Skip navigation
All Places > Metasploit > Blog
1 2 3 4 5 Previous Next


700 posts

Merry HaXmas to you! Each year we mark the 12 Days of HaXmas with 12 blog posts on hacking-related topics and roundups from the year. This year, we’re highlighting some of the “gifts” we want to give back to the community. And while these gifts may not come wrapped with a bow, we hope you enjoy them.


Breaking Records and Breaking Business

2016 brought plenty of turmoil, and InfoSec was no exception:

  • Largest data breach: Largest breach ever, affecting more than 1 billion Yahoo users. And they were not alone: Oracle, LinkedIn, the Department of Justice, SnapChat, Verizon, DropBox, the IRS --- many organizations experienced, or discovered (or finally revealed the true extent of...), massive breaches this year.
  • Record-breaking denial of service attacks: law enforcement efforts targeting DDoS-as-a-Service providers are encouraging, but Mirai achieved record-breaking DDoS attacks this year. It turns out those easy-to-take-for-granted devices joining the Internet of Things in droves can pack quite a punch.
  • Ransomware: the end of 2015 saw a meteoritic rise in the prevalence of ransomware, and this continued in 2016. Healthcare and other targeted industries have faced 2-4x as many related attacks this year, some via increased coverage of ransomware in exploits kits, but mostly through plain old phishing.


Businesses and individuals continue to face new and increasing threats in keeping their essential systems and data secure. A static defense will not suffice: they must increase in both awareness and capability regularly in order to form a robust security program.


Metasploit Framework has grown in many ways during 2016, both through the broader community and through Rapid7 support. Let's look back through some of the highlights:


More exploits

A surprisingly wide range of exploits were added to Metasploit Framework in 2016:

  • Network management: NetGear, OpenNMS, webNMS, Dell, and more
  • Monitoring and backup: Nagios XI, Exagrid
  • Security: ClamAV, TrendMicro, Panda, Hak5 Pineapple, Dell SonicWall, Symantec -- and Metasploit itself!
  • Mainframes, SCADA dashboards
  • Exploit Kits: Dark Comet, Phoenix
  • ExtraBACON; StageFright
  • Content management/web applications: Joomla, TikiWiki, Ruby on Rails, Drupal, Wordpress forms
  • Docker, Linux kernel, SugarCRM, Oracle test suite, Apache Struts, exim, Postgres, and many more!


More flexibility

Metasploit Framework provides many supporting tools, aside from those designed to get a session on a target. These help in collecting information from a wide variety of systems, staying resilient to unknown and changing network environments, and looking like you belong.


Some expansions to the toolbox in 2016 included:


By the Numbers

Nearly 400 people have contributed code to Metasploit Framework during its history. And speaking of history: Metasploit Framework turned 13 this year! Long long ago, in a console (probably not too) far away:


Metasploit Framework 2.2 - 30 exploits


Has much changed in the last 12 years? Indeed!


Metasploit Framework 4.13.8 - 1607 exploits


In 2016, Metasploit contributors added over 150 new modules. Metasploit Framework's growth is powered by Rapid7, and especially by the community of users that give back by helping the project in a variety of ways, from landing pull requests to finding flags.


Topping the list of code contributors in 2016: Wei Chen (sinn3r), Brent Cook, William Vu (wvu), Dave Maloney (thelightcosine), h00die, OJ Reeves, nixawk, James Lee (egypt), Jon Hart, Tim Wright, Brendan Watters, Adam Cammack, Pedro Ribeiro, Josh Hale (sn0wfa11), and Nate Caroe (TheNaterz).


The Metasploit Framework GitHub project is approaching 4700 forks, and ranks in the top 10 for Ruby projects once again. It's also the second most starred security project on GitHub. None of this would have been possible if not for the dedication and drive of the Metasploit community. Together, we can continue to highlight flaws in existing systems, and better test the essential software of tomorrow. John Locke voiced in 1693 what open source security supporters continue to know well today: "The only fence against the world is a thorough knowledge of it."


So what about you?

Merry HaXmas to you! Each year we mark the 12 Days of HaXmas with 12 blog posts on hacking-related topics and roundups from the year. This year, we’re highlighting some of the “gifts” we want to give back to the community. And while these gifts may not come wrapped with a bow, we hope you enjoy them.




Towards the end of November, the Tor community was shaken up by the revelation of an previously unknown vulnerability being actively exploited against pedo^H^H^H^H Tor Browser users. Some further drama unfolded regarding who the source for the exploit may be, and I received questions from several reporters who wanted every single detail I could give them. While I did not participate in commenting at the time, I'll say everything I will ever say about it now:


- Yes, I'm aware of a very similar exploit which targeted Firefox

- No, I didn't write it


Largely lost among all the noise are the nuances of the vulnerability and the exploit itself, which I know the author put his heart and soul into. If anonymous entrants are ever retroactively awarded Pwnies, I'd like to put his unsaid name into the hat. In this part of the 12 Days of HaXmas, I wanted to offer a high level overview to some of the more interesting parts of both the vulnerability--which in my opinion doesn't fit cleanly into any classic category--and the exploit. I'm not going to dive into all of the gory details for a couple of reasons. Firstly, timing. Had this been leaked earlier in the year, I might have been able to do the analysis part some justice. Second, while verbose technical expositions certainly have their place, a blog is not the right spot. The content might take take another 12 days to cover, and for those seeking to learn from it, I feel your own analysis of the exploit coupled with lots of dirty work in a debugger would be your best option. In that case, hopefully this can offer you some direction along the way.


The Discovery


It would be remiss of me if I didn't begin by pointing out that no fuzzer was used in the discovery of this vulnerability. The only tools employed were the Woboq Code Browser (Woboq Code Browser - Explore C++ code on the web), WinDBG, a sharp mind, and exhaustive effort. The era of low-hanging fruit is largely over in my opinion. Don't be the gorilla, be the lemur, climb that tree.


The Vulnerability


In the following snippet from nsSMILTimeContainer.cpp, the pointer p is initialized to the beginning of the mMilestoneEntries array.


  // Called when the container time is changed with respect to the document
  // time. When this happens time dependencies in other time containers need to
  // re-resolve their times because begin and end times are stored in container
  // time.
  // To get the list of timed elements with dependencies we simply re-use the
  // milestone elements. This is because any timed element with dependents and
  // with significant transitions yet to fire should have their next milestone
  // registered. Other timed elements don't matter.
  const MilestoneEntry* p = mMilestoneEntries.Elements();
  uint32_t queueLength = mMilestoneEntries.Length();
  while (p < mMilestoneEntries.Elements() + mMilestoneEntries.Length()) {
    mozilla::dom::SVGAnimationElement* elem = p->mTimebase.get();
    MOZ_ASSERT(queueLength == mMilestoneEntries.Length(),
               "Call to HandleContainerTimeChange resulted in a change to the "
               "queue of milestones");


Now, consider the following two examples:


Exhibit One

  Exhibit One
    <svg id='foo'>
        <animate id='A' begin='1s' end='10s' />
        <animate begin='A.end + 5s' dur='15s' />


Exhibit Two

  Exhibit Two
    <svg id='foo'>
        <animate id='A' begin='1s' end='10s' />
    <svg id='bar'>
        <animate begin='A.end + 5s' dur='15s' /> 


In these examples, for each <svg> element that uses <animate>, an nsSMILTimeContainer object is assigned to it in order to perform time book keeping for the animations (<animateTransform> or <animateMotion> will also have the same behavior).  The epoch of each container is the time since the creation of the <svg> element it is assigned to relative to the creation of the page.  The nsSMILTimeContainer organizes each singular event in an animation with an entry for each in the mMilestoneEntries member array. See: nsSMILTimeContainer.h - DXR


In Exhibit One, the mMilestoneEntries array will contain four entries: one for both the beginning and ending of 'A', in addition to another two, one being relative to A's completion (A.end + 5s), and the other demarcating the end of the animation, in this case 30 seconds (A.end + 5s + 15s).


In Exhibit Two we see two independent <svg> elements.  In this example, two separate nsSMILTimeContainer objects will be created, each of course having it's own mMilestoneEntries array.


The exploit makes a single call to the function pauseAnimation(), which in turn triggers entry into the NotifyTimeChange() method.  nsSMILTimeContainer::NotifyTimeChange() proceeds to iterate through all entries in the mMilestoneEntries array, retrieving each individual entries nsSMILTimedElement object, after which it calls the object's HandleContainerTimeChange() method.  After some time, this method will end up making a call to the NotifyChangedInterval() method of of the nsSMILTimedElement object.  In NotifyChangedInterval(), HandleChangedInterval() will be entered if the animation being processed has a milestone relative to another animation.  In Exhibit Two, bar's beginning is relative to the element A belonging to foo, so HandleChangedInterval() will be called.


Within HandleChangedInterval(), a call to nsSMILTimeValueSpec::HandleChangedInstanceTime() will inevitably be made.  This method determines if the current animation element and the one it has a dependency on are contained within the same nsSMILTimeContainer object.  If so, as is the case with Exibit One, the pauseAnimations() function basically lives up to it's name and pauses them.  In Exhibit Two, the animations do not share the same nsSMILTimeContainer object, so additional bookkeeping is required in order to maintain synchronization.  This occurs, with subsequent calls to nsSMILTimedElement::UpdateInstanceTime() and nsSMILTimedElement::UpdateCurrentInterval() being made, and nothing too interesting is to be seen, though we will be revisiting it very shortly.


Deeper down the rabbit hole ...


What about the case of three or more animation elements with relative dependencies? Looking at the exploit, we see four animations split unequally among two containers.  We can modify Exhibit Two using details gleaned from the exploit to arrive at the following example.


Exhibit Three

  Exhibit Three
     var foo = document.getElementById('foo');
    <svg id='foo'>
        <animate id='A' begin='1s' end='5s' />
        <animate id='B' begin='10s' end='C.end' dur='5s' />
    <svg id='bar'>
        <animate id='C' begin='0s' end='A.end/> 


In this example, C's ending is relative to A's end, so we end up in nsSMILTimedElement::UpdateCurrentInterval() again, except that a different branch is followed based on the example's milestones:


if (mElementState == STATE_ACTIVE) {
  // The interval is active so we can't just delete it, instead trim it so
  // that begin==end.
  if (!mCurrentInterval->End()->SameTimeAndBase(*mCurrentInterval->Begin()))
    NotifyChangedInterval(mCurrentInterval, false, true);
  // The transition to the postactive state will take place on the next
  // sample (along with firing end events, clearing intervals etc.)


NotifyChangedInterval() is called to resolve any milestones relative to other animations for C.  Within foo, B has milestones relative to C in bar.  This results in a recursive branch along the same code path which ultimately hits UpdateCurrentInterval(), which in turn sets the state of the nsSMILTimedElement.  mElementState can be one of four possible values:




all of which perfectly describes their own respective meanings.  In Exhibit Three, B's beginning is set to occur after it's ending is set (C.end == A.end == 5s).  Since it will never start, the code marks it as STATUS_POSTACTIVE.  This results in the following code within the UpdateCurrentInterval() method creating a new interval and setting it as current.


if (GetNextInterval(GetPreviousInterval(), mCurrentInterval,
                    beginTime, updatedInterval)) {

  if (mElementState == STATE_POSTACTIVE) {

               "In postactive state but the interval has been set");
    mCurrentInterval = new nsSMILInterval(updatedInterval);
    mElementState = STATE_WAITING;


With this occurring, UpdateCurrentInterval() now makes a call to the RegisterMilestone() method.  This was not the case in Exhibit Two.  With a new interval having been created, the method will add a new entry in the mMilestoneEntries array of containerA's nsSMILTimeContainer object, resulting in the array being freed and reallocated elsewhere, leaving the pointer p from nsSMILTimeContainer::NotifyTimeChange() referencing invalid memory.


Exploitation Overview


Just because the pointer p in NotifyTimeChange() can be forced to point to free memory doesn't mean it's all over.  Firefox overwrites freed memory with 0x5a5a5a5a, which effectively mitigates a lot of classic UaF scenarios.  Secondly, there is no way to allocate memory in the freed region after the milestone array is relocated.  Given these conditions, it's becoming clear that the vulnerability cannot be exploited like a classic use-after-free bug.  If you forced me to categorize it and come up with a new buzz word as people are so apt to in this industry, I might call it a dangling index, or an iterator run-off.  Regardless of silly names, the exploit utilizes some artful trickery to overcome the hurdles inherent in the vulnerability.  As I mentioned at the offset, for the sake of brevity, I'm going to be glossing over a lot of the details with regards to heap determinism (the terms "heap grooming" and "heap massaging" irritate me more than the word "moist").


In the first step, the exploit defragments the heap by spraying 0x80 byte blocks of ArrayBuffers, and another 0x80 of milestone arrays.  Each of the milestone arrays is filled to capacity, and then one additional element is added to each.  This causes the arrays to be reallocated elsewhere, leaving 0x80 holes.  After filling these holes with vulnerable milestone arrays, assuming the <b>last element</b> of the array is the one that triggers the vulnerability, there is now a high probability that the next iteration of the NotifyTimeChange() loop will point within one of the 0x80 ArrayBuffer's that were allocated first.  It is important that the last element be the one to trigger the bug, as otherwise, the memory would be freed and overwritten before an attacker could take advantage of it.


The next obstacle in the process is bypassing the object reference count which, under normal circumstances, would cause the loop to exit.  Even if this were a full technical exposition, I'd leave this part as an exercise to the reader because of reasons.  I invite you to figure it out on your own, because it's both quite clever and critical to the success of the exploit.  Those pesky reasons though.  Seasoned exploitation engineers will see it quickly, and astute students will have truly learned when they unravel the knot.


I'd like to think that this is a good hint, but the only certainty is that it comes up on my 3 AM debugging session playlist a lot


In any case, after the exploit does it's thing, the exit condition of the loop


while (p < mMilestoneEntries.Elements() + mMilestoneEntries.Length()) 


will never be reached, and instead the loop will continue to iterate infinitely.  While this is great news, it also means that an attacker is unable to continue executing code.  The solution to this is one of the more brilliant aspects of this exploit, that being the use of a Javascript worker thread.


  var worker = new Worker('cssbanner.js');


With the worker thread, Javascript can continue being executed while the infinite loop within the main thread keeps spinning.  In fact, it's used to keep tabs on a lot of magical heap manipulation happening in the background, and to selectively exit the loop when need be.  From here, the exploit leverages a series of heap corruptions into a r/w primitive, and bypasses ASLR by obtaining the base address of xul.dll from said corruptions by parsing the files DOS header in memory.  This, along with resolving imports, is the main purpose of the PE(b,a) function in the leaked exploit.


With ASLR defeated, all that lies ahead is defeating Data Execution Prevention, as the Tor browser doesn't feature any sort of sandbox technology.  The exploit handles this beautifully by implementing an automatic ROP chain generation function, which can locate the addresses of required gadgets amongst multiple versions of Firefox/Tor browser.  After constructing the chain, the following shellcode is appended (I've converted all addresses to base 16 for readability and added comments):


ropChain[i++] = 0xc4819090;   // add esp, 800h
ropChain[i++] = 0x0800;
ropChain[i++] = 0x5050c031;   // xor eax, eax ; push eax ; push eax
ropChain[i++] = 0x5b21eb50;   // push eax ; jmp eip+0x23 ; pop ebx
ropChain[i++] = 0xb8505053;   // push ebx ; push eax ; push eax
ropChain[i++] = CreateThread; // mov eax, kernel32!CreateThread
ropChain[i++] = 0xb890d0ff;   // call eax
ropChain[i++] = arrBase + 0x2040;   // mov eax, arrBase+0x2040
ropChain[i++] = 0x5f58208b;   // mov esp, dword ptr [eax] ; pop eax ; pop edi
ropChain[i++] = 0xbe905d58;   // pop eax ; pop ebp
ropChain[i++] = 0xffffff00;   // mov esi, 0xffffff00
ropChain[i++] = 0x000cc2c9;   // ret 0x0c
ropChain[i++] = 0xffffdae8;   // call eip+0x21
ropChain[i++] = 0x909090ff;   // placeholder for payload address


The shellcode basically allocates stack space and makes a call to CreateThread with the address of the final payload, which is obtained via the jmp eip+x023 ; pop ebx line, as it's argument.  It next performs stack cleanup and exits the current infinite NotifyTimeChange() loop to ensure clean process continuation.  At least, it's supposed to.  Initial findings I've read from other researchers seem to indicate that it does not continue cleanly when used against Tor browser.  I need to investigate this myself at the first lull in the holiday festivities.


"I hope I managed to prove that exploiting buffer overflows should be an art"

                                                                                         - Solar Designer


That wraps this up for now. Check back for updates in the future as I continue analysis on it. If you have questions about anything, feel free to ask either here or find me on Twitter @iamwilliamwebb. Happy holidays!




Original leaked exploit: [tor-talk] Javascript exploit


Weekly Metasploit Wrapup

Posted by egypt Employee Dec 16, 2016

Taking Care of Universal Business: the Handler's Tale


With a few exceptions, payloads have to have a handler. That's the guy who waits with the car while your exploit runs into the liquor store.


To run an exploit module, we have to select and configure a payload first. In some cases, Metasploit can do this for you automatically, by just guessing that you probably wanted the best payload for the target platform and architecture. Once the payload is set up, we have to have a way to talk to it -- that's the handler. For a reverse style payload like windows/meterpreter/reverse_tcp, Metasploit will open a listening socket on the attacker machine and wait for connections from the payload. For bind, style where the payload listens on the victim machine, Metasploit starts a loop attempting to connect to that listener. (When we talk about Metasploit payloads, we always call the payload the server and msfconsole the client, regardless of which direction the TCP session is going.)


Once the connection is established, two things can happen. First, if the handler is expecting a stageless payload, msfconsole sets up an interactive session that you can use to control the payload, whether that's a socket <-> terminal passthrough like a raw shell connection or the full-fledged client that meterpreter needs. If, on the other hand, the payload is staged, the handler needs to transmit more code for the first stage to read and run. When that's done, everything proceeds the same as for a stageless payload.


Either way, it is very important that the payload and the handler have matching settings. If a staged payload expects x86 shellcode and the handler thinks it is talking to a MIPS payload, the second stage will crash and you'll lose your shell despite having successfully achieved code execution. Similarly, if the payload is staged and the handler is stageless, the server will either a) wait forever for shellcode that will never come or b) it will take whatever you type into the console as shellcode, which will certainly fail unless your binary typing skills are significantly better than mine.


You usually don't have to worry too much about any of this, because everything is taken care of for you automatically when you type run. Where it gets complicated is when you need to have multiple payloads or run multiple exploits using the same listener port. To accomplish that, it is often useful to have a handler independent of an exploit. Metasploit has exploit/multi/handler, which is a special exploit module that isn't really an exploit, for exactly this purpose. All it does is allow you to configure a payload and run the handler for it.


This week's update introduces a new command, handler, which does all the same work as multi/handler (and in fact runs multi/handler in the background) all from a single command. This means you no longer have to move away from the context of the exploit you're working in to set up a handler.


Having independent handlers is also super useful for when you want create a payload outside of the current msfconsole.


The perfect example here is when using something like veil to generate executables that bypass antivirus for manual delivery. When the payload is not associated with an exploit, you have to tell Metasploit the details that it would normally have from the exploit's settings.


Unfortunately, there are a couple of disadvantages with this. First, it's error-prone. If the settings in your payload and handler don't match, like I mentioned above, things will crash and you'll be missing out on shells. Second, it requires multiple listening ports if you want to be able to handle multiple platforms or architectures. Sometimes that's not a big deal, but when you're dealing with organizations that have strong egress filtering, it can become an insurmountable hassle.


This week's update makes all reverse HTTP handlers use a single handler. This means you can run multi/handler (or the new handler command) to set up a single HTTP handler on port 443, with a real CA-signed certificate, and point staged and/or stageless meterpreters for any of the supported platforms all at the same place.


This isn't perfect yet. Native Linux Meterpreter and its up and coming replacement, Mettle, don't yet support HTTP, so they can't yet take advantage of the new handler. TCP payloads can theoretically do something similar, but the implementation will require changing the way stagers work, which is always challenging because of the extreme space restrictions they have to operate under and the fact that changing the staging protocol will make all existing stagers stop working. If you have ideas for how to accomplish that without breaking everyone's existing payloads, I'd love to hear them.


New Modules


Auxiliary and post modules (1 new)


Get it


As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:


To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

The Metasploitable3 Capture The Flag Competition has been underway for about a week now and the submissions have been pouring in!  We're very excited to see so many great submissions. We're reviewing as fast as we can so if you don't hear back from us right away, don't worry, you will.  For all valid submissions we will update this blog post and subsequent ones with the leaderboard. For any questions submitted we will get back with you as fast as we can, and for any invalid solutions submitted we will write back and let you know the reason. Got a question? Send it to capturetheflag [at] rapid7 [dot] com.


Some of the flags are a little bit tricky and have been causing the most questions, so we wanted to add a little clarity.


Firstly, all flags will be in the same design. If you see a flag that looks different than others, it's probably not a flag.  Additionally, all the real flags are .PNGs.


There is also one flag where we lost some of the data, if you find one half flag, it counts. And don't forget, flags found in C:\Vagrant or the virtual box console don't count.


Now that some housekeeping is out of the way, let's get on with the current results!!


So far we have had 155 submissions from 31 individuals!  One rock-star submitter went BONKERS over the weekend and found 11 flags in 2 days.There's definitely still time to get submissions in and take over the leaderboard though!


The Joker is the most common flag found and the Ace of Hearts has been the most tricky flag to find with 10 invalid submissions


Top Submitters



Card Counts



Great stuff everyone! Keep those submissions coming in!


Metasploit Wrapup

Posted by egypt Employee Dec 9, 2016

Finding stuff


For a very long time, msfconsole's search command has used a union of the results of all search terms. This means that if you do something like search linux firefox, you'll get a list of all modules that mention linux, regardless of the application they target, and all modules that mention firefox, regardless of their platform. Most people are probably expecting the intersection, i.e. you probably wanted to see only the modules that target Firefox on Linux. So now that's what happens.


The exception is when you have two or more of a single keyword operator, like search arch:x86 arch:mips. That will still get you the union of those two, since arguably it makes more sense to see results for both in this case.


Stealing stuff


This release brings a new post module from Geckom: post/osx/gather/enum_messages, a module for gathering messages from the Messages app in OS X. With the ability to connect your phone to the Messages app, this module provides an easy way to steal 2FA tokens and other goodies from a connected phone, assuming you have an active session on the target machine.


The module supports a few operations: DBFILE for grabbing the SQLite DB directly, READABLE for collecting messages in a human readable format, LATEST for collecting only the latest message, and ALL for doing all of the above.

Here's an example of what to expect:

msf > use post/osx/gather/enum_messages
msf post(enum_messages) > set session -1
session => -1
msf post(enum_messages) > run

[+] [redacted]:56791 - Messages DB found: /Users/[redacted]/Library/Messages/chat.db
[+] [redacted]:56791 - Found Messages file: /Users/[redacted]/Library/Messages/chat.db
[*] [redacted]:56791 - Looting /Users/[redacted]/Library/Messages/chat.db database
[*] [redacted]:56791 - Generating readable format
[*] [redacted]:56791 - Retrieving latest messages
[+] [redacted]:56791 - Latest messages:

[+] [redacted]:56791 - messages.db stored as: /Users/[redacted]/.msf4/loot/20161207151127_default_[redacted]_messages.db_947304.db
[+] [redacted]:56791 - messages.txt stored as: /Users/[redacted]/.msf4/loot/20161207151127_default_[redacted]_messages.txt_801211.txt
[+] [redacted]:56791 - latest.txt stored as: /Users/[redacted]/.msf4/loot/20161207151127_default_[redacted]_latest.txt_986021.txt
[*] Post module execution completed
msf post(enum_messages) >


That's all there is to it! You can change the user to retrieve messages from by setting the USER option, or you can let the module work against the current user. If you want to retrieve more than three messages, you can change that with MSGCOUNT.


New Modules


Exploit modules (2 new)

Auxiliary and post modules (2 new)


Get it


As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:


To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

UPDATE: Leaderboard can be found on this new post! Plus, some notes that may be helpful.


Exciting news! Rapid7 is hosting a month-long, world-wide capture the flag(s) competition!


Rapid7 recently released Metasploitable3, the latest version of our attackable, vulnerable environment designed to help security professionals, students, and researchers alike hone their skills and practice their craft. If you are unfamiliar with Metasploitable3, you can get up to speed with this blog post announcing its release. For an additional challenge in Metasploitable3, we’ve hidden several flags in the virtual machine that penetration testers can find to demonstrate their prowess.


To honor the release of this new tool – and to have a little fun – we’re hosting a month-long competition to see who can find the most Metasploitable flags! The competition will be very simple, and easy for anyone to participate in. For our leaderboard winners, we’ll be giving out some great prizes as well as some Metasploit T-Shirts for others who submit a captured flag.


Here’s how it works.

  1. Download and install Metasploitable3.
  2. Dig in! Find those flags!
  3. Complete a simple write-up (see format below or template here), providing proof you’ve found one and you’ll be added to the leaderboard. (Note: We may ask your permission to publish the write-up after the competition closes.)
  4. We’ll keep a running tally of the leaderboard at the bottom of this blog post.
  5. On December 31st we’ll announce the winners!



There are currently 15 flags hidden in Metasploitable3, with more being added. When you find a flag, take a screenshot of it.  Put it in a doc with the following information:

  • How did you get access to the machine?
  • How did you spot the file?
  • How did you extract the file?

Note: In some cases, the files are easy to find so please describe the extraction process. A template can be found here.


Please note: in the spirit of friendly competition, please only submit flags that have been found from a running metasploitable3 instance, not the vagrant folders used to build the instance


Then email capturetheflag [at] and we’ll review and add you to the leader board.  At the end of the month the top 3 people with the most submitted flags accepted will receive prizes. In the case of a tie, a set of subjective measures will be used to select the winners. The measure will be: creativity of methods used to obtain the flags and strength of the write-up. We reserve the right to award bonus prizes. And one note for our beloved Rapid7 employees: You are welcome to play along, but standings will be tracked separately and awarded accordingly.



1st Place: Hak5 Pineapple

2nd Place: LAN Turtle or Lock Pick Set

3rd Place: LAN Turtle or Lock Pick Set


The first 25 to submit a flag will get a Metasploit T-Shirt! We reserve the right to award bonus prizes.


Any questions? Feel free to comment below or email community [at] and we’ll get back to you. Happy Hunting!



Get all the updates here: Metasploitable3 CTF Competition: Update and Leaderboard!





Official Rules: Terms & Conditions


The Metasploitable3 Capture the Flags competition is open to anyone. No purchase is necessary to participate. Eligibility is dependent on following the entry rules outlined in this guide.


To Enter: Locate and screenshot flags found in Metasploitable3 and send a written submission detailing 1) how you got access to the machine; 2) how you spotted the file; 3) how you extracted the file, to capturetheflag [at]


A template can be found here or by searching for “Metasploitable3 CTF” on Partial or incomplete submissions WILL NOT BE ACCEPTED as an entry and shall not be eligible for any prize. All submissions will be reviewed by Rapid7 for adherence to these Official Rules. Rapid7 may ask for permission to publish written submissions after the contest close.


The leaderboard competition will open on Wednesday, December 7, 2016 at 12:00:01 ET and close on Saturday, December 31, 2016 at 11:59:59 ET. Entries submitted after this time may be eligible for additional prizes determined by Rapid7. In the event of a tie, Rapid7 will evaluate submissions to select the first place winner. A set of subjective measures will include 1) creativity of methods used to obtain the flags and 2) strength of the written submission. Rapid7 reserves the right to award bonus prizes.


The leaderboard will be updated regularly with the final submissions being added by Tuesday, January 3, 2017 at 11:59:59 ET.


Prizes/Odds of Winning: Only the prizes listed below will be awarded in the competition. Odds of winning depend on the number of eligible entries submitted by the close date. Prize is not transferable or redeemable for cash. Rapid7 reserves the right to make equivalent substitutions as necessary, due to circumstances not under its control. Please allow 3-4 weeks for delivery of any prize.


Leaderboard Prizes


Three (3) Prizes


Leaderboard Position


Approx. Value

1st place

Hak5 Pineapple (Nano Basic)


2nd place            

LAN Turtle OR Lock Pick Set


3rd place

LAN Turtle OR Lock Pick Set




Additional Prizes


Twenty-five (25) Prizes

The first 25 people to submit a flag will get a Metasploit T-Shirt (approx. value: $10) available from the online Rapid7 Retail Store. Rapid7 reserves the right to award additional T-shirt prizes.



Competition host is Rapid7 LLC, 100 Summer St, Boston, MA 02110.


By entering the competition, you agree to these terms and conditions. Employees and the immediate families of Rapid7 may not participate.


If you have any concerns or questions related to these terms and conditions, please email capturetheflag [at]


Metasploit Weekly Wrapup

Posted by egypt Employee Dec 2, 2016

Terminal velocity


The terminal/shell interface has been around for decades and has a rich and storied history. Readline is the main library for shells like msfconsole to deal with that interface, but it's also possible for commandline tools to print ANSI escape sequences that the terminal treats specially.


When a shell like msfconsole has asynchronous output going to the terminal at unpredictable times, such as when a new session connects, that output can clobber the current prompt. That makes it hard to tell what you're typing and slows you down.


These short videos, created by @jennamagius, the contributor who submitted this patch, illustrate the issue and the new behavior:






The old behavior has annoyed me for a long time and I'm super glad to see that typing into a prompt can still be usable when you have a ton of shells flying in.


New Modules


Exploit modules (4 new)


Auxiliary and post modules (1 new)


Get it


As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:


To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.


Metasploit Wrapup

Posted by egypt Employee Nov 18, 2016

Everything old is new again


As you probably already know, hardware manufacturers are not always great at security. Today we'll be picking on Netgear, who produce a WiFi router called the WNR2200. This cute little device, brand new out of the box on store shelves today, runs Linux 2.6.15 with Samba 3.0.24. For those of you keeping score at home, those versions were released in 2007. Way back in 2007, Samba had a pre-auth heap buffer overflow vulnerability in the LsarLookupSids RPC call, for which Metasploit has had an exploit since shortly after the bug's disclosure.


Unfortunately for people who like shells, the exploit only worked on x86 targets, so popping these new routers with old exploits wasn't feasible. Until now. Thankfully, JanMitchell came to the rescue, porting it to MIPS for all your ridiculously-old-software-on-a-brand-new-router hacking needs.


Steal all the things


A few weeks ago, we talked about stealing AWS metadata. This update adds a post module (post/multi/gather/awks_keys) that will extract credential and other valuable AWS information from a compromised machine with aws console/cli installed and configured with credentials. These credentials can be used to access all of an AWS user's resources he/she has access to.


Book keeping


There won't be a release next week because of the Thanksgiving holiday here in the US. Automated nightly installers for the open source framework will still be automatically built nightly as you might expect.


New Modules


Exploit modules (8 new)


Auxiliary and post modules (6 new)


Get it


As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.38...4.12.42


To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Test Your Might With The Shiny New Metasploitable3


Today I am excited to announce the debut of our shiny new toy - Metasploitable3.


Metasploitable3 is a free virtual machine that allows you to simulate attacks largely using Metasploit. It has been used by people in the security industry for a variety of reasons: such as training for network exploitation, exploit development, software testing, technical job interviews, sales demonstrations, or CTF junkies who are looking for kicks, etc :-)


If you are already a Metasploitable fan, you would have noticed that we haven't had a new vulnerable image since 2012. To be honest, when James and I took over the project, we didn't even know who was maintaining it anymore. So we decided to do something about it.


After months of planning and building the vulnerable image from scratch, we have something for you all to play :-) Unlike its predecessor, Metasploitable3 has these cool features:


It is Open Source


Screen Shot 2016-11-11 at 4.22.43 PM.pngDuring development, we recognized one of the drawbacks of Metasploitable2 was maintenance. We figured since we want everyone in the community to play, the community should have the power to influence and contribute. This also allows the vulnerable image to constantly evolve, and hopefully will keep the VM fun to play.


Metasploitable3 can be found as a Github repository here.


Keep in mind, instead of downloading a VM like before, Metasploitable3 requires you to issue a few commands and build for Virtual Box (VMWare will be supported in the future soon). To do so, your machine must install the following requirements:



To build automatically:


  1. Run the script if using bash. If you are using Windows, run build_win2008.ps1.
  2. If the command completes successfully, run "vagrant up".
  3. The the build process takes anywhere between 20 to 40 minutes, depending on your system and Internet connection. After it's done, you should be able to open the VM within VirtualBox and login. The default username is "vagrant" with password "vagrant".


To build manually, please refer to the README documentation.


If you are on Windows, you can also follow these videos to set up Metasploitable3 (Thanks Jeremy Druin)


If you have experience in making vulnerable images, or would like to suggest a type of exploitation scenario for Metasploitable3, your feedback is welcome!


It is for People with Different Skills Levels


kung_fu.jpgMetasploitable2 back then was more of a test environment heavily for Metasploit. It was straight-forward to play, and it didn't take long to find the right exploit to use, and get a high privileged shell.


But you see, we want to make you try a little harder than that :-)


First off, not every type of vulnerability on Metasploitable3 can be exploited with a single module from Metasploit, but some can. Also by default, the image is configured to make use of some mitigations from Windows, such as different permission settings and a firewall.


For example, if you manage to exploit a service in the beginning, you will most likely be rewarded with a lower privileged shell. This part shouldn't be too difficult for young bloods who are new to the game. But if you want more than that, higher privileged services tend to be protected by a firewall, and you must figure out how to get around that.


For special reasons, the firewall can be disabled if you set the MS3_DIFFICULTY environment variable:


$ MS3_DIFFICULTY=easy vagrant up


If the image is already built, you can simply open a command prompt and do:


$ netsh advfirewall set allprofiles state off


It Has Flags


flag.jpgOne very common thing about performing a penetration test is going after corporate data. Well, we can't shove any real corporate data in Metasploitable3 without any legal trouble, therefore we have introduced flags throughout the whole system. They serve as "data you want to steal", and each is in the form of a poker card image of a Rapid7/Metasploit developer, and is packaged in one of more of these ways:


  • Obfuscation
  • Strict permission settings
  • File attributes
  • Embedded files


Getting your hands on these flags exercises your post exploitation muscle, and may require some level of reverse engineering knowledge.


A hint about these flags can be found from one of the services. In the future, we will be publishing more blog posts about how to find these flags.


(Special thanks to Marilyn Marti for the excellent art work!)


It is Expandable


network.pngIn real world penetration testing, a lot of it involves being able to break into one machine, and leverage the information stolen from there against the next one. Stolen passwords and hashes are perfect examples for this.


Instead of just having one virtual machine, our plan is to also have the capability to build multiple vulnerable images, and create a network of them. This allows the audience to have the opportunity to practice more post exploitation techniques, pivoting, and break into the next box.


Although our first image is Windows, the planning part of the Linux version has already begun. If you would like to jump on this train, please feel free to leave a comment on Github, or contribute.


And that's what our new toy is all about :-)


Last but not least, if you are trying out Metasploitable3 without Metasploit, either you are Neo from the Matrix, or you are nuts. Metasploit consists of thousands of modules, including exploits, auxiliary, post modules, and payloads that allows you to succeed in many kinds of attack scenarios. If you don't have this in your toolkit, please feel free to grab it here.


Weekly Metasploit Wrapup

Posted by egypt Employee Oct 28, 2016

What time is it?


If you want to run some scheduled task, either with schtasks or cron, you have to decide when to run that task. In both cases, the schedule is based on what time it is according to the victim system, so when you make that decision, it's super helpful to know what the victim thinks the current time is.


As of #7435, Meterpreter has a localtime command that gives you that information and then it's peanut butter jelly time.







Windows uses UTF-16le to store hostnames (and pretty much everything else). For ASCII characters, you can convert to that format simply by inserting NULL bytes in between each ASCII byte. When you run into a hostname that uses characters for which there is no direct ASCII equivalent, conversion is a lot more complex. As of this weeek, that complexity works correctly for hostnames in Metasploit. This affects several things that use the SMB protocol, including smb_version, and the places where hostnames are displayed in msfconsole.


----- BENIGN CERTAIN -----


Along with Extra Bacon, the fun SNMP RCE bug for Cisco devices we mentioned here a couple months ago, the same dump included an information disclosure vulnerability in Cisco devices as well. The result is similar to what you get with Heartbleed - random memory contents that can sometimes contain credentials.


APK Injection


Android Application Packages (APK files) are very similar to JAR files. They're basically a zip archive with a certain directory structure. Android requries that APKs must be cryptographically signed before the system will allow you to install them. Earlier this year, we added the ability to use an existing APK as a template for your payload, but of course that makes the signature invalid. To fix it up, we re-sign with a new certificate.


As of this week, that certificate will match all of the metadata from the original template's signature which makes the installed app a bit less conscpicuous.


Local File Inclusion


In the world of PHP, Local File Includes or LFIs are a common vulnerability due to the nature of the language and how its include and require directives work. That class of vulnerability is a lot less common in other langauges, so it was a bit surprising when the details of CVE-2016-0752 came out. What was previously believed to be merely a local file read vulnerability in Ruby on Rails when the bug was first made public back in February, can actually be turned into a local file include vulnerability. This works because the file that Rails is reading is actually used as template that can contain. (Note that's ERB, not ERB.)


New Modules


This wrapup covers a few weeks, so the new module count is quite a bit higher than usual.


Exploit modules (9 new)



Auxiliary and post modules (6 new)



Get it


As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.30...4.12.38


To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Pokemon Go started it.


The crusty old house cell phone, which we had years ago ported from a genuine AT&T land line to a T-Mobile account, suddenly caught the attention of my middle son.

  "Hey Dad, can I use that phone to catch Pokemon at the park?"


"Sure! Have fun, and don't come back until sundown!"

A few minutes later, he had hunted down his first Pikachu, which apparently required running around the block in Texas summer heat a few times. Sweat-soaked but proud, he happily presented his prize. I could get used to this! The kids were getting out of the house, exploring the neighborhood, having fun, and I was getting a little peace and quiet. Then one day, Pokemon Go stopped working, stating that it did not support 'rooted' phones.


First some back story. Our 'house phone' role is generally filled by the most-working last-gen reject device that is too old to be useful as a daily driver, but too new to throw away. In this case, it was a Google Nexus 4. I have always preferred the Google phones over other third parties for a number of reasons:


  • They're cheap if you get the last generation (and sometimes the current).
  • They usually lead the pack when it comes to software updates and hackability.


However, given the industry's appetite for quick turnarounds and obsolescence cycles, (and in spite of Google's generally good support) this phone is end-of-life, and has not received an official firmware update in over a year. In fact, this phone is the amalgamation of two Nexus 4's, combined into a frankenstein assemblage of the most-working screen, battery, and charging ports of the original pair.


Since it has been a year and a half since Google released a firmware for this phone, I had it running the next-best thing: Cyanogenmod 13, which backported Android 6 to this hardware. Now, this junker phone is up-to-date as much as

the Android Open Source Project (AOSP) allows. But, there was now a show-stopper: you now can't run Pokemon Go on rooted phones using Cyanogenmod. Technically, there is a new set of hacks, but this is a cat-and-mouse game, but there comes a time in your life when you just want things to work. And they were already hooked.


Why did Niantic decide to impose this restriction after several months of unrestricted access? It comes down to cheaters. People were rooting their phones specifically to fake GPS coordinates to get rare Pokemon, grow eggs, etc. Since having root access is also required to install non-stock firmware, in this guilty-until-proven-innocent model, we basically get to choose between two possibilities: get up-to-date software but sacrifice the ability to run some applications, or run increasingly out-of-date 'official' software, for the sake of satisfying a DRM or anti-cheating scheme.


In the end, I decided that the stock firmware still allowed upgrading a lot of the key components via the Google's Play Store, the real core around which an increasing amount of the software in the Android ecosystem relies. Sure, I'm not getting the latest advances in encrypted filesystems, kernel hardening, or process isolation in the latest versions of Android, but it's a tradeoff. Maybe the phone will have died completely by the time the next exploitable bug in libstagefright rears its head.


But, maybe it already has.


It took over a year for enough of the moving parts for a reliable exploit for CVE-2015-3864, one of the 'StageFright' series of vulnerabilities, to come together within Metasploit. The exploit needed new payloads, new techniques, and a number of independent research projects to become useful outside of the proof-of-concept realm. In the end, it works very well, even better than the Metaphor exploit from earlier this year, and can be easily targeted to any vulnerable Nexus phone.


Ironically, the very openness of the Google Nexus ecosystem made porting the exploit to those firmware builds particularly easy. In contrast, Samsung firmware, which contains many proprietary additions to the base Android system, and is not open-source, is harder to target simply because it is harder to examine. In spite of this, it was still possible to target Samsung phones as well. Effectively, with enough effort, any firmware is exploitable. It is just a question of time.


When you think of exploits in the StageFright family, think of the vector: someone sends a special text message and take over a phone without anyone even reading it. You get an email, and without opening it, code is already executed on your device. It's a simple concept, but the fix is not nearly as straightforward.


Automatic parsing of metadata in media files is a commonly-researched and targeted vulnerability in many different products. Adobe flash has had nasty vulnerabilities in its MP3 metadata parsing code earlier this year. Apple iOS has

been vulnerable a number of times to similar attacks. Just last month, similar vulnerabilities in Android's libutils library were found, which could be attacked in a similar way.


The exploit that we included in Metasploit for CVE-2015-3864 only targets one vector (web browser) and one file type (MP4 video files). However, there are many other vectors and file types that could also be exploited in the same family, that were discovered around the same time period as CVE-2015-3864. Not only that, but more vectors and file types have been found since the original round of StageFright branded vulnerabilities were hot in the news, and quietly patched.


Of course, none of these patches have made it into the official firmware for my Nexus 4. I even had to do a double-take in researching this article, since Wikipedia claimed Android 5.1.1 was last updated 2 months ago, while I knew the phone hadn't gotten an over-the-air update in some time. To really know if you're up-to-date, you have to look at the build number, Nexus 4 being on LMY48T while the latest is LMY49M. It's unlikely that the average consumer with a phone running Android '5.1.1' would be able to know difference between a vulnerable or up-to-date build number, much less the average business with a bring-your-own-device policy.


The choice between running the software you want, like Pokemon Go, and the quick road to obsolete devices in the Android ecosystem, at best forces users to make a choice between security and functionality. The theoretical exploit chains being patched this year can easily turn into next year's reliable Metasploit module.


Maybe it's time to bring back to a land line.


Weekly Metasploit Wrapup

Posted by egypt Employee Oct 7, 2016

Silence is golden


Taking screenshots of compromised systems can give you a lot of information that might otherwise not be readily available. Screenshots can also add a bit of extra spice to what might be an otherwise dry report. For better or worse, showing people that you have a shell on their system often doesn't have much impact. Showing people screenshots of their desktop can evoke a visceral reaction that can't be ignored. Plus, it's always hilarious seeing Microsoft Outlook open to the phishing email that got you a shell. In OSX, this can be accomplished with the module post/osx/capture/screenshot. Prior to this week's update, doing so would trigger that annoying "snapshot" sound, alerting your victim to their unfortunate circumstances. After a small change to that module, the sound is now disabled so you can continue hacking on your merry way, saving the big reveal for some future time when letting them know of your presence is acceptable.


Check your sums before you wreck your sums


Sometimes you just want to know if a particular file is the same as what you expect or what you've seen before. That's exactly what checksums are good at. Now you can run several kinds of checksums from a meterpreter prompt with the new checksum command. Its first argument is the hash type, e.g. "sha1" or "md5", and the rest are remote file names.


Metadata is best data, everyone know this


As more and more infrastructure moves to the cloud, tools for dealing with the various cloud providers become more useful.


If you have a session on an AWS EC2 instance, the new post/multi/gather/aws_ec2_instance_metadata can grab EC2 metadata, which "can include things like SSH public keys, IPs, networks, user names, MACs, custom user data and numerous other things that could be useful in EC2 post-exploitation scenarios." Of particular interest in that list is custom user data. People put all kinds of ridiculous things in places like that and I would guess that there is basically 100% probability that the EC2 custom field has been used to store usernames and passwords.


Magical ELFs


For a while now, msfvenom has been able to produce ELF library (.so) files with the elf-so format option. Formerly, these only worked with the normal linking system, i.e., it works when an executable loads it from /usr/lib or whatever but due to a couple of otherwise unimportant header fields, it didn't work with LD_PRELOAD. For those who are unfamiliar with LD_PRELOAD, it's a little bit of magic that allows the linker to load up a library implicitly rather than as a result of the binary saying it needs that library. This mechanism is often used for debugging, so you can stub out functions or make them behave differently when you're trying to track down a tricky bug.


It's also super useful for hijacking functions. This use case provides lots of fun shenanigans you can do to create a userspace rootkit, but for our purposes, it's often enough simply to run a payload so a command like this:

LD_PRELOAD=./ /bin/true

will result in a complete mettle session running inside a /bin/true process.


New Modules


Exploit modules (1 new)

Auxiliary and post modules (3 new)s


Get it


As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.28...4.12.30


To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.


Weekly Metasploit Wrapup

Posted by egypt Employee Sep 30, 2016

Extra Usability


Commandline tools in general are powerful, but come with a learning curve. When you've been using a tool for a long time, that curve becomes a status quo that embeds itself in your fingers. That isn't always a good thing because it tends to make you blind to how things can be better and it takes an effort of introspection to notice inefficiencies. Even then, you weigh those inefficiencies against the effort required to improve.


An example of that is msfconsole's route command, which gets a bit of a spruce up this week. Instead of showing help output when given no arguments, it now shows the current routing table. In addition, it now supports using a session id of "-1" to indicate the most recent session, just like you can do for the SESSION option in post modules.


Extra privilege escalation


In the last few years, privilege escalation has become more important in the Windows world but it has always been a staple on Unix operating systems. This update brings two privilege escalation modules, one for the Linux kernel and one for NetBSD's /usr/libexec/mail.local, for your rooting pleasure.


Extra Meta Metasploitation


2ENTk2K2.pngAs I mentioned in the last wrapup, we've landed @justinsteven's modules for attacking Metasploit from Metasploit. The first, metasploit_static_secret_key_base, exploits the way Rails cookies are serialized and the fact that an update would step on the randomly generated secret key with a static one. Check out the full detailsif you're interested in how that works.


The second, metasploit_webui_console_command_execution, isn't a vulnerability as such. Rather, it takes advantage of the fact that admin users can run msfconsole in the browser, and therefore run commands on the server. This is the sort of thing that can't be patched without just removing the functionality altogether; it's literally a feature, not a bug. Authenticated administrators can do administrator things, as you might expect.


Extra Android Exploit


Stagefright_bug_logo.pngAt Derbycon last week, long-time friend of the Metasploit family, @jduck, released his latest version of Stagefright, an exploit for Android's libstagefright. He demo'd exploiting a Nexus device, but lots of other stuff is vulnerable too. Due to the rampant fragmentation in the Android world, this year-old bug is probably going to be showing up on new phones sitting on store shelves for quite a while yet.


Extra Bacon


And last but not least, this week brings a module for exploiting EXTRABACON, the Cisco ASA vulnerability made public by the Shadowbroker leak a few weeks ago. The bug is a buffer overflow in SNMP object id strings. The module does exactly what the Equation Group exploit does -- it disables authentication on the victim device and allows you to login to ssh or telnet with no password. This module was a collaboration between lots of folks and improves on the coverage in the original exploit, even adding targets for some 9.x devices that the advisory says are not affected.


This democratization of exploits through open source continues to show that being open and transparent leads to better exploits, more public knowledge, and better patches.


New Modules


Exploit modules (7 new)


Auxiliary and post modules (1 new)

Get it


As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.25...4.12.28


To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

A number of important security issues were resolved in Metasploit (Pro, Express, and Community editions) this week. Please update as soon as possible.



Issue 1: Localhost restriction bypass

    (affects versions 4.12.0-2016061501 through 4.12.0-2016083001)


On initial install, the Metasploit web interface displays a page for setting up an initial administrative user. After this initial user is configured, you can login and use the Metasploit web UI for the first time. Since this initial screen is unauthenticated, it can only be accessed via a local user (e.g. hitting the localhost hostname or loopback IP address


Until the most current release, the initial setup page access restriction does not work properly in Metasploit 4.12.0 releases. Instead, on initial install, the page for setting up the initial administrative user is accessible from all addresses on the host running Metasploit.  An attacker might be able to 'race' a fresh Metasploit installation and become the first to create an administrative user.



For users who are planning on using Metasploit with the web interface, it is important to isolate the machine from hostile networks until initial configuration is complete, or be sure to use the latest Metasploit installer in which this issue is resolved.


Thanks to Brandon Perry for discovering and reporting this issue.


Issue 2: Predictable session cookies

    (affects versions 4.12.0-2016061501 through 4.12.0-2016083001)


Metasploit uses a randomized secret key to protect session cookies from forgeries. On installation, it randomizes the secret key and stores it in a local configuration file.


As of Metasploit 4.12.0, the update packages inadvertently include a static version of this secret key file, which overwrites the randomly-generated one. The effect of this is that some Metasploit installations will all have the same hard-coded base session token, leading to forgeable session cookies, allowing an unauthenticated user to perform remote code execution via another object deserialization bug.



On startup, Metasploit will identify 'bad' static secret keys that may be installed, and if found, the base secret key is regenerated. If this fix is needed, and if a user is applying the latest update via the web UI, the UI may appear to hang during the update, though it will complete successfully in the background. In this case, simply refresh the web UI after 10-20 minutes. If it loads a login screen, the update applied successfully.


Users who updated from 4.11.0 or earlier builds are not affected, but are still encouraged to update.


Thanks to Justin Steven for discovering and reporting this issue.


Issue 3: `config.action_dispatch.cookies_serializer` is set to `:hybrid`

    (affects versions 4.12.0-2016061501 through 4.12.0-2016083001)


Metasploit versions 4.11.x and earlier use the default 'marshal' cookie type, which is vulnerable to remote object instantiation / remote code injection for a user who has the ability to generate a signed session cookie.



The Metasploit 4.12.0 point release switched to the 'hybrid' type, which gives an update path for users to the safer 'json' type. The latest release switches entirely to 'json' cookie serialization method.


Thanks to Justin Steven for discovering and reporting this issue.


Weekly Metasploit Wrapup

Posted by egypt Employee Sep 16, 2016

Security is hard


I usually focus exclusively on the Metasploit Framework here on these wrapups, but this week is a little special. This week the Metasploit commercial products (Pro, Express, and Community) come with a fix for a couple of vulnerabilities. You heard that right, remotely exploitable vulns in Metasploit. Our lovely engineering manager, Brent Cook, helpfully wrote up the details yesterday.


TL;DR - Three bugs, two of which work together: 1) the filter restricting the creation of the first admin account to localhost was broken. As has always been the case having an admin account on Metasploit lets you run commands on the server. And 2) the randomly generated session key got stepped on by a static one whenever updates were applied, so the same key was used for every Metasploit installation. Because of 3) session cookies are serialized ruby, so that's code exec, too.


Security is hard and even experts like us screw it up some times. But in true Metasploit fashion, we're not content to just patch the vuln. There is currently a Pull Request in review that will get you shells on Metasploit if you know credentials. Since it's Authenticated Code Execution by Design, it will work even without this vulnerability as long as you can steal a username and password. Expect that to land soon and be in the next wrapup. And while you're waiting, go double check to make sure you did the initial account setup on your Metasploit installs.


Download improvements


It's a bit of a hassle if a download gets interrupted, especially if the file is large. Thanks to first-time contributor cayee, you can now continue an interrupted download with Meterpreter's new download -c.


Module documentation


We've been pumping out better documentation for individual modules for a few months now, since the introduction of info -d, which gives you nice pretty markdown.


If you have wanted to contribute but didn't know what you wanted to work on, this is a great place to get started. Check out the Module Documentation milestone for a list of the modules we think are the highest priority. Github won't let you assign a ticket to someone who isn't part of the Metasploit organization, so leave a comment on one of those issues to claim it so others don't duplicate your work.


New Modules

Exploit modules (1 new)

Auxiliary and post modules (4 new)

Get it


As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.22...4.12.25


To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Filter Blog

By date: By tag: