Derbycon After-Action Report
As many of you know, last week and weekend was the fourth annual Derbycon -- a mid-sized gathering of security professionals from around the world, held in Louisville, Kentucky. A merge conflict* of Metasploit movers and shakers were there, and it's always nice to see friends, peers, and adversaries all gathered in the same place to swap info, both professional and personal. If you missed it -- which is likely, given the readership of this blog would outstrip all reasonable resources of the venue -- you can catch a ton of the talks generously provided by Irongeek. Of special interest to Metasploit users and developers would be James Egypt Lee's tour of the New Shiny in Metasploit Framework, and there's tons of good material from other Metasploit contributors. Look for the talks presented by Brandon Perry, Carlos DarkOperator Perez, Brandon zeknox McCann and Royce r3dy Davis, Jon Cran, and of course many, many others. There's hours upon hours of content there.
Of course, this is all a long way around of saying that I didn't write a weekly update blog post last week, so today's installment will cover roughly the last thirteen days of Metasploit movement.
If this is the first time you're hearing about Shellshock, the Bash Bug, a Bug called Bash, Bashbleed, Heartshock... well, you should probably just head on over to Jen Ellis's delightful write up of the bash brouhaha. Also, you're very, very behind, but that's okay. I won't judge.
Now that you're refreshed, you'll no doubt wonder where the Metasploit elves are on this. Well, we've published six new Metasploit modules that exercise Shellshock. Remember, the bug is in bash, and is absolutely not tied to just one application or protocol, so I can guarantee this is not the end of the story. The situation with bash is evolving on a daily basis, and we're keeping pace with the new developments as they surface so penetration testers, auditors, QA folks, IT administrators, and all the rest can validate their defenses and mitigations.
For ease of use, here's the list of new bash-related modules:
- Pure-FTPd External Authentication Bash Environment Variable Code Injection by Frank Denis, Spencer McIntyre, and Stephane Chazelas exploits CVE-2014-6271
- Apache mod_cgi Bash Environment Variable Code Injection by wvu, juan vazquez, Stephane Chazelas, and lcamtuf exploits CVE-2014-6278 and CVE-2014-6271
- OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection by joev, Stephane Chazelas, juken, and mubix exploits CVE-2014-6271
- Dhclient Bash Environment Variable Injection by egyp7 and Stephane Chazelas exploits CVE-2014-6271
- Apache mod_cgi Bash Environment Variable RCE Scanner by wvu, Stephane Chazelas, and lcamtuf exploits CVE-2014-6278 and CVE-2014-6271
- DHCP Client Bash Environment Variable Code Injection by Ramon de C Valle, Stephane Chazelas, apconole, and scriptjunkie exploits CVE-2014-6271
Tons of thanks to all the researchers and contributors that helped on these.
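Since the bug lives in bash itself rather than in any one application, the first thing an administrator validating a mitigation wants is a local answer to "does my bash still import function definitions from arbitrary environment variables?" The following is an added example, not code from this post or from Metasploit: a POSIX shell self-check that runs only against a local bash binary and reports the CVE-2014-6271 behaviour. The function name, the probe variable name and the marker string are my own choices.

```shell
#!/bin/sh
# Added example (not from the Metasploit post or framework): local CVE-2014-6271
# self-check. It starts the given bash with an environment variable shaped like an
# exported function definition followed by a trailing command. An unpatched bash
# runs the trailing command while importing the function; a patched bash ignores
# it. Nothing here touches a remote system.
#
# Prints exactly one of: vulnerable, patched, no-bash

shellshock_status() {
    bash_bin="${1:-bash}"   # path to the bash to test; defaults to the one on PATH

    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi

    # SHELLSHOCK_PROBE is a constructed variable name; the value is the classic
    # function-definition-plus-trailing-command shape from the advisory.
    # stderr is discarded because a patched bash may warn about the ignored
    # definition; "|| out=" keeps the check alive under 'set -e'.
    out=$(env SHELLSHOCK_PROBE='() { :;}; echo MARKER-VULN' \
          "$bash_bin" -c 'echo probe-ran' 2>/dev/null) || out=""

    case "$out" in
        *MARKER-VULN*) echo "vulnerable" ;;   # trailing command was executed
        *probe-ran*)   echo "patched" ;;      # bash ran, definition was ignored
        *)             echo "no-bash" ;;      # binary did not behave like bash
    esac
    return 0
}

# Run directly: ./shellshock_check.sh [/path/to/bash]
shellshock_status "$@"
```

Run it against every bash on a host (for example /bin/bash and any copies bundled with third-party software) rather than only the one on PATH, since the post's VMware Fusion and dhclient modules show the same bug reached through very different paths.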
(The image of Hulk addressing bash via bash techniques by Acegiak)
Other New Modules
Over the last couple of weeks, we've added a great pile of new modules -- 16 altogether. Of course, bash-related modules take center stage, accounting for six modules all by themselves, as indicated above. The non-bash modules are listed below. Note that the PXE Exploit Server module isn't technically new -- it's replacing the deprecated file location for the old PXE Exploit Server (for details, just see PR3923).
- HP Network Node Manager I PMD Buffer Overflow by juan vazquez and d(-_-)b exploits ZDI-14-305
- ManageEngine OpManager and Social IT Arbitrary File Upload by Pedro Ribeiro exploits CVE-2014-6034
- GetSimpleCMS PHP File Upload Vulnerability by Ahmed Elhady Mohamed exploits OSVDB-93034
- Advantech WebAccess dvs.ocx GetColor Buffer Overflow by juan vazquez and Unknown exploits ZDI-14-255
- EMC AlphaStor Device Manager Opcode 0x75 Command Injection by juan vazquez, Anyway, Brent Morris, Mohsan Farid, and Preston Thornburn exploits ZDI-13-033
- PXE Exploit Server by scriptjunkie
Auxiliary and post modules
- WordPress custom-contact-forms Plugin SQL Upload by Christian Mehlmauer and Marc-Alexandre Montpas
- AlienVault Authenticated SQL Injection Arbitrary File Read by Chris Hebert exploits OSVDB-106815
- UDP Empty Prober by Jon Hart
- ManageEngine DeviceExpert User Credentials by Brendan Coles and Pedro Ribeiro exploits CVE-2014-5377