Let's Make Meterpreter
Metasploit, as you know, is quite near and dear to my heart. But, but it's not mine -- it's yours. This week, we're taking a survey of what features and functionality you want to see, and it's directed specifically to the open source community of both users and developers. If you're purely a Metasploit Pro user, feel free to give your feedback as well, of course. I won't stop you, but we expect this one to skew heavy to the open source crowd.
Also, I'm intensely lazy, and I hate writing technical roadmaps, much to the consternation of my management here at Rapid7. So, to that end, I'm asking for you to help me shirk my responsibilities as a Visionary Thought Leader, and take just three to six minutes to dream a little of where you'd like to take Meterpreter and the other post-exploit payloads. I believe we can do some really interesting, scary, fun things in there to advance the state of the art of penetration testing. We already have some good ideas of where to go in terms of stability and maintainability, thanks to Brent Cook's Maxing Meterpreter's Mettle initiative, so it's time to start thinking about pure functionality.
So, do me a solid, help me help you by punching the SurveyMonkey, and please don't tell my boss that you did this for me. It'll be just between us. Thanks. I owe you one.
This week, we've seen a surge in WordPress modules landing for Metasploit, all shepherded in by Rob Carr with help from our resident WordPress savant, Christian FireFart Mehlmauer. Among these modules is a handy, generic WordPress Admin Console exploit module, for use after you happen to get a privilege escalation through some other means. With it, you can drop the PHP Meterpreter payload, or any of about a dozen other compatible payloads, including the usual connect-back shells, listening shells, or download/exec command injections.
We have quite a collection of WordPress-based modules these days -- about thirty altogether. Does this mean that WordPress is just an inherently insecure web publishing platform? Absolutely not! The vulnerabilities exploited by the vast majority of these modules are introduced by certain WordPress plugins, of which there are tens of thousands. Not every one of them has undergone a thorough security audit. Of course, nearly all of them are free and open source, so where were you on that security audit, anyway? It's all our responsibility, after all.
In the end, we do only have 30-ish modules, which accounts for less than 0.1% of all the plugins available. Of course, the WP plugins the Metasploit community does care about tend to be pretty popular on their own -- the recent Photo Gallery exploit targets the plugin of the same name, which had about 600,000 downloads.
Generally, the use case for these exploits is to target that one internal WordPress server that HR or Finance or someone else set up on the company network, and that installation isn't maintained by the official IT organization, never gets updated, and basically ends up sitting there, unaccounted for, offering a more privileged path to the corporate network for the intrepid pen-tester. The lesson to be learned is that if you're going to take on some shadow-IT functions, you need to keep abreast of the latest patches and vulnerabilities, just like a real IT department. WordPress is fun and pretty easy to use, but you need to be careful with this stuff. This goes quintuple if your WordPress site is on the Internet.
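The shadow-IT lesson above comes down to knowing which plugins are installed on that forgotten server and at what version. As an added example (not code from this post, from Metasploit, or from WordPress itself), here is a small Python audit script that reads the comment header WordPress requires at the top of each plugin's main PHP file, extracts the Plugin Name and Version fields, and compares the version against a minimum known-fixed version the operator supplies. The plugin slugs, PHP sources and fixed versions embedded below are constructed placeholders for illustration, not real advisories; the version comparison deliberately handles the "1.9" versus "1.10" case that a plain string compare gets wrong.

```python
"""Inventory WordPress plugins from their header comments and flag outdated ones.

WordPress identifies a plugin by a comment block at the top of a PHP file in
the plugin's directory, containing lines such as "Plugin Name:" and "Version:".
This script parses those headers and checks each version against a minimum
known-fixed version supplied by the operator (the advisory table is an input,
not something this script knows on its own).
"""
import re
from pathlib import Path

# Matches "Plugin Name: X" or "Version: X" lines, tolerating a leading " * ".
HEADER_FIELD_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)
FIRST_COMMENT_RE = re.compile(r"/\*(.*?)\*/", re.DOTALL)


def parse_plugin_header(php_source: str) -> dict:
    """Return {'Plugin Name': ..., 'Version': ...} from the first comment block, or {}."""
    m = FIRST_COMMENT_RE.search(php_source)
    if not m:
        return {}
    return {key: value.strip() for key, value in HEADER_FIELD_RE.findall(m.group(1))}


def version_tuple(version: str) -> tuple:
    """Split '1.10.2' into (1, 10, 2). Non-numeric parts count as 0 (simplifying assumption)."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def is_outdated(installed: str, minimum_fixed: str) -> bool:
    """True if the installed version sorts below the minimum fixed version."""
    a, b = version_tuple(installed), version_tuple(minimum_fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))  # pad so '2.0' compares as '2.0.0'
    b += (0,) * (width - len(b))
    return a < b


def audit_sources(sources: dict, minimum_fixed: dict) -> list:
    """Audit {slug: php_source} against {slug: minimum_fixed_version}; return findings."""
    findings = []
    for slug, php in sorted(sources.items()):
        header = parse_plugin_header(php)
        version = header.get("Version", "")
        if slug not in minimum_fixed:
            status = "no advisory data"
        elif not version:
            status = "version unknown"
        elif is_outdated(version, minimum_fixed[slug]):
            status = f"outdated (fixed in {minimum_fixed[slug]})"
        else:
            status = "ok"
        findings.append({"slug": slug, "name": header.get("Plugin Name", slug),
                         "version": version, "status": status})
    return findings


def load_plugin_sources(plugins_dir: Path) -> dict:
    """Read wp-content/plugins/<slug>/*.php and keep the first file carrying a header."""
    sources = {}
    for plugin_dir in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
        for php_file in sorted(plugin_dir.glob("*.php")):
            text = php_file.read_text(errors="replace")
            if "Plugin Name" in parse_plugin_header(text):
                sources[plugin_dir.name] = text
                break
    return sources


# Constructed sample plugin sources (placeholders, not real plugins or versions).
SAMPLE_SOURCES = {
    "example-gallery": "<?php\n/*\nPlugin Name: Example Gallery\nPlugin URI: https://example.invalid\nVersion: 1.9\n*/\n",
    "example-importer": "<?php\n/**\n * Plugin Name: Example Importer\n * Version: 2.0.1\n */\n",
    "example-widget": "<?php\n/*\nPlugin Name: Example Widget\nVersion: 0.4\n*/\n",
}
# Constructed minimum known-fixed versions (placeholders for an operator-maintained table).
SAMPLE_MINIMUM_FIXED = {"example-gallery": "1.10", "example-importer": "2.0.1"}


def sample_audit() -> list:
    """Run the audit over the constructed samples."""
    return audit_sources(SAMPLE_SOURCES, SAMPLE_MINIMUM_FIXED)


if __name__ == "__main__":
    for f in sample_audit():
        print(f"{f['slug']:20} {f['name']:20} {f['version'] or '-':8} {f['status']}")
```

To run it against a real installation, call `audit_sources(load_plugin_sources(Path("/path/to/wp-content/plugins")), your_fixed_versions)`; the placeholder path and the fixed-version table are yours to supply.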
Since last week's blog post, we have 3 new exploits and 1 new auxiliary module. The only non-WordPress module this week comes from Juan Vazquez, who implemented an exploit for a ZDI-disclosed bug in HP's Client Automation software.
- HP Client Automation Command Injection by juan vazquez and Ben Turner exploits ZDI-15-038
- WordPress Admin Shell Upload by Rob Carr
- WordPress Holding Pattern Theme Arbitrary File Upload by Alexander Borg and Rob Carr exploits CVE-2015-1172
Auxiliary and post modules
- WordPress Ultimate CSV Importer User Table Extract by James Hooker and Rob Carr