Today marks the first Metasploit update of the new year, and it's been a little while since the last, so there's a bumper crop of new modules; eighteen to be precise.
Internet Explorer 0-day and Browser Autopwn
While we didn't ship an update over the holidays, that didn't stop @_sinn3r, @_juan_vazquez_, @eromang, @yomuds, and @binjo from tearing into the latest public 0-day for Microsoft Internet Explorer 8. For the details on exploit development, take a look at sinn3r's fantastico write-up. As with all complex and interesting exploits, there's always some touch-up after the initial release, and ie_cbutton_uaf is no exception. It's now a component of Metasploit's Browser Autopwn meta-module.
If you aren't familiar, Browser Autopwn is a throw-everything-at-it approach to client exploitation, and it's been a part of Metasploit for several years now. Here's a video of one of the earlier incarnations by the guys over at pauldotcom, and the usual use hasn't changed a whole lot since then (however, many more exploits are now included). As you can see, all you need to do is fire it up, let all the exploits set themselves up, then await your target. If he's running IE8, you can be sure that ie_cbutton_uaf will pop a shell for you, since as of this writing, there's still no hotfix available.
Every once in a while, you might find yourself in an argument with a network engineer about the security implications of ping. Yes, good old, reliable, required by RFC792 ICMP Type 8 ping. What harm could there be in allowing computers to ping arbitrary hosts on the Internet?
Well, this update includes community contributor @ChrisJohnRiley's delightful ICMP Exfiltration Service module. What this does is set up a listener to catch data tunneled out of a target site over good old, reliable, required by RFC792 ICMP Type 8 ping. The data being exfiltrated out is then saved off as loot, for use in your report demonstrating the security implications of allowing ping from the desktop.
If you're dealing with a client that doesn't care about exfiltration, then first, you should get them to read Iftach Ian Amit's paper from January of 2012, and then remind them that if they spent any time at all on splitting their DNS infrastructure, implementing egress firewall rules, or implementing a BYOD policy, then they are implicitly buying into exfiltration awareness anyway.
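For the defender's side of that argument, here is an added example (editor's code, not Chris John Riley's module or anything shipped with Metasploit) in Ruby, since that is what Metasploit itself is written in: a small detector that parses ICMP Echo Request packets and flags payloads that do not look like a stock ping. It assumes raw IPv4 packets as byte strings, treats the well-known Windows ping.exe and Linux iputils payload patterns as "normal", and uses assumed thresholds (payload over 64 bytes, entropy above 6 bits/byte) for the heuristics; the sample packets are constructed inline, not captured traffic.

```ruby
# Added example (editor's code, not Metasploit's): flag ICMP Echo Requests whose
# payloads do not look like an ordinary ping. Input: raw IPv4 packets as byte
# strings. Sample packets below are constructed here, not captured anywhere.
ICMP_ECHO_REQUEST = 8

# Stock payloads: Windows ping.exe sends 32 bytes "abcdefghijklmnopqrstuvwabcdefghi";
# Linux iputils ping sends a timestamp followed by bytes whose value equals
# their offset (0x10, 0x11, ... from offset 16 onward).
WINDOWS_PING_PAYLOAD = "abcdefghijklmnopqrstuvwabcdefghi".b
LINUX_PING_PAYLOAD   = ("\0" * 16).b + (16...56).to_a.pack("C*")

# RFC 1071 one's-complement checksum, used only to build the sample packets.
def icmp_checksum(data)
  data += "\0".b if data.bytesize.odd?
  sum = data.unpack("n*").sum
  sum = (sum & 0xffff) + (sum >> 16) while sum > 0xffff
  (~sum) & 0xffff
end

# Build a minimal IPv4 + ICMP Echo Request packet (IP header checksum left
# zero; the parser below does not verify it).
def build_echo_request(src, dst, id, seq, payload)
  icmp = [ICMP_ECHO_REQUEST, 0, 0, id, seq].pack("CCnnn") + payload.b
  icmp[2, 2] = [icmp_checksum(icmp)].pack("n")
  ip = [0x45, 0, 20 + icmp.bytesize, 0, 0, 64, 1, 0].pack("CCnnnCCn") +
       src.split(".").map(&:to_i).pack("C4") +
       dst.split(".").map(&:to_i).pack("C4")
  ip + icmp
end

# Parse an IPv4 packet; return a hash for Echo Requests, nil for anything else.
def parse_icmp_echo(packet)
  return nil if packet.bytesize < 20
  ihl = (packet.getbyte(0) & 0x0f) * 4
  return nil unless packet.getbyte(9) == 1          # IP protocol 1 = ICMP
  icmp = packet.byteslice(ihl..-1)
  return nil if icmp.nil? || icmp.bytesize < 8
  type, _code, _csum, id, seq = icmp.unpack("CCnnn")
  return nil unless type == ICMP_ECHO_REQUEST
  {
    src: packet.byteslice(12, 4).unpack("C4").join("."),
    dst: packet.byteslice(16, 4).unpack("C4").join("."),
    id: id, seq: seq, payload: icmp.byteslice(8..-1)
  }
end

# Shannon entropy of a byte string, in bits per byte (0.0 .. 8.0).
def entropy(bytes)
  return 0.0 if bytes.empty?
  counts = Hash.new(0)
  bytes.each_byte { |b| counts[b] += 1 }
  n = bytes.bytesize.to_f
  total = counts.values.sum { |c| p = c / n; p * Math.log2(p) }
  -total
end

# True when bytes from offset 16 onward equal their offset (iputils pattern).
def linux_pattern?(payload)
  return false if payload.bytesize < 24
  (16...payload.bytesize).all? { |i| payload.getbyte(i) == (i & 0xff) }
end

# Heuristics: list the reasons an echo request looks unusual; an empty list
# means it looks like a stock ping. Thresholds are assumptions, tune per site.
def suspicious_reasons(echo)
  payload = echo[:payload]
  reasons = []
  reasons << "oversized payload (#{payload.bytesize} bytes)" if payload.bytesize > 64
  stock = payload.empty? || payload == WINDOWS_PING_PAYLOAD || linux_pattern?(payload)
  reasons << "payload does not match a stock ping pattern" unless stock
  reasons << "high-entropy payload" if payload.bytesize >= 32 && entropy(payload) > 6.0
  reasons
end

# Run the checks over raw packets; one alert hash per unusual echo request.
def scan_packets(packets)
  alerts = []
  packets.each do |pkt|
    echo = parse_icmp_echo(pkt)
    next unless echo
    reasons = suspicious_reasons(echo)
    next if reasons.empty?
    alerts << { src: echo[:src], dst: echo[:dst], id: echo[:id], seq: echo[:seq], reasons: reasons }
  end
  alerts
end

# Constructed sample traffic: two stock pings, then two echo requests carrying
# data (a short text record, and a 1 KiB block with every byte value equally frequent).
SAMPLE_PACKETS = [
  build_echo_request("10.0.0.5", "192.0.2.1", 0x1234, 1, WINDOWS_PING_PAYLOAD),
  build_echo_request("10.0.0.6", "192.0.2.1", 0x0042, 1, LINUX_PING_PAYLOAD),
  build_echo_request("10.0.0.7", "192.0.2.9", 0xbeef, 7, "user=alice;pass=hunter2\n"),
  build_echo_request("10.0.0.7", "192.0.2.9", 0xbeef, 8,
                     (0...1024).map { |i| (i * 73 + 41) & 0xff }.pack("C*")),
]

if __FILE__ == $PROGRAM_NAME
  scan_packets(SAMPLE_PACKETS).each do |a|
    puts "#{a[:src]} -> #{a[:dst]} id=#{a[:id]} seq=#{a[:seq]}: #{a[:reasons].join('; ')}"
  end
end
```

Run as a script it prints two alerts, both from 10.0.0.7. The point of the pattern check is that exfiltrated text is often low-entropy, so an entropy threshold alone misses it; comparing against the payloads real ping clients actually send is the cheaper and more reliable signal, and a payload-size cap catches bulk transfers regardless of content.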
Windows Post Modules
Also this week, we see three new post modules from community contributor @zeknox. I'm a fan of post modules; they're usually pretty easy to write and test, and often end up automating away an otherwise troublesome pen-testing chore. Of the bunch, my favorite is the Windows NetLM Downgrade Attack; this is a sneaky way to snag cleartext passwords from a user by forcing a machine to use the weak LM hashing algorithm when authenticating to SMB servers. This comes in handy, of course, when you control the SMB server in question. For more on this technique, see Brandon's write-up over on Pentestgeek.com, or the original scenario described by Dave Howard.
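The setting that decides whether a Windows host will send LM responses at all lives under the LSA key in the registry, so the defender's counterpart to a downgrade is an audit of that value. The following is an added example (editor's code, not the NetLM Downgrade post module or any Metasploit code) in Ruby: it parses the relevant values out of a registry export in .reg text form and reports whether the host sends LM responses and whether the level sits below an expected baseline. The .reg samples are constructed here, the baseline of 3 is an assumption, and a real export would be UTF-16 and need decoding first.

```ruby
# Added example (editor's code, not Metasploit's): audit the LSA registry values
# that control LM/NTLM authentication from a .reg export. Sample exports below
# are constructed; a real export is UTF-16 and must be decoded before parsing.
LSA_KEY = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'

# Documented meanings of LmCompatibilityLevel; only 0 and 1 send LM responses.
LM_LEVEL_MEANING = {
  0 => "send LM & NTLM responses",
  1 => "send LM & NTLM, use NTLMv2 session security if negotiated",
  2 => "send NTLM response only",
  3 => "send NTLMv2 response only",
  4 => "send NTLMv2 response only, refuse LM",
  5 => "send NTLMv2 response only, refuse LM & NTLM",
}.freeze

# Parse the subset of .reg syntax needed here: [key] headers and
# "name"=dword:xxxxxxxx values. Returns { key => { name => integer } }.
def parse_reg_export(text)
  values = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    if line.start_with?("[") && line.end_with?("]")
      current = line[1..-2]
      values[current] ||= {}
    elsif current && (m = line.match(/\A"([^"]+)"=dword:([0-9a-fA-F]{8})\z/))
      values[current][m[1]] = m[2].to_i(16)
    end
  end
  values
end

# Assess the LSA values against an expected baseline level (3 is an assumption).
def assess_lm_settings(reg_text, expected_level: 3)
  lsa = parse_reg_export(reg_text).fetch(LSA_KEY, {})
  level = lsa["LmCompatibilityLevel"]      # nil: value absent, OS default applies
  findings = []
  if level.nil?
    findings << "LmCompatibilityLevel not set explicitly (OS default applies)"
  else
    findings << "LmCompatibilityLevel=#{level}: #{LM_LEVEL_MEANING.fetch(level, 'unknown')}"
    findings << "host sends LM responses when authenticating to SMB servers" if level <= 1
    findings << "below expected baseline #{expected_level}: possible downgrade" if level < expected_level
  end
  findings << "NoLMHash=0: LM hashes are stored locally" if lsa["NoLMHash"] == 0
  { level: level, sends_lm: !level.nil? && level <= 1, findings: findings }
end

# Constructed sample exports: one host after a downgrade, one hardened host.
REG_DOWNGRADED = <<~'REG'
  Windows Registry Editor Version 5.00

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
  "LmCompatibilityLevel"=dword:00000000
  "NoLMHash"=dword:00000000
REG

REG_HARDENED = <<~'REG'
  Windows Registry Editor Version 5.00

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
  "LmCompatibilityLevel"=dword:00000005
  "NoLMHash"=dword:00000001
REG

if __FILE__ == $PROGRAM_NAME
  { "downgraded" => REG_DOWNGRADED, "hardened" => REG_HARDENED }.each do |name, reg|
    puts "#{name}: #{assess_lm_settings(reg)[:findings].join('; ')}"
  end
end
```

Because the downgrade only has to hold for as long as it takes to trigger one SMB authentication, a one-off audit can miss it; the same check run against periodic exports (or a registry-change alert on the LSA key) is what turns this into a detection rather than a snapshot.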
For those of you on Metasploit Pro and Express, you should also see significant improvements in your report generation. All Standard Reports there have been updated to use disk virtualization. Instead of holding the report generation objects in memory, they are now written to disk as needed. The main goal of this change was to allow the generation of reports against datasets of any arbitrary size. Very large numbers of hosts or other objects that previously caused report generation to crash are now handled with the greatest of ease. Additional gravy: report generation now uses about 25% less memory and takes 13% less time on average!
Last update had just the one new module. We make up for that this week, with eighteen. Here they are.
- Netwin SurgeFTP Remote Command Execution by sinn3r and Spencer McIntyre
- Foswiki MAKETEXT Remote Command Execution by juan vazquez and Brian Carlson exploits CVE-2012-6329
- TWiki MAKETEXT Remote Command Execution by juan vazquez and George Clark exploits CVE-2012-6329
- WordPress Asset-Manager PHP File Upload Vulnerability by James Fitts and Sammy FORGIT exploits OSVDB-82653
- WordPress WP-Property PHP File Upload Vulnerability by James Fitts and Sammy FORGIT exploits OSVDB-82656
- Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability by sinn3r, juan vazquez, eromang, and mahmud ab rahman exploits CVE-2012-4792
- InduSoft Web Studio ISSymbol.ocx InternationalSeparator() Heap Overflow by juan vazquez, Alexander Gavrun, Dmitriy Pletnev, and James Fitts exploits ZDI-12-168
- IBM Lotus iNotes dwa85W ActiveX Buffer Overflow by juan vazquez and Gaurav Baruah exploits ZDI-12-132
- IBM Lotus Notes Client URL Handler Command Injection by juan vazquez, Moritz Jodeit, and Sean de Regge exploits ZDI-12-154
- IBM Lotus QuickR qp2 ActiveX Buffer Overflow by juan vazquez and Gaurav Baruah exploits ZDI-12-134
- RealPlayer RealMedia File Handling Buffer Overflow by suto exploits CVE-2012-5691
- Microsoft SQL Server Database Link Crawling Command Execution by Antti Rantasaari and Scott Sutherland "nullbind"
Auxiliary and Post modules
- SVN wc.db Scanner by Stephen Haywood
- SAPRouter Admin Request by Chris John Riley, Ian de Villiers, Joris van de Vis, Mariano Nunez, and nomnkee
- ICMP Exfiltration Service by Chris John Riley
- Windows Gather Spark IM Password Extraction by Brandon McCann "zeknox" and Thomas McCarthy "smilingraccoon"
- Windows Gather Local Admin Search by Brandon McCann "zeknox", Royce Davis "r3dy", and Thomas McCarthy "smilingraccoon"
- Windows NetLM Downgrade Attack by Brandon McCann "zeknox" and Thomas McCarthy "smilingraccoon"
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For additional details on what's changed and what's current, please see Brandon Turner's most excellent release notes.