WinRM Exploit Library
For the last couple of weeks, Metasploit core contributor David @TheLightCosine Maloney has been diving into Microsoft's WinRM services with @mubix and @_sinn3r. Until these guys started talking about it, I'd never heard of WinRM. If you're also not in the Windows support world day-to-day, you can read up on it at Microsoft or Wikipedia to get the gist of things. The short story is, WinRM's purpose is to provide a "firewall-friendly" way for machines to interoperate. I don't know about you, but when Microsoft uses a term like "firewall-friendly," I read, "remote pwnage over the Internet."
As a result of this research, we have a delightful new core exploit library to start exercising WinRM functionality in native Ruby, and we're shipping some groundwork-laying modules for discovering WinRM services and bruteforcing authentication over the same this week.
But wait, there's more! I and a few others here in Austin last week got to see a demo of the more advanced techniques TheLightCosine is using to muscle his way into a Meterpreter session over WinRM vectors. Those modules are getting the finishing touches now for general availability, so the next Metasploit Update should see Part Two of this research project. As a result, penetration testers will be able to start leveraging unprotected WinRM-based support infrastructure for command-execution hijinks. Fun times!
Yo Dawg, I Heard you Liked Metasploit Exploits
Also, this week we have a new local privilege escalation vulnerability for Metasploit 4.3.0 and prior. We don't remember if it was todb or egypt who first introduced this bug, but community contributor 0a2940 was more than happy to exploit it.
It's a pretty fun exploit, but to be honest, the chances you'll encounter this bug in the real world are pretty slim. The victim needs to be actively using the pcap_log plugin at the time of attack, and you need to be on an un-NAT'ed network segment common to the victim in order to have a decent shot at success.
That said, this module is a good object lesson in why you shouldn't have a root user pass tainted data to a predictable location in /tmp. 0a2940's exploit demos this exceedingly well, and incidentally also shows that you can barf all kinds of nulls and other unprintables into the middle of /etc/passwd and not affect its availability one bit. Hooray for resilient text file formats!
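To make the "predictable location in /tmp" lesson concrete, here is a small Ruby illustration written for this post; it is not 0a2940's module and not code from the pcap_log plugin or Metasploit. The file names (`pcap_log.dump`, `victim.txt`, `known.pcap`) and the scratch directory are constructed for the demo. It contrasts a writer that opens a fixed, guessable name with `"w"` (which truncates and follows whatever symlink another local user planted there) against a writer that uses a random name and `O_CREAT|O_EXCL` (plus `O_NOFOLLOW` where available) with `0600` permissions, so a pre-planted path makes the open fail instead of redirecting the write.

```ruby
require 'securerandom'
require 'tmpdir'

# Insecure pattern: fixed name under a shared, world-writable directory.
# "w" truncates the target and follows symlinks, so if another local user
# has already placed a link at this path, the (root) writer's data lands
# on whatever file the link points to.
def write_predictable(dir, data)
  path = File.join(dir, "pcap_log.dump")  # constructed name, illustration only
  File.open(path, "w") { |f| f.write(data) }
  path
end

# Hardened pattern: unpredictable name, O_EXCL so creation fails if anything
# (regular file or symlink, dangling or not) already exists at the path,
# O_NOFOLLOW as a second guard, and 0600 so other users cannot read it.
# The optional `name` parameter exists only so the demo below can show the
# guard firing; real callers should leave it nil.
def write_exclusive(dir, data, name = nil)
  name ||= "capture-#{SecureRandom.hex(16)}.pcap"
  path = File.join(dir, name)
  flags = File::WRONLY | File::CREAT | File::EXCL
  flags |= File::NOFOLLOW if File.const_defined?(:NOFOLLOW)
  File.open(path, flags, 0600) { |f| f.write(data) }
  path
end

# Run both writers in a scratch directory after planting a symlink at the
# name each one is about to use. `victim.txt` stands in for a file like
# /etc/passwd that only root should be able to modify.
def demo
  Dir.mktmpdir do |dir|
    victim = File.join(dir, "victim.txt")
    File.write(victim, "original\n")

    # Predictable writer: the planted link silently redirects the write.
    File.symlink(victim, File.join(dir, "pcap_log.dump"))
    write_predictable(dir, "attacker-chosen content\n")
    predictable_clobbered = File.read(victim) != "original\n"

    # Exclusive writer: same trick, but the open refuses to proceed.
    File.write(victim, "original\n")
    File.symlink(victim, File.join(dir, "known.pcap"))
    exclusive_error = begin
      write_exclusive(dir, "attacker-chosen content\n", "known.pcap")
      nil
    rescue Errno::EEXIST, Errno::ELOOP => e
      e.class
    end
    exclusive_clobbered = File.read(victim) != "original\n"

    { predictable_clobbered: predictable_clobbered,
      exclusive_error: exclusive_error,
      exclusive_clobbered: exclusive_clobbered }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Running `demo` shows `predictable_clobbered: true` and `exclusive_clobbered: false`, with the second attempt raising `Errno::EEXIST` (or `Errno::ELOOP`, depending on which check the kernel applies first). The takeaway is the one the post makes: a privileged process writing attacker-influenced data must never use a path a local user can predict and pre-create; a random name plus an exclusive create turns the race into a clean failure.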
In addition to those mentioned above, here's the breakdown of new modules in this week's update. Follow the links to Metasploit's Exploit Database for more info on exposure and usage.
- ClanSphere 2011.3 Local File Inclusion Vulnerability by sinn3r and blkhtc0rp exploits OSVDB-86720
- ManageEngine DeviceExpert 5.6 ScheduleResultViewer FileName Traversal by sinn3r and rgod exploits OSVDB-80262
- ManageEngine SecurityManager Plus 5.5 Directory Traversal by sinn3r and blkhtc0rp exploits OSVDB-86563
- WinRM Authentication Method Detection by thelightcosine
- WinRM Login Utility by thelightcosine exploits CVE-1999-0502
- ManageEngine Security Manager Plus 5.5 build 5505 SQL Injection by sinn3r, egyp7, and xistence exploits BID-56138
- HP Operations Agent Opcode coda.exe 0x34 Buffer Overflow by juan vazquez and Luigi Auriemma exploits ZDI-12-114
- HP Operations Agent Opcode coda.exe 0x8c Buffer Overflow by juan vazquez and Luigi Auriemma exploits ZDI-12-115
- Metasploit pcap_log Local Privilege Escalation by 0a29406d9794e4f9b30b3c5d6702c708 exploits BID-54472
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For additional details on what's changed and what's current, please see the most excellent release notes.