Each month we report the top ten searched exploit and auxiliary modules on metasploit.com. The statistics are drawn from our exploit database by analyzing webserver logs of searches, not through Metasploit usage which is not tracked to preserve privacy.
With the Java and Internet Explorer 0-days in August and September, this month's exploit trends from Metasploit really shook-up the status quo. And, just to make things more interesting, there are a couple exploits from April that came back for an encore at numbers 9 & 10.
Without further ado, here are September's Top Ten Exploits with commentary from Metasploit guru todb.
1. Java Atomic Reference Array Type Violation Vulnerablity (CVE-2012-0507): A returning entry from the April Top 10, this module makes its comeback because of all the Java 0day traffic from August. This was initially discovered in the wild as a Java 0-day, and this module represented the fevered work of sinn3r and Juan Vazquez, who turned out the first reliable public cross-platform exploit for the bug.The blog post "CVE-2012-0507 - Java Strikes Again" shows a screenshot of Meterpreter sessions on Windows, Ubuntu, and OSX systems. In fact, this may be the first publicly demonstrable Java exploit that just works against all three platforms for the vulnerable versions of Java -- no extra configuration or fingerprinting is needed. Returning entry from the April Top 10 Exploits.
2. Java 7 Applet Remote Code Execution: Over a fateful weekend in August, Metasploit exploit devs Wei "sinn3r" Chen, Juan Vazquez, and contributor Josh "jduck" Drake got together on IRC and put together a Metasploit module to take advantage of the vulnerability reported privately to Oracle by Adam Gowdiak and James Forshow. Here's the twist: Nobody at the time knew about Adam's or James's private disclosure to Oracle -- this bug was instead spotted in the wild way before Oracle was planning to release their fix. So, we started the week with a new Java 0-day, and by the end of the week, after much speculation, Oracle did the right thing and accelerated their patch schedule. Interesting times, to say the least. Down one place from #1 last month.
3. MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability: This bug started off with Eric Romang's blog post and ended up with a module being cooked up over a weekend by Eric, @binjo, and the Metasploit exploit dev team. This event, like the Java 0-day, had the net effect of speeding up the vendor's patch schedule. If there was no public, open exploit, would there have been a patch so rapidly? Was it connected with Java 0-day? Who's the primary source for these critical client-side bugs, anyway? These and other questions are still being speculated on and debated in the security industry and security press. New entry this month.
4. Microsoft Server Service Relative Path Stack Corruption (CVE-2008-4250, MSB-MS08-067): A four year old vulnerability that tends to give the most reliable shells on Windows 2003 Server and Windows XP. It's also got a great pile of language pack targets. All of Metasploit's exploits provide US English targeted shellcode, a few might provide Chinese, Spanish, French, or other popular languages; this one has targets in pretty much every language you've ever heard of. This exploit is also not ancient, so it's reasonable to expect to find some unpatched systems in a medium to large enterprise vulnerable to it. More on this topic at Microsoft's Security TechCenter. Down two places from #2 since last month.
5. MS12-020 Microsoft Remote Desktop Use-After-Free DoS (CVE-2012-0002, MSB-MS12-020): This is the 2012 RDP Bug, where it was implied -- but never proven in public -- that a pre-auth bug in RDP can allow for remote code execution. This is likely the most popular module we have due to both recency bias and because there was an unusual level of spontaneous organization of the Metasploit developer community to search for the correct path to remote code execution. So far, nobody's gotten RCE yet (in public), but the Metasploit module provides the most clues. More on this topic in an article on ZD Net. Down two places from #3 since last month.
6. Microsoft RPC DCOM Interface Overflow (CVE-2003-0352, MSB-MS03-026): A nine year old vulnerability that used to be the de-facto standard exploit for Windows machines - this is the RPC DCom bug, and it affects ancient NT machines. It was most notable in that it was used by the Blaster and Nachi worms to transit networks. It's now pretty much a case study in stack buffer overflows in Windows, so it's got a lot of historical value. If memory serves, this was the most reliable exploit in Metasploit v2. More info on that at Windows IT Pro. Down two places from #4 since last month.
7. Microsoft Server Service NetpwPathCanonicalize Overflow (CVE-2006-3439, MSB-MS06-040): A six year old vulnerability that's notable in that there's no official patch from Microsoft for this on Windows NT 4.0. This was discovered after NT went end-of-life, so if you need remote root on an NT machine (and there are still plenty out there), this is going to be your first choice. More on this topic in at Microsoft's Security TechCenter. Down two places from #5 since last month.
8. Microsoft Windows Authenticated User Code Execution (CVE-1999-0504): The PSExec module is a utility module -- given an SMB username and password with sufficient privileges on the target machine, the user can get a shell. It's not sexy, but it's super handy for testing payloads and setup. Even though it's a lowly #10, I'd bet it's the most-used module in classroom and test environments. More on this topic in at the National Vulnerability Database. Down two places from #6 since last month.
9. Apache mod_isapi <= 2.2.14 Dangling Pointer: Another returning module from April, although why this one's back is a bit more of a mystery. Although this is an exploit in Apache, don't be fooled! It's only exploitable on Windows (so that knocks out the biggest chunk of Apache installs at the time of this module's release), and it's only a DoS. Again, kind of a mystery as to why it's so popular. Returning entry from the April Top 10 Exploits.
10. Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop: The third April comeback module, and still not sure why this module is popular -- it's a client side DoS. Historically, it's a neat DoS, since it demos a bug in Windows 7's kernel, but all the module does is crash Windows 7 clients after you get a user to connect to you. Returning Entry from the April Top 10 Exploits.
If you want to use any of these exploits right now, you can download Metasploit for free!