NAT-PMP'ing is now easy

This week, we have three new modules and an accompanying Rex protocol parser for the NAT Port-Mapping Protocol (NAT-PMP), the ad-hoc router management protocol favored by Apple. Over the weekend, Rapid7 Lead Security Engineer and confessed protocol nerd Jon Hart forgot the password to a little-used AirPort base station, so rather than merely resetting the device, he instead busted out a trio of Metasploit modules to make this kind of task easier in an unauthenticated way.

  • natpmp_map - the port-mapper for NAT-PMP. This instructs the router to forward external traffic arriving on the named port to the supplied internal host and port.
  • natpmp_portscan - uses a neat technique to determine what external ports are mapped on a given NAT device.
  • natpmp_external_address - discovers the external IP address of the NAT device.

Now, this won't get you magical internal network access over a NAT gateway -- these modules are designed to be run from the internal side of the network. That said, the use-case in a penetration test is pretty clear. All too often, pen testers will come across an office environment that's using consumer-grade gear for some specific business purpose (or is simply rogue). By leveraging these modules, the attacker can set up his own NAT-tunneled port maps without needing to know any kind of router authentication, which can expose devices to the greater network for further abuse. Pretty cool.
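To audit for the unauthenticated port maps described above, a defender can decode NAT-PMP traffic seen on the internal network. The following Ruby is an added example, not code from Metasploit or its Rex parser; it assumes the RFC 6886 wire format on UDP port 5351, and the function names and sample capture are constructed for illustration.

```ruby
# Added example (not Metasploit code): decode NAT-PMP payloads per RFC 6886.
RESULTS = { 0 => :success, 1 => :unsupported_version, 2 => :not_authorized,
            3 => :network_failure, 4 => :out_of_resources,
            5 => :unsupported_opcode }.freeze
PROTOS = { 1 => :udp, 2 => :tcp }.freeze

def decode_natpmp(payload)
  data = payload.b
  return { error: :too_short } if data.bytesize < 2
  version, opcode = data.unpack('CC')
  return { error: :unsupported_version } unless version.zero?
  kind = opcode & 0x7f # 0 = external address, 1 = map UDP, 2 = map TCP
  return { error: :unknown_opcode } unless kind <= 2
  opcode < 128 ? decode_request(kind, data) : decode_response(kind, data)
end

def decode_request(kind, data)
  return { type: :external_address_request } if kind.zero?
  return { error: :truncated } if data.bytesize < 12
  internal, external, lifetime = data.unpack('x4nnN')
  # A requested lifetime of zero asks the gateway to delete the mapping.
  type = lifetime.zero? ? :mapping_delete_request : :mapping_request
  { type: type, proto: PROTOS[kind], internal_port: internal,
    external_port: external, lifetime: lifetime }
end

def decode_response(kind, data)
  return { error: :truncated } if data.bytesize < (kind.zero? ? 12 : 16)
  result, epoch = data.unpack('x2nN')
  base = { result: RESULTS.fetch(result, :unknown), epoch: epoch }
  if kind.zero?
    addr = data[8, 4].unpack('C4').join('.')
    return base.merge(type: :external_address_response, address: addr)
  end
  internal, external, lifetime = data.unpack('x8nnN')
  base.merge(type: :mapping_response, proto: PROTOS[kind],
             internal_port: internal, external_port: external, lifetime: lifetime)
end

# Constructed capture of [source IP, UDP payload] pairs; not real traffic.
SAMPLE = [
  ['192.168.1.23', [0, 0].pack('CC')],
  ['192.168.1.23', [0, 2, 0, 8080, 8080, 3600].pack('CCnnnN')],
  ['192.168.1.1',  [0, 130, 0, 86_400, 8080, 8080, 3600].pack('CCnNnnN')],
  ['192.168.1.1',  [0, 128, 0, 86_400, 203, 0, 113, 7].pack('CCnNC4')]
].freeze

def mapping_requests(capture)
  capture.map { |src, p| decode_natpmp(p).merge(src: src) }
         .select { |m| m[:type] == :mapping_request }
end
```

Any internal host that shows up in `mapping_requests` but is not expected to manage the gateway is worth reviewing against the router's current port-map table.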

64-bit LoadLibrary Payload

Community contributors scriptjunkie and Stephen Fewer put together a 64-bit version of the LoadLibrary Payload, because (quoting the commit message) "it should exist." If you're not familiar with the LoadLibrary payload, there's a use case documented over on Room362, where Mubix describes the technique in some detail (his examples use the existing 32-bit LoadLibrary payload, but the idea is the same). Thanks guys!

New Modules and Scripts

Finally, here's the rundown of this week's haul of new modules and scripts.

  • igss9_dataserver is a DoS attack against 7-Technologies IGSS 9 (CVE-2011-4050), submitted by jfa.
  • vmauthd_login is a VMware authentication bruteforcer from TheLightCosine.
  • gitorious_graph is a command injection exploit against Gitorious (SA47663), submitted by joernchen.
  • hp_easy_printer_care_xmlcachemgr is a somewhat complicated exploit for HP's Easy Printer Care ActiveX control (CVE-2011-4786), submitted by Juan Vazquez.
  • hp_nnm_ovbuildpath_textfile is a memory corruption exploit in HP OpenView Network Node Manager (CVE-2011-3167), added by Juan and sinn3r.
  • download_exec is a Railgun-based post module for downloading arbitrary files using the standard URL moniker service (urlmon) from Internet Explorer, courtesy of RageLtMan.

In scripts, community contributor m-1-k-3 submitted auto_pass_the_hash.rc, which is a simple rc-script implementation of the tried-and-true Pass the Hash SMB authentication attack, and wmap_autotest.rc, an automated means to step through collected web pages using Efrain Torres' wmap plugin for all the heavy lifting.

Availability

For those of you who rely on the msfupdate command to track Framework development, you already have these sitting in your local checkout. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new Framework hotness today when you check for updates through the Software Updates menu under Administration.

For more details on what's changed and what's current, please see Jonathan Cran's most excellent release notes.