Hopping Meterpreter Through PHP

This week, Metasploit landed and shipped the new Reverse HTTP hop stager for Meterpreter payloads, which opens up yet another avenue for pivoting about the Internet to connect to your various and sundry Meterpreter shells. This is kind of a huge deal.

For starters, this obviously helps with crossing artificial borders between networks. You may have an engagement target that has a vulnerable web server in a DMZ that's running PHP, so you can use that machine as a quick and easy Meterpreter pivot point into the nominally "separate" network on the other side.

In addition, this kind of hopping behavior can help a lot with staying undetected by the pen-test target's IDS and IPS. Imagine that you know that a certain machine or range is on an exclusion list for alerting (which is all to often the case when IT security folks are having trouble tuning out false positives from certain devices). The enterprising attacker can take control of that purposely-ignored device, pop stand up a quick Nginx server with PHP and start rerouting all his otherwise suspicious traffic through there.

If you're interested in seeing this bad boy in action, you're invited to check a screencast of the payload:

Tons of thanks to Matt @scriptjunkie Weeks for his effort on this, and for casually mentioning this feature at a recent hacker BBQ here in Austin.

New Modules

We've four new exploits and one new auxiliary module this week for Metasploit users, including one for the long-anticipated, recently disclosed Yokogawa vulnerability, CVE-2014-3888.

Exploit modules

Auxiliary and post modules

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows, either the totally free Metasploit Community Edition, or the 14-day free trial of Metasploit Pro. If you're the sort to track bleeding-edge development code, then these modules are but an msfupdate command away. For readers who are already using Metasploit Community or Metasploit Pro, you'll be able to install the new hotness today via the Administration : Software Updates button.

For additional details on what's changed and what's current, please see Chris Doughty's most excellent release notes.