Meterpreter Extended API
This week, we've got some new hotness for Meterpreter in the form of OJ TheColonial Reeves' new Extended API (extapi) functionality. So far, the extended API is for Windows targets only (hint: patches accepted), and here's the rundown of what's now available for your post-exploitation delight:
- Clipboard Management: This allows for reading from and writing to the target's clipboard. This includes not only text, like you'd expect, but a seamless download of files and images as well. Useful for grabbing interesting but temporary data such as passwords or files copied from remote sources.
- Service Management: Meterpreter users are familiar with the overview provided by regular 'ps', but the service management interface allows for more detailed readouts of running services; most notably, DACLs, load order group, the startup status, and whether that service can interact with the desktop.
- Window Management: Gives the ability to easily enumerate all open windows. This can help penetration testers discover if a particular target is worth VNC'ing in on at the moment.
In addition to all this, the Extended API structure makes it a handy place to start prototyping new Meterpreter functionality for Meterpreter hackers who aren't named OJ. It's pretty well organized from the get-go and doesn't require refactoring to core Meterpreter functionality to get something put together and demo-able quickly. So, if you've got an idea of what you'd like to see Meterpreter make easier that's relevant to your particular pen-testing workflow, this is a great place to start.
New HttpServer / HttpClient HOWTO
Not too long ago, we announced Wei @_sinn3r Chen's Browser Exploit Server, a nice Ruby mixin that consolidates a lot of the grunt work behind developing exploits. This week, Wei has fleshed out more of the exploit dev documentation with a nice, compact HOWTO-style guide on writing modules that leverage the strengths of the revised HttpServer and HttpClient mixins, so read up on it here.
I've been bugging sinn3r to put together some YouTube videos on the process of exploit dev as well, complete with the requisite thumpa-thumpa music, but you are welcome to beat him to it by following his documentation for your next browser exploit. The kids love the YouTube, and watching exploit devs type is apparently an effective teaching technique for some.
SAP for People Closer to GMT
If you missed last week's SAP hacking webcast by Juan Vazquez, Christian Kirsch, and yours truly, we'll be hosting it again live next week. You can register here, and it'll be held mid-afternoon for those of you who are observing a European time zone. We hear SAP is big over there, so we'll be getting online early in the AM here in Austin to make sure you all can participate in our overview of the state of the art of SAP reconnaissance and exploitation with Metasploit.
It's an even split this week between exploit and non-exploit modules, with eight total. Rails has another DoS that we exercise this week, thanks to sinn3r's Rails Action View auxiliary module which exploits CVE-2013-6414; now would be a fine time to check your Rails version and update accordingly to get the fix.
Exploit modules
- Up.Time Monitoring Station post2file.php Arbitrary File Upload by Denis Andzakovic exploits OSVDB-100423
- WordPress OptimizePress Theme File Upload Vulnerability by Mekanismen and United of Muslim Cyber Army
- vBulletin index.php/ajax/api/reputation/vote nodeid Parameter SQL Injection by juan vazquez and Orestis Kourides exploits CVE-2013-3522
- Kaseya uploadImage Arbitrary File Upload by Thomas Hibbert exploits OSVDB-99984
Auxiliary and post modules
- Ruby on Rails Action View MIME Memory Exhaustion by joev, sinn3r, and Toby Hsieh exploits CVE-2013-6414
- vBulletin Password Collector via nodeid SQL Injection by sinn3r, juan vazquez, and Orestis Kourides exploits CVE-2013-3522
- Cisco ASA ASDM Bruteforce Login Utility by Jonathan Claudius
- Windows Gather Skype, Firefox, and Chrome Artifacts by Joshua Harper
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.