Hopping Meterpreter Through PHP
This week, Metasploit landed and shipped the new Reverse HTTP hop stager for Meterpreter payloads, which opens up yet another avenue for pivoting about the Internet to connect to your various and sundry Meterpreter shells. This is kind of a huge deal.
For starters, this obviously helps with crossing artificial borders between networks. You may have an engagement target that has a vulnerable web server in a DMZ that's running PHP, so you can use that machine as a quick and easy Meterpreter pivot point into the nominally "separate" network on the other side.
In addition, this kind of hopping behavior can help a lot with staying undetected by the pen-test target's IDS and IPS. Imagine that you know that a certain machine or range is on an exclusion list for alerting (which is all too often the case when IT security folks are having trouble tuning out false positives from certain devices). The enterprising attacker can take control of that purposely-ignored device, stand up a quick Nginx server with PHP, and start rerouting all his otherwise suspicious traffic through there.
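The flip side of the two paragraphs above is what a defender can look for: a relay that lives on a web server leaves a trail in that server's own access log, where the pivoted host polls the same PHP endpoint over and over at a steady cadence. The script below is an added example, not code from Metasploit or from this post, and it makes assumptions: the log is in Combined Log Format, the endpoint name `/api/relay.php` and the client addresses are constructed for the sample, and the thresholds (at least six hits, coefficient of variation of the inter-request gap at or below 0.15) are starting points rather than tuned values. It flags client/path pairs whose request timing is regular enough to look like polling, which is a generic beaconing heuristic, so legitimate AJAX pollers will also show up and need to be whitelisted.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (Combined Log Format) from a hypothetical
# DMZ web server. 10.20.0.7 hits /api/relay.php every 5 seconds, which is
# the steady polling pattern we want to surface; 10.20.0.9 browses normally.
# Hosts, paths and timestamps are all made up for this example.
SAMPLE_LOG = """\
10.20.0.7 - - [14/Jul/2014:10:00:00 +0000] "POST /api/relay.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
10.20.0.9 - - [14/Jul/2014:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.20.0.9 - - [14/Jul/2014:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.20.0.7 - - [14/Jul/2014:10:00:05 +0000] "POST /api/relay.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
10.20.0.7 - - [14/Jul/2014:10:00:10 +0000] "POST /api/relay.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
10.20.0.7 - - [14/Jul/2014:10:00:15 +0000] "POST /api/relay.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
10.20.0.7 - - [14/Jul/2014:10:00:20 +0000] "POST /api/relay.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
10.20.0.7 - - [14/Jul/2014:10:00:25 +0000] "POST /api/relay.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
10.20.0.7 - - [14/Jul/2014:10:00:30 +0000] "POST /api/relay.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
10.20.0.9 - - [14/Jul/2014:10:00:40 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.20.0.9 - - [14/Jul/2014:10:00:41 +0000] "GET /favicon.ico HTTP/1.1" 200 318 "-" "Mozilla/5.0"
10.20.0.9 - - [14/Jul/2014:10:01:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.20.0.9 - - [14/Jul/2014:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.20.0.9 - - [14/Jul/2014:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Combined Log Format: client, ident, user, [timestamp], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into ip/timestamp/path, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        # Drop the query string so a relay that varies its parameters still groups together.
        "path": m.group("path").split("?", 1)[0],
    }


def find_beacons(lines, min_hits=6, max_cv=0.15, php_only=True):
    """Return (ip, path, mean_gap_seconds, cv) for every client/path pair that
    was requested at least min_hits times with inter-request gaps whose
    coefficient of variation (stdev / mean) is at or below max_cv."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if php_only and not rec["path"].endswith(".php"):
            continue
        groups[(rec["ip"], rec["path"])].append(rec["ts"])

    findings = []
    for (ip, path), stamps in groups.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # all hits in the same second; not a polling cadence
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append((ip, path, round(mean, 1), round(cv, 3)))
    return findings


if __name__ == "__main__":
    for ip, path, mean_gap, cv in find_beacons(SAMPLE_LOG.splitlines()):
        print(f"{ip} polls {path} every ~{mean_gap}s (cv={cv})")
```

Run against the constructed sample, only the 10.20.0.7 / `/api/relay.php` pair is reported (seven hits, five seconds apart, coefficient of variation 0); the interactive browsing from 10.20.0.9 is far too irregular to pass. On a real server you would feed it the rotated access logs and treat every hit as a lead to correlate with the host's outbound connections, not as a verdict.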
If you're interested in seeing this bad boy in action, you're invited to check out a screencast of the payload:
Tons of thanks to Matt @scriptjunkie Weeks for his effort on this, and for casually mentioning this feature at a recent hacker BBQ here in Austin.
We have four new exploits and one new auxiliary module this week for Metasploit users, including one for the long-anticipated, recently disclosed Yokogawa vulnerability, CVE-2014-3888.
Exploit modules
- Gitlist Unauthenticated Remote Command Execution by Brandon Perry and drone exploits CVE-2014-4511
- Wordpress MailPoet (wysija-newsletters) Unauthenticated File Upload by Christian Mehlmauer and Marc-Alexandre Montpas
- Oracle Event Processing FileUploadServlet Arbitrary File Upload by juan vazquez and rgod exploits ZDI-14-106
- Yokogawa CS3000 BKFSim_vhfd.exe Buffer Overflow by juan vazquez and Redsadic exploits CVE-2014-3888
Auxiliary and post modules
- Windows Gather Skype Saved Password Hash Extraction by hdm and mubix
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows, either the totally free Metasploit Community Edition, or the 14-day free trial of Metasploit Pro. If you're the sort to track bleeding-edge development code, then these modules are but an msfupdate command away. For readers who are already using Metasploit Community or Metasploit Pro, you'll be able to install the new hotness today via the Administration : Software Updates button.