Stable is for Suckers!

Today on the Freenode IRC channel #metasploit, a user was asking about our old SVN repository for "unstable" Metasploit modules. He was lamenting its loss, since we recently shut down our SVN services (described in this blog post on May 22, 2013).

Fear not, danger-seekers! "Unstable" does live on in the form of a GitHub branch. You can check it out at https://github.com/rapid7/metasploit-framework/tree/unstable, and take a look at the unstable-modules directory. Most of the modules in there ran into some kind of trouble in testing or are too unreliable to package up and ship in Metasploit proper. But who knows? Opening up the unstable-modules directory is like buying a mystery box at auction, so you might find a lost treasure, or a mass of half-rotten comicbooks. If you're interested in that sort of thing, just be sure to check the history of the module in question to understand what all happened with it. This is usually pretty easy by reading the commit history and contacting the original author.

Another source for interesting-but-unshipped modules is Rob @mubix Fuller's Q Repository. Oftentimes, things that don't quite fit with the Metasploit main distro will end up here. I am totally on board with someone other than Rapid7 maintaining alternate streams of free, open source, unencumbered Metasploit modules. After all, why should we have all the fun spreading open source cheer around the Internet?

If you're after these modules for reasons beyond mere intellectual curiosity -- like, you actually want to use them -- all you need to do is create a directory structure like $HOME/.msf4/modules/auxiliary/test (or exploits/test, post/test, etc), and drop them in. You can change the name "test" to whatever you like, but you must declare what sort of module it is in the path. When you run msfconsole, those modules will be scooped up, and ready to use. Naturally, your mileage may vary, and there is certainly no guarantee that these modules are safe and appropriate for your network, but hey, stable is for suckers!

Heavy-handed UPnP Mitigation

Hey, remember that time HD Moore talked about all the zillions of UPnP devices that have broken implementations and vulnerable to remote exploitation? Yeah, that was pretty fun. Of course, it's less funny if you are responsible for some of these devices in your network. Is the ownership of these devices in your network unclear? Are they business critical, or not? Sometimes, it's hard to tell.

In my more Lawful Evil moments, it occurs to me that pretty much the fastest way to ferret out ownership of a device is to kick it offline and then find out who squawks. To that end, we have a Denial of Service module that kicks MiniUPnP 1.0 devices offline by exercising CVE-2013-0229, thanks to community contributor Dejan Lukan's implementation of HD's vulnerability discovery.

DoSes certainly can attract attention to a problem implementation. If the device is important enough to keep online, it's probably important enough to protect through some mind of mitigating strategy. Should you really DoS critical industrial control equipment that happens to have a single-packet kill vulnerability? Maybe the better question to ask is, "Is it better to wait for a bad guy to knock this industrial control gear offline on his schedule, or should I do it on my schedule?" Something to think about, anyway.

GNU AWK Bind and Reverse Shells

Once upon a time, the advice to system administrators hardening DMZ-based servers was to yank useful developer tools from those machines, since post-compromise, an attacker could use them to extend control. What this meant, at the time, was that you wouldn't want to have gcc or some other compiler installed on your web server, because you don't want to allow attackers to compile shells and backdoors and stuff like that locally. You'd also want to remove (or at least limit) interpreters like Perl or Python, for largely the same reasons.

I'm not entirely convinced that this is realistic advice; it would be difficult for a system administrator to perform job functions without some kind of programming help. And in this day and age of DevOps, where configuration management is increasingly the job of interpreted languages, the benefits of stripping system tools off a server may just not stack up to the cost of not having them there when you need them legitimately.

That all said, if you happen to run into a CentOS / RedHat based system that is configured by a paranoid, you might want to check if GNU awk is installed (as it is by default). If so, you could leverage this particular flavor of awk and use its built-in socket capabilities to open either a bind shell or reverse shell, thanks to the two new payloads provided by community contributors Roberto Soares and Ulisses Castro. It's at the very least novel, and may avoid IPS/IDS string checkers that are looking for the more traditional Perl and bash-based sockets. And hey, is there really a good reason why I need to be able to bind to a socket with just awk?

New Modules

We've got seven new Metasploit modules this week, not counting the aforementioned AWK payloads. Enjoy!

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.