Fresh Web Libs
As we head into the holiday season here in the U.S., Metasploit core developers Tasos @Zap0tek Laskos and James @Egyp7 Lee finished up a refresh of the Metasploit fork of the Anemone libraries, which is what we use for basic web spidering. You can read up on it here. The Metasploit fork isn't too far off of Chris Kite's mainline distribution, but does account for Metasploit's Rex sockets, adds in a few more defaults for directory busting, and decorates up some of the classes to make them easier to get at from Metasploit modules.
This update also sees a slew of brand new web scanning libraries which Zapotek has been banging on for a while now. You may already be familiar with Tasos of Arachni fame -- another Ruby project that's specifically geared toward webapp security scanning and exploitation. These new libraries in Metasploit should make exploit development for web apps considerably easier, so expect to see more documentation and examples using these libraries in the coming weeks.
Attack of the SAP Modules
Meanwhile, we've been pawing over a sizable pile of auxiliary modules geared toward the discovery, use, and abuse of SAP NetWeaver services, all submitted initially by community contributor @nmonkee. SAP apparently has a footprint of 100,000 companies worldwide, so it shouldn't be too uncommon to run into an SAP installation on a client site. You can read about these new modules in some depth in a blog post over at MWR Labs.
If, like @nmonkee, you are sitting on a dozen or so modules focusing on a particular technology, we are of course happy to help you get those all cleaned up and committed to the mainline Metasploit distribution. If you'd like some assistance with reasonable disclosure of vulnerabilities, we're similarly here and ready to serve.
It's not just SAP and webscanning this week -- we've got a new ZDI exploit for Oracle and an exploit for Invision IP.Board, and another SCADA module (this one enumerates Modbus unit IDs and station IDs, so that's fun). For more, check out Metasploit's Exploit Database.
- Invision IP.Board unserialize() PHP Code Execution by sinn3r, juan vazquez, and EgiX exploits CVE-2012-5692
- Oracle Database Client System Analyzer Arbitrary File Upload by juan vazquez and 1c239c43f521145fa8385d64a9c32243 exploits ZDI-11-018
- SAP /sap/bc/soap/rfc SOAP Service BAPI_USER_CREATE1 Function User Creation by Agnivesh Sathasivam and nmonkee
- SAP /sap/bc/soap/rfc SOAP Service RFC_PING Login Brute Forcer by Agnivesh Sathasivam and nmonkee
- SAP /sap/bc/soap/rfc SOAP Service RFC_PING Function Service Discovery by Agnivesh Sathasivam and nmonkee
- SAP /sap/bc/soap/rfc SOAP Service RFC_READ_TABLE Function Dump Data by Agnivesh Sathasivam and nmonkee
- SAP /sap/bc/soap/rfc SOAP Service SUSR_RFC_USER_INTERFACE Function User Creation by Agnivesh Sathasivam and nmonkee
- SAP /sap/bc/soap/rfc SOAP Service RFC_SYSTEM_INFO Function Sensitive Information Gathering by Agnivesh Sathasivam and nmonkee
- SAP /sap/bc/soap/rfc SOAP Service TH_SAPREL Function Information Disclosure by Agnivesh Sathasivam and nmonkee
- SAP Web GUI Login Brute Forcer by nmonkee
- Modbus Unit ID and Station ID Enumerator by EsMnemon
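All of the SAP SOAP modules above talk to the same thing: NetWeaver's SOAP RFC gateway at /sap/bc/soap/rfc, which wraps ABAP function modules (RFC_PING, RFC_SYSTEM_INFO, RFC_READ_TABLE and friends) in SOAP over HTTP Basic auth. The snippet below is an added example written for this post, not the Metasploit modules' own code, showing the request those modules build and the three answers the discovery and brute-force modules have to tell apart. The envelope layout (the urn:sap-com:document:sap:rfc:functions namespace, the sap-client query parameter, the FUNCTION.Response reply element) follows the usual SAP SOAP RFC convention and is an assumption here; the sample responses are constructed, not captured from a real system.

```ruby
# Added example: minimal client for SAP NetWeaver's SOAP RFC gateway.
# Not the Metasploit modules' code; message layout is an assumption based on
# the common SAP SOAP RFC convention. Verify against your own target.
require 'base64'
require 'net/http'

module SapSoapRfc
  NS = 'urn:sap-com:document:sap:rfc:functions'

  def self.xml_escape(s)
    s.to_s.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;')
  end

  # Wrap an RFC function call in a SOAP 1.1 envelope. +params+ maps IMPORT
  # parameter names to values (RFC_PING takes none).
  def self.envelope(function, params = {})
    body = params.map { |k, v| "<#{k}>#{xml_escape(v)}</#{k}>" }.join
    <<~XML
      <?xml version="1.0" encoding="utf-8"?>
      <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
        <env:Body>
          <n1:#{function} xmlns:n1="#{NS}" env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">#{body}</n1:#{function}>
        </env:Body>
      </env:Envelope>
    XML
  end

  # HTTP pieces for one call. +client+ is the three-digit SAP client (mandant).
  def self.request(function, client:, user:, password:, params: {})
    {
      path:    "/sap/bc/soap/rfc?sap-client=#{client}&sap-language=EN",
      headers: {
        'Content-Type'  => 'text/xml; charset=UTF-8',
        'SOAPAction'    => function,
        'Authorization' => 'Basic ' + Base64.strict_encode64("#{user}:#{password}"),
      },
      body: envelope(function, params),
    }
  end

  # Send it (not exercised by the offline sample below).
  def self.call(host, port, req, ssl: false)
    http = Net::HTTP.new(host, port)
    http.use_ssl = ssl
    res = http.post(req[:path], req[:body], req[:headers])
    [res.code.to_i, res.body]
  end

  # Interpret the answer the way a discovery / brute-force module would:
  #   :ok             200 with <FUNCTION.Response>: service present, creds valid
  #   :auth_required  401: service present, creds rejected (brute-force signal)
  #   [:fault, msg]   SOAP Fault; msg often names the missing RFC authorization
  #   :not_rfc        anything else (wrong path, not an ABAP stack, ...)
  def self.classify(function, status, body)
    return :auth_required if status == 401
    body = body.to_s
    return :ok if status == 200 && body =~ /<[^>]*\b#{Regexp.escape(function)}\.?Response\b/
    if (m = body.match(%r{<(?:\w+:)?faultstring[^>]*>(.*?)</(?:\w+:)?faultstring>}m))
      return [:fault, m[1].strip]
    end
    :not_rfc
  end
end

# Constructed sample responses (not from a real system).
SAMPLE_OK = <<~XML
  <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Body>
      <rfc:RFC_PING.Response xmlns:rfc="urn:sap-com:document:sap:rfc:functions"/>
    </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>
XML

SAMPLE_FAULT = <<~XML
  <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Body>
      <SOAP-ENV:Fault>
        <faultcode>SOAP-ENV:Client</faultcode>
        <faultstring>No RFC authorization for function module RFC_READ_TABLE.</faultstring>
      </SOAP-ENV:Fault>
    </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>
XML

if __FILE__ == $0
  req = SapSoapRfc.request('RFC_PING', client: '001', user: 'user', password: 'pass')
  puts req[:body]
  p SapSoapRfc.classify('RFC_PING', 200, SAMPLE_OK)          # :ok
  p SapSoapRfc.classify('RFC_PING', 401, '')                 # :auth_required
  p SapSoapRfc.classify('RFC_READ_TABLE', 500, SAMPLE_FAULT) # [:fault, "No RFC authorization ..."]
end
```

The point of keeping `classify` separate from the transport is the same one the brute forcer relies on: a 401 tells you the gateway exists and the client number is accepted before you have any valid credentials, and a SOAP fault after a 200-level login tells you the account is real but lacks an RFC authorization for that particular function module, which is exactly the distinction between "RFC_PING works" and "RFC_READ_TABLE dumps USR02".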
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For additional details on what's changed and what's current, please see the most excellent release notes.