45 Posts authored by: egypt Employee

Metasploit Weekly Wrapup

Posted by egypt Employee Dec 2, 2016

Terminal velocity

 

The terminal/shell interface has been around for decades and has a rich and storied history. Readline is the main library for shells like msfconsole to deal with that interface, but it's also possible for commandline tools to print ANSI escape sequences that the terminal treats specially.

 

When a shell like msfconsole has asynchronous output going to the terminal at unpredictable times, such as when a new session connects, that output can clobber the current prompt. That makes it hard to tell what you're typing and slows you down.

 

These short videos, created by @jennamagius, the contributor who submitted this patch, illustrate the issue and the new behavior:

[Video: GoldenThoroughHummingbird.gif]

[Video: LivelyDefiniteArrowana.gif]

 

The old behavior has annoyed me for a long time and I'm super glad to see that typing into a prompt can still be usable when you have a ton of shells flying in.
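As an added illustration (not the patch itself or msfconsole's code), here is the redraw technique in Ruby: erase the input line with an ANSI escape sequence, print the asynchronous message, then redraw the prompt and whatever the user had already typed. The prompt text and the session message are constructed samples.

```ruby
# Added example (not msfconsole's own code): how a readline-style shell can
# print asynchronous output without clobbering the line the user is typing.
# The recipe is: erase the current input line with an ANSI CSI sequence,
# print the message on its own line, then redraw the prompt and the partially
# typed command, and put the cursor back where it was.

class PromptRedrawer
  ERASE_LINE = "\r\e[2K" # carriage return + "erase entire line" (CSI 2 K)

  # prompt: the visible prompt text, e.g. "msf > "
  # buffer: what the user has typed so far
  # cursor: cursor index within buffer (0..buffer.length); defaults to the end
  def initialize(prompt, buffer: "", cursor: nil)
    @prompt = prompt
    @buffer = buffer
    @cursor = cursor || buffer.length
  end

  # Returns the exact byte string to write to the terminal so that +message+
  # appears above an intact prompt line. A naive implementation would write
  # +message+ wherever the cursor happens to be, splitting the input line.
  def async_output(message)
    text = message.end_with?("\n") ? message : message + "\n"
    out = ERASE_LINE + text + @prompt + @buffer
    # If the cursor was in the middle of the buffer, move it left again by
    # the number of characters that follow it (CSI n D).
    trailing = @buffer.length - @cursor
    out += "\e[#{trailing}D" if trailing > 0
    out
  end
end

# The visible text a terminal ends up showing on the prompt line after
# interpreting the sequence: strip CSI sequences, then honour "\n" and "\r".
# This lets the behaviour be checked without a real terminal.
def final_prompt_line(sequence)
  visible = sequence.gsub(/\e\[[0-9;]*[A-Za-z]/, "")
  visible.split("\n").last.split("\r").last
end
```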

 

New Modules

 

Exploit modules (4 new)

 

Auxiliary and post modules (1 new)

 

Get it

 

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.


Metasploit Wrapup

Posted by egypt Employee Nov 18, 2016

Everything old is new again

 

As you probably already know, hardware manufacturers are not always great at security. Today we'll be picking on Netgear, who produce a WiFi router called the WNR2200. This cute little device, brand new out of the box on store shelves today, runs Linux 2.6.15 with Samba 3.0.24. For those of you keeping score at home, those versions were released in 2007. Way back in 2007, Samba had a pre-auth heap buffer overflow vulnerability in the LsarLookupSids RPC call, for which Metasploit has had an exploit since shortly after the bug's disclosure.

 

Unfortunately for people who like shells, the exploit only worked on x86 targets, so popping these new routers with old exploits wasn't feasible. Until now. Thankfully, JanMitchell came to the rescue, porting it to MIPS for all your ridiculously-old-software-on-a-brand-new-router hacking needs.

 

Steal all the things

 

A few weeks ago, we talked about stealing AWS metadata. This update adds a post module (post/multi/gather/awks_keys) that will extract credentials and other valuable AWS information from a compromised machine that has the AWS console/CLI installed and configured with credentials. Those credentials can then be used to access every AWS resource the user has access to.

 

Book keeping

 

There won't be a release next week because of the Thanksgiving holiday here in the US. Automated nightly installers for the open source framework will still be automatically built nightly as you might expect.

 

New Modules

 

Exploit modules (8 new)

 

Auxiliary and post modules (6 new)

 

Get it

 

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.38...4.12.42

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.


Weekly Metasploit Wrapup

Posted by egypt Employee Oct 28, 2016

What time is it?

 

If you want to run some scheduled task, either with schtasks or cron, you have to decide when to run that task. In both cases, the schedule is based on what time it is according to the victim system, so when you make that decision, it's super helpful to know what the victim thinks the current time is.

 

As of #7435, Meterpreter has a localtime command that gives you that information and then it's peanut butter jelly time.

 


 

 

Unicode

 

Windows uses UTF-16LE to store hostnames (and pretty much everything else). For ASCII characters, you can convert to that format simply by inserting a NULL byte after each ASCII byte. When you run into a hostname that uses characters with no direct ASCII equivalent, conversion is a lot more complex. As of this week, that complexity is handled correctly for hostnames in Metasploit. This affects several things that use the SMB protocol, including smb_version, and the places where hostnames are displayed in msfconsole.
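As an added example (not Metasploit's code), the Ruby below puts the NULL-insertion shortcut next to a real UTF-16LE encode/decode and shows exactly where the shortcut stops agreeing with the correct result. The hostnames are constructed samples.

```ruby
# Added example (not Metasploit's own code): why "insert a NUL after every
# byte" only works for ASCII hostnames, and what correct UTF-16LE handling
# looks like in Ruby. All hostnames here are constructed samples.

# The ASCII-only shortcut described above: interleave a 0x00 after each byte
# of the raw string. Correct only while every byte is < 0x80.
def naive_utf16le(host)
  host.b.each_byte.map { |b| [b, 0].pack("C2") }.join.b
end

# Correct conversion: the encoder handles code points above 0x7F, including
# astral characters that need a surrogate pair (two code units, four bytes).
def utf16le(host)
  host.encode("UTF-16LE").b
end

# The reverse direction, as a tool must do when an SMB server hands back a
# UTF-16LE hostname: tag the bytes as UTF-16LE, then transcode for display.
def from_utf16le(bytes)
  raise ArgumentError, "UTF-16LE data must have an even length" if bytes.bytesize.odd?
  bytes.dup.force_encoding("UTF-16LE").encode("UTF-8")
end

# true only when the shortcut happens to agree with the real encoding, i.e.
# the hostname is pure ASCII. Anything else is silently mangled by it.
def naive_ok?(host)
  naive_utf16le(host) == utf16le(host)
end
```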

 

----- BENIGN CERTAIN -----

 

Along with Extra Bacon, the fun SNMP RCE bug for Cisco devices we mentioned here a couple months ago, the same dump included an information disclosure vulnerability in Cisco devices as well. The result is similar to what you get with Heartbleed - random memory contents that can sometimes contain credentials.

 

APK Injection

 

Android Application Packages (APK files) are very similar to JAR files. They're basically a zip archive with a certain directory structure. Android requires that APKs be cryptographically signed before the system will allow you to install them. Earlier this year, we added the ability to use an existing APK as a template for your payload, but of course that makes the signature invalid. To fix it up, we re-sign with a new certificate.

 

As of this week, that certificate will match all of the metadata from the original template's signature, which makes the installed app a bit less conspicuous.
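As an added example (not Metasploit's signing code), the Ruby below builds a certificate that copies the subject, issuer, serial and validity of a template signing certificate onto a fresh key, and then shows the check that still separates the two: the certificate fingerprint, which is what a signer-pinning verifier should compare. Both certificates are generated in the block; nothing is read from a real APK.

```ruby
require "openssl"

# Added example (not Metasploit's own code): re-signing with a certificate
# whose visible metadata is copied from the template APK's signing
# certificate, and the defender-side check that still tells them apart.
# Both certificates are constructed here; no real APK is involved.

# Stand-in for the template APK's self-signed signing certificate.
def template_certificate
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509v3
  cert.serial = 0x1A2B3C
  cert.subject = OpenSSL::X509::Name.parse("/CN=Example Games/O=Example Ltd/C=US")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.utc(2015, 3, 1)
  cert.not_after = Time.utc(2042, 3, 1)
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Build a fresh self-signed certificate that copies every visible field of
# +original+ but is bound to a new private key (the "matching metadata"
# behaviour described above). Returns [certificate, private_key].
def clone_metadata(original)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = original.version
  cert.serial = original.serial
  cert.subject = original.subject
  cert.issuer = original.issuer
  cert.not_before = original.not_before
  cert.not_after = original.not_after
  cert.public_key = key.public_key
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# What a casual look at the app's signing info shows. It cannot distinguish
# a re-signed APK from the original once the metadata has been copied.
def metadata_matches?(a, b)
  a.subject.to_s == b.subject.to_s &&
    a.issuer.to_s == b.issuer.to_s &&
    a.serial == b.serial &&
    a.not_before == b.not_before &&
    a.not_after == b.not_after
end

# Android pins an app's signer by the certificate itself, so a hash over the
# DER encoding (which covers the public key) is the check a verifier should
# use to decide whether an update really comes from the same signer.
def cert_fingerprint(cert)
  OpenSSL::Digest.new("SHA256").hexdigest(cert.to_der)
end

def same_signer?(a, b)
  cert_fingerprint(a) == cert_fingerprint(b)
end
```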

 

Local File Inclusion

 

In the world of PHP, Local File Includes or LFIs are a common vulnerability due to the nature of the language and how its include and require directives work. That class of vulnerability is a lot less common in other languages, so it was a bit surprising when the details of CVE-2016-0752 came out. What was believed to be merely a local file read vulnerability in Ruby on Rails when the bug was first made public back in February can actually be turned into a local file include vulnerability. This works because the file that Rails is reading is actually used as a template that can contain. (Note that's ERB, not ERB.)

 

New Modules

 

This wrapup covers a few weeks, so the new module count is quite a bit higher than usual.

 

Exploit modules (9 new)

 

 

Auxiliary and post modules (6 new)

 

 

Get it

 

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.30...4.12.38

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.


Weekly Metasploit Wrapup

Posted by egypt Employee Oct 7, 2016

Silence is golden

 

Taking screenshots of compromised systems can give you a lot of information that might otherwise not be readily available. Screenshots can also add a bit of extra spice to what might be an otherwise dry report. For better or worse, showing people that you have a shell on their system often doesn't have much impact. Showing people screenshots of their desktop can evoke a visceral reaction that can't be ignored. Plus, it's always hilarious seeing Microsoft Outlook open to the phishing email that got you a shell. In OSX, this can be accomplished with the module post/osx/capture/screenshot. Prior to this week's update, doing so would trigger that annoying "snapshot" sound, alerting your victim to their unfortunate circumstances. After a small change to that module, the sound is now disabled so you can continue hacking on your merry way, saving the big reveal for some future time when letting them know of your presence is acceptable.

 

Check your sums before you wreck your sums

 

Sometimes you just want to know if a particular file is the same as what you expect or what you've seen before. That's exactly what checksums are good at. Now you can run several kinds of checksums from a meterpreter prompt with the new checksum command. Its first argument is the hash type, e.g. "sha1" or "md5", and the rest are remote file names.

 

Metadata is best data, everyone know this

 

As more and more infrastructure moves to the cloud, tools for dealing with the various cloud providers become more useful.

 

If you have a session on an AWS EC2 instance, the new post/multi/gather/aws_ec2_instance_metadata can grab EC2 metadata, which "can include things like SSH public keys, IPs, networks, user names, MACs, custom user data and numerous other things that could be useful in EC2 post-exploitation scenarios." Of particular interest in that list is custom user data. People put all kinds of ridiculous things in places like that and I would guess that there is basically 100% probability that the EC2 custom field has been used to store usernames and passwords.

 

Magical ELFs

 

For a while now, msfvenom has been able to produce ELF library (.so) files with the elf-so format option. Formerly, these only worked with the normal linking system, i.e., they worked when an executable loaded them from /usr/lib or wherever, but due to a couple of otherwise unimportant header fields, they didn't work with LD_PRELOAD. For those who are unfamiliar with LD_PRELOAD, it's a little bit of magic that allows the linker to load a library implicitly rather than as a result of the binary saying it needs that library. This mechanism is often used for debugging, so you can stub out functions or make them behave differently when you're trying to track down a tricky bug.

 

It's also super useful for hijacking functions. This use case provides lots of fun shenanigans you can do to create a userspace rootkit, but for our purposes, it's often enough simply to run a payload so a command like this:

LD_PRELOAD=./mettle.so /bin/true

will result in a complete mettle session running inside a /bin/true process.

 

New Modules

 

Exploit modules (1 new)

Auxiliary and post modules (3 new)

 

Get it

 

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.28...4.12.30

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.


Weekly Metasploit Wrapup

Posted by egypt Employee Sep 30, 2016

Extra Usability

 

Commandline tools in general are powerful, but come with a learning curve. When you've been using a tool for a long time, that curve becomes a status quo that embeds itself in your fingers. That isn't always a good thing because it tends to make you blind to how things can be better and it takes an effort of introspection to notice inefficiencies. Even then, you weigh those inefficiencies against the effort required to improve.

 

An example of that is msfconsole's route command, which gets a bit of a spruce up this week. Instead of showing help output when given no arguments, it now shows the current routing table. In addition, it now supports using a session id of "-1" to indicate the most recent session, just like you can do for the SESSION option in post modules.

 

Extra privilege escalation

 

In the last few years, privilege escalation has become more important in the Windows world but it has always been a staple on Unix operating systems. This update brings two privilege escalation modules, one for the Linux kernel and one for NetBSD's /usr/libexec/mail.local, for your rooting pleasure.

 

Extra Meta Metasploitation

 

As I mentioned in the last wrapup, we've landed @justinsteven's modules for attacking Metasploit from Metasploit. The first, metasploit_static_secret_key_base, exploits the way Rails cookies are serialized and the fact that an update would step on the randomly generated secret key with a static one. Check out the full details if you're interested in how that works.

 

The second, metasploit_webui_console_command_execution, isn't a vulnerability as such. Rather, it takes advantage of the fact that admin users can run msfconsole in the browser, and therefore run commands on the server. This is the sort of thing that can't be patched without just removing the functionality altogether; it's literally a feature, not a bug. Authenticated administrators can do administrator things, as you might expect.

 

Extra Android Exploit

 

At Derbycon last week, long-time friend of the Metasploit family @jduck released his latest version of Stagefright, an exploit for Android's libstagefright. He demo'd exploiting a Nexus device, but lots of other stuff is vulnerable too. Due to the rampant fragmentation in the Android world, this year-old bug is probably going to be showing up on new phones sitting on store shelves for quite a while yet.

 

Extra Bacon


And last but not least, this week brings a module for exploiting EXTRABACON, the Cisco ASA vulnerability made public by the Shadowbroker leak a few weeks ago. The bug is a buffer overflow in SNMP object id strings. The module does exactly what the Equation Group exploit does -- it disables authentication on the victim device and allows you to log in over ssh or telnet with no password. This module was a collaboration between lots of folks and improves on the coverage of the original exploit, even adding targets for some 9.x devices that the advisory says are not affected.

 

This democratization of exploits through open source continues to show that being open and transparent leads to better exploits, more public knowledge, and better patches.

 

New Modules

 

Exploit modules (7 new)

 

Auxiliary and post modules (1 new)

Get it

 

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.25...4.12.28

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.


Weekly Metasploit Wrapup

Posted by egypt Employee Sep 16, 2016

Security is hard

 

I usually focus exclusively on the Metasploit Framework here on these wrapups, but this week is a little special. This week the Metasploit commercial products (Pro, Express, and Community) come with a fix for a couple of vulnerabilities. You heard that right, remotely exploitable vulns in Metasploit. Our lovely engineering manager, Brent Cook, helpfully wrote up the details yesterday.

 

TL;DR - Three bugs, two of which work together: 1) the filter restricting the creation of the first admin account to localhost was broken. As has always been the case, having an admin account on Metasploit lets you run commands on the server. 2) The randomly generated session key got stepped on by a static one whenever updates were applied, so the same key was used for every Metasploit installation. Combined with 3) session cookies being serialized Ruby, that's code exec, too.

 

Security is hard and even experts like us screw it up sometimes. But in true Metasploit fashion, we're not content to just patch the vuln. There is currently a Pull Request in review that will get you shells on Metasploit if you know credentials. Since it's Authenticated Code Execution by Design, it will work even without this vulnerability as long as you can steal a username and password. Expect that to land soon and be in the next wrapup. And while you're waiting, go double check to make sure you did the initial account setup on your Metasploit installs.

 

Download improvements

 

It's a bit of a hassle if a download gets interrupted, especially if the file is large. Thanks to first-time contributor cayee, you can now continue an interrupted download with Meterpreter's new download -c.

 

Module documentation

 

We've been pumping out better documentation for individual modules for a few months now, since the introduction of info -d, which gives you nice pretty markdown.

 

If you have wanted to contribute but didn't know what you wanted to work on, this is a great place to get started. Check out the Module Documentation milestone for a list of the modules we think are the highest priority. Github won't let you assign a ticket to someone who isn't part of the Metasploit organization, so leave a comment on one of those issues to claim it so others don't duplicate your work.

 

New Modules

Exploit modules (1 new)

Auxiliary and post modules (4 new)

Get it

 

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.22...4.12.25

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.


Weekly Metasploit Wrapup

Posted by egypt Employee Sep 2, 2016

PHP Shells Rising from the Flames

 

Phoenix Exploit Kit is your standard run-of-the-mill crimeware system, written in PHP, whose creator apparently got popped by the FSB earlier this year. Like many exploit kits, it has a back door, this one allowing you to eval whatever PHP code you like by sending it in a GET parameter (subtly named 'bdr'). Of course running arbitrary PHP allows us control of the underlying operating system to various degrees depending on configuration.

 

I love the idea of popping shells in malware. We've been doing it for a while, since way back in the day with exploit/windows/ftp/sasser_ftpd_port, an exploit for the FTP server run on compromised machines by the sasser worm, and I was delighted to discover that I'm not the only one who finds exploits for malware to be hilarious.

 

MalSploitBase is a database of exploits for known vulns in evil things just like these. Even better, its code is available on github (https://github.com/misterch0c/malSploitBase) and the author encourages pull requests.

 

How come you never call anymore?

 

If you create child processes from your Meterpreter session, you often want to keep track of them and make sure they're not staying out too late or getting caught up with the wrong crowd. A new option to Meterpreter's ps command makes that a little easier, giving you a nice printout of all the children of your current process.

 

Other Post stuff

 

A few fun new modules from an up-and-coming contributor h00die make persistence on Linux a bit easier in the latest release. One of the big advantages of having modules for doing persistence instead of dropping files manually is the ability to automate it. For example, putting post/linux/manage/sshkey_persistence in your AutoRunscript option for an exploit lets you automatically establish a way back in without having to think about it in the crucial first few minutes of having a shell.

 

And finally, for an exciting exfiltration extravaganza, post/multi/manage/zip gives you a platform-agnostic way of zipping up a directory for simplified pilfering.

 

New Modules

 

Exploit modules (5 new)

Auxiliary and post modules (3 new)

 

Get it

 

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.19...4.12.22

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.


Weekly Metasploit Wrapup

Posted by egypt Employee Jul 22, 2016

Windows Privilege Escalation

 

In the long long ago, Windows users pretty much universally had local Administrator accounts. While that's still true in less mature environments, I think we have done a pretty good job as an industry of convincing folks to reduce users' privileges. Back in those days, privilege escalation exploits weren't all that useful because every exploit, executable, and Word macro already gave you the highest privileges. Today that's less true.

 

Even worse for the enterprising hacker, modern browser exploitation frequently gives you the lowest possible privileges, even without the ability to read or write files outside of certain directories or interact with processes other than your own, due to sandboxing. One major advantage of kernel vulnerabilities is the fact that they skip right out of those sandboxes straight to NT AUTHORITY\SYSTEM.

 

Two Windows vulnerabilities, one patched in February and the second in March, get exploits this week for your privilege escalating pleasure.

 

Test Our Mettle

 

Over the years there have been several iterations of Meterpreter for a POSIX environment, with limited success. As of this week, we're shipping a new contender for the throne of unix payloads: Mettle. It's a ground-up implementation of the Meterpreter protocol and featureset for multiple architectures and POSIX platforms. One of the barriers to such a payload has been the fact that it requires packaging up a static libc and any libraries it will need on target. This is in contrast to Windows where the extreme adherence to backwards compatibility through the ages means that things like socket functions in ws2_32.dll can be relied upon pretty universally, which just isn't remotely true of all the various unices. Android's Bionic libc was the most recent, but several issues have made it clear we needed something else. Mettle uses musl, a small, highly portable, optimized libc. While we're currently only testing Linux, musl's portability will give us the ability to expand to other things like Solaris and BSD in the future.

 

The old implementation will continue to live side-by-side with the new one for a while, but once Mettle has the main required features, the Bionic-based POSIX Meterpreter will be allowed to retire to a beach somewhere to drink margaritas and complain about kids these days.

 

New Modules

 

Exploit modules (5 new)

Auxiliary and post modules (3 new)

Get it

 

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.11...4.12.14

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.


Weekly Metasploit Wrapup

Posted by egypt Employee Jul 8, 2016

House keeping

 

Since the last Wrapup, we've been continuing our long-running project of breaking up some of the old cobweb-encrusted parts of the framework codebase into smaller pieces that are easier to deal with. A few things, lib/sshkey and lib/bit-struct in particular, that for historical reasons were just slightly modified copies of a gem, have been pulled out entirely in favor of the upstream release. A bunch of other things have been pulled out into their own repositories, making the whole codebase a little tidier.

 

NBNS and BadTunnel

 

NBNS is the NetBIOS Name Service, which Windows uses to do fast local translations of hostnames to IP addresses. Like DNS, being able to lie about answers gives an attacker the ability to act as a Man-in-the-Middle. Unlike DNS, requests are sent broadcast to the local subnet. That means that listening for these requests and spoofing replies gets you a MitM stance on whatever they were requesting, a longstanding hacker favorite. This is also a downside because it means you have to be on the same local network as the victim to see those requests and know how to reply. However, all of this happens over UDP, which routers don't mind forwarding on to different subnets. You just need to guess the transaction ID, a 16-bit number. As it turns out, 16-bit numbers aren't that big and you can just spam packets until it works. You still need to know the hostname, though. Enter WPAD.

 

Hackers have loved Windows Proxy Automatic Discovery, or WPAD, forever. For those unfamiliar with it, it's an HTTP service that hosts a small piece of javascript for determining whether a given URL should go through a proxy. Windows uses this by default not just for all requests from Internet Explorer, but for everything that uses the WinInet API.

One way to convince a client that you are their WPAD server is to respond to the NBNS lookup for a host with that name. Metasploit and other tools like Responder.py have been providing that handy service for years to great effect. But now you don't need to be on the same subnet. Now you can just spam replies for WPAD for a few seconds until you get lucky and suddenly you can be in the middle of all HTTP requests by claiming to be their proxy. And it gets better. If you can somehow convince someone to send any NetBIOS traffic your way, you can do the same across NAT, thanks to BadTunnel.
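As an added, defender-side example (not Metasploit's or Responder's code), here is what a transaction-ID spray looks like to something watching the wire: a decoder for NBNS name-query responses and a check that flags one name answered under many different transaction IDs, which legitimate resolution never produces. Every packet is constructed by the block's own nbns_response helper; the names, addresses and threshold are assumptions.

```ruby
# Added example (not Metasploit's or Responder's code): decode NBNS responses
# and flag the pattern described above, a burst of positive answers for one
# name (WPAD) carrying many different 16-bit transaction IDs. A real client
# sends one query and gets one answer with one ID; a spray means guessing.
# All packets here are constructed samples built with nbns_response.

NBNS_TYPE_NB = 0x0020
NBNS_FLAGS_RESPONSE = 0x8500 # QR=1, opcode=query, AA=1, RD=1, RCODE=0

# NetBIOS first-level encoding: pad the name to 15 chars, append the suffix
# byte, then map each nibble to 'A'..'P'. Yields the 32-byte label.
def encode_nb_name(name, suffix = 0x00)
  raw = name.upcase[0, 15].ljust(15) + suffix.chr
  raw.each_byte.map { |b| [(b >> 4) + 0x41, (b & 0x0F) + 0x41].pack("C2") }.join
end

# Inverse of encode_nb_name; returns [name, suffix].
def decode_nb_name(label)
  bytes = label.chars.each_slice(2).map { |hi, lo| ((hi.ord - 0x41) << 4) | (lo.ord - 0x41) }
  [bytes[0, 15].pack("C*").rstrip, bytes[15]]
end

# Build a positive NBNS name-query response for +name+ pointing at +ip+.
def nbns_response(txid, name, ip)
  header = [txid, NBNS_FLAGS_RESPONSE, 0, 1, 0, 0].pack("n6")
  qname = [0x20].pack("C") + encode_nb_name(name) + "\x00"
  rdata = [0x0000].pack("n") + ip.split(".").map(&:to_i).pack("C4") # NB flags + address
  rr = qname + [NBNS_TYPE_NB, 0x0001, 300, rdata.bytesize].pack("nnNn") + rdata
  (header + rr).b
end

# Parse one datagram into a hash, or nil for anything that is not a positive
# NB answer, so truncated or unrelated UDP payloads are simply skipped.
def parse_nbns_response(pkt)
  return nil if pkt.bytesize < 12
  txid, flags, _qd, an = pkt.unpack("n4")
  return nil if (flags & 0x8000).zero? || (flags & 0x000F) != 0 || an.zero?
  off = 12
  return nil unless pkt.getbyte(off) == 0x20 && pkt.bytesize >= off + 34 + 10
  label = pkt.byteslice(off + 1, 32)
  off += 34 # length byte, 32-byte label, terminating zero-length label
  type, _klass, _ttl, rdlen = pkt.byteslice(off, 10).unpack("nnNn")
  off += 10
  return nil unless type == NBNS_TYPE_NB && rdlen >= 6 && pkt.bytesize >= off + rdlen
  name, suffix = decode_nb_name(label)
  ip = pkt.byteslice(off + 2, 4).unpack("C4").join(".")
  { txid: txid, name: name, suffix: suffix, ip: ip }
end

# Group responses by answered name and report names that were answered under
# more than +threshold+ distinct transaction IDs, with the addresses offered.
def detect_txid_spray(packets, threshold: 8)
  by_name = Hash.new { |h, k| h[k] = { txids: {}, ips: {} } }
  packets.each do |pkt|
    r = parse_nbns_response(pkt) or next
    by_name[r[:name]][:txids][r[:txid]] = true
    by_name[r[:name]][:ips][r[:ip]] = true
  end
  by_name.select { |_, v| v[:txids].size > threshold }
         .map { |name, v| { name: name, distinct_txids: v[:txids].size, ips: v[:ips].keys } }
end
```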

 

Have fun storming the castle.

 

Chained exploits

 

Nagios is a nifty monitoring tool that has basically become the defacto standard. They also produce a proprietary commercial frontend called Nagios XI. That frontend has a SQL injection vuln that can lead to authentication bypass. The bypass gives you access to a command injection. The command injection lets you run sudo without a password. Nothing but net.

 

Expect a more detailed write up on this one.

 

New Modules

 

Exploit modules (6 new)

Auxiliary and post modules (5 new)

 

Get it

 

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.7...4.12.11

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.


Weekly Metasploit Wrapup

Posted by egypt Employee Jun 16, 2016

Steal all the passwords

 

I talk a lot about Authenticated Code Execution, but of course that's not the only thing that authenticated access can get you. This week's update comes with a couple of modules for using known credentials to extract more credentials. The first is for Symantec Brightmail, an email filtering gateway that comes with a management interface for administrators. Any account with read access is allowed to look at the encrypted LDAP credentials stored in Brightmail. Fortunately for us, the encryption is reversible and the system also kindly uses a known key. The second module is for Canon multi-function printers, because of course your printer needs to store a bunch of plaintext passwords; I mean, why wouldn't it? This one also requires authentication, but it's a printer, so of course there's a default that no one ever changes.

 

Payload options in jobs output

 

To see the stuff running in the background, msfconsole has a jobs command. There are some pertinent pieces of info you usually want to see in that display, but a console interface makes it kinda tough to view it all because of the limited column width. A recent feature, the ability to control the URI a reverse_http payload calls back to with the LURI option, puts extra pressure on that limited space. To make that a little easier, payload options are now all condensed into a single column, so instead of separate LPORT, LHOST, and LURI columns, you just have "Payload opts":

 

 

msf exploit(ie_cbutton_uaf) > jobs

Jobs
====

  Id  Name                                       Payload                           Payload opts
  --  ----                                       -------                           ------------
  0   Exploit: windows/browser/adobe_flash_pcre  windows/meterpreter/reverse_http  http://10.6.0.65:8080/index.php
  1   Exploit: windows/browser/ie_cbutton_uaf    windows/meterpreter/reverse_tcp   tcp://10.6.0.65:8181


msf exploit(ie_cbutton_uaf) > jobs -v

Jobs
====

  Id  Name                                       Payload                           Payload opts                     URIPATH   Start Time                 Handler opts
  --  ----                                       -------                           ------------                     -------   ----------                 ------------
  0   Exploit: windows/browser/adobe_flash_pcre  windows/meterpreter/reverse_http  http://10.6.0.65:8080/index.php  /flash    2016-06-16 13:50:31 -0500  http://0.0.0.0:8080/index.php
  1   Exploit: windows/browser/ie_cbutton_uaf    windows/meterpreter/reverse_tcp   tcp://10.6.0.65:8181             /cbutton  2016-06-16 13:51:00 -0500 

 

Gifts that keep on giving

Shellshock is one of my favorite bugs of all time. It's simple to exploit, results in RCE, and is in a thing that everyone takes for granted. The latest incarnation of it is in IPFire, an open source Linux firewall, but I'm sure we'll see it again.

 

New Modules

 

Exploit modules (6 new)

Auxiliary and post modules (4 new)

 

Get it

 

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.5...4.12.7

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.


Weekly Metasploit Wrapup

Posted by egypt Employee May 20, 2016

Check the computer, the mainframe computer

 

This week's update comes with our first ever exploit module for z/OS, the operating system used by mainframes, from our friend Bigendian Smalls who also built the payloads. The module in question is an example of authenticated code execution by design, which takes advantage of a design feature allowing users to submit jobs via uploading files to an FTP daemon.

 

So all we have to do is load it anywhere into the credit union mainframe, and it'll do the rest.

 

More movie hacking

 

Also this week, we have a module straight out of the movies. Long-time contributor nstarke brings us another fun RCE-by-design exploit, this time for a TP-Link surveillance camera. From a network perspective it's just another embedded Linux system, of course, but having root on one of these things means you can potentially steal surveillance video or even replace the feed with old benign images while you steal those diamonds from under the nose of that hapless security guard.

 

[Image: operations center with video surveillance monitors]

 

 

Documenting modules

 

Our friendly neighborhood exploit dev, sinn3r, recently put together a really handy system for writing module documentation in markdown. I haven't mentioned it in a Wrapup yet because I'm working on a bigger announcement, but for now it will suffice to say that markdown docs are super fun and easy to write, and that figuring out how a module is supposed to work has never been easier. From msfconsole, just type info -d and you'll get the full knowledge base for the given module.

 

We've already added supporting documentation for several modules, including the new mainframe exploit module mentioned above. If you've ever wanted to contribute, but don't feel like you want to write code, this is a great place to get started.

 

New Modules

 

Exploit modules (3 new)

 


Auxiliary and post modules (2 new)

Get it

 

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.11.26...4.12.2

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.


Weekly Metasploit Wrapup

Posted by egypt Employee May 11, 2016

Resolve, v. transitive

Sometimes the biggest things that make working with a tool fun are the small things. One of those things is the recent addition of a resolve command for Meterpreter. It does what it sounds like: it resolves a hostname to an IP address on the victim system, taking advantage of the local DNS. Of course, that's not a huge thing, but it is pretty convenient.

Strut, v. intransitive

This update also comes with a fun exploit for Apache Struts, a web framework for webby things. It's a Model-View-Controller framework for Java web applications, somewhat similar to Rails in the ruby world. Bugs in frameworks like this can end up lasting a lot longer than in applications, as all the things that depend on it have to be updated too.

Magick, n.

Also in this update is a shiny new exploit module for the latest Branded Vulnerability(tm), ImageTragick. In this case though, it can actually get you shells. As the advisory explains, this is a command injection vulnerability in the way image metadata is passed to a conversion utility. It's tough to gauge how useful this will be since it depends a lot on how applications use ImageMagick, but the potential is pretty shiny. If you've found something that uses it in a vulnerable way, it sure would be keen if you'd let us know and even more awesome would be a module for it in a new Pull Request.

Committer, n.

In great open-source-land news, we've added a new committer! As Tod mentioned the last time this happened, new committers don't come along very often and when they do it's usually surprising to learn that they aren't already committers because they've been around for quite a while. Mubix has been a long-time friend of the Metasploit family, helping out with code review, module development, and lots of testing. He has also helped countless people learn about Metasploit features with his fabulous Metasploit Minute series with Hak5.

The open source community has always been integral to Metasploit. Adding new Committers increases the Bus Factor of the project. Non-Rapid7 Committers are super important for the vitality of the project and help cement the relationship between Rapid7 and the community.

Also, Mubix is a personal friend of mine and I think he's a hoopy frood who really knows where his towel is. I'm excited to see how he'll use his new-found powers.

In fact, he's already landed his first Pull Request, which brings me to...

Portfwd, n.

Some of the most fun you can have with Meterpreter is by sending your evil packets through it. One way to do that is the portfwd command, which allows you to do what it sounds like -- forward connections from one port to another. This works pretty similarly to port forwarding in SSH, except that previously, it was only possible to listen on the attack platform and forward connections to the victim's network. As of this update, you can go the other direction as well. By setting up a reverse forward, you can tell Meterpreter to listen on the victim system and have it forwarded back to the network where Metasploit is running. For the latest in fun stuff happening in Meterpreter land, I recommend checking out OJ's recent bloggery on the subject.

New Modules

Exploit modules (3 new)

Get it

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.11.23...4.11.26

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Apr 27, 2016

I did some security research on industrial control systems for a while. It was a fun and rewarding experience in which I found tons of usually very simple bugs. Security in that sector was nascent, with the technology being brought forward from the dark ages of everything being on serial. Things are a bit different today, in no small part due to the fine work of many security researchers convincing vendors to step up their game and buyers learning how to ask the right questions before a purchase. SCADA gear is increasingly moving toward modern operating systems with modern security protections. This is very much a Good Thing (tm).

Nevertheless, software is hard. From last week's graph, you already know that the more software you have, the more likely that some of it is broken. Further, there's a lot of super old code in ICS.

Enter Advantech WebAccess Dashboard Viewer, "a fully web-based HMI and SCADA software package for industrial automation." It's basically a web application written in ASPX that lets you twiddle valves and flip switches. Like many web apps, it offers the ability to upload files, and like many web apps, it stores them in the web root and doesn't really care what those files are. Which, of course, means a very simple path to arbitrary code execution.

Maybe someday we'll get rid of newb mistakes. Not today, though.
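As an added illustration of the upload mistake described above (constructed example code in Ruby, Metasploit's own language; it is not Advantech's code and not the Metasploit module): the unsafe shape, where the client's filename is trusted and the file lands under the web root, beside a hardened store routine. The directory names, the extension allowlist and the size limit are assumptions made for the example.

```ruby
require 'securerandom'
require 'fileutils'

# Constructed example, not Advantech's code. This is the shape of the
# Dashboard Viewer bug: the client-supplied name is used as-is and the
# file is written under the web root, so an uploaded .aspx is reachable
# over HTTP and the server runs it. (A name with "../" also walks out
# of the uploads directory.)
def unsafe_store(webroot, client_filename, data)
  path = File.join(webroot, 'uploads', client_filename)
  FileUtils.mkdir_p(File.dirname(path))
  File.binwrite(path, data)
  path
end

# Hardened shape (assumed policy): extension allowlist, size cap, the
# client's name discarded in favour of a random one, and storage outside
# the web root so nothing uploaded is ever mapped to a URL by the server.
ALLOWED_EXT = %w[.png .jpg .jpeg .gif .csv].freeze
MAX_BYTES   = 5 * 1024 * 1024

class UploadRejected < StandardError; end

def safe_store(storage_root, client_filename, data)
  # basename drops any directory part, so "../../x.png" cannot escape
  base = File.basename(client_filename.to_s)
  ext  = File.extname(base).downcase
  raise UploadRejected, "extension #{ext.inspect} not allowed" unless ALLOWED_EXT.include?(ext)
  raise UploadRejected, "too large (#{data.bytesize} bytes)" if data.bytesize > MAX_BYTES

  name = "#{SecureRandom.hex(16)}#{ext}" # nothing from the client survives
  path = File.join(storage_root, name)
  FileUtils.mkdir_p(storage_root)
  File.binwrite(path, data)
  path
end

# True when +path+ lies under +root+ (both made absolute); used to show
# where each routine actually put the file.
def under?(root, path)
  r = File.expand_path(root) + File::SEPARATOR
  File.expand_path(path).start_with?(r)
end

if __FILE__ == $PROGRAM_NAME
  require 'tmpdir'
  Dir.mktmpdir do |tmp|
    www   = File.join(tmp, 'www')
    store = File.join(tmp, 'store')
    puts "unsafe: #{unsafe_store(www, 'shell.aspx', '<%@ Page %>')}"
    begin
      safe_store(store, 'shell.aspx', '<%@ Page %>')
    rescue UploadRejected => e
      puts "safe:   rejected (#{e.message})"
    end
    puts "safe:   #{safe_store(store, '../../logo.png', 'png-bytes')}"
  end
end
```

Whether stored files are served at all is a separate decision; if they must be, a download handler streams the bytes with a fixed Content-Type and Content-Disposition rather than letting the web server map the path, since that mapping is what turns an uploaded .aspx into code.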

New Modules

Exploit modules (1 new)

* Advantech WebAccess Dashboard Viewer Arbitrary File Upload by Zhou Yu and rgod exploits ZDI-16-128

Get it

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.11.21...4.11.22

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Apr 21, 2016

(In)security Appliances

IT management is a tough job with lots of moving parts. To deal with that reality, IT administrators use a lot of tools and automation to help keep an eye on all the devices they are responsible for, some custom, some off the shelf, and some big-box enterprisy stuff. What the sales rep won't tell you, though, is that every line of code you add to your network is more complexity. And as complexity increases, so does the risk of bugs. I made you a handy graph to illustrate what that looks like.

There are lots of statistics out there about bug density, all of which are flawed in some ways of course, but it really comes down to the more code you expose to the network, the higher the probability of there being an exploitable bug in that code. IT management tools and security appliances are no exception to that rule.

All of that is what makes vulnerabilities in these things possible (and even likely) but what makes them fun is they are often the custodians of some of the most important data on a network. An inventory management system will have... wait for it... a list of targets, probably with the name of the human associated with each of them which also gives you an idea of what kind of data they'll be holding. A patch/update management solution will most likely have a simple way to deploy executables (ostensibly to patch something) to lots of boxes all at once, an example of authenticated remote code execution by design on a massive scale. In other words, a thing you want to pwn.

This week we have another example of this class: Dell's KACE K1000 systems are intended to "[s]treamline IT asset management, secure network-connected devices, and service end-user systems more efficiently." Which all sounds to me like marketing-speak for pop boxes, steal data.

If you have any of these sorts of things in your network, it might be a good idea to make sure only IT staff can talk to it. Bob in finance doesn't need to see all that stuff.

If you are a pentester, anything that says "Administration" or "System Management" in its <title> tag is probably already a priority, so nothing I've said here is news to you.

New Modules

Exploit modules (3 new)

Get it

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.11.20...4.11.21

The bug image in my awesome graph is CC-By-SA MesserWoland.

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Apr 15, 2016

Meterpreter Unicode Improvements

Pentesting in places where English is not the primary language can sometimes be troublesome. With this week's update, it's a little bit easier. After Brent's work making Meterpreter's registry system support UTF-8, you can now do things like use the venerable post/windows/gather/hashdump to steal hashes and other attributes of local users whose username contains non-ascii characters, e.g.:

 

msf > use post/windows/gather/hashdump
msf post(hashdump) > setg session -1
session => -1
msf post(hashdump) > run

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 168de610cd477d23e9f7713684342744...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

bcook:"normal"
mönkey:"blah"

SSH Backdoors

In this week's episode of Authenticated Code Execution by Design, we have a couple of new SSH modules.

System administrators and attackers alike love to use services like SSH to get into and control systems. Sometimes, vendors use them for coordinating multiple systems performing the same task. Such is the case with ExaGrid backup storage devices. Each ExaGrid box uses SSH to talk to other ExaGrid devices on the network, presumably to keep an eye on disk usage and other metrics that such devices care about. To make things fun, this was accomplished by shipping the same passwordless private key on every device, so now Metasploit has that private key, too.

Going a little further back in time to last December, Juniper shipped a backdoored sshd on their ScreenOS devices after a compromise allowed attackers to modify it, allowing access with any username and the remarkably clever password <<< %s(un='%s') = %u. I love it because it doesn't stand out in the output of strings(1). Well played, unknown blackhat backdoor creators, well played. Now you can easily scan for these backdoors with Metasploit.
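For defenders checking their own firmware images rather than scanning devices over the network, an added example (constructed here in Ruby; it is not Metasploit's scanner module): a raw byte search for the ScreenOS backdoor literal quoted above, with a strings(1)-style extractor beside it to show why the literal blends in among genuine printf-style format strings. The sample image bytes are made up for the example.

```ruby
# Constructed example for detection. BACKDOOR_PASSWORD is the literal
# quoted in the post; everything else here is made up.
BACKDOOR_PASSWORD = "<<< %s(un='%s') = %u".b.freeze

# Returns every byte offset at which the backdoor literal occurs in
# +image+ (a String of firmware/binary bytes), so a hit can be
# cross-checked in a disassembler. It works on raw bytes, so it does not
# depend on NUL termination or on strings(1) heuristics.
def find_backdoor_offsets(image)
  bytes = image.b
  offsets = []
  pos = 0
  while (idx = bytes.index(BACKDOOR_PASSWORD, pos))
    offsets << idx
    pos = idx + 1
  end
  offsets
end

# Why strings(1) is no help: the literal is printable, longer than the
# usual 4-byte minimum, and shaped like the format strings around it.
# This mimics strings(1) output so the literal can be seen sitting in
# the same table as legitimate ones.
def printable_strings(image, min_len = 4)
  image.b.scan(/[\x20-\x7e]{#{min_len},}/n)
end

# Constructed sample "firmware": an ELF-looking header, a few
# legitimate-looking format strings, some junk bytes, and the backdoor
# literal in the middle (at byte offset 63).
SAMPLE_IMAGE = [
  "\x7fELF\x01\x01\x01\x00",
  "login: %s(un='%s') failed\x00",
  "%s(un='%s') = %u, ttl=%d\x00",
  "\x00\xff\x10\x90",
  "<<< %s(un='%s') = %u\x00",
  "auth ok for %s\x00",
].join.b.freeze

if __FILE__ == $PROGRAM_NAME
  hits = find_backdoor_offsets(SAMPLE_IMAGE)
  puts(hits.empty? ? 'clean' : "backdoor literal at offsets #{hits.inspect}")
  puts 'strings-style view:'
  printable_strings(SAMPLE_IMAGE).each { |s| puts "  #{s}" }
end
```

On a real image, read the file with File.binread and pass the result to find_backdoor_offsets; a hit is a starting point for manual confirmation, not proof on its own, since the literal could in principle appear in unrelated data.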

Consistent options display

When you type options in msfconsole, you get a nice table of the things your current module needs to know to do its job. Formerly, advanced and evasion options used a different layout that made it a lot harder to read, especially since there are usually a lot more of them than normal options. It has bothered me for a while and finally pissed me off enough to do something about it -- now all the option types give you the same kind of output.

New Modules

Exploit modules (6 new)

Auxiliary and post modules (7 new)

Get it

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.11.19...4.11.20
