Last month, I talked about community contributor Michael @m-1-k-3 Messner's nifty D-Link authentication bypass, and made the case that having Metasploit modules for consumer-grade access points is, in fact, useful and important.
Well, this week's update has a pile of new modules from m-1-k-3, all of which are targeting these kinds of consumer-grade networked devices: We now have a Linksys E1500 / E2500 remote command exec exploit, a Linksys 1500 directory traversal exploit, a directory traversal module for TP-Link's TL-WA701ND access point, a password extractor for the DLink DIR-645, and a directory traversal module for NetGear's weird single-purpose cordless phone device.
That's right, we have a Metasploit module for a cordless phone. The era of there being a difference between your "electronic devices" and your "computer devices" is coming to a close. What I said last month about these sorts of devices being in scope for a pen-test still stands -- if they're not in scope today, they really ought to be, at least for key personnel. Criminals don't particularly care about your scope doc.
Thanks loads, m-1-k-3, for your work on these!
Who shot who in the what now?
This week's update includes a .mailmap file which consolidates the identities of contributors. For example, you can now see easily that the majority of contributors are, of course, not Rapid7 employees. This speaks to the power of the open source model of security software development that we employ here; even if Rapid7 tomorrow decided to pull the plug on this whole Metasploit thing and prohibited us from working on it, Metasploit will live on.
Technically, .mailmap helps consolidate "identities" to "humans," so things like 'git shortlog' and 'git blame' / 'git praise' are more meaningful. I use this data all the time to be able to determine who's committing what, and I'm sure third-party sites like Ohloh are doing the same.
The information used to populate the .mailmap was collected from git commit messages, so if you have personal info in there that you don't want, then a) be more careful with your own git config files, and b) let me know and I'll excise or anonymize or whatever.
Rake DB tests
I've talked about our slouching into the modern era of Ruby development before, and Rapid7 Metasploit Pro developer Luke @KronicDeth Imhoff has been valiantly championing that cause. The latest major change has been bringing the ability to "rake db" directly in Metasploit Framework, as of Pull Request #1592. This allows for all the usual database migrations, rollbacks, and drops that Rails developers are accustomed to having available. It also allows for direct testing of a lot of database-backed functionality, so this also strikes another blow for TDD.
Incidentally, if you are the sort to open a pull request on Metasploit, check out Luke's Verification Steps. This kind of initial documentation is massively useful for reviewers, as it really helps to demonstrate why your change is needed, what you think intended functionality is, and gives hints on how to test that your change is actually successful.
Msfupdate: Adios SVN
This is your final warning. If you're on an SVN checkout for Metasploit, you want to upgrade now. 'msfupdate' no longer will update over SVN; it will tell you to get your act together and exit out with code 0x11. This has been warned about since November of 2012. The SVN server is still up, so you can use regular svn commnads to get a checkout going (or edit your own version of msfupdate), but really, honest and true, you need to either (a) get a binary install for Metasploit, which comes with both Framework and Metasploit Community / Pro, or (b) get a local git clone of the source and track along with that. Both mechanisms are described at http://r-7.co/MSF-UP.
We've got fourteen new modules this week -- half exploits, half aux/post. Enjoy!
- Mutiny Remote Command Execution by juan vazquez and Christopher Campbell exploits CVE-2012-3001
- Apache Struts ParametersInterceptor Remote Code Execution by Meder Kydyraliev, Richard Hicks, and mihi exploits CVE-2011-3923
- Cool PDF Image Stream Buffer Overflow by juan vazquez, Chris Gabriel, and Francis Provencher exploits CVE-2012-4914
- KingView Log File Parsing Buffer Overflow by juan vazquez, Carlos Mario Penagos Hollman, and Lucas Apa exploits CVE-2012-4711
- Sami FTP Server LIST Command Buffer Overflow by Doug Prostko and superkojiman exploits OSVDB-90815
- HP Intelligent Management Center Arbitrary File Upload by juan vazquez and rgod exploits ZDI-13-050
- ActFax 5.01 RAW Server Buffer Overflow by juan vazquez, Craig Freyman, and corelanc0d3r exploits OSVDB-89944
- Axigen Arbitrary File Read and Delete by juan vazquez and Zhao Liang exploits CVE-2012-4940
- DLink DIR 645 Password Extractor by Michael Messner and Roberto Paleari exploits OSVDB-90733
- Linksys E1500/E2500 Remote Command Execution by m-1-k-3 exploits OSVDB-89912
- Linksys E1500 Directory Traversal Vulnerability by m-1-k-3 exploits OSVDB-89911
- Netgear SPH200D Directory Traversal Vulnerability by m-1-k-3 exploits BID-57660
- TP-Link Wireless Lite N Access Point Directory Traversal Vulnerability by m-1-k-3 exploits CVE-2012-5687
- Linux Manage Download and Exececute by Joshua D. Abraham
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.