Browser Exploit Server
This release includes the much vaunted and anticipated BrowserExploitServer (BES) mixin, the brainchild of Metasploit exploit developer Wei @_sinn3r Chen. Metasploit, at its core, is designed to be both an exploit delivery system and exploit development system, so this new mixin should help tremendously with the latter. BES, in a nutshell, saves you, the exploit developer, a ton of time when it comes to common chores like operating system identification, browser identification, and plugin detection. It also adds some best-effort client vulnerability detection before firing off the exploit, which is handy if you need to keep your super-secret 0-day still super-secret.
There are a few other niceties in there as well, but I don't want to completely spoil the surprise. Sinn3r has written up some comprehensive documentation on using BrowserExploitServer as well as a bunch of refreshed hints on using HttpServer (which may or may not be an exploit). Note that it's on the module writer to decide which one is the right one to use; there are times where you may not want or need all the browser-y things that BES provides.
IPMI Exploiter's Diary
This week also sees the release of a proper exploit for one of the recently disclosed IPMI vulnerabilities; when the process of developing a reliable exploit has some particularly novel aspect, Metasploit exploit developer Juan Vazquez has a habit of churning out some really fascinating notes on the process. If you haven't already, check out his blog post, Exploiting the Supermicro Onboard IPMI Controller. It's a pretty detailed look at the process he and discoverer HD Moore went through to get reliable code execution on these buggers, so if you're interested in that sort of thing, or especially if you're stuck on something similar, posts like that one can really help you out.
Finally, the other exploit module this week is, in fact, the first from Meterpreter grandmaster OJ TheColonial Reeves. While cleaning up Meterpreter, he noticed that the KiTrap0D implementation in Meterpreter's 'getsystem' function could be a little flaky. By default, Meterpreter supports a number of methods for privilege escalation to SYSTEM privileges, and attempts each one of them in order until one succeeds or they have all failed. While KiTrap0D is a fine strategy for this, it did occasionally crash the Meterpreter getsystem function, or worse, BSOD the box. Needless to say, the getsystem call shouldn't result in this kind of behavior, and so the decision was made to change getsystem so that it doesn't make use of exploits like this. As a result, KiTrap0D was removed from getsystem and turned into a regular local exploit module.
Including the two exploit modules mentioned above, we have seven new modules this week. And yes, that's a compressed file memory bomb DoS module. No, it's not from 1988.
Exploit modules
- Supermicro Onboard IPMI close_window.cgi Buffer Overflow by juan vazquez and hdm exploits CVE-2013-3623
- Windows SYSTEM Escalation via KiTrap0D by HD Moore, OJ Reeves, Pusscat, and Tavis Ormandy exploits MS10-015
Auxiliary and post modules
- Gzip Memory Bomb Denial Of Service by info and joev
- Typo3 Login Bruteforcer by Christian Mehlmauer
- Wordpress Scanner by Christian Mehlmauer
- OSX Screen Capture by Peter Toth
- OSX VPN Manager by Peter Toth
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.