WinRM, Part Two
In the last Metasploit update blog post, we talked about the work from Metasploit core contributors @TheLightCosine, @mubix and @_sinn3r on leveraging WinRM / WinRS. As of this update, Metasploit users can now execute WQL queries, execute commands, and inject and run shellcode.
Gee, WinRM, is there anything you can't do?
Of course, it's not quite the death knell for psexec, but the fact that 445/TCP is such a commonly blocked port between zones, while 5985/TCP might not be, makes WinRM a pretty promising vector for pentesters. For more detail on this, find a quiet place and read up on all the details on TheLightCosine's recent blog post, Abusing Windows Remote Management (WinRM) with Metasploit.
Digi ADDP and RealPort
This week's update features two new protocol libraries, ADDP and RealPort. The Advanced Device Discovery Protocol, aka ADDP, was implemented by core Metasploit contributor and known troublemaker HD Moore. You can read up on ADDP over at Digi International, who is responsible for promulgating this protocol. The TL;DR version is that ADDP is kind of like uPNP and Bonjour -- it's another multicast, UDP-based device discovery (and manipulation) protocol.
RealPort, also from Digi International, and also implemented by HD, is a TCP-based protocol used to "easily network-enable serial devices" -- you can read the source of that quote at Digi as well (PDF link). Hey, it's not only a proprietary protocol, but it's got some patent encumbrances as well, so it must be extra awesome.
Of course, we've also included a couple basic new modules to exercise the functionality (see the list at the end of this post). While ADDP is limited to the local broadcast domain (due to its reliance on multicast addressing), RealPort, being TCP, has no such limitation. Also keep in mind that devices with serial ports talking on open networks is pretty much the working definition of SCADA these days. So, for you pen testers that have clients with lots of serial-port-to-TCP devices, you will want to add 771/TCP to your default port scans. I'm looking at you, utility and transportation sectors.
Travis-CI and RSpec
Slowly but surely, the Metasploit Framework is coming under the sway of modern software engineering practices. For those of you who track our GitHub repository, you may have noticed that we're now shipping a few more RSpec tests in order to ensure that new changes don't trigger old regressions. We're also running a Travis-CI instance to check that new pull requests don't suddenly invalidate the existing tests. Actual, repeatable code testing and continuous integration practices are crucial aspects of any modern software engineering endevor, and of course Metasploit, as a major open source software project, ought to be no exception.
Does this herald the coming of over-complicated, politically-charged, soul-crushing change control on new code for Metasploit? Of course not! Not only would that be no fun at all, and would drive me to drink (more), it would also instantly alienate our most valuable contributors (spoiler alert: it's you).
We are merely trying to shift off the boring, automatable bits of software development to robots, so we can get to the fun, messy bits of hacking and experimentation. Often, new research means new functionality and refinement to existing core libraries of Metasploit, and those changes tend to have far-reaching impact. CI and BDD both offer some peace of mind that those changes are ultimately positive.
Want to help? This drive for testing coverage means that you guys have more opportunity to help out the project, even if you're not discovering 0-day or pawing over the whole Internet in seven hour increments. Take any hunk of Metasploit functionality, large or small, and write up some tests that exercise the code paths. I guarantee that you will either a) discover bugs that ought to be fixed, or b) produce a nice all-green report that everything's copacetic. Either way, everyone wins. Take a look at some existing tests to get started, and go to town.
Here's this week's set of new Metasploit modules, for your perusal on Metasploit's Exploit Database. We didn't have an update last week, so it's kind of a lot.
- Aladdin Knowledge System Ltd ChooseFilePath Buffer Overflow by sinn3r, juan vazquez, b33f, and shinnai exploits OSVDB-86723
- EMC Networker Format String by juan vazquez, Aaron Portnoy, and Luigi Auriemma exploits CVE-2012-2288
- HP Intelligent Management Center UAM Buffer Overflow by sinn3r, juan vazquez, and e6af8de8b1d4b2b6d5ba2610cbf9cd38 exploits ZDI-12-171
- WinRM VBS Remote Code Execution by thelightcosine
- Multi Gather pgpass Credentials by Zach Grace
- Bitweaver overlay_type Directory Traversal by sinn3r, David Aaron, and Jonathan Claudius exploits CVE-2012-5192
- Concrete5 Member List Enumeration by Chris John Riley
- NTP Clock Variables Disclosure by Ewerson (Crash) Guimaraes
- Digi ADDP Remote Reboot Initiator by hdm
- Digi ADDP Information Discovery by hdm
- Digi RealPort Serial Server Port Scanner by hdm
- Digi RealPort Serial Server Version by hdm
- Windows Manage Process Migration by thelightcosine
- WinRM Command Runner by thelightcosine
- WinRM WQL Query Runner by thelightcosine
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For additional details on what's changed and what's current, please see the most excellent release notes.