Coming on the heels of August's Java 0-day release, there are three new Java exploits among the top 10 most searched Metasploit exploits and auxiliary modules in this month's trend list. The monthly statistics are drawn from our exploit database by analyzing web server logs of searches on metasploit.com; Metasploit usage itself is not tracked, for privacy reasons.
Check out the top searched exploits and modules below, annotated with Tod Beardsley's excellent comments:
- Java 7 Applet Remote Code Execution: Of course, this is the reason why all the other Java modules leapt up in the rankings. In case you've been on safari for the last several weeks and haven't heard the story yet: over a fateful weekend in August, Metasploit exploit devs Wei "sinn3r" Chen, Juan Vazquez, and contributor Josh "jduck" Drake got together on IRC and put together a Metasploit module to take advantage of the vulnerability reported privately to Oracle by Adam Gowdiak and James Forshaw. Here's the twist: Nobody at the time knew about Adam's or James's private disclosure to Oracle -- this bug was instead spotted in the wild way before Oracle was planning to release their fix. So, we started the week with a new Java 0-day, and by the end of the week, after much speculation, Oracle did the right thing and accelerated their patch schedule. Interesting times, to say the least. New entry this month.
- Microsoft Server Service Relative Path Stack Corruption (CVE-2008-4250, MSB-MS08-067): A four year old vulnerability that tends to give the most reliable shells on Windows 2003 Server and Windows XP. It's also got a great pile of language pack targets. All of Metasploit's exploits provide US English targeted shellcode, a few might provide Chinese, Spanish, French, or other popular languages; this one has targets in pretty much every language you've ever heard of. This exploit is also not ancient, so it's reasonable to expect to find some unpatched systems in a medium to large enterprise vulnerable to it. More on this topic at Microsoft's Security TechCenter. Down one place from #1 last month.
- MS12-020 Microsoft Remote Desktop Use-After-Free DoS (CVE-2012-0002, MSB-MS12-020): This is the 2012 RDP Bug, where it was implied -- but never proven in public -- that a pre-auth bug in RDP can allow for remote code execution. This is likely the most popular module we have due to both recency bias and because there was an unusual level of spontaneous organization of the Metasploit developer community to search for the correct path to remote code execution. So far, nobody's gotten RCE yet (in public), but the Metasploit module provides the most clues. More on this topic in an article on ZD Net. Down one place from #2 last month.
- Microsoft RPC DCOM Interface Overflow (CVE-2003-0352, MSB-MS03-026): A nine year old vulnerability that used to be the de-facto standard exploit for Windows machines - this is the RPC DCom bug, and it affects ancient NT machines. It was most notable in that it was used by the Blaster and Nachi worms to transit networks. It's now pretty much a case study in stack buffer overflows in Windows, so it's got a lot of historical value. If memory serves, this was the most reliable exploit in Metasploit v2. More info on that at Windows IT Pro. Same position as last month.
- Microsoft Server Service NetpwPathCanonicalize Overflow (CVE-2006-3439, MSB-MS06-040): A six year old vulnerability that's notable in that there's no official patch from Microsoft for this on Windows NT 4.0. This was discovered after NT went end-of-life, so if you need remote root on an NT machine (and there are still plenty out there), this is going to be your first choice. More on this topic at Microsoft's Security TechCenter. Down 2 places from #3 last month.
- Microsoft Windows Authenticated User Code Execution (CVE-1999-0504): The PSExec module is a utility module -- given an SMB username and password with sufficient privileges on the target machine, the user can get a shell. It's not sexy, but it's super handy for testing payloads and setup. Even though it's a lowly #10, I'd bet it's the most-used module in classroom and test environments. More on this topic in the National Vulnerability Database. Up two places from #7 since last month.
- Java Signed Applet Social Engineering Code Execution: Like the Adobe PDF Embedded EXE Social Engineering module, this is a really solid go-to module for social engineering payloads. A simple Google search turns up dozens of demonstration videos from all around the world on how to use this module. Up one place from #8 since last month.
- PHP CGI Argument Injection: This exploits CVE-2012-1823, a vulnerability in the way PHP-CGI handles parameters passed on GET requests. The vulnerability was discovered during a capture-the-flag exercise at NullCon in January 2012, and the bug's life cycle is pretty thoroughly documented over at De Eindbazen. Here's the short story: this bug, which allows for command execution via GET requests to PHP-CGI installations, has been knocking around PHP installations since 2004. It was first reported to PHP in January of 2012 (yes, eight years after it was introduced), subsequently leaked accidentally in May of 2012, and actively exploited shortly thereafter. More info on this on a blog at Serge Security. Up one place from #9 since last month.
- Java Applet Rhino Script Engine Remote Code Execution: This module from late November of 2011 used to be the go-to Java exploit for browser targets - of course, that all changed with the new Java 0-day we released this month. This module most likely jumped up the rankings as everyone and their brother pawed through the Metasploit Exploit DB for all things Java. We got a ton of coverage on the Java 0-day event, so that aura certainly skewed the numbers for this module, even when it was already pretty popular. New entry since last month.
- Adobe PDF Embedded EXE Social Engineering (CVE-2010-1240): This module exploits CVE-2010-1240 in Adobe Reader. The idea is that you can embed and execute a Meterpreter PE Executable in a PDF, and when the user opens the PDF, surprise shells! Since it's on this list, it's probably the most popular social engineering-style module. More on this topic at the National Vulnerability Database. Same position as last month.
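The query-string mechanics behind the PHP CGI Argument Injection entry above, as an added example (this is not code from the original post and not Metasploit's own module): per RFC 3875 section 4.4, a CGI server hands QUERY_STRING to the script as command-line arguments only when it contains no unencoded '=', splitting it on '+' and URL-decoding each word. php-cgi then honoured those arguments, so a request like `?-s` dumped the script's source, and `?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input` with PHP code in a POST body gave code execution, because `%3d` is not an unencoded '='. The script below reconstructs that argv from access-log lines and flags requests carrying php-cgi switches. The log lines, client addresses and the switch list are constructed assumptions for the example, not real traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [05/May/2012:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.9 - - [05/May/2012:10:01:05 +0000] "GET /index.php?-s HTTP/1.1" 200 9012
203.0.113.9 - - [05/May/2012:10:01:07 +0000] "POST /index.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 44
203.0.113.7 - - [05/May/2012:10:01:09 +0000] "GET /search.php?q=-s+foo HTTP/1.1" 200 1203
"""

# php-cgi switches worth flagging when they appear in the reconstructed argv.
# Assumption: an illustrative subset of `php-cgi -h`, not an exhaustive list.
PHP_CGI_SWITCHES = {"-s", "-d", "-n", "-c", "-f", "-i", "-q", "-T"}

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+"')


def cgi_argv(query_string: str) -> list[str]:
    """Reproduce the RFC 3875 section 4.4 rule a CGI server applies.

    Only when QUERY_STRING has no *unencoded* '=' is it treated as a command
    line: it is split on '+' and each word is URL-decoded.  A '%3d' is not an
    unencoded '=', which is why '-d allow_url_include%3d1' reached php-cgi as
    argv while an ordinary 'page=home' query never did.
    """
    if "=" in query_string:
        return []
    return [unquote(word) for word in query_string.split("+") if word]


def is_php_cgi_injection(query_string: str) -> bool:
    """True when the argv a CGI server would build contains a php-cgi switch."""
    return any(
        arg[:2] in PHP_CGI_SWITCHES
        for arg in cgi_argv(query_string)
        if arg.startswith("-")
    )


def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client_ip, path, reconstructed argv) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, url = m.groups()
        path, _, query = url.partition("?")
        if query and is_php_cgi_injection(query):
            hits.append((ip, path, cgi_argv(query)))
    return hits


if __name__ == "__main__":
    for ip, path, argv in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} argv={argv}")
```

Note that the last sample line (`q=-s+foo`) is not flagged: it carries an unencoded '=', so a CGI server treats it as form data rather than a command line, which is the distinction the whole bug hinges on. The check only applies where the server actually populates argv from the query string (Apache's mod_cgi does; a FastCGI setup generally does not).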
If you want to use any of these exploits right now, you can download Metasploit for free!