Skip navigation
All Places > Metasploit > Blog
1 2 3 4 5 Previous Next


695 posts

Metasploit Weekly Wrapup

Posted by egypt Employee Dec 2, 2016

Terminal velocity


The terminal/shell interface has been around for decades and has a rich and storied history. Readline is the main library for shells like msfconsole to deal with that interface, but it's also possible for commandline tools to print ANSI escape sequences that the terminal treats specially.


When a shell like msfconsole has asynchronous output going to the terminal at unpredictable times, such as when a new session connects, that output can clobber the current prompt. That makes it hard to tell what you're typing and slows you down.


These short videos, created by @jennamagius, the contributor who submitted this patch, illustrate the issue and the new behavior:






The old behavior has annoyed me for a long time and I'm super glad to see that typing into a prompt can still be usable when you have a ton of shells flying in.


New Modules


Exploit modules (4 new)


Auxiliary and post modules (1 new)


Get it


As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:


To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.


Metasploit Wrapup

Posted by egypt Employee Nov 18, 2016

Everything old is new again


As you probably already know, hardware manufacturers are not always great at security. Today we'll be picking on Netgear, who produce a WiFi router called the WNR2200. This cute little device, brand new out of the box on store shelves today, runs Linux 2.6.15 with Samba 3.0.24. For those of you keeping score at home, those versions were released in 2007. Way back in 2007, Samba had a pre-auth heap buffer overflow vulnerability in the LsarLookupSids RPC call, for which Metasploit has had an exploit since shortly after the bug's disclosure.


Unfortunately for people who like shells, the exploit only worked on x86 targets, so popping these new routers with old exploits wasn't feasible. Until now. Thankfully, JanMitchell came to the rescue, porting it to MIPS for all your ridiculously-old-software-on-a-brand-new-router hacking needs.


Steal all the things


A few weeks ago, we talked about stealing AWS metadata. This update adds a post module (post/multi/gather/awks_keys) that will extract credential and other valuable AWS information from a compromised machine with aws console/cli installed and configured with credentials. These credentials can be used to access all of an AWS user's resources he/she has access to.


Book keeping


There won't be a release next week because of the Thanksgiving holiday here in the US. Automated nightly installers for the open source framework will still be automatically built nightly as you might expect.


New Modules


Exploit modules (8 new)


Auxiliary and post modules (6 new)


Get it


As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.38...4.12.42


To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Test Your Might With The Shiny New Metasploitable3


Today I am excited to announce the debut of our shiny new toy - Metasploitable3.


Metasploitable3 is a free virtual machine that allows you to simulate attacks largely using Metasploit. It has been used by people in the security industry for a variety of reasons: such as training for network exploitation, exploit development, software testing, technical job interviews, sales demonstrations, or CTF junkies who are looking for kicks, etc :-)


If you are already a Metasploitable fan, you would have noticed that we haven't had a new vulnerable image since 2012. To be honest, when James and I took over the project, we didn't even know who was maintaining it anymore. So we decided to do something about it.


After months of planning and building the vulnerable image from scratch, we have something for you all to play :-) Unlike its predecessor, Metasploitable3 has these cool features:


It is Open Source


Screen Shot 2016-11-11 at 4.22.43 PM.pngDuring development, we recognized one of the drawbacks of Metasploitable2 was maintenance. We figured since we want everyone in the community to play, the community should have the power to influence and contribute. This also allows the vulnerable image to constantly evolve, and hopefully will keep the VM fun to play.


Metasploitable3 can be found as a Github repository here.


Keep in mind, instead of downloading a VM like before, Metasploitable3 requires you to issue a few commands and build for Virtual Box (VMWare will be supported in the future soon). To do so, your machine must install the following requirements:



To build automatically:


  1. Run the script if using bash. If you are using Windows, run build_win2008.ps1.
  2. If the command completes successfully, run "vagrant up".
  3. The the build process takes anywhere between 20 to 40 minutes, depending on your system and Internet connection. After it's done, you should be able to open the VM within VirtualBox and login. The default username is "vagrant" with password "vagrant".


To build manually, please refer to the README documentation.


If you are on Windows, you can also follow these videos to set up Metasploitable3 (Thanks Jeremy Druin)


If you have experience in making vulnerable images, or would like to suggest a type of exploitation scenario for Metasploitable3, your feedback is welcome!


It is for People with Different Skills Levels


kung_fu.jpgMetasploitable2 back then was more of a test environment heavily for Metasploit. It was straight-forward to play, and it didn't take long to find the right exploit to use, and get a high privileged shell.


But you see, we want to make you try a little harder than that :-)


First off, not every type of vulnerability on Metasploitable3 can be exploited with a single module from Metasploit, but some can. Also by default, the image is configured to make use of some mitigations from Windows, such as different permission settings and a firewall.


For example, if you manage to exploit a service in the beginning, you will most likely be rewarded with a lower privileged shell. This part shouldn't be too difficult for young bloods who are new to the game. But if you want more than that, higher privileged services tend to be protected by a firewall, and you must figure out how to get around that.


For special reasons, the firewall can be disabled if you set the MS3_DIFFICULTY environment variable:


$ MS3_DIFFICULTY=easy vagrant up


If the image is already built, you can simply open a command prompt and do:


$ netsh advfirewall set allprofiles state off


It Has Flags


flag.jpgOne very common thing about performing a penetration test is going after corporate data. Well, we can't shove any real corporate data in Metasploitable3 without any legal trouble, therefore we have introduced flags throughout the whole system. They serve as "data you want to steal", and each is in the form of a poker card image of a Rapid7/Metasploit developer, and is packaged in one of more of these ways:


  • Obfuscation
  • Strict permission settings
  • File attributes
  • Embedded files


Getting your hands on these flags exercises your post exploitation muscle, and may require some level of reverse engineering knowledge.


A hint about these flags can be found from one of the services. In the future, we will be publishing more blog posts about how to find these flags.


(Special thanks to Marilyn Marti for the excellent art work!)


It is Expandable


network.pngIn real world penetration testing, a lot of it involves being able to break into one machine, and leverage the information stolen from there against the next one. Stolen passwords and hashes are perfect examples for this.


Instead of just having one virtual machine, our plan is to also have the capability to build multiple vulnerable images, and create a network of them. This allows the audience to have the opportunity to practice more post exploitation techniques, pivoting, and break into the next box.


Although our first image is Windows, the planning part of the Linux version has already begun. If you would like to jump on this train, please feel free to leave a comment on Github, or contribute.


And that's what our new toy is all about :-)


Last but not least, if you are trying out Metasploitable3 without Metasploit, either you are Neo from the Matrix, or you are nuts. Metasploit consists of thousands of modules, including exploits, auxiliary, post modules, and payloads that allows you to succeed in many kinds of attack scenarios. If you don't have this in your toolkit, please feel free to grab it here.


Weekly Metasploit Wrapup

Posted by egypt Employee Oct 28, 2016

What time is it?


If you want to run some scheduled task, either with schtasks or cron, you have to decide when to run that task. In both cases, the schedule is based on what time it is according to the victim system, so when you make that decision, it's super helpful to know what the victim thinks the current time is.


As of #7435, Meterpreter has a localtime command that gives you that information and then it's peanut butter jelly time.







Windows uses UTF-16le to store hostnames (and pretty much everything else). For ASCII characters, you can convert to that format simply by inserting NULL bytes in between each ASCII byte. When you run into a hostname that uses characters for which there is no direct ASCII equivalent, conversion is a lot more complex. As of this weeek, that complexity works correctly for hostnames in Metasploit. This affects several things that use the SMB protocol, including smb_version, and the places where hostnames are displayed in msfconsole.


----- BENIGN CERTAIN -----


Along with Extra Bacon, the fun SNMP RCE bug for Cisco devices we mentioned here a couple months ago, the same dump included an information disclosure vulnerability in Cisco devices as well. The result is similar to what you get with Heartbleed - random memory contents that can sometimes contain credentials.


APK Injection


Android Application Packages (APK files) are very similar to JAR files. They're basically a zip archive with a certain directory structure. Android requries that APKs must be cryptographically signed before the system will allow you to install them. Earlier this year, we added the ability to use an existing APK as a template for your payload, but of course that makes the signature invalid. To fix it up, we re-sign with a new certificate.


As of this week, that certificate will match all of the metadata from the original template's signature which makes the installed app a bit less conscpicuous.


Local File Inclusion


In the world of PHP, Local File Includes or LFIs are a common vulnerability due to the nature of the language and how its include and require directives work. That class of vulnerability is a lot less common in other langauges, so it was a bit surprising when the details of CVE-2016-0752 came out. What was previously believed to be merely a local file read vulnerability in Ruby on Rails when the bug was first made public back in February, can actually be turned into a local file include vulnerability. This works because the file that Rails is reading is actually used as template that can contain. (Note that's ERB, not ERB.)


New Modules


This wrapup covers a few weeks, so the new module count is quite a bit higher than usual.


Exploit modules (9 new)



Auxiliary and post modules (6 new)



Get it


As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.30...4.12.38


To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Pokemon Go started it.


The crusty old house cell phone, which we had years ago ported from a genuine AT&T land line to a T-Mobile account, suddenly caught the attention of my middle son.

  "Hey Dad, can I use that phone to catch Pokemon at the park?"


"Sure! Have fun, and don't come back until sundown!"

A few minutes later, he had hunted down his first Pikachu, which apparently required running around the block in Texas summer heat a few times. Sweat-soaked but proud, he happily presented his prize. I could get used to this! The kids were getting out of the house, exploring the neighborhood, having fun, and I was getting a little peace and quiet. Then one day, Pokemon Go stopped working, stating that it did not support 'rooted' phones.


First some back story. Our 'house phone' role is generally filled by the most-working last-gen reject device that is too old to be useful as a daily driver, but too new to throw away. In this case, it was a Google Nexus 4. I have always preferred the Google phones over other third parties for a number of reasons:


  • They're cheap if you get the last generation (and sometimes the current).
  • They usually lead the pack when it comes to software updates and hackability.


However, given the industry's appetite for quick turnarounds and obsolescence cycles, (and in spite of Google's generally good support) this phone is end-of-life, and has not received an official firmware update in over a year. In fact, this phone is the amalgamation of two Nexus 4's, combined into a frankenstein assemblage of the most-working screen, battery, and charging ports of the original pair.


Since it has been a year and a half since Google released a firmware for this phone, I had it running the next-best thing: Cyanogenmod 13, which backported Android 6 to this hardware. Now, this junker phone is up-to-date as much as

the Android Open Source Project (AOSP) allows. But, there was now a show-stopper: you now can't run Pokemon Go on rooted phones using Cyanogenmod. Technically, there is a new set of hacks, but this is a cat-and-mouse game, but there comes a time in your life when you just want things to work. And they were already hooked.


Why did Niantic decide to impose this restriction after several months of unrestricted access? It comes down to cheaters. People were rooting their phones specifically to fake GPS coordinates to get rare Pokemon, grow eggs, etc. Since having root access is also required to install non-stock firmware, in this guilty-until-proven-innocent model, we basically get to choose between two possibilities: get up-to-date software but sacrifice the ability to run some applications, or run increasingly out-of-date 'official' software, for the sake of satisfying a DRM or anti-cheating scheme.


In the end, I decided that the stock firmware still allowed upgrading a lot of the key components via the Google's Play Store, the real core around which an increasing amount of the software in the Android ecosystem relies. Sure, I'm not getting the latest advances in encrypted filesystems, kernel hardening, or process isolation in the latest versions of Android, but it's a tradeoff. Maybe the phone will have died completely by the time the next exploitable bug in libstagefright rears its head.


But, maybe it already has.


It took over a year for enough of the moving parts for a reliable exploit for CVE-2015-3864, one of the 'StageFright' series of vulnerabilities, to come together within Metasploit. The exploit needed new payloads, new techniques, and a number of independent research projects to become useful outside of the proof-of-concept realm. In the end, it works very well, even better than the Metaphor exploit from earlier this year, and can be easily targeted to any vulnerable Nexus phone.


Ironically, the very openness of the Google Nexus ecosystem made porting the exploit to those firmware builds particularly easy. In contrast, Samsung firmware, which contains many proprietary additions to the base Android system, and is not open-source, is harder to target simply because it is harder to examine. In spite of this, it was still possible to target Samsung phones as well. Effectively, with enough effort, any firmware is exploitable. It is just a question of time.


When you think of exploits in the StageFright family, think of the vector: someone sends a special text message and take over a phone without anyone even reading it. You get an email, and without opening it, code is already executed on your device. It's a simple concept, but the fix is not nearly as straightforward.


Automatic parsing of metadata in media files is a commonly-researched and targeted vulnerability in many different products. Adobe flash has had nasty vulnerabilities in its MP3 metadata parsing code earlier this year. Apple iOS has

been vulnerable a number of times to similar attacks. Just last month, similar vulnerabilities in Android's libutils library were found, which could be attacked in a similar way.


The exploit that we included in Metasploit for CVE-2015-3864 only targets one vector (web browser) and one file type (MP4 video files). However, there are many other vectors and file types that could also be exploited in the same family, that were discovered around the same time period as CVE-2015-3864. Not only that, but more vectors and file types have been found since the original round of StageFright branded vulnerabilities were hot in the news, and quietly patched.


Of course, none of these patches have made it into the official firmware for my Nexus 4. I even had to do a double-take in researching this article, since Wikipedia claimed Android 5.1.1 was last updated 2 months ago, while I knew the phone hadn't gotten an over-the-air update in some time. To really know if you're up-to-date, you have to look at the build number, Nexus 4 being on LMY48T while the latest is LMY49M. It's unlikely that the average consumer with a phone running Android '5.1.1' would be able to know difference between a vulnerable or up-to-date build number, much less the average business with a bring-your-own-device policy.


The choice between running the software you want, like Pokemon Go, and the quick road to obsolete devices in the Android ecosystem, at best forces users to make a choice between security and functionality. The theoretical exploit chains being patched this year can easily turn into next year's reliable Metasploit module.


Maybe it's time to bring back to a land line.


Weekly Metasploit Wrapup

Posted by egypt Employee Oct 7, 2016

Silence is golden


Taking screenshots of compromised systems can give you a lot of information that might otherwise not be readily available. Screenshots can also add a bit of extra spice to what might be an otherwise dry report. For better or worse, showing people that you have a shell on their system often doesn't have much impact. Showing people screenshots of their desktop can evoke a visceral reaction that can't be ignored. Plus, it's always hilarious seeing Microsoft Outlook open to the phishing email that got you a shell. In OSX, this can be accomplished with the module post/osx/capture/screenshot. Prior to this week's update, doing so would trigger that annoying "snapshot" sound, alerting your victim to their unfortunate circumstances. After a small change to that module, the sound is now disabled so you can continue hacking on your merry way, saving the big reveal for some future time when letting them know of your presence is acceptable.


Check your sums before you wreck your sums


Sometimes you just want to know if a particular file is the same as what you expect or what you've seen before. That's exactly what checksums are good at. Now you can run several kinds of checksums from a meterpreter prompt with the new checksum command. Its first argument is the hash type, e.g. "sha1" or "md5", and the rest are remote file names.


Metadata is best data, everyone know this


As more and more infrastructure moves to the cloud, tools for dealing with the various cloud providers become more useful.


If you have a session on an AWS EC2 instance, the new post/multi/gather/aws_ec2_instance_metadata can grab EC2 metadata, which "can include things like SSH public keys, IPs, networks, user names, MACs, custom user data and numerous other things that could be useful in EC2 post-exploitation scenarios." Of particular interest in that list is custom user data. People put all kinds of ridiculous things in places like that and I would guess that there is basically 100% probability that the EC2 custom field has been used to store usernames and passwords.


Magical ELFs


For a while now, msfvenom has been able to produce ELF library (.so) files with the elf-so format option. Formerly, these only worked with the normal linking system, i.e., it works when an executable loads it from /usr/lib or whatever but due to a couple of otherwise unimportant header fields, it didn't work with LD_PRELOAD. For those who are unfamiliar with LD_PRELOAD, it's a little bit of magic that allows the linker to load up a library implicitly rather than as a result of the binary saying it needs that library. This mechanism is often used for debugging, so you can stub out functions or make them behave differently when you're trying to track down a tricky bug.


It's also super useful for hijacking functions. This use case provides lots of fun shenanigans you can do to create a userspace rootkit, but for our purposes, it's often enough simply to run a payload so a command like this:

LD_PRELOAD=./ /bin/true

will result in a complete mettle session running inside a /bin/true process.


New Modules


Exploit modules (1 new)

Auxiliary and post modules (3 new)s


Get it


As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.28...4.12.30


To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.


Weekly Metasploit Wrapup

Posted by egypt Employee Sep 30, 2016

Extra Usability


Commandline tools in general are powerful, but come with a learning curve. When you've been using a tool for a long time, that curve becomes a status quo that embeds itself in your fingers. That isn't always a good thing because it tends to make you blind to how things can be better and it takes an effort of introspection to notice inefficiencies. Even then, you weigh those inefficiencies against the effort required to improve.


An example of that is msfconsole's route command, which gets a bit of a spruce up this week. Instead of showing help output when given no arguments, it now shows the current routing table. In addition, it now supports using a session id of "-1" to indicate the most recent session, just like you can do for the SESSION option in post modules.


Extra privilege escalation


In the last few years, privilege escalation has become more important in the Windows world but it has always been a staple on Unix operating systems. This update brings two privilege escalation modules, one for the Linux kernel and one for NetBSD's /usr/libexec/mail.local, for your rooting pleasure.


Extra Meta Metasploitation


2ENTk2K2.pngAs I mentioned in the last wrapup, we've landed @justinsteven's modules for attacking Metasploit from Metasploit. The first, metasploit_static_secret_key_base, exploits the way Rails cookies are serialized and the fact that an update would step on the randomly generated secret key with a static one. Check out the full detailsif you're interested in how that works.


The second, metasploit_webui_console_command_execution, isn't a vulnerability as such. Rather, it takes advantage of the fact that admin users can run msfconsole in the browser, and therefore run commands on the server. This is the sort of thing that can't be patched without just removing the functionality altogether; it's literally a feature, not a bug. Authenticated administrators can do administrator things, as you might expect.


Extra Android Exploit


Stagefright_bug_logo.pngAt Derbycon last week, long-time friend of the Metasploit family, @jduck, released his latest version of Stagefright, an exploit for Android's libstagefright. He demo'd exploiting a Nexus device, but lots of other stuff is vulnerable too. Due to the rampant fragmentation in the Android world, this year-old bug is probably going to be showing up on new phones sitting on store shelves for quite a while yet.


Extra Bacon


And last but not least, this week brings a module for exploiting EXTRABACON, the Cisco ASA vulnerability made public by the Shadowbroker leak a few weeks ago. The bug is a buffer overflow in SNMP object id strings. The module does exactly what the Equation Group exploit does -- it disables authentication on the victim device and allows you to login to ssh or telnet with no password. This module was a collaboration between lots of folks and improves on the coverage in the original exploit, even adding targets for some 9.x devices that the advisory says are not affected.


This democratization of exploits through open source continues to show that being open and transparent leads to better exploits, more public knowledge, and better patches.


New Modules


Exploit modules (7 new)


Auxiliary and post modules (1 new)

Get it


As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.25...4.12.28


To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

A number of important security issues were resolved in Metasploit (Pro, Express, and Community editions) this week. Please update as soon as possible.



Issue 1: Localhost restriction bypass

    (affects versions 4.12.0-2016061501 through 4.12.0-2016083001)


On initial install, the Metasploit web interface displays a page for setting up an initial administrative user. After this initial user is configured, you can login and use the Metasploit web UI for the first time. Since this initial screen is unauthenticated, it can only be accessed via a local user (e.g. hitting the localhost hostname or loopback IP address


Until the most current release, the initial setup page access restriction does not work properly in Metasploit 4.12.0 releases. Instead, on initial install, the page for setting up the initial administrative user is accessible from all addresses on the host running Metasploit.  An attacker might be able to 'race' a fresh Metasploit installation and become the first to create an administrative user.



For users who are planning on using Metasploit with the web interface, it is important to isolate the machine from hostile networks until initial configuration is complete, or be sure to use the latest Metasploit installer in which this issue is resolved.


Thanks to Brandon Perry for discovering and reporting this issue.


Issue 2: Predictable session cookies

    (affects versions 4.12.0-2016061501 through 4.12.0-2016083001)


Metasploit uses a randomized secret key to protect session cookies from forgeries. On installation, it randomizes the secret key and stores it in a local configuration file.


As of Metasploit 4.12.0, the update packages inadvertently include a static version of this secret key file, which overwrites the randomly-generated one. The effect of this is that some Metasploit installations will all have the same hard-coded base session token, leading to forgeable session cookies, allowing an unauthenticated user to perform remote code execution via another object deserialization bug.



On startup, Metasploit will identify 'bad' static secret keys that may be installed, and if found, the base secret key is regenerated. If this fix is needed, and if a user is applying the latest update via the web UI, the UI may appear to hang during the update, though it will complete successfully in the background. In this case, simply refresh the web UI after 10-20 minutes. If it loads a login screen, the update applied successfully.


Users who updated from 4.11.0 or earlier builds are not affected, but are still encouraged to update.


Thanks to Justin Steven for discovering and reporting this issue.


Issue 3: `config.action_dispatch.cookies_serializer` is set to `:hybrid`

    (affects versions 4.12.0-2016061501 through 4.12.0-2016083001)


Metasploit versions 4.11.x and earlier use the default 'marshal' cookie type, which is vulnerable to remote object instantiation / remote code injection for a user who has the ability to generate a signed session cookie.



The Metasploit 4.12.0 point release switched to the 'hybrid' type, which gives an update path for users to the safer 'json' type. The latest release switches entirely to 'json' cookie serialization method.


Thanks to Justin Steven for discovering and reporting this issue.


Weekly Metasploit Wrapup

Posted by egypt Employee Sep 16, 2016

Security is hard


I usually focus exclusively on the Metasploit Framework here on these wrapups, but this week is a little special. This week the Metasploit commercial products (Pro, Express, and Community) come with a fix for a couple of vulnerabilities. You heard that right, remotely exploitable vulns in Metasploit. Our lovely engineering manager, Brent Cook, helpfully wrote up the details yesterday.


TL;DR - Three bugs, two of which work together: 1) the filter restricting the creation of the first admin account to localhost was broken. As has always been the case having an admin account on Metasploit lets you run commands on the server. And 2) the randomly generated session key got stepped on by a static one whenever updates were applied, so the same key was used for every Metasploit installation. Because of 3) session cookies are serialized ruby, so that's code exec, too.


Security is hard and even experts like us screw it up some times. But in true Metasploit fashion, we're not content to just patch the vuln. There is currently a Pull Request in review that will get you shells on Metasploit if you know credentials. Since it's Authenticated Code Execution by Design, it will work even without this vulnerability as long as you can steal a username and password. Expect that to land soon and be in the next wrapup. And while you're waiting, go double check to make sure you did the initial account setup on your Metasploit installs.


Download improvements


It's a bit of a hassle if a download gets interrupted, especially if the file is large. Thanks to first-time contributor cayee, you can now continue an interrupted download with Meterpreter's new download -c.


Module documentation


We've been pumping out better documentation for individual modules for a few months now, since the introduction of info -d, which gives you nice pretty markdown.


If you have wanted to contribute but didn't know what you wanted to work on, this is a great place to get started. Check out the Module Documentation milestone for a list of the modules we think are the highest priority. Github won't let you assign a ticket to someone who isn't part of the Metasploit organization, so leave a comment on one of those issues to claim it so others don't duplicate your work.


New Modules

Exploit modules (1 new)

Auxiliary and post modules (4 new)

Get it


As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.22...4.12.25


To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.


Weekly Metasploit Wrapup

Posted by egypt Employee Sep 2, 2016

PHP Shells Rising from the Flames


Phoenix Exploit Kit is your standard run-of-the-mill crimeware system, written in PHP, whose creator apparently got popped by the FSB earlier this year. Like many exploit kits, it has a back door, this one allowing you to eval whatever PHP code you like by sending it in a GET parameter (subtly named 'bdr'). Of course running arbitrary PHP allows us control of the underlying operating system to various degrees depending on configuration.


I love the idea of popping shells in malware. We've been doing it for a while, since way back in the day with exploit/windows/ftp/sasser_ftpd_port, an exploit for the FTP server run on compromised machines by the sasser worm, and I was delighted to discover that I'm not the only one who finds exploits for malware to be hilarious.


MalSploitBase is a database of exploits for known vulns in evil things just like these. Even better, its code is available on github ( and the author encourages pull requests.


How come you never call anymore?


If you create child processes from your Meterpreter session, you often want to keep track of them and make sure they're not staying out too late or getting caught up with the wrong crowd. A new option to Meterpreter's ps command makes that a little easier, giving you a nice printout of all the children of your current process.


Other Post stuff


A few fun new modules from an up-and-coming contributor h00die make persistence on Linux a bit easier in the latest release. One of the big advantages of having modules for doing persistence instead of dropping files manually is the ability to automate it. For example, putting post/linux/manage/sshkey_persistence in your AutoRunscript option for an exploit lets you automatically establish a way back in without having to think about it in the crucial first few minutes of having a shell.


And finally, for an exciting exfiltration extravaganza, post/multi/manage/zip gives you a platform-agnostic way of zipping up a directory for simplified pilfering.


New Modules


Exploit modules (5 new)

Auxiliary and post modules (3 new)


Get it


As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.19...4.12.22


To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

William Webb

Metasploit Weekly Wrapup

Posted by William Webb Employee Aug 12, 2016

Las Vegas 2016 is in The Books


This week's wrap-up actually covers two weeks thanks in large part to the yearly pilgrimage to Las Vegas.  I myself elected not to attend, but I'm told everyone had a great time.  Many on the team are still recuperating, but I'd wager that they all enjoyed seeing you there as well.  Here's to everyone's speedy recovery.




Centreon Web UserAlias Command Execution


Our first new module this go-around exploits a remote command execution vulnerability in Centreon Web via a pre-auth SQL injection.  The bug, originally discovered by Nicolas Chatelain, is detailed in a nice writeup here:  The short version is that they don't escape "\", they call 'echo' via exec(), and very bad things happen.  Luckily the bug was promptly fixed in late 2014 and doesn't affect current versions, but, if for some reason you haven't updated by now, you should probably look into it.


Polycom Command Shell Authorization Bypass


Next, we have a module that managed to slip through the cracks for about 4 years now.  Sorry.  It targets an authorization bypass vulnerability in older firmware releases for the Polycom HDX line of video conferencing endpoints.  The original vulnerability discovery was made by Paul Haas in 2012 and publicly disclosed in January of 2013.  You can check out his original advisory here  Paul released a module at the time, but for some reason it wasn't incorporated into Metasploit Framework.  That's all changed thanks to h00die, who has ported the module to work with newer versions of the framework.  While bugs this old are often not that exciting, it's reasonable to assume that firmware for video equipment may be one of the last things on the mind of many IT administrators when considering a maintenance strategy for their organization, making this one a bit more interesting.


Drupal RESTWS Moule Remote PHP Code Execution


In other SQL injection news, we recently landed a module by Mehmet Ince targeting a remote code execution vulnerability in the Drupal 7.x RESTWS Module.  RESTWS versions below 2.6 in the 2.x series and 1.7 in the 1.x series are affected by the issue.  Despite resulting in arbitrary code execution on any host running the affect module, the bug is fairly simple, and exploitation couldn't be easier thanks to Mehmet's module:




Internet Explorer 11 VBScript Memory Corruption


Last week, some jerk wrote a module for CVE-2016-0189, which exploits a memory corruption vulnerability within Internet EXplorer 11's VBScript engine.  The module was based off the original PoC publicized by Theori, who provided an excellent writeup on their efforts reversing this interesting bug from patches here  In a nutshell, the exploit leverages some logical errors into a write primitive and uses this to enable execution of arbitrary VBScript.  While Internet Explorer 11 on Windows 10 isn't that popular, and VBScript is akin to a Lovecraftian horror that would drive one to insanity should they even contemplate it, vulnerabilities such as these are quite interesting to work with, especially given that mitigations against common browser exploit vectors such as Use-after-Free's continue to improve.



Utility Module Goodness


Our last two modules this week aren't exactly exploits, but they do provide some awesome auxiliary capabilities.  For one, we landed an incredibly useful SMB Delivery module by Andrew Smith and Russel Van Tuyl.  Hosting payloads via an SMB share is sometimes the best option available for delivery depending on the situation.  In the past, authors have had to roll their own SMB functionality into their Metasploit modules.  This module greatly simplifies that process. Finally, Robert Kugler submitted a module that lets one recover the installation password for recent versions of Avira Antivirus.


Weekly Metasploit Wrapup

Posted by egypt Employee Jul 22, 2016

Windows Privilege Escalation


In the long long ago, Windows users pretty much universally had local Administrator accounts. While that's still true in less mature environments, I think we have done a pretty good job as an industry of convincing folks to reduce users' privileges. Back in those days, privilege escalation exploits weren't all that useful because every exploit, executable, and Word macro already gave you the highest privileges. Today that's less true.


Even worse for the enterprising hacker, modern browser exploitation frequently gives you the lowest possible privileges, even without the ability to read or write files outside of certain directories or interact with processes other than your own, due to sandboxing. One major advantage of kernel vulnerabilities is the fact that they skip right out of those sandboxes straight to NT AUTHORITY\SYSTEM.


Two Windows vulnerabilities, one patched in February and the second in March, get exploits this week for your privilege escalating pleasure.


Test Our Mettle


Over the years there have been several iterations of Meterpreter for a POSIX environment, with limited success. As of this week, we're shipping a new contender for the throne of unix payloads: Mettle. It's a ground-up implementation of the Meterpreter protocol and featureset for multiple architectures and POSIX platforms. One of the barriers to such a payload has been the fact that it requires packaging up a static libc and any libraries it will need on target. This is in contrast to Windows where the extreme adherence to backwards compatibility through the ages means that things like socket functions in ws2_32.dll can be relied upon pretty universally, which just isn't remotely true of all the various unices. Android's Bionic libc was the most recent, but several issues have made it clear we needed something else. Mettle uses musl, a small, highly portable, optimized libc. While we're currently only testing Linux, musl's portability will give us the ability to expand to other things like Solaris and BSD in the future.


The old implementation will continue to live side-by-side with the new one for a while, but once Mettle has the main required features, the Bionic-based POSIX Meterpreter will be allowed to retire to a beach somewhere to drink margaritas and complain about kids these days.


New Modules


Exploit modules (5 new)

Auxiliary and post modules (3 new)

Get it


As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.11...4.12.14


To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.


Weekly Metasploit Wrapup

Posted by egypt Employee Jul 8, 2016

House keeping


Since the last Wrapup, we've been continuing our long-running project of breaking up some of the old cobweb-encrusted parts of the framework codebase into smaller pieces that are easier to deal with. A few things, lib/sshkey and lib/bit-struct in particular, that for historical reasons were just slightly modified copies of a gem, have been pulled out entirely in favor of the upstream release. A bunch of other things have been pulled out into their own repositories, making the whole codebase a little tidier.


NBNS and BadTunnel


NBNS is the NetBIOS Name Service, which Windows uses to do fast local translations of hostnames to IP addresses. Like DNS, being able to lie about answers gives an attacker the ability to act as a Man-in-the-Middle. Unlike DNS, Requests are sent broadcast to the local subnet. That means that listening for these requests and spoofing replies gets you a MitM stance on whatever they were requesting, a longstanding hacker favorite. This is also a downside because it means you have to be on the same local network as the victim to see those requests and know how to reply. However, all of this happens over UDP which routers don't mind forwarding on to different subnets. You just need to guess the transaction ID, a 16-bit number. As it turns out 16-bit numbers aren't that big and you can just spam packets until it works. You still need to know the hostname, though. Enter WPAD.


Hackers have loved Windows Proxy Automatic Discovery, or WPAD, forever. For those unfamiliar with it, it's an HTTP service that hosts a small piece of javascript for determining whether a given URL should go through a proxy. Windows uses this by default not just with all requests from Internet Explorer, but everything that uses the WinInet API.

One way to convince a client that you are their WPAD server is to respond to the NBNS lookup for a host with that name. Metasploit and other tools like have been providing that handy service for years to great effect. But now with you don't need to be on the same subnet. Now you can just spam replies for WPAD for a few seconds until you get lucky and suddenly you can be in the middle of all HTTP requests by claiming to be their proxy. And it gets better. If you can somehow convince someone to send any NetBIOS traffic your way, you can do the same across NAT, thanks to BadTunnel.


Have fun storming the castle.


Chained exploits


Nagios is a nifty monitoring tool that has basically become the defacto standard. They also produce a proprietary commercial frontend called Nagios XI. That frontend has a SQL injection vuln that can lead to authentication bypass. The bypass gives you access to a command injection. The command injection lets you run sudo without a password. Nothing but net.


Expect a more detailed write up on this one.


New Modules


Exploit modules (6 new)

Auxiliary and post modules (5 new)


Get it


As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.7...4.12.11


To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Rapid7 announced the end of life of Metasploit Pro 32-bit versions for both Windows and Linux operating systems on July 5th, 2017.  This announcement applies to all editions: Metasploit Pro, Metasploit Express and Metasploit Community.  After this date Metasploit 32-bit platforms will not receive product or content updates. Metasploit Framework will continue to provide installers and updates for the 32-bit versions.


MilestoneDescription      Date                
End-of-life announcement dateThe date that the end-of-life date has been announced to the general public.July 5th, 2016
Last date of available installersThe last date Rapid7 will generate 32-bit installers. After this date, Rapid7 will continue to provide updates until the last date of support.July 5th, 2016
Last date of supportThe last date to receive service and support for the product.  After this date, all support services for the product are unavailable, and the product becomes obsolete.July 5th, 2017



Product Migrations

Customers are encouraged to migrate to Metasploit 64-bit versions of the product, installation files can be found in the following link.  When upgrading to there maybe changes to system requirements including memory, please view the System requirements to see if your current system meets the minimum requirements.  To migrate to a newer platform you create a platform independent backup and restore it on the new system.  Please see this page to learn how to determine if you need to migrate, how to do a backup/restore, and about other related topics.


More Information


Weekly Metasploit Wrapup

Posted by egypt Employee Jun 16, 2016

Steal all the passwords


I talk a lot about Authenticated Code Execution, but of course that's not the only thing that authenticated access can get you. This week's update comes with a couple of modules for using known credentials to extract more credentials. The first is for Symantec Brightmail, an email filtering gateway that comes with a management interface for administrators. Any account with read access is allowed to look at the encrypted LDAP credentials stored in Brightmail. Fortunately for us, the encryption is reversible and the system also kindly uses a known key. The second module is for Canon multi-function printers, because of course your printer needs to store a bunch of plaintext passwords; I mean, why wouldn't it? This one also requires authentication, but it's a printer, so of course there's a default that no one ever changes.


Payload options in jobs output


To see the stuff running in the background, msfconsole has a jobs command. There are some pertinent pieces of info you usually want to see in that display, but a console interface makes it kinda tough to view it all because of the limited column width. A recent feature, the ability to control the URI a reverse_http payload calls back to with the LURI option, puts extra pressure on that limited space. To make that a little easier, payload options are now all condensed into a single column, so instead of seperate LPORT, LHOST, and LURI columns, you just have "Payload opts":



msf exploit(ie_cbutton_uaf) > jobs


  Id  Name                                       Payload                           Payload opts
  --  ----                                       -------                           ------------
  0   Exploit: windows/browser/adobe_flash_pcre  windows/meterpreter/reverse_http
  1   Exploit: windows/browser/ie_cbutton_uaf    windows/meterpreter/reverse_tcp   tcp://

msf exploit(ie_cbutton_uaf) > jobs -v


  Id  Name                                       Payload                           Payload opts                     URIPATH   Start Time                 Handler opts
  --  ----                                       -------                           ------------                     -------   ----------                 ------------
  0   Exploit: windows/browser/adobe_flash_pcre  windows/meterpreter/reverse_http  /flash    2016-06-16 13:50:31 -0500
  1   Exploit: windows/browser/ie_cbutton_uaf    windows/meterpreter/reverse_tcp   tcp://             /cbutton  2016-06-16 13:51:00 -0500 


Gifts that keep on giving

Shellshock is one of my favorite bugs of all time. It's simple to exploit, results in RCE, and is in a thing that everyone takes for granted. The latest incarnaiton of it is in IPFire, an open source Linux firewall, but I'm sure we'll see it again.


New Modules


Exploit modules (6 new)

Auxiliary and post modules (4 new)


Get it


As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.5...4.12.7


To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Filter Blog

By date: By tag: