Another week, another fifteen new modules for Metasploit. I continue to be amazed by the productivity of our open source exploit developer community. Thanks so much for your hard work and effort, folks!

New Module for Trusted Path Switcheroo

As I was going over this week's new modules, one that jumped out at me was Wei "sinn3r" Chen's implementation of a general Trusted Path insertion attack, Windows Service Trusted Path Privilege Escalation. I don't recall running into this attack scenario before, but of course, I don't live and breathe the Windows APIs like sinn3r does. Here's how it works, in a nutshell:

  • First, find a Windows service that is run in the context of LocalSystem.
  • Of those, find a service whose executable lives in an unquoted directory path that contains a space. For example, if a system service runs C:\Program Files\FooCompany\bar.exe (without specifying quotes), you're in.
  • Write your malicious executable to a path that mimics the path specifier up to the first space, then launch the service as normal. In the above example, we'd write our executable to C:\Program.exe, so it would be run with the command argument "Files\FooCompany\bar.exe".

That's pretty much the long and the short of it. Of course, you need both the right to write to a (possibly arbitrary) directory and the right to start and stop services, but Power Users (and better) tend to have those rights by default. If you want to check the paths of all your running Windows processes, the easiest way is probably to fire up a command shell, run "wmic PROCESS get CommandLine", and eyeball the output for anything missing quotes.
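As an added example (not code from this post or from the Metasploit module it describes), here is a PowerShell script that automates that check on the service side: it lists LocalSystem services whose unquoted binary path contains a space, shows the truncated paths whose directory ACLs you should review, and with -Fix quotes the path in the registry. The script name Find-UnquotedServicePath.ps1 is assumed.

```powershell
# Added example, not code from the Metasploit post or the module it describes.
# Audits services for the unquoted-path weakness discussed above and, with
# -Fix, quotes the path in the registry. Assumes Windows PowerShell 5.1+ or
# PowerShell 7 and an elevated prompt when -Fix is used.
[CmdletBinding()]
param(
    [switch]$Fix   # rewrite ImagePath with the executable path in quotes
)

# Unquoted path whose directory part (up to the .exe) contains a space.
$unquoted = '^(?!")(?<path>[A-Za-z]:\\[^"]*?\s[^"]*?\.exe)'

$findings = foreach ($svc in Get-CimInstance Win32_Service) {
    if ($svc.StartName -ne 'LocalSystem' -or -not $svc.PathName) { continue }
    $m = [regex]::Match($svc.PathName, $unquoted, 'IgnoreCase')
    if (-not $m.Success) { continue }
    $exe   = $m.Groups['path'].Value
    $parts = $exe -split ' '
    # "C:\foo\bar.exe -k x" has a space only in its arguments: not a finding.
    if ($parts[0] -match '\.exe$') { continue }
    # %SystemRoot% is not writable by ordinary users; skip it to reduce noise.
    if ($exe -like "$env:SystemRoot\*") { continue }
    # Each prefix ending at a space is a location CreateProcess tries before the
    # real binary (C:\Program.exe in the post's example); review their ACLs.
    $audit = for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
    [pscustomobject]@{
        Service    = $svc.Name
        PathName   = $svc.PathName
        AuditPaths = $audit -join '; '
    }
    if ($Fix) {
        $tail  = $svc.PathName.Substring($exe.Length)   # arguments, if any
        $fixed = '"{0}"{1}' -f $exe, $tail
        # Writes the expanded path; re-run the audit after the service restarts.
        Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)" `
            -Name ImagePath -Value $fixed
        Write-Verbose "Quoted ImagePath for $($svc.Name): $fixed"
    }
}

$findings | Format-Table -AutoSize
```

Run it without -Fix first to review the findings; a service whose ImagePath uses environment variables will have them expanded when -Fix rewrites it.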

Stack Cookie Bypass Technique

Metasploit exploit developer Juan Vazquez brings us another technical deep-dive into his strategies for bypassing stack cookie protections that he used to exploit CVE-2012-0549 in his module Oracle AutoVue ActiveX Control SetMarkupMode Buffer Overflow. If you are just getting started in exploit development on your own, Juan's blog posts have been a treasure trove of practical, hands-on wisdom.

New Modules

Here are the new modules -- for details and usage, follow the links to our Exploit Database.

Auxiliary modules

Exploit modules

Post modules

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see the most excellent release notes.