Since we Last Left Our Heroes...
Wow, it's been a busy couple weeks here, post-DefCon/Black Hat. As you no doubt have noticed, we released Metasploit 4.10, which brings some major architectural changes to how our brute force login scanners are written, run, and logged -- you can read up on all that over at Dave TheLightCosine Maloney's delightful documentation, Creating Metasploit Framework LoginScanners to see how to write and use the new login and credential APIs.
Along with this, we've also converted the Metasploit Framework into a fully-fledged Rails::Application, which itself is kind of huge. This should allow for much easier integration with other Ruby projects -- most notably, testing frameworks (let's cut down on regressions and bitrot) and opens the door for a gem-based distribution system for modules and module packs (yes, this is as rad as it sounds). If you're interested in the guts of how Metasploit Framework works now, take a look at Luke KronicDeth Imhoff's blog post about this significant upgrade.
A Great Big Pile of HOWTO
Also during 4.10, we've been revisiting a lot of the documentation of how to write specific kinds of Metasploit modules -- and by "we," I mean Wei sinn3r Chen, the world-reknowned and -feared superhacker with over 200 direct credits on Metasploit modules and input on well over a thousand. If you're just starting your exploit dev career, or if you've been at it for a while, these resources will be crazy valuable for you. The latest material includes:
- How to get started with writing an exploit
- How to get started with writing an auxiliary module
- How to get started with writing a post module
Sinn3r goes on to provide a lot of detail for major types of modules, such as web browser exploits and file format exploits, as well as typical chunks of modules, such as the check() method and using Railgun, Meterpreter's interface with the Windows core API. If you're troubled or confused about some area of Metasploit module writing after reading these, then feel free to offer suggestions and ask questions on our open source developer's Freenode channel, #metasploit.
Distributed, Reflective Denial of Service with NTP
Earlier this week, we also released five new auxiliary modules that can be used to audit your NTP infrastructure, This is Kind of a Big Deal -- given these common exposures in NTP and the nature of UDP-based communications, it can become trivially easy for an attacker to start flooding victims by using these mis-configured devices as amplification stations, leading to a distributed, reflective denial of service (DRDoS) attack.
DRDoS events are slightly different than just regular DDoS events. Instead of an attacker controlling a network of compromised and/or controlled hosts, the attacker uses the reflective and amplication "features" of spoofable services. The old "Smurf" attack is a classic example of this attack, where I pretend to be you and ping the broadcast address of some other network, resulting in lots of reply messages sent your way that you didn't ask for. In this way, one ICMP ping packet from me could turn into a few hundred ping response packets for you.
The ICMP Smurf attack rarely works any more - pipes are bigger and broadcast domains that respond to ping are few. People just don't respond to ping like they used to. NTP, on the other hand, is the Network Time Protocol, used to keep computers in sync, is listening all over the place, and is kind of hugely important for things like authentication and certificate revocation, so it's definitely a critical chunk of Internet architecture. Turns out, vulnerable NTP servers are also plenty available for attackers -- as Jon wrote, Rapid7's Project Sonar has identified over 65,000 hosts that appear to be capable of aiding attackers in amplified, reflective attacks.
For lots more detail on these vectors, and advice on how to protect your own network, check out Jon's blog post on R7-2014-12: NTP Amplication Attacks.
Since the release of Metasploit 4.10, we've added 20 new modules, including the aforementioned NTP scanners, as well as a command injection exploit for Yokogawa-manufactured Human Interface Stations (discussed at DefCon by yours truly and Jim CipherLaw Denaro) and of course a whole pile of other tools for your pen-test bag of tricks. Enjoy!
- Gitlab-shell Code Execution by Brandon Knight exploits CVE-2013-4490
- ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection by Pedro Ribeiro exploits CVE-2014-3996
- VMTurbo Operations Manager vmtadmin.cgi Remote Command Execution by Emilio Pinna exploits CVE-2014-5073
- HybridAuth install.php PHP Code Execution by Brendan Coles and Pichaya Morimoto exploits OSVDB-109838
- MQAC.sys Arbitrary Write Privilege Escalation by Matt Bergin and Spencer McIntyre exploits CVE-2014-4971
- VirtualBox Guest Additions VBoxGuest.sys Privilege Escalation by Jay Smith and Matt Bergin exploits CVE-2014-2477
- VirtualBox 3D Acceleration Virtual Machine Escape by juan vazquez, Florian Ledoux, and Francisco Falcon exploits CVE-2014-0983
Auxiliary and post modules
- JBoss JMX Console Beanshell Deployer WAR Upload and Deployment by us3r777 exploits CVE-2010-0738
- Yokogawa BKBCopyD.exe Client by Unknown
- Wordpress XMLRPC DoS by Christian Mehlmauer and Nir Goldshlager
- IP Board Login Auxiliary Module by Christopher Truncer
- NTP Mode 7 PEER_LIST DoS Scanner by Jon Hart
- NTP Mode 7 PEER_LIST_SUM DoS Scanner by Jon Hart
- NTP Mode 6 REQ_NONCE DRDoS Scanner by Jon Hart
- NTP Mode 7 GET_RESTRICT DRDoS Scanner by Jon Hart
- NTP Mode 6 UNSETTRAP DRDoS Scanner by Jon Hart
- SSDP ssdp:all M-SEARCH Amplification Scanner by xistence
- Linux Gather Gnome-Commander Creds by David Bloom
For additional details on what's changed and what's current, please see Chris Doughty's most excellent release notes, as well as last week's release notes. which covers the period immediately following the 4.10 release.