Updates to the ROPDB
Hey, remember last week when we shipped that unpatched MSIE exploit? Yeah, good times. Well, first off, it's patched now, so get yourself revved up to at least MS13-080 to protect against CVE-2013-3893. That said, the story's not quite over yet.
Just about a year ago, Wei sinn3r Chen and Juan Vazquez put together the Return-Oriented Programming Database, or ROPDB. This innovation provides exploit writers a fairly generic mechanism to come up with useful ROP chains from a stock of known-good DLLs.
Fast-forward to today. If you'll remember from sinn3r's exploit for MS13-080, the in-the-wild exploit was using an Office DLL to avoid tripping up on DEP (Data Execution Prevention) -- in other words, to skip past DEP by using a ROP chain. This week, you'll find new options for using ROP chains found in shipping versions of Office 2007 and Office 2010. Turns out, many-to-most users of Internet Explorer also tend to have a version of Office installed, so exploiting MSIE bugs by using Office's shipped version of hxds.dll is a pretty safe bet. Incidentally, hxds.dll is a registered handler for "ms-help://" URI scheme, so it's available from MSIE-land.
In addition to this, the other ROP chains were reviewed and updated, so you should find some more reliability in the already-shipping chains for msfvcrt.dll and java.dll.
In other MSIE exploit news, you may have seen the report about another 0-day that was floating around for a month, also patched by MS13-080. The fact that it was known to vendors and some researchers to be circulating in the wild for a whole month with no fixit, no public alert, and no Metasploit module to let defenders test their defenses is a little disconcerting, but never mind all that -- we have a line on a sample for CVE-2013-3897 as well, so expect that to be released here Real Soon Now.
We're shipping six new modules this week -- 5 exploits, and the one bruteforcer auxiliary module for Sentry Switched CDU. If you watch the open source diffs, you'll notice that community contributor Christian FireFart Mehlmauer apparently got sick and tired of seeing the "rport" and "peer" methods defined in about 50 different modules, and did some housekeeping. Thanks FireFart!
- GestioIP Remote Command Execution by bperry
- ClipBucket Remote Code Execution by Gabby and xistence
- FlashChat Arbitrary File Upload by Brendan Coles and x-hayben21
- Siemens Solid Edge ST4 SEListCtrlX ActiveX Remote Code Execution by juan vazquez and rgod exploits OSVDB-93696
- HP LoadRunner magentproc.exe Overflow by juan vazquez and Unknown exploits CVE-2013-4800
Auxiliary and post modules
- Sentry Switched CDU Bruteforce Login Utility by Karn Ganeshen
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.