egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Jul 22, 2016

Windows Privilege Escalation

In the long long ago, Windows users pretty much universally had local Administrator accounts. While that's still true in less mature environments, I think we have done a pretty good job as an industry of convincing folks to reduce users' privileges. Back in those days, privilege escalation exploits weren't all that useful because every exploit, executable, and Word macro already gave you the highest privileges. Today that's less true.

Even worse for the enterprising hacker, modern browser exploitation frequently gives you the lowest possible privileges, even without the ability to read or write files outside of certain directories or interact with processes other than your own, due to sandboxing. One major advantage of kernel vulnerabilities is the fact that they skip right out of those sandboxes straight to NT AUTHORITY\SYSTEM.

Two Windows vulnerabilities, one patched in February and the second in March, get exploits this week for your privilege escalating pleasure.

Test Our Mettle

Over the years there have been several iterations of Meterpreter for a POSIX environment, with limited success. As of this week, we're shipping a new contender for the throne of unix payloads: Mettle. It's a ground-up implementation of the Meterpreter protocol and feature set for multiple architectures and POSIX platforms. One of the barriers to such a payload has been the fact that it requires packaging up a static libc and any libraries it will need on target. This is in contrast to Windows, where the extreme adherence to backwards compatibility through the ages means that things like socket functions in ws2_32.dll can be relied upon pretty universally, which just isn't remotely true of all the various unices. Android's Bionic libc was the most recent attempt, but several issues have made it clear we needed something else. Mettle uses musl, a small, highly portable, optimized libc. While we're currently only testing Linux, musl's portability will give us the ability to expand to other things like Solaris and BSD in the future.

The old implementation will continue to live side-by-side with the new one for a while, but once Mettle has the main required features, the Bionic-based POSIX Meterpreter will be allowed to retire to a beach somewhere to drink margaritas and complain about kids these days.

New Modules

Exploit modules (5 new)

Auxiliary and post modules (3 new)

Get it

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.11...4.12.14

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Jul 8, 2016

Housekeeping

Since the last Wrapup, we've been continuing our long-running project of breaking up some of the old cobweb-encrusted parts of the framework codebase into smaller pieces that are easier to deal with. A few things, lib/sshkey and lib/bit-struct in particular, that for historical reasons were just slightly modified copies of a gem, have been pulled out entirely in favor of the upstream release. A bunch of other things have been pulled out into their own repositories, making the whole codebase a little tidier.

NBNS and BadTunnel

NBNS is the NetBIOS Name Service, which Windows uses to do fast local translations of hostnames to IP addresses. Like DNS, being able to lie about answers gives an attacker the ability to act as a Man-in-the-Middle. Unlike DNS, requests are broadcast to the local subnet. That means that listening for these requests and spoofing replies gets you a MitM stance on whatever they were requesting, a longstanding hacker favorite. This is also a downside because it means you have to be on the same local network as the victim to see those requests and know how to reply. However, all of this happens over UDP, which routers don't mind forwarding on to different subnets. You just need to guess the transaction ID, a 16-bit number. As it turns out, 16-bit numbers aren't that big and you can just spam packets until it works. You still need to know the hostname, though. Enter WPAD.

Hackers have loved Windows Proxy Automatic Discovery, or WPAD, forever. For those unfamiliar with it, it's an HTTP service that hosts a small piece of JavaScript for determining whether a given URL should go through a proxy. Windows uses this by default not just with all requests from Internet Explorer, but everything that uses the WinInet API.

One way to convince a client that you are their WPAD server is to respond to the NBNS lookup for a host with that name. Metasploit and other tools like Responder.py have been providing that handy service for years to great effect. But now you don't need to be on the same subnet. Now you can just spam replies for WPAD for a few seconds until you get lucky, and suddenly you can be in the middle of all HTTP requests by claiming to be their proxy. And it gets better. If you can somehow convince someone to send any NetBIOS traffic your way, you can do the same across NAT, thanks to BadTunnel.
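The defensive counterpart to the transaction-ID spraying described above is spotting it on the wire. The following is an added example, not code from the post or from Metasploit: it parses the NBNS header and first-level-encoded NetBIOS name, then flags any source that answers the same name (here WPAD) with many distinct transaction IDs, which is what a blind-guessing reply flood looks like in a capture. The packet builder and the capture are constructed test data; the threshold of 8 is an assumed tuning value.

```python
import struct
from collections import defaultdict

def encode_nb_name(name, suffix=0x00):
    """First-level encode a NetBIOS name: 15 chars (space padded) plus a suffix byte,
    each byte split into two nibbles mapped onto 'A'..'P', wrapped as a 32-byte label."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)
    return b"\x20" + enc + b"\x00"

def decode_nb_name(pkt, off):
    """Inverse of encode_nb_name; returns (name, suffix, offset past the label)."""
    if pkt[off] != 0x20:
        raise ValueError("unexpected NetBIOS label length")
    enc = pkt[off + 1:off + 33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15], off + 34

def build_nbns_response(tid, name, addr):
    """Constructed NB positive name response, used only to create sample input."""
    header = struct.pack("!6H", tid, 0x8580, 0, 1, 0, 0)   # R=1, AA=1, RD=1, RA=1, ANCOUNT=1
    rdata = b"\x00\x00" + bytes(int(o) for o in addr.split("."))  # NB_FLAGS + IPv4
    rr = encode_nb_name(name) + struct.pack("!HHIH", 0x0020, 0x0001, 300000, len(rdata)) + rdata
    return header + rr

def parse_nbns(pkt):
    """Parse the 12-byte NBNS header and the first record; returns a dict of fields."""
    tid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    name, suffix, off = decode_nb_name(pkt, 12)
    rec = {"tid": tid, "response": bool(flags & 0x8000), "name": name, "suffix": suffix}
    if rec["response"] and an:
        _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rdata = pkt[off + 10:off + 10 + rdlen]
        rec["addr"] = ".".join(str(b) for b in rdata[2:6])  # skip the 2-byte NB_FLAGS
    return rec

def flag_reply_floods(captured, threshold=8):
    """captured: list of (src_ip, udp_payload). Returns (src, name, distinct_tids) for
    sources answering one name with at least `threshold` different transaction IDs."""
    tids = defaultdict(set)
    for src, payload in captured:
        rec = parse_nbns(payload)
        if rec["response"]:
            tids[(src, rec["name"])].add(rec["tid"])
    return sorted((s, n, len(t)) for (s, n), t in tids.items() if len(t) >= threshold)

# Constructed capture: one ordinary answer, then a burst of WPAD answers from a single host.
SAMPLE = [("192.0.2.10", build_nbns_response(0x1234, "FILESRV", "192.0.2.10"))]
SAMPLE += [("198.51.100.7", build_nbns_response(0x4000 + i, "WPAD", "198.51.100.7")) for i in range(20)]
```

On a real capture, feed it the source IP and UDP payload of each packet seen on port 137; a legitimate resolver never needs more than one or two IDs per name.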

Have fun storming the castle.

Chained exploits

Nagios is a nifty monitoring tool that has basically become the de facto standard. They also produce a proprietary commercial frontend called Nagios XI. That frontend has a SQL injection vuln that can lead to authentication bypass. The bypass gives you access to a command injection. The command injection lets you run sudo without a password. Nothing but net.

Expect a more detailed write up on this one.

New Modules

Exploit modules (6 new)

Auxiliary and post modules (5 new)

Get it

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.7...4.12.11

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Rapid7 announced the end of life of Metasploit Pro 32-bit versions for both Windows and Linux operating systems on July 5th, 2017. This announcement applies to all editions: Metasploit Pro, Metasploit Express and Metasploit Community. After this date, Metasploit 32-bit platforms will not receive product or content updates. Metasploit Framework will continue to provide installers and updates for the 32-bit versions.

Milestones (Milestone: Description. Date):

End-of-life announcement date: The date that the end-of-life date was announced to the general public. July 5th, 2016

Last date of available installers: The last date Rapid7 will generate 32-bit installers. After this date, Rapid7 will continue to provide updates until the last date of support. July 5th, 2016

Last date of support: The last date to receive service and support for the product. After this date, all support services for the product are unavailable, and the product becomes obsolete. July 5th, 2017

Product Migrations

Customers are encouraged to migrate to Metasploit 64-bit versions of the product; installation files can be found in the following link. When upgrading, there may be changes to system requirements, including memory, so please view the System requirements to see if your current system meets the minimum requirements. To migrate to a newer platform, create a platform-independent backup and restore it on the new system; steps for migration can be found here.

More Information

For Metasploit Pro and Express customers, contact support@rapid7.com or your account manager for assistance.

For Metasploit Community customers, submit your inquiries to the community discussion forum.

For more information about Rapid7 End-Of-Life Policy, go to:

http://www.rapid7.com/docs/end-of-life-policy.pdf
