Just a quick update this week for some new Metasploit modules. We're holding off on the usual Framework and Pro enhancements as we button up the next point release for Metasploit Pro, Express, and Community Editions. That said, we do have a few neat new modules that I wanted to highlight, so let's take a look.
Hacking the Hackers
This week's haul includes something a little unusual -- an exploit for Poison Ivy, a blackhat-favored Remote Administration Tool (RAT). Community contributor Gal Badishi wrote the poisonivy_bof module, which implements a vulnerability discovered by Andrzej Dereszowski in Poison Ivy 2.3.2. Given that this version has been current since 2008 or so, I don't expect a fix any time soon -- besides, if you happen to find it listening (Poison Ivy binds to TCP/3460 by default), it's a pretty good bet the owner of the computer doesn't know it's running.
As a pen-tester, retaking ownership of a machine that's already been compromised is a great story to be able to tell your client -- it really underlines the importance of offensive security testing in live environments. Finding listening RATs and backdoors and the like is one thing, but to be able to turn them around and immediately use them to gather more information on the target network is pretty ninja.
Function Prototype Mismatching, Explained
Earlier this week, Metasploit's Juan Vazquez provided a ton of details on implementing vulnerability researcher Andrea "rgod" Micalizzi's vulnerability in IBM's Rational ClearQuest CQOle ActiveX control, over in his blog post, It isn't Always about Buffer Overflow. I'm getting spoiled by these technical deep dives into how Juan and sinn3r write up these exploits, and more than a little jealous that they get to spend all their time producing Metasploit awesomeness. The described exploit is in this week's update, so have fun poking at it.
Return of WPAD
This week's update also has a new auxiliary module from community contributor "et" which implements the WPAD man-in-the-middle (MITM) attack. I'm a little surprised we didn't already have this attack knocking around, since it can be such a handy way to redirect client victims to your custom phishing site. In fact, Metasploit contributor James "egypt" Lee's travel laptop is named "wpad," so if you happen to be on a network near him, be careful with your proxy settings. (:
If you're not familiar with how the WPAD MITM works, some guy at some company wrote up the attack with a demo a few years ago. It's an okay read.
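Since the whole point of the WPAD MITM is to hand clients a wpad.dat that steers their traffic through an attacker-controlled proxy, the defensive check is to look at what the PAC file you are actually being served points to. The following is an added example, not code from the Metasploit module or from the original post: it pulls every PROXY/SOCKS/HTTP/HTTPS target out of a PAC file's return strings with a regular expression (no JavaScript engine needed) and flags any host that is neither a known proxy hostname nor inside a network you expect proxies to live in. The sample PAC text, the allowlist, and the 192.0.2.77 address are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample wpad.dat, in the shape a WPAD server hands out to clients.
# The last return line is the kind of thing a hijacked WPAD would serve.
SAMPLE_PAC = """
function FindProxyForURL(url, host) {
    if (isPlainHostName(host)) return "DIRECT";
    if (shExpMatch(host, "*.example.test")) return "PROXY proxy.example.test:3128; DIRECT";
    return "PROXY 192.0.2.77:8080; SOCKS 192.0.2.77:1080; DIRECT";
}
"""

# PAC return strings are ';'-separated directives: PROXY host:port, SOCKS host:port,
# plus the HTTP/HTTPS extensions newer browsers accept. DIRECT carries no target.
PROXY_RE = re.compile(r'\b(PROXY|SOCKS4?5?|HTTPS?)\s+([^\s;"\']+)', re.IGNORECASE)


def extract_proxies(pac_text):
    """Return every (type, host, port) target the PAC file can hand out, in file order.

    Bracketed IPv6 literals are not split out here; they come back as the raw host string.
    """
    targets = []
    for kind, hostport in PROXY_RE.findall(pac_text):
        host, sep, port = hostport.rpartition(":")
        if not sep or not port.isdigit():
            # No port given (or not a simple host:port) -- keep the whole token as the host.
            host, port = hostport, None
        else:
            port = int(port)
        targets.append((kind.upper(), host, port))
    return targets


def unexpected_proxies(pac_text, allowed_hosts, allowed_nets):
    """Targets whose host is neither an allowed proxy hostname nor inside an allowed network."""
    nets = [ip_network(n) for n in allowed_nets]
    hosts = {h.lower() for h in allowed_hosts}
    flagged = []
    for kind, host, port in extract_proxies(pac_text):
        try:
            ok = any(ip_address(host) in n for n in nets)
        except ValueError:
            # Not an IP literal, so compare as a hostname.
            ok = host.lower() in hosts
        if not ok:
            flagged.append((kind, host, port))
    return flagged


if __name__ == "__main__":
    # Constructed allowlist: the corporate proxy name and the RFC 1918 range it lives in.
    for kind, host, port in unexpected_proxies(SAMPLE_PAC, ["proxy.example.test"], ["10.0.0.0/8"]):
        print("unexpected %s target: %s:%s" % (kind, host, port))
```

In practice you would feed this the wpad.dat fetched from whatever host the client's DHCP option 252 or `wpad.<domain>` lookup resolves to, and treat any flagged target (or a WPAD name that suddenly resolves at all) as the signal to go find who is answering for it.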
Here are the new modules -- for details and usage, follow the links to our Exploit Database.
- WANGKONGBAO CNS-1000 and 1100 UTM Directory Traversal by Dillon Beresford exploits EDB-19526
- Novell ZENworks Configuration Management Preboot Service Remote File Access by Luigi Auriemma and juan exploits CVE-2012-2215
- WPAD.dat File Server by et implements the WPAD MITM attack
- Java Applet Field Bytecode Verifier Cache Remote Code Execution by sinn3r, juan vazquez, Stefan Cornelius, littlelightlittlefire, and mihi exploits CVE-2012-1723
- Basilic 1.5.14 diff.php Arbitrary Command Execution by sinn3r, juan, and lcashdollar exploits BID-54234
- Hastymail 2.1.1 RC1 Command Injection by juan vazquez and Bruno Teixeira exploits CVE-2011-4542
- Tiki Wiki 8.3 unserialize() PHP Code Execution by juan vazquez and EgiX exploits CVE-2012-0911
- IBM Rational ClearQuest CQOle Remote Code Execution by juan vazquez and rgod exploits CVE-2012-0708
- AdminStudio LaunchHelp.dll ActiveX Arbitrary Code Execution by juan and rgod exploits CVE-2011-2657
- Umbraco CMS Remote Command Execution by juan vazquez and Toby Clarke exploits Umbraco bug #18192
- Poison Ivy 2.3.2 C&C Server Buffer Overflow by juan vazquez, Andrzej Dereszowski, and Gal Badishi exploits an unclassified vulnerability in Poison Ivy
- autoexploit.rc by sinn3r and m-1-k-3 allows exploit automation, including dry runs and checks.
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For additional details on what's changed and what's current, please see the most excellent release notes.