Java Payload Cleanup
If you've been watching the Metasploit source repository, you will have noticed some movement in Java Payload land -- specifically, PR#1217, which landed this week. Thanks to the refactoring efforts of Michael @mihi42 Schierl, testing by @Meatballs, and integration from James @egyp7 Lee, the Javapayload and Java Meterpreter projects can now more easily be hacked at with Eclipse, a preferred IDE for Java nerds. There's also a slew of new unit tests, so you have more assurance that your hackery won't break existing functionality. This is good news for you if you are a) more of a Java guy than a Ruby guy, and b) you want to make meaningful contributions to the Metasploit framework. Thanks a ton, guys!
ZDI Sport Fishing
This week also sees a trio of ZDI-derived Metasploit modules -- we have exploits now for ZDI-13-051, ZDI-13-052, and ZDI-13-053. They all target the HP Intelligent Management Center (IMC), and all three were initially reported to the Zero Day Initiative (ZDI). ZDI, if you weren't aware, is now part of HP's new HP Security Research (HPSR) group. Yes, that's a lot of acronyms.
ZDI-disclosed vulnerabilities are especially attractive for some exploit developers, including our own Juan Vazquez. By dint of being disclosed by ZDI, we know for sure that some money has already changed hands. This makes them de facto "high value" vulnerabilities, not just goofy crashes or bugs exposed only in unlikely, contrived attack scenarios. In addition, we know that there are organizations out there who put a premium on protecting against ZDI vulns. Those folks like to be able to use Metasploit modules to test the efficacy of their defenses, both pre- and post-patch.
This is all incidental to the fact that ZDI vulns are generally rewarding to research. It's like fishing in a pond that you know is stocked; it's a lot easier to be confident and be successful when you know for sure that there is an exploit worth catching there. If you're looking to get involved with exploit development on targets that aren't just toys or CTF targets, ZDI can provide a pretty rich target landscape.
Besides HP IMC, we of course have a passel of new modules. Passel? How about a clutch? No, a murder. Of course. Below is this week's murder of Metasploit modules.
- DLink DIR-645 / DIR-815 diagnostic.php Command Execution by juan vazquez and Michael Messner exploits OSVDB-92144
- Linksys WRT54GL apply.cgi Command Execution by juan vazquez and Michael Messner exploits OSVDB-89912
- HP System Management Homepage Local Privilege Escalation by agix exploits OSVDB-91990
- Nagios Remote Plugin Executor Arbitrary Command Execution by Rudolph Pereira and jwpari exploits CVE-2013-1362
- Sysax Multi-Server 6.10 SSHD Key Exchange Denial of Service by Matt "hostess" Andreko exploits OSVDB-92081
- HP Intelligent Management FaultDownloadServlet Directory Traversal by juan vazquez and rgod exploits ZDI-13-051
- HP Intelligent Management IctDownloadServlet Directory Traversal by juan vazquez and rgod exploits ZDI-13-053
- HP Intelligent Management ReportImgServlt Directory Traversal by juan vazquez and rgod exploits ZDI-13-052
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.