Yo Dawg, I Heard You Like 0-Day


As you may have heard, on Monday we rolled out a special update to Metasploit to include the new Internet Explorer use-after-free exploit, a.k.a. CVE-2012-4969. Last night, while scrolling through my RSS feed for security news, I saw this NetworkWorld story about how someone is using this vulnerability to install Poison Ivy, a RAT/backdoor. Of course, astute readers of this blog will know that Poison Ivy itself is vulnerable to a stack buffer overflow condition.


Let's think about this for a second. Internet criminals are using an unpatched IE vulnerability to deliver software which is controlled by software that also has an unpatched vulnerability.


So, if you happen across a vulnerable client during a penetration test, it would behoove you to check whether anyone is connected to Poison Ivy's listening socket, TCP/3460. From there, you should be able to discover whether any /other/ assets that are in scope for your test are already controlled. Exact details of how to accomplish that are left as an exercise for the reader. (:
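The scoping step described above, as an added example that is not part of the original post or of Metasploit: given netstat-style socket lines from a host suspected of running a Poison Ivy listener, flag the TCP/3460 listener and collect the remote peers with established connections to it, which is the same question an incident responder asks when sizing up how far an infection has spread. The sample output, the `Socket` record and the function names are assumptions constructed for this example.

```python
"""
Added example (not from the Rapid7 post): triage netstat-style output
for a Poison Ivy listener on TCP/3460 and the hosts connected to it.
"""
import re
from dataclasses import dataclass

POISON_IVY_PORT = 3460  # Poison Ivy's default listening port, as noted in the post

# Constructed sample of `netstat -an`-style output; not a real capture.
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    0.0.0.0:3460           0.0.0.0:0              LISTENING
TCP    10.1.2.15:3460         10.1.2.77:49213        ESTABLISHED
TCP    10.1.2.15:3460         10.1.2.91:51002        ESTABLISHED
TCP    10.1.2.15:49160        93.184.216.34:443      ESTABLISHED
UDP    0.0.0.0:500            *:*
"""

LISTEN_STATES = {"LISTENING", "LISTEN"}  # Windows and Linux spellings


@dataclass(frozen=True)
class Socket:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str


_ADDR = re.compile(r"^(.+):(\d+|\*)$")


def _split_addr(addr):
    """Split 'ip:port' into (ip, port); a '*' port becomes -1."""
    m = _ADDR.match(addr)
    if not m:
        raise ValueError(f"unparseable address: {addr}")
    port = -1 if m.group(2) == "*" else int(m.group(2))
    return m.group(1), port


def parse_netstat(text):
    """Parse netstat-style lines into Socket records; header and UDP rows are skipped."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].upper() != "TCP":
            continue
        state = parts[3] if len(parts) > 3 else ""
        lip, lport = _split_addr(parts[1])
        rip, rport = _split_addr(parts[2])
        sockets.append(Socket("TCP", lip, lport, rip, rport, state))
    return sockets


def poison_ivy_listener_present(sockets, port=POISON_IVY_PORT):
    """True if any TCP socket is listening on the Poison Ivy port."""
    return any(s.local_port == port and s.state in LISTEN_STATES for s in sockets)


def poison_ivy_peers(sockets, port=POISON_IVY_PORT):
    """Remote IPs with an ESTABLISHED connection to the local Poison Ivy port.

    Each one is a host that should be treated as already compromised until
    it has been examined.
    """
    return sorted(
        {s.remote_ip for s in sockets if s.local_port == port and s.state == "ESTABLISHED"}
    )


def triage(text, port=POISON_IVY_PORT):
    """One-shot summary: is the listener up, and who is talking to it?"""
    sockets = parse_netstat(text)
    return {
        "listener": poison_ivy_listener_present(sockets, port),
        "peers": poison_ivy_peers(sockets, port),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_NETSTAT))
```

The outbound 443 connection in the sample is deliberately ignored: only sockets whose local port is 3460 matter, so ordinary client traffic from the same host does not pollute the peer list. Against real output, feed the script `netstat -an` captured from the host in question rather than the constructed sample.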


By the way, if you haven't yet had a chance to test the Metasploit module for the Internet Explorer vulnerability, here's a video of Eric Romang taking it for a spin. Huge thanks again to Eric and @binjo for throwing in on all this. Getting the word out on these high-value bugs really does kill their usability for the bad guys.


New Modules


Of course, there's more in this update than just a refresh of the MSIE exploit. Egypt has a nice new local exploit for Linux's udev, discovered by kcope, which is pretty nifty. So, here's the list -- for details and usage, follow the links to our Exploit Database.


Exploit modules


Auxiliary modules





If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.


For additional details on what's changed and what's current, please see the most excellent release notes.