Let's Curbstomp Windows!
This week, we've got two new exploits for everyone's favorite punching bag, Microsoft Windows. First up, we'll take on Microsoft Internet Explorer. MSIE has a long and storied history of browser bugs, but truth be told, they're really pretty hard to exploit reliably these days. If you don't believe me, take a look at the hoops we had to jump through to get reliable exploits together for MS13-069.
MS13-069 was released on September 10, 2013 to address at least 10 vulnerabilies, one of them being CVE-2013-2305. This is the "Caret Use-After-Free" vulnerability, discovered and reported to Microsoft by friend of the show, corelanc0d3r. This module, written by Wei sinn3r Chen, is pretty well commented and, for extra points, uses a custom ROP chain. So, if you're looking to start your stylish and dangerous career as a MSIE bug hunder, you'd do worse than to study the notes on this module.
The other Windows exploit is for MS13-071, which patched the Windows Theme system for Windows versions prior to Windows 7. This module is particularly neat because while it's file format exploit, it comes with the option of firing up your own UNC server from within Metasploit. This was written by The World's Friendliest Exploit Dev, Juan Vazquez, and he discusses it at length in his blog post, where he discusses the path to remote code execution in detail.
Serving up file format exploits over a temporary SMB share point is pretty new (and requires you to run Metasploit as root on a non-Windows system, like Kali Linux), so it's only supported in this module on an experimental basis. If this kind of thing turns out to be useful, we can look at promoting the code involved to the SMB server mixin proper, as well as getting a better WebDAV server running as well.
We're also kicking off a Twitter hashtag-based contest for some sweet Metasploit T-shirts (because we seriously have a huge pile of these since our last design contest), and a pair of stylish (read: bright orange) Beats By Dre noise-cancelling headphones, perfect for use with Metasploit's microphone spying modules. You can read up on the details over on the Infosec Community blog post, by Rapid7 community manager Patrick Hellen.
Including the two discussed above, we've got nine new modules this week, all of them exploits.
- Raidsonic NAS Devices Unauthenticated Remote Command Execution by juan vazquez and Michael Messner exploits OSVDB-90221
- GLPI install.php Remote Command Execution by Tristan Leiter exploits CVE-2013-5696
- Western Digital Arkeia Remote Code Execution by xistence
- OpenEMR 4.1.1 Patch 14 SQLi Privilege Escalation Remote Code Execution by xistence exploits OSVDB-97482
- CA BrightStor ARCserve Tape Engine 0x8A Buffer Overflow by MC exploits OSVDB-68330
- MS13-069 Microsoft Internet Explorer Caret Use-After-Free by sinn3r and corelanc0d3r exploits MS13-069
- A-PDF WAV to MP3 v1.0.0 Buffer Overflow by Dr_IDE, d4rk-h4ck3r, and dookie exploits OSVDB-67241
- MS13-071 Microsoft Windows Theme File Handling Arbitrary Code Execution by juan vazquez and Eduardo Prado exploits MS13-071
- PCMAN FTP Server Post-Authentication STOR Command Stack Buffer Overflow by Christian (Polunchis) Ramirez and Rick (nanotechz9l) Flores exploits OSVDB-94624
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.