This week, Metasploit exploit devs Wei "sinn3r" Chen and Juan Vazquez finished up Metasploit RopDB. This advancement allows for drop-in ROP chains in new exploits, without all that mucking around with copying and pasting mysterious binary blobs from one exploit to the next. For the details on how to use it and what to expect in the API, see sinn3r's most excellent blog post. What all this does is bottle up ROP wisdom in a central repository, so chains can be added and modified easily without having to touch the dozens of modules that might rely on them, and generally makes exploit development -- especially browser exploit development -- that much quicker and more painless. Thanks guys!
Refreshed Sample Modules
Speaking of copy-pasting code: when people ask about writing Metasploit modules, the advice most often given is to look around the modules tree for one that does roughly what you want. Then, ta-da, copy and paste it into your new module, and go from there. Sadly, though, that advice means that new modules will sometimes carry code that's been cargo-culted in for no apparent reason.
This week, Metasploit core developer James "Egypt" Lee refreshed our aging sample modules hidden deep (well, two levels) within the documentation subdirectory -- if you want to know the bare minimum (and bare correctness) for sample module format, that is a fine place to look. Incidentally, the gentleman hackers over at Corelan Team provide mona.py, a Python script that can help you pump out new Metasploit modules as well. Mona.py is quite versatile and goes further than our own samples do, in that it can also generate some specialized file-format style exploit modules.
Local Privilege Escalation Exploit Modules
This week also sees some new additions to the local privilege escalation landscape, using the new local exploit techniques. Rob "mubix" Fuller converted the venerable Windows Escalate UAC Protection Bypass (by David "ReL1k" Kennedy, mubix, and mitnick) from the older post module into a local exploit, and added a new Windows Escalate UAC Execute RunAs exploit of his own. In addition, Matteo Memelli and Spencer McIntyre committed MS11-080 AfdJoinLeaf Privilege Escalation, which elevates the user to a SYSTEM context.
Local exploits have been available for a little while now in Metasploit Framework, and their use is catching on. The distinction from a post exploitation module is subtle, but important. If you want to perform some task via an exploit session, then you probably want a Post module. For example, the recent GPG key enumeration module from community contributor Dhiru Kholia leaps to mind. You're doing useful things, but you're not running any shellcode on the target.
On the other hand, if you want to run a configurable payload, then you definitely want a local exploit like the ones mentioned above. I expect most of the "escalate" post modules are better suited as local exploit modules, now that the capability has been cooking for a while. So, if you have a favorite in there, now is a fine time to convert it.
Coming Soon: Mobile Vulnerabilities
As you no doubt heard, the guys over at Mobilisafe joined the Rapid7 family (syndicate? No, let's go with "family") this week. This means we all get smarter about exploring and exploiting mobile vulnerabilities. We already have payloads for ARM platforms, and Mobilisafe maintains a pretty sweet list of vulnerable devices, so it should be just a matter of connecting the dots to get some Metasploit module love all up in your Android or iOS gadget, right?
Well, it's a teensy bit more complicated than that, of course. We're building out a mobile device lab here in the labyrinthine Metasploit Software and Pizza Delivery Headquarters, where we can tackle some of the persistence problems that we tend to run into when exploiting mobile vulnerabilities. In the meantime, if you have ideas for some nice mobile Metasploit exploits, get thee to our Pull Request queue; we'd love to see what you're up to.
Here's the list of new modules this week. For info on usage, just follow the links to Metasploit's Exploit Database.
- PhpTax pfilez Parameter Exec Remote Code Injection by sinn3r and Jean Pascal Pereira
- QNX QCONN Remote Command Execution Vulnerability by Brendan Coles, David Odell, and Mor!p3r
- Avaya IP Office Customer Call Reporter ImageUpload.ashx Remote Command Execution by juan vazquez and rgod exploits ZDI-12-106
- Windows Escalate UAC Execute RunAs by mubix
- Windows Escalate UAC Protection Bypass by David Kennedy "ReL1K", mitnick, and mubix
- MS11-080 AfdJoinLeaf Privilege Escalation by Matteo Memelli and Spencer McIntyre exploits MS11-080
- Avaya WinPMD UniteHostRouter Buffer Overflow by juan vazquez, Abdul-Aziz Hariri, and Abysssec exploits OSVDB-73269
- InduSoft Web Studio Arbitrary Upload Remote Code Execution by juan vazquez and Luigi Auriemma exploits ZDI-11-330
Auxiliary and post modules
- Authentication Capture: PostgreSQL by Dhiru Kholia
- Multi Gather GnuPG Credentials Collection by Dhiru Kholia
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For additional details on what's changed and what's current, please see the most excellent release notes.