Minecraft-Vectored Malware

Metasploit exploit developer Juan @_juan_vazquez_, while trawling the Internet for the next hot exploit, came across this pastie describing a Java exploit which takes advantage of a vulnerability in Java's Color Management classes. Turns out, this is also one of the vulns being exploited in McRat, a Trojan targeting Windows-based Minecraft players (that's what the "Mc" stands for).

McRat is compelling to potential victims because of its specificity and large potential victim pool. By targeting Minecraft players, attackers are specifically avoiding the browser vector, for starters. They're also playing on people's tendency to install non-work related software on work machines, so your victims, by default, are not going to get a lot of love from their IT departments. On top of this, they're more likely to ignore the blanket advice to "disable Java," because they may not be aware that disabling Java in the browser won't, in fact, impact their stand-alone Minecraft experience.

There's since been a patch for this vulnerability -- it looks like Oracle is moving ever faster to knock out patches for these things. They also appear to have abandoned their quarterly patch cycle for all practical purposes when it comes to actively exploited security issues. If you haven't updated yet to Java 7u17 (or 6u43), now's a good time. If you believe you've patched, you can use the new module, Java CMM Remote Code Execution, to make sure.

PHP Shell Games

Speaking of malicious attacker software, this week also sees a quartet of new modules from community contributor bwall. We are now shipping modules targeting Ra1NX, STUNSHELL (two for that one), and v0pCr3w's shell.

These kinds of hack-the-hacker modules can be particularly useful on a penetration testing engagement. Not only are you able to identify machines that were compromised before you got there, but you can turn around and use the existing compromises to extend your own control over the affected assets. As egypt likes to say in his Metasploit training classes, "there is no cheating in hacking." Of course, you will want to alert your client pretty much right away and advise them on their current compromised situation.


I have it on good authority that internationally renowned superhacker and MongoDB user HD Moore was (quote) "just looking at that code," and was bummed that he didn't spot the vulnerability before agix. So it goes with bug-hunting, you can't win 'em all, and there are plenty of smart, dedicated exploit developers in the world who have just as good a shot at uncovering exploits that other smart, dedicated exploit devs might miss the first time around. In this case, it was community contributor agix who discovered the vulnerability in MongoDB and proved it out with a Metasploit module. 10gen, the primary maintainers of MongoDB, turned out a patch nearly immediately, so if you're a MongoDB user, you'll want to pick that up pronto.

New Modules

Wow, this post ended up being all about exploit content. Here are the rest of the modules -- 10 new ones, including those detailed above. In fact, the only non-exploit we have this week is a post-exploitation module for sneaking UNC paths into Word documents, courtesy of community contributor Sphaz. Thanks everyone!


If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.