Metasploit Blog, February 2014

I Got 99 Problems but a Limited Charset Ain't One

 

In this week's Metasploit weekly update, we begin with OJ TheColonial Reeves' new optimized SUB encoder module (opt_sub.rb). As the name implies, this encoder uses the x86 SUB instruction to rebuild a payload from constants made only of printable, file-path-friendly characters; the decoder stub itself (PUSH, POP and SUB EAX, imm32) is built from printable opcodes as well. Encoders like this are incredibly useful when you are developing a memory corruption exploit that triggers a file path buffer overflow, where the character set you can work with is typically very limited.

 

For those who are curious about how this works, we'll explain it with a basic demonstration. Say you want to put 0x41424344 (the bytes "DCBA" in memory) on the stack. The encoder starts with a register, EDX in this case, holding a constant built only from allowed characters, and pushes it:

 

  PUSH EDX            ; EDX = 0x61616161 (ASCII "aaaa")
 

And then it will use EAX to do the decoding:

 

  POP EAX             ; now EAX has a copy too
 

To turn that into 0x41424344, the encoder subtracts three constants, each made only of allowed characters. The subtractions wrap around modulo 2^32, which is what lets printable operands reach arbitrary values:

 

  SUB EAX, 0x61616162 ; EAX is now 0xFFFFFFFF
  SUB EAX, 0x50505050 ; EAX is now 0xAFAFAFAF
  SUB EAX, 0x6e6d6c6b ; EAX is now 0x41424344
 

After that, the encoder simply PUSHes EAX, writing the decoded value onto the stack:

 

  PUSH EAX
 

It repeats the same trick for every dword until the whole payload has been decoded onto the stack. A payload is often a few hundred bytes, so if you try to do this by hand with a hex calculator, you know it's pretty painful. To be honest, I'm glad OJ did this.
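To make the arithmetic concrete, here is an added example, written for this post and not taken from opt_sub.rb, of the whole scheme in Ruby: it searches for three printable SUB operands per dword, emits the PUSH/POP/SUB/PUSH stub, encodes a multi-dword buffer in reverse order so the pushes reconstruct it in place, and includes a tiny emulator so you can check the decoded bytes. The charset (printable ASCII minus the characters a Windows path rejects) and the starting constant 0x61616161 are assumptions made for the example; the real module takes the allowed set from the exploit's BadChars.

```ruby
# Added example, written for this post rather than taken from opt_sub.rb: a
# single-pass x86 SUB encoder. EAX starts as a constant made of allowed bytes,
# three "SUB EAX, imm32" instructions whose immediates also contain only allowed
# bytes turn it into the wanted dword, and PUSH EAX writes it to the stack.
# The stub's own opcodes are printable too: PUSH EDX = 52h ('R'), POP EAX = 58h ('X'),
# SUB EAX, imm32 = 2Dh ('-'), PUSH EAX = 50h ('P').

MASK = 0xffffffff

# Assumed charset: printable ASCII minus characters a Windows file path rejects.
# (The real module derives the allowed set from the exploit's BadChars.)
PATH_BAD = '\\/:*?"<>|'.bytes
FILE_PATH_CHARSET = (0x21..0x7e).to_a - PATH_BAD

# Finds [op1, op2, op3] with every byte in charset such that
# ((start - op1 - op2 - op3) & MASK) == target, or nil when no such triple exists.
# Works byte by byte from the least significant end, carrying into the next byte.
def sub_encode_dword(target, start: 0x61616161, charset: FILE_PATH_CHARSET)
  allowed = charset.to_a
  diff  = (start - target) & MASK      # op1 + op2 + op3 must equal this mod 2^32
  ops   = [0, 0, 0]
  carry = 0
  4.times do |i|
    needed = (diff >> (8 * i)) & 0xff
    found  = nil
    allowed.each do |a|
      allowed.each do |b|
        c = (needed - carry - a - b) & 0xff   # the only byte that completes the sum
        next unless allowed.include?(c)
        found = [a, b, c]
        break
      end
      break if found
    end
    return nil unless found
    found.each_with_index { |byte, j| ops[j] |= byte << (8 * i) }
    carry = (found.sum + carry) >> 8          # 0 or 1, consumed by the next byte
  end
  ops
end

# What EAX holds after the SUB chain (the decoder's arithmetic, emulated).
def sub_decode(start, ops)
  ops.reduce(start) { |acc, op| (acc - op) & MASK }
end

# Machine code for one dword: PUSH EDX; POP EAX; SUB EAX, imm32 (x3); PUSH EAX.
def sub_stub_bytes(ops)
  code = [0x52, 0x58]
  ops.each { |op| code << 0x2d; code.concat([op].pack('V').bytes) }
  code << 0x50
  code.pack('C*')
end

# Encodes a whole buffer. It is padded to a dword boundary and the LAST dword is
# encoded first: the stack grows down, so the last push ends up lowest in memory
# and the decoded payload is laid out in its original order.
def sub_encode_payload(payload, start: 0x61616161, charset: FILE_PATH_CHARSET)
  pad  = "\x90".b * ((4 - payload.bytesize % 4) % 4)
  stub = "".b
  (payload.b + pad).unpack('V*').reverse.each do |dword|
    ops = sub_encode_dword(dword, start: start, charset: charset)
    raise format('no 3-operand encoding for 0x%08x', dword) unless ops
    stub << sub_stub_bytes(ops)
  end
  stub
end

# Minimal emulator for the four opcodes the stub uses. Returns the bytes that
# would sit on the stack, lowest address first, once the whole stub has run.
def emulate_stub(stub, edx: 0x61616161)
  eax, stack, bytes, i = 0, [], stub.bytes, 0   # stack.last = most recent push
  while i < bytes.size
    case bytes[i]
    when 0x52 then stack.push(edx); i += 1                        # push edx
    when 0x58 then eax = stack.pop; i += 1                        # pop eax
    when 0x2d                                                     # sub eax, imm32
      eax = (eax - bytes[i + 1, 4].pack('C*').unpack1('V')) & MASK
      i += 5
    when 0x50 then stack.push(eax); i += 1                        # push eax
    else raise format('unexpected opcode 0x%02x', bytes[i])
    end
  end
  stack.reverse.pack('V*')
end

if __FILE__ == $PROGRAM_NAME
  ops = sub_encode_dword(0x41424344)
  puts "push edx", "pop eax"
  ops.each { |op| puts format('sub eax, 0x%08x', op) }
  puts "push eax", format('EAX = 0x%08x', sub_decode(0x61616161, ops))
  puts "printable stub: #{sub_stub_bytes(ops).inspect}"
end
```

Run it directly to see the instruction listing for 0x41424344 and the printable stub bytes. Note that a purely alphanumeric charset cannot reach every byte value with three operands (three bytes from 0x30..0x7a sum to somewhere between 144 and 366, which leaves a gap modulo 256), which is one reason a file-path charset that includes punctuation is so much friendlier; sub_encode_dword returns nil in that case rather than emitting a wrong stub.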

 

In a real-world scenario, you should also see an ESP adjustment before the decoding (a SUB ESP, CONST instruction). Its purpose is to move ESP so that the pushes land right after the decoder stub in memory, and execution falls through into the decoded payload once the stub finishes. So before your decoder runs, memory looks like this:

optsub-encoder-end-before.png

And here's after decoding:

optsub-encoder-end-after.png

 

For more on the encoder, the pull request has the full write-up:

https://github.com/rapid7/metasploit-framework/pull/3001

 

Also, kudos to Offensive Security for coming up with this encoding technique. I heard there's a guy named "ryujin" over there who's pure evil :-)

 

Another Powershell Payload? Yes, Please.

 

Another addition to the weekly update is a reverse PowerShell payload from our friends Dave Kennedy of TrustedSec and Ben Campbell (who ported the code to Metasploit). PowerShell is a scripting and task-automation framework for Microsoft Windows, built on top of .NET and aimed at system administrators. Penetration testers, on the other hand, can use it to write payloads and post-exploitation tooling for security assessments. It's easy to write, but one of my favorite things about PowerShell scripts is that many antivirus products don't really seem to detect them, so if you're not taking advantage of this in your pentests, you're missing out :-)

 

The following demonstrates the new Powershell payload in action:

 

Screen Shot 2014-02-25 at 11.12.58 AM.png

 

If You Build it, Bugs Will Come

 

Other changes in this week's update include some minor bug fixes:

 

  • We added a file path check for the sqlmap.rb module. By default we don't actually ship sqlmap, so you may need to grab it from here, and then specify the SQLMAP_PATH datastore option in the Metasploit module.
  • API documentation for ldap.rb. Because the more documentation, the better.
  • The EXITFUNC datastore option is now an OptEnum instead of an OptString. If you're a GUI user, it should be a drop-down menu instead of an input box.
  • Fix for a URL path bug in the Dexter (CasinoLoader) SQL injection exploit against Windows platforms.
  • More target coverage for the Ultra Mini HTTPD buffer overflow exploit. Reliability is also improved by fixing an issue with bad characters and by running the payload in a new thread instead of the request handler.
  • Fix for a URL path bug in the vtiger_soap_upload module (vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload).

 

If you are new to Metasploit, you can get started by downloading a copy of it for either Linux or Windows. If you're a Metasploit user, then please go ahead and run msfupdate to make sure you have the latest changes. For other users who are on packaged updates, including Metasploit Community, Metasploit Pro, and Kali, you can install this update from the Software Updates Menu under Administration.

 

For additional details on the weekly release notes, you may find them here.

"It's Like Chat Roulette for Hackers"

Dr_-Evil-One-Million-Dollars.png

The coolest thing this week... wait, let me start again.

 

The coolest thing this year is Wei sinn3r Chen's brand new amazesauce, humbly named webcam_chat. I know he just posted all about it yesterday, but I just want to reiterate how useful and hilarious this piece of post-exploit kit really is.

 

First off, it's entirely peer-to-peer. The communication channel is strictly between you and the compromised host; you're not bouncing your webcam stuff through Google Hangouts or GoToMeeting or anything like that. So already, you're kinda sorta OTR (off the record). True, the initial connection is mediated through an Internet-based service (which you can optionally set up yourself with the -s option), but the video is straight up mano a mano.

 

Second, as sinn3r intimated, permanent pen-testing staff can use this WebRTC component to gently... re-educate users about how not to get popped by real criminals. This is helpful when you can't get a meeting with your CEO about how he really shouldn't carve out firewall exceptions for his iPad. Not naming names.

 

This is not to mention the pure lulz factor of being able to play at "Hollywood Hacker." How many movies and TV shows feature a shadowy evil genius who can inexplicably pop up on whatever monitor the hero happens to be looking at, who then proceeds to make his demands known? There are literally Brazilians of examples. And that's a lot.

 

Of course, and hopefully this goes without saying, actually using a sudden video chat in production may carry with it some... slight privacy concerns. So if you happen to go down this road of being very hands-on with your target endpoints, please make sure that you have all the permission that you need ahead of time. Nothing kills a pen-test program faster than sudden wiretap statute violations. This is not to dissuade you from using this (and record_mic, by the way) -- you should totally use them, with the advice and consent of your chosen target organization.

 

I am just beside myself with joy that this landed. Yeah, the Android WebView attack was cool, sure... but, WEBCHAT. You can't beat that with a stick.

 

Massive thanks to the brilliant folks over at WebRTC for producing and releasing such an amazing open source technology. You guys are the real heroes. Keep these off-the-shelf invasive technologies coming!

 

Meterpreter is so easy a _____ can compile it!

Also this week, we saw a great HOWTO video from OJ TheColonial Reeves on how drop dead easy it is to download and compile Meterpreter on your own.  The procedure documented here is pretty much exactly what I do when I'm testing changes to Meterpreter, and quite close to what we use in our in-house build process here at Rapid7.

 

If you're some kind of Victorian literate who prefers reading words that don't move, and you want to know how to roll your own Meterpreter binaries, then see OJ's accompanying blog over at Buffered.IO. The video is only four minutes and change, though, and the music is catchy. But hey, if you hate technology, then that's your thing. Don't let me tell you how to absorb information.

 

New Modules

This week's release sees six new modules, including the mighty post module to enumerate Active Directory servicePrincipalNames, from serial AD enumerator Ben Meatballs Campbell. But, if I had to choose -- and I don't want to, because I love all Metasploit modules equally and unreservedly -- then I'd have to say that Meatballs' MediaWiki exploit is probably the hottest of the bunch.

 

MediaWiki has patches available (at least according to the OSVDB entry), but there are zillions of MediaWiki installations run by people who aren't slavish about security, so this is one of those platforms that you're a) likely to see on an engagement and b) likely to see running an old version in production. Many IT organizations farm out the whole "knowledge base" infrastructure to individual business units and take a hands-off approach to it in the enterprise, so a penetration tester should have a good time hunting these down and snarfing decent intelligence via Metasploit shells.

 

Watering hole attack, anyone?

 

Exploit modules

 

Auxiliary and post modules

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

im-watching-you.jpg

During a recent business trip in Boston, Tod and I sat down in a bar with the rest of the Metasploit team and shared our own random, alcohol-driven ideas on Metasploit hacking. At one point we started talking about hacking webcams. At that time Metasploit could only list webcams, take a snapshot, stream video (without sound), or record audio through Meterpreter. Normally that should be enough for most cases, but hey, wouldn't it be cool if you could actually chat with the compromised user face-to-face? You never know, right? Maybe you're monitoring one particular user during a penetration test, and you notice all kinds of unsafe things he's doing, and you have the urge to jump in and go "hey, I am watching you!" and lecture him about security? Yeah, you can do that now. But obviously the possibilities are endless with this new capability, so as always I encourage you to use your imagination :-)

 

The technology we're borrowing to achieve video chatting is called Web Real-Time Communications, or WebRTC for short. WebRTC is a free, open source project (hooray for open source!) that lets web browsers do voice calling, video chat, and file sharing through simple JavaScript APIs and HTML5. Many applications and websites have already implemented WebRTC. To experience its awesomeness, you can go to sites like Webcam Toy and try it yourself.

 

Anyways, back to Metasploit hacking. What we've done is implement WebRTC as a Windows Meterpreter feature. If you wish to chat with a compromised user, simply issue a command like the following:

 

meterpreter > webcam_chat 
[*] Video chat session initialized.

 

A couple of things will happen under the hood when you use the "webcam_chat" command:

 

  1. It will first find a suitable browser on the remote machine: Chrome (version 23 or newer) or Firefox (version 22 or newer). Unfortunately Internet Explorer doesn't support WebRTC natively, so we'll see what Microsoft wants to do.
  2. Once a suitable browser is found on the remote machine, it will open that, and then initialize the video session.
  3. On your box (attacker), Metasploit will also find a suitable browser (again Chrome or Firefox), and then it will try to join the video session. When you're about to join, your browser will ask you to allow the webcam to turn on. Obviously you need to click yes/allow/share.
  4. And now let the fun begin.

 

Demonstrations

 

As an attacker, your interface has the basic controls of a YouTube-style player: you can go full-screen (on either your video or the remote user's), mute, and control the volume (50% by default). It looks like this:

 

vid_session_example.png

 

The remote user's interface is different. It does not let the user go full-screen or control the volume (someone who knows the browser's developer tools could work around that, but that's not something you normally need to worry about with average users), and the GUI looks something like this:

 

vid_session_example_2.png

Defeat webcam privacy invasion

 

I know what you're thinking. It kind of sucks if someone breaks into your computer, and it's really creepy if they're using your webcam. Well, how to prevent illegal hacking is a multi-billion dollar question, and as far as I can tell nobody has quite figured out the perfect solution. I can tell you what to do or what to buy within your budget, but if you insist on clicking on "Please download this file and run it to accept your free trip to Hawaii", then there isn't much we can do about it. Wait, that's not true -- I can run the "webcam_chat" command to get in your face and yell at you to stop clicking on things :-)

 

If you're concerned about people spying on you through your webcam, there IS something you can do about it. Nothing fancy: instead of going about your business with the webcam facing you, simply cover it up. If you're feeling fancy, you can always buy one of those webcam covers, like the following from Amazon:

 

webcam_cover.jpg

 

Play Time!

 

To try out the new WebRTC-based video chatting feature, people tracking Metasploit open source development can simply run the msfupdate utility. If you're a user of Metasploit Pro or Kali Linux, you will receive this new toy in the next weekly update, the week of February 19th, 2014. If you've never tried Metasploit before, don't miss out on the fun. Download a copy today.

Shellcode is an exercise in trade-offs.

 

To be really flexible and fit in the most exploits, shellcode must be small.  On the other side of the scale, there are certain features that you need or want, each adding to the size. For instance, doing DNS resolution in the first stage payload is useful, but (in Windows) requires adding 80 bytes to the stager. So we have to balance size, which is very important for compatibility with some exploits that have limited buffers to work with, with features and reliability, which are important for world domination.

 

Metasploit's existing stagers are usually small enough, and our encoders get rid of bad characters for you, so it doesn't make sense to spend a lot of time writing your own payloads or optimizing to get rid of pesky bytes. Sometimes, though, a few bytes can make a big difference.  For example, the exploit for MS08-067, ms08_067_netapi.rb has a buffer size of 400 bytes; we'll come back to this in a moment.

 

block_api

block_api is a brilliant piece of kit that rummages through the PE headers of the loaded modules (their export address tables) looking for the function we want to call, which makes finding a pointer to, say, "InternetOpenA" portable and reliable across versions of Windows. Because all of our Windows payloads use it, a win here makes all our Windows payloads a little bit smaller.

 

The first win comes from the fact that x86 has several ways of addressing memory. This is the original code:

   add eax, edx           ; Add the modules base address
   mov eax, [eax+120]     ; Get export tables RVA

 

The mov here uses the "mov reg, r/m" form, which lets us do simple arithmetic on a register (adding 120) without storing the result. The r/m operand is more flexible than that, though: it was designed for table access and can take "[ base + scale*index + disp32 ]", where base would normally be the beginning of the table, scale the size of its elements, index the index of the element you want, and disp32 the offset within that element.

 

Armed with this knowledge, both of the above instructions can be condensed into one:

  mov eax, [eax+edx+120]    ; Get export tables RVA

for a one-byte saving. Every byte is sacred, after all.

 

The second reduction comes from the fact that the designers of x86 intended the ECX register to be used as a loop counter and thus added several instructions that treat it specially. jecxz is one that allows us to jump without having to explicitly test a register. By using ECX for our EAT pointer instead of EAX, we can turn this:

  test eax, eax          ; Test if no export address table is present
  jz get_next_mod1       ; If no EAT present, process the next module

into this:

  jecxz get_next_mod1    ; If no EAT present, process the next module

saving another 2 bytes.

 

reverse_http(s)

 

That's all great for improving your shellcode golf score, but the big win came in the reverse_http and reverse_https payloads.

 

The first thing I noticed about reverse_http is that it used the time-honored tradition of jmp'ing ahead, then call'ing backwards and popping the return address to get the address of a string on the stack (in this case, the hostname and URI to call back to). It then stored that value in a register and later pushed it as an argument to a function. Since the call instruction already puts the value on the stack, I simply rearranged it to be in the argument setup instead of beforehand, e.g. something like this pseudocode:

 

  jmp get_uri
got_uri:
  pop ebx              ; ebx = address of the string
  push eax
  push eax
  push ebx             ; pushed again later as an argument
  call ...
get_uri:
  call got_uri         ; pushes the address of the string below as the return address
  db "/12345", 0x00

 

became this:

  push eax
  push eax
  jmp get_uri
got_uri:
  call ...             ; the string address is already on the stack as the last pushed argument
get_uri:
  call got_uri         ; pushes the address of the string below
  db "/12345", 0x00

 

If we have an instruction like this:

  mov esi, eax

and we don't need eax to keep its value (in this case we don't), we can replace it with

  xchg esi, eax

and save another byte.

 

The next savings came from a need for zeros. In almost every function call made in reverse_http(s), we need a zero (or a NULL) for at least one argument.  In fact, we need zero so often that it makes sense to just save it in a register and use it over and over. Previously this was ad-hoc, done at the beginning of each function with a different register. By zeroing one register at the beginning and using it throughout the payload, we can save even more space.

 

Before this change, reverse_https was 368 bytes unencoded. Encoding with x86/call4_dword_xor knocks it up to 392 bytes. With x86/jmp_call_additive, it is 397 bytes. With the added stuff that ms08_067_netapi needs for fixing up the stack, it comes to 404 and 409, respectively. If you'll recall, that's too large for ms08_067_netapi. The encoders that produce decoding stubs with less overhead also produce badchars for this exploit, so shikata_ga_nai encoding (for instance) will not work.

 

After this change, reverse_https is 350 bytes unencoded. With all of ms08_067_netapi's restrictions, we can now encode it to a size that will fit. And there was much rejoicing.

 

Happy hacking.

Android WebView Exploit, 70% Devices Vulnerable

Redacted For Your Protection (not to keep secrets, really)

This week, the biggest news I think we have is the release of Joe Vennix and Josh @jduck Drake's hot new/old Android WebView exploit. I've been running it for the last day or so out on the Internet, with attractive posters around the Rapid7 offices (as seen here) in an attempt to pwn something good. I've popped a couple of shells; I guess I didn't make my QR code attractive enough.

 

Seriously, though, this vulnerability is kind of a huge deal. I'm hopeful that by publishing an E-Z-2-Use Metasploit module that exploits it, we can maybe push some vendors toward ensuring that single-click vulnerabilities like this don't last for 93+ weeks in the wild. Don't believe me that this thing is that old? Just take a look at the module's references if you don't believe me.

 

It should be noted that the bug only ("only," he says!) affects versions of Android below 4.2 (early Jelly Bean). In a completely unsurprising twist, I did a quick survey of the phones available today on the no-contract rack at a couple of big-box stores, and every one that I saw was vulnerable out of the box. And yes, that's here in the U.S., not some far-away place like Moscow, Russia. This lines up with what Android Central reports: while Android 4.4 (KitKat) has reached 1.8% penetration, the same chart indicates that over 70% of all Android devices out there are vulnerable to this bug, with the plurality of devices on 4.0 and 4.1.

 

There's a lot more to say here, so expect more on this in the coming days. We've slapped together a quick video, but feel free to make a better one and grab all the Internet infamy for yourself. The video should open in a new window.

(Video: QR code delivered exploit)

As you can see, the attack shown here, a QR code that points at a Metasploit exploit, is a pretty dang effective way to get a shell on a target Android device, assuming your QR marketing skills are better than mine.

 

Incidentally, who do you lean on to get this patched? The big box retailer who sold it to you? The manufacturer of the phone hardware? The cell phone service provider? Google? It may seem a little spurious, but it's a question that's going to be asked by journalists, wonks, and (hopefully) consumer protection groups in the coming weeks.

 

Mass Check!

Item two on this week's release is Wei @_sinn3r Chen's rework of how Metasploit exploits use the "check" functionality. You can read up on it over at sinn3r's blog post about how it all works -- really, go read it, it's good.  I'll wait.

 

Now that you've got the background and it's out in this week's release, you no longer need to guess at how many of your in-scope Windows machines really are vulnerable to MS08-067 before you try to tag them.  This is not to say that Metasploit is suddenly a proper vulnerability scanner.  We're not, and never really will be. This "check" functionality is much more focused on target acquisition than compliance checking or risk management or anything like that. So, good for penetration testers, maybe not so good for your day-to-day vuln scanning duties.

 

Meterpreter Clipboard Monitor

Also on this release (dang, this is a pretty good one this week), is the new clipboard monitor functionality for Meterpreter, thanks in large part to OJ @TheColonial Reeves. OJ got a nice little writeup over at CSO Online wherein TheColonial explains how the clipboard-erasing protections of KeePass are completely obliterated.

 

This makes me sad, as I'm an avid KeePassX user and have been for years and years. Oh well, I guess I'd just better make sure that I'm not already owned when I go checking The Facebook for my friends' cat-and-baby pictures.

 

But, alas, moving security forward isn't just about me and what software I use. The fact of the matter is, passwords suck. Period. You're left with the choice of a) keeping easy-to-remember passwords in your head (easy to guess), b) using a clipboard-based password manager and hoping nothing's watching your clipboard, c) using some hand-typed system of password management and hoping your keystrokes aren't being logged, or d) using a browser-based autofill system and hoping you're not a recent victim of a universal, persistent XSS bug. Time to take another look at your two-factor authentication (2FA) choices.

 

Incidentally, we'll have more on the UXSS thing in the next couple weeks. You're welcome, in advance.

New Modules

 

Including the WebView exploit above, we're shipping six new exploits and seven new auxiliary and post modules. Most of the aux material this week revolves around IBM Sametime, an enterprise social-media-in-a-box offering, all from the cruelly-named Kicks4Kittens.

Exploit modules

 

Auxiliary and post modules

 


As a pentester for Rapid7 I use Metasploit a lot. I think one of the most overlooked features in Metasploit is the ability to create resource scripts. What are resource scripts you ask? “A resource file is essentially a batch script for Metasploit; using these files you can automate common tasks – H.D. Moore.”

 

There are several resource scripts included with Metasploit, one of which is port_cleaner. If you're like me, you have had times when, after importing Nmap scan data, a bunch of cruft for closed and filtered ports shows up. Well, port_cleaner cleans the cruft out and makes dealing with the data much easier.

 

Now to the real reason for this blog post: how to leverage the power of resource scripts. I was on an assessment a while ago where my customer wanted to know which of its web servers were running weak SSL ciphers and the SSLv2 protocol. Like yours, my go-to tool for this task is usually SSLScan, but I wanted to switch things up a bit. I use Metasploit's database as a data repository for anything related to my penetration tests. So I started thinking, how can I get my SSLScan data into Metasploit? My first thought was to write a parser that would take SSLScan's output and import it into Metasploit's database. Well, this approach would get me to my end goal (having the data in Metasploit), but it would require an additional step to get it there. There had to be a better way. My friends, resource scripts are that better way!

 

The true power of resource scripts lies in the ability to use most, if not all, of the functions available within Metasploit. In my case, @TheLightCosine had already written an awesome SSL scanner class in Metasploit. My goal was to leverage that scanner to identify weak SSL ciphers and protocol versions and dump the data into Metasploit's database for reference and reporting.

 

My first concern was to figure out how to access the SSL scanner from my resource script. Because resource scripts run in the context of the framework, you can use its classes simply by calling them. The example below shows how this works: from within my resource script, I instantiate Rex::SSLScan::Scanner, which gives me a new scanner object to work with.

 

sslscanner-image.png

Creating a new SSLScan Scanner object for later use.

 

With that figured out, how might I run the scanner against all the hosts in my workspace that have SSL enabled? Never fear, framework.db.workspace.services is here. I simply loop over each service entry looking for port 443 or a service named https, then sic the scanner on them.


host-lookup.png

Looping over services in workspace


Once I have the results I’m looking for, I use framework.db.report_note to store the data in my workspace. This allows me to later search the notes table for any hosts that have SSL notes associated with them.

 

 

db-note.png

Storing SSLScan data in notes table.
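Putting the three steps together, here is an added example of what the body of such a resource script can look like. It is not the author's gist and is not part of the original post. Inside msfconsole the code goes between <ruby> and </ruby> tags in a .rc file and is run with the resource command. The framework calls it relies on are assumptions about the API of that era that you should check against your own tree: Rex::SSLScan::Scanner.new(host, port).scan returning a result that answers supports_sslv2? and weak_ciphers (an array of hashes with :version, :cipher and :key_length), framework.db.workspace.services yielding records with host.address, port, name and state, and framework.db.report_note taking a hash. The scanning and reporting calls are passed in as lambdas so the loop itself can be run and tested outside msfconsole.

```ruby
# Added example (not the author's gist): the Ruby body of a resource script that
# scans every TLS service in the current workspace and stores a note per host.
# Assumed framework API (check against your tree):
#   Rex::SSLScan::Scanner.new(host, port).scan -> result with #supports_sslv2?
#     and #weak_ciphers (array of {version:, cipher:, key_length:} hashes)
#   framework.db.workspace.services -> records with #host.address, #port, #name, #state
#   framework.db.report_note(hash)  -> stores a note; print_status exists in msfconsole

SSL_PORTS = [443, 8443]            # assumed: ports always treated as TLS endpoints
SSL_NAMES = %w[https ssl/http]     # assumed: service names treated as TLS endpoints

def ssl_service?(port, name)
  SSL_PORTS.include?(port.to_i) || SSL_NAMES.include?(name.to_s.downcase)
end

# Reduce a scan result to the hash stored in the note's :data field.
def summarize_ssl_result(result)
  weak = result.weak_ciphers.map do |c|
    "#{c[:version]} #{c[:cipher]} (#{c[:key_length]} bits)"
  end
  sslv2 = result.supports_sslv2?
  { sslv2: sslv2, weak_ciphers: weak, weak: sslv2 || !weak.empty? }
end

# Walk the workspace's services, scan the open TLS ones and record one note each.
#   services: enumerable of service records
#   scan:     ->(host, port) { result }   (Rex::SSLScan inside msfconsole)
#   report:   ->(note_hash) { ... }       (framework.db.report_note inside msfconsole)
# Returns the note hashes it reported so the run can be summarised or tested.
def scan_ssl_services(services, scan:, report:)
  notes = []
  services.each do |svc|
    next unless svc.state.to_s == 'open' && ssl_service?(svc.port, svc.name)
    address = svc.host.address
    data = begin
      summarize_ssl_result(scan.call(address, svc.port))
    rescue StandardError => e        # one unreachable host must not abort the run
      { error: e.message }
    end
    note = { host: address, port: svc.port, proto: 'tcp', type: 'ssl.scan', data: data }
    report.call(note)
    notes << note
  end
  notes
end

if defined?(framework)               # true inside msfconsole, false stand-alone
  notes = scan_ssl_services(
    framework.db.workspace.services,
    scan:   ->(host, port) { Rex::SSLScan::Scanner.new(host, port).scan },
    report: ->(opts) { framework.db.report_note(opts) }
  )
  flagged = notes.count { |n| n[:data][:weak] }
  print_status("#{notes.size} TLS services scanned, #{flagged} with SSLv2 or weak ciphers")
end
```

Afterwards the notes command in msfconsole (filtered on type ssl.scan) lists the affected hosts, which is exactly the lookup the post wants later; the :error entry keeps a host that refused the connection visible instead of silently dropping it.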

 

I hope this has shown you some of the power you can wield with resource scripts. A 5-minute investment on a resource script can save a ton of time in the end.

 

Additional references:

My SSL scan resource script-

https://gist.github.com/parzamendi-r7/bf216a71be19025fd51d

 

List of resource scripts included with Metasploit -

https://github.com/rapid7/metasploit-framework/tree/master/scripts/resource


Six Ways to Automate Metasploit-

https://community.rapid7.com/community/metasploit/blog/2011/12/08/six-ways-to-automate-metasploit

Meterpreter ADSI support

We ended up skipping last week's update since upwards of 90% of Rapid7 folks were Shanghaied up to Boston, in the dead of winter, with only expense-reportable booze to keep us warm at night. So, with much fanfare comes this week's update, featuring the all new ADSI interface for Meterpreter, via OJ TheColonial Reeves' Extended API.

 

Lucky for us, and you, Carlos DarkOperator Perez was not ensconced in Boston, but in (what I can only assume is) sunny Puerto Rico. Between (again, as I imagine his lifestyle to be) frosty tropical cocktails on the beach, he wrote up a delightful overview on how to use OJ's new ADSI hotness, descriptively titled, Enumeration using the Meterpreter ADSI Extended API Commands. It's a thorough HOWTO, so if you're interested in that sort of thing (and seriously, who isn't?), I encourage you to check it out.

 

Thanks heaps, OJ and Carlos! Great work!

 

MSFTidy Your Modules

For quite a while now, we've been gently reminding, tearfully pleading, and angrily demanding that all Metasploit modules take a quick pass through msftidy.rb, aka MSFTidy, aka our style checker for modules. Some of the checks are more cosmetic, such as ensuring that you're using soft tabs rather than hard tabs. Some make sure you're not setting up for threading bugs by modifying the datastore at runtime. Some protect against vulnerabilities in other libraries (notably, Nokogiri's terrible habit of shipping vulnerable libxml2 binaries). We've had a handy method to run MSFTidy as a pre-commit hook for a while now -- see this pull request from about a year ago. But alas, I cannot force people out on the Internet to run my delightful pre-commit checks, and it's clear to me now that few actually do.

 

So, starting this week, our good buddy Travis-CI will do our dirty work for us by running msftidy.rb on any new Pull Request. It looks like PR #2948 was the first to fall victim to our new automated style fascism enforcement -- sorry @juushya! All the checks are worth validating, if only to save the sanity of future exploit developers. MSFTidy ensures that modules have some kind of predictable layout that's familiar to anyone who takes the time to learn the format. We've been hewing closer and closer to the Ruby style guide, and it's for a reason -- the less time future exploit devs have to spend on figuring out what the heck you're trying to express in your code, the more time they have to fix your bugs and extend your modules with new features. Of course, Metasploit is ultimately community driven, so if you have some strongly held and defensible belief that something in msftidy shouldn't be checked (the line length limits are contentious), then feel free to express your opinion in the form of a Pull Request. We're happy to discuss basically everything about Metasploit development here in the People's Republic.

 

New Modules

We've seven new modules this week -- Juan has been busy with Apache Struts and Apache Tomcat, which are always nice targets to go after since they're pretty popular webapp server components. In addition, we have one module which just struck me funny: @Xistence's ManageEngine Support Center directory traversal module. This is a ticketing system, basically, where users can attach files to their bug reports (like you'd expect). Problem is, they can "attach" local files on the ManageEngine machine as well -- and on Windows, Support Center runs as SYSTEM by default. So, yeah. Any local file on the entire system, just there for the attaching. Oops.

 

If you run ManageEngine's software in your environment, then you really ought to consider patching.

 

Exploit modules

 

Auxiliary and post modules

 


One of the most popular requests I've received from professional penetration testers is that they need to be able to break into as many machines on a network as possible, as fast as possible, during an engagement. While Metasploit Pro or even the community edition already gives you a significant advantage in speed and efficiency, there is still quite a large group of hardcore Framework users out there, so we do whatever we can to improve everybody's hacking experience. A new trick we'd like to introduce today is the modified "check" command, which allows you to quickly identify vulnerable, or likely exploitable, machines in a more accurate manner.

However, you should also understand that Metasploit isn't a real vulnerability scanner even though it has checks. For your vulnerability scanning needs, we recommend using a real scanner like Nexpose (or whatever it is you prefer), and importing the results into Metasploit.

New Check Command Usage

Before these changes, users could only run the check command against one host at a time, which made it less practical against a large network. You could write resource scripts to overcome this problem, but in reality not everybody is equipped with hands-on programming experience in Ruby and the Metasploit API. Well, this is no longer a challenge starting today. You can now check a range of hosts with whatever exploit or auxiliary module you're using, and you can specify the number of threads needed to perform this task. A very basic usage is demonstrated below:

msf> use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set rhost 192.168.0.123
rhost => 192.168.0.123
msf exploit(ms08_067_netapi) > check

Or it can be as simple as the following without the need to specify the RHOST or RHOSTS datastore option (auxiliary scanning modules use RHOSTS):

msf> use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > check 192.168.0.100-192.168.0.120

The default thread count is 1, but this is configurable. How many threads you can create depends on your system, so we advise you to play around with it a little bit with a process monitor tool and decide for yourself. Here's an example of running a multi-threaded check to make the module scan faster:

msf exploit(ms08_067_netapi) > set THREADS 10
THREADS => 10
msf exploit(ms08_067_netapi) > check 192.168.1.1/24

Please note that all checks now are also less verbose than before by default, but if you prefer to be more well informed about what's happening, you can always set the VERBOSE datastore option to true.

New CheckCode Definitions

While adding this new feature to Metasploit, we also spent quite a lot of time redefining check codes and tweaking hundreds of existing modules and other files, in an effort to allow users to better understand what the check is telling them and use the module with more confidence. Please take the time to read the new guidelines before you decide to exploit anything:

  • Exploit::CheckCode::Unknown - The module fails to retrieve enough information from the target machine, for example because of a timeout or some kind of connection issue.
  • Exploit::CheckCode::Safe - The check fails to trigger the vulnerability, or even detect the service.
  • Exploit::CheckCode::Detected - The target is running the service in question, but the check fails to determine whether the target is vulnerable or not.
  • Exploit::CheckCode::Appears - This is used if the vulnerability is determined based on passive reconnaissance. For example: version, banner grabbing, or simply having the resource that's known to be vulnerable. There is no solid proof whether the target machine is actually exploitable or not.
  • Exploit::CheckCode::Vulnerable - The check is able to actually take advantage of the bug, and obtain some sort of hard evidence. For example: for a command execution type bug, it's able to execute a command and obtain an expected output. For a directory traversal, read a file from the target, etc. This level of check is pretty aggressive in nature, but normally shouldn't be DoSing the host as a way to prove the vulnerability.
  • Exploit::CheckCode::Unsupported - The module does not support the check method.


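As an added example (not Metasploit's own code, and not a real module), here is the CheckCode ladder from the list above walked in plain Ruby against a fictional service, together with a miniature version of the THREADS worker pool from the check range usage earlier; the CheckCode stand-in, the "ExampleSvc" banner format, the 2.4.0 cutoff and the probe callable are all assumptions made for the demo.

```ruby
# Added example, not Metasploit's code: a check() that walks the CheckCode
# ladder from the post against a constructed (fictional) service, plus a
# THREADS-style worker pool. CheckCode is a stand-in for Exploit::CheckCode;
# the "ExampleSvc" banner format and the fixed version are invented here.
module CheckCode
  Unknown     = :unknown      # no usable answer (timeout, connection error)
  Safe        = :safe         # service absent, or a patched release
  Detected    = :detected     # service present, vulnerability undetermined
  Appears     = :appears      # passive evidence only (version/banner)
  Vulnerable  = :vulnerable   # hard evidence from an active probe
  Unsupported = :unsupported  # module has no check method
end

# Fictional cutoff: ExampleSvc releases before 2.4.0 carry the bug.
FIXED_VERSION = [2, 4, 0].freeze

# banner: what the service sent back (nil when the socket timed out or was
# refused). probe: optional callable, true only when the bug was demonstrated.
def check(banner:, probe: nil)
  return CheckCode::Unknown if banner.nil?
  m = banner.match(%r{\AExampleSvc(?:/(\d+)\.(\d+)\.(\d+))?})
  return CheckCode::Safe unless m                    # not the service we target
  ver = m.captures
  return CheckCode::Detected if ver.compact.empty?   # banner hides the version
  ver = ver.map(&:to_i)
  return CheckCode::Safe if (ver <=> FIXED_VERSION) >= 0
  # Version says vulnerable; only a successful active probe upgrades that to
  # Vulnerable. A failed or absent probe leaves the passive evidence as is.
  return CheckCode::Vulnerable if probe && probe.call
  CheckCode::Appears
end

# The THREADS option in miniature: a fixed pool of workers drains a host queue.
# banners is a constructed host => banner map standing in for network I/O.
def check_hosts(banners, threads: 1)
  queue = Queue.new
  banners.each_key { |host| queue << host }
  results = {}
  lock = Mutex.new
  workers = Array.new(threads) do
    Thread.new do
      while (host = (queue.pop(true) rescue nil))
        code = check(banner: banners[host])
        lock.synchronize { results[host] = code }
      end
    end
  end
  workers.each(&:join)
  results
end
```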
Module Developers

If you're interested in Metasploit module development, please also read our guidelines on how to write a check() method here.

And that's it for today. Current Metasploit users can simply run msfupdate and you shall receive these changes. However, to maximize your lightning-fast pwn power, feel free to try out Metasploit Pro or the community edition (free), and watch our recently-made video from David 'TheLightCosine' Maloney on "From Framework to Pro: How to Use Metasploit Pro in Penetration Tests."
