New Adobe Reader ROP Gadgets

This week, Juan Vazquez put together a neat one-two exploit punch that involves a somewhat recent Adobe Reader vulnerability (disclosed back in mid-May) and a sandbox escape via a OS privilege escalation bug. I won't give away the surprise there -- he'll have a blog post about it up in a few hours.  Part of the work, though, resulted in some new entries in Metasploit's RopDB; specifically, for Adobe Reader versions 9, 10, and 11.

If you're not already familiar with the RopDB that ships with Metasploit, you can brush up by reading Wei @_sinn3r Chen's write up about ROP chaining from way back in October, 2012, then follow up with his 2013 refresh.  Hopefully, these chains prove to be useful for exploit developers for a while, which should make turnaround for future (and recent past) Reader vulnerabilities quicker and easier.

YouTube Broadcasting

We have a fun module this week just in time for Xmas from Wei @_sinn3r Chen, the multi-platform YouTube broadcaster. To use it, simply point to a YouTube video ID (for example, XAg5KjnAhuU), fire it off on your compromised clients (Windows, Linux, or Mac), and amaze at the full-screen display of the video on your target's active desktops.

The most obvious use of such a module, of course, is for laughs, as you surprise your victims with sudden Rick Astley or Nyan Cat videos.  However, there is bona fide usefulness here, too. The real reason sinn3r popped this module out is that it makes for a great "payload" for a surprise training session. Imagine that you've kicked off a social engineering campaign against your own userbase, and you've gathered your sessions through straight user error (no exploits, no sneakiness, no nothing).  Now, instead of just handing off a report to your HR department head, you can also, on the spot, conduct some training on the compromised folks by immediately showing them what they did wrong.

It's super easy to record instructional videos and slap them up on YouTube; if you use YouTube's privacy settings to mark your video as 'unlisted', they won't get indexed, which makes them about as private as a limited-audience Gists or PasteBins. Not bad, and certainly easier than packing up a whole video payload or setting up your own streaming service.

To me, this seems like a pretty powerful mechanism to train naughty users into how to do the right thing. People get inurred to nastygrams from their IT and HR department really quickly, but a sudden 30 second video ad that tells them that what they just did was unsafe behavior can have a more immediate impact, especially if it's entertaining.

Finally, full-video post-exploit payloads are a hallmark of Hollywood hacking, as described in the original feature request, so this kind of thing can be really useful for regular training sessions or demos; who cares about passing hashes and dumping session credentials; show me funny cat videos and I'm sure to renew your engagement contract!

New Modules

Including those mentioned above, we've got eight new modules this week; six exploits, and two post modules. Four of the six exploits are client-side, which reminds me: Like every year now, we fully expect to see an avalanche of new out-of-the box laptops, desktops, phones, and tablets to hit the Internet Christmas morning. If you've been building out machines for your loved ones, do take a second to confirm that you've got your latest client-side patches all squared away before wrapping them up.

Exploit modules

Auxiliary and post modules

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.