SAP SAPpy SAP SAP

We've been all SAP all the time here in the Independent Nations of Metasploit, and expect to be for the rest of the week. You might recall that Metasploit exploit dev, Juan Vazquez published his SAP survey paper a little while back; on Tuesday, we did a moderated twitter chat on the hashtag #pwnSAP with the major SAP-focused Metasploit contributors Bruno Morrison, Chris John Riley, and Dave Hartley; and today (Thursday, December 5), Juan and I will be hosting a webcast on the various and sundry SAP exposures that Metasploit covers, and There Will Be Demos and Q&A, so it should be fun.

The whole thing has been pretty eye-opening for me; there's been a bunch of movement in the research over the last 18-24 months or so, and I'm delighted that so many talented people are making noise about this in the form of Metasploit modules. Hopefully all this will raise some awareness of the risks and exposures involved with running huge, complex, interconnected systems like ERP in general.

Silverlight Exploit

In other (non-SAP) news, this week, we're shipping our first ever Silverlight exploit, which exploits MS12-022 (aka, CVE-2013-0074). That's exciting. Use your DNS MITM attacks to jack the Netflix domains, wait for Orange is the New Black fans to connect, and profit!

It's important to know that the vulnerability is in Silverlight proper, and not IE, so while our exploit targets Microsoft Internet Explorer only today, the vulnerability is actually cross-platform. So, now that we've done this groundwork of demoing how to write a Silverlight exploit in Metasploit, all we need now is some enterprising young researcher to port this to a working Apple implementation. Have at it!

New Modules

I know, I know, last week we kind of cheated you out of your usual complement of new modules, thanks to the the Ruby float bug. To make it up to you, we have 14 new modules this week, including the Silverlight module mentioned above. Have at it! There's a lot of neat new attacks in there, so thanks again to our beloved community contributors for their efforts on these.

Exploit modules

Auxiliary and post modules

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.