notes.