Weekly Metasploit Wrapup: And We're Back!

Hi folks. It's been a little while. I know, I know. Things have been a little wonky around here lately, as you no doubt have noticed. So, while this is nominally the Weekly Metasploit Wrapup, it's been a little more than a month since the Community Cutover on April 1st. That said, our blog platform now seems stable enough to resume writing these missives, so let's cover the highlights of what's been going on in the People's Republic of Metasploit since the last post.

If you just want to see the diffs, just check out the GitHub compare. Only about a thousand changes to go through for the last several weeks, so have a blast with that.

WordPress Exploitation Extravaganza

Metasploit now boasts over a dozen new WordPress-related exploits an auxiliary modules, most of which were contributed by Roberto espreto Soares, with hat tips to community committer Christian FireFart Mehlmauer for landing assistance. This avalanche of exploits illustrates rather obviously the problems historically associated with wordpress plugins, arguably to the point that this particular dead horse has truly been beaten into a soupy, dessicated mass.

So, we've had to rate limit the sheer volume of WordPress exploits that were hitting the Metasploit pull request queue, lest we accidentally become WordPressSploit. In fact, after I so cruelly dismissed a handful of new WordPress modules in this comment, that's precisely what Roberto did, and now he's chugging away on WPSploit, which can be used as a local add-on for all your WordPress plugin exploitation needs. All you need to do to track it is keep up a local clone of that repository, and symlink the auxiliary and exploit module directory structures in your local $HOME/.msf4 directory, and you can pick them up immediately. After all, who am I to be the sole arbiter of what's worthy of a Metasploit module?

This development over the last couple weeks illustrates the ease of forking and maintaining a customized build out of Metasploit Framework. After all, we have a permissive, open license, and given the collaborative power of GitHub, pretty much anyone with an interest can start building out their own sub-communities of exploit development. Yeah, that open source model is pretty powerful stuff, and WPSploit is already up to 18 additional modules.

Naturally, given the third of our three-clause license, Rapid7 neither endorses or promotes the use of this (or any other) side-repository of Metasploit modules, but I'm happy to let you know that it exists and that I'm happy about it.

Another Round of Flash Exploits

On the other side of the browser connection, we also have four new client-side Flash exploits contributed by our own Juan Vazquez, half of which were based on the research work of hdarwin89. This has been an area of interest for a while for Juan, especially given that there are more than a couple black market exploit kits that include a number of Flash exploits. Now that he's wrapped up the server side Java Remote Management Interface research, presented at last month's InfoSec SouthWest, Juan has dived head first into Flash exploitation research and development in order to better simulate the world of Internet crime.

Want to Help?

If you're the sort of person who reads this blog regularly, want to help out, and lives in Austin, Texas, USA (or can get here quickly), we have an internship open for working on the Metasploit family of products. Don't worry, all of Rapid7's internships are paid, and in fact, the last intern we picked up for Framework, William Vu, turned out to be an amazing new permanent hire, and is a huge reason why Metasploit Framework is now the in the top ten of all GitHub-hosted Ruby projects. So, this is definitely not a boring, go-get-me-coffee-and-then-do-all-this-horrible-gruntwork kind of internship; a successful applicant has every opportunity to make a name for themselves here on the forefront of open source, openly developed security software. For more details on the requirements, see the official job description here. And hey, I'd be happy to review your resume if you'd like. Hit me up on Twitter.

New Modules

Right, so like I said at the top, it's been about a month since the last Weekly Wrapup, so there are more than the usual on the "new" module list -- thirty-nine, to be precise, including the above-mentioned WordPress and Flash modules. Other highlights include a denial of service module for the much-ballyhooed HTTP.sys overflow (use with care, for you will bluescreen if successful!), a local exploit for the Apple OSX "rootpipe" bug (a patch for which was not backported to older versions of OSX), and a couple SOHO router/DOCSIS modem exploits.

You can check the release notes for the last three Metasploit Pro and Community updates over here.

Exploit modules

• D-Link/TRENDnet NCC Service Command Injection by Michael Messner, Peter Adkins, and Tiago Caetano Henriques exploits CVE-2015-1187
• Ceragon FibeAir IP-10 SSH Private Key Exposure by hdm and todb exploits CVE-2015-0936
• JBoss Seam 2 File Upload and Execute by vulp1n3 exploits CVE-2010-1871
• Novell ZENworks Configuration Management Arbitrary File Upload by Pedro Ribeiro exploits CVE-2015-0779
• Apple OS X Rootpipe Privilege Escalation by joev, wvu, and Emil Kvarnhammar exploits CVE-2015-1130
• Wordpress Creative Contact Form Upload Vulnerability by Gianni Angelozzi and Roberto Soares Espreto exploits OSVDB-113669
• Wordpress InBoundio Marketing PHP Upload Vulnerability by KedAns-Dz and Roberto Soares Espreto exploits OSVDB-119890
• Wordpress N-Media Website Contact Form Upload Vulnerability by Claudio Viviani and Roberto Soares Espreto
• Wordpress Reflex Gallery Upload Vulnerability by Roberto Soares Espreto and Unknown exploits OSVDB-88853
• Wordpress SlideShow Gallery Authenticated File Upload by Jesus Ramirez Pichardo and Roberto Soares Espreto exploits CVE-2014-5460
• Wordpress Work The Flow Upload Vulnerability by Claudio Viviani and Roberto Soares Espreto
• WordPress WPshop eCommerce Arbitrary File Upload Vulnerability by Roberto Soares Espreto and g0blin
• Adobe Flash Player casi32 Integer Overflow by juan vazquez and bilou exploits ZDI-14-365
• Adobe Flash Player copyPixelsToByteArray Method Integer Overflow by juan vazquez, Chris Evans, Nicolas Joly, and hdarwin exploits CVE-2014-0556
• Adobe Flash Player UncompressViaZlibVariant Uninitialized Memory by juan vazquez, Nicolas Joly, and Unknown exploits CVE-2014-8440
• Adobe Flash Player ByteArray With Workers Use After Free by juan vazquez, Unknown, and hdarwin exploits CVE-2015-0313
• Solarwinds Firewall Security Manager 6.6.5 Client Session Handling Vulnerability by sinn3r, mr_me, and rgod exploits ZDI-15-107
• Windows Run Command As User by Ben Campbell and Kx499

Auxiliary and post modules

• Arris / Motorola Surfboard SBG6580 Web Interface Takeover by joev exploits CVE-2015-0966
• MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service by sinn3r and Bill Finlayson exploits CVE-2015-1635
• Android Browser File Theft by joev and Rafay Baloch
• Apple OSX/iOS/Windows Safari Non-HTTPOnly Cookie Theft by joev and Jouko Pynnonen exploits CVE-2015-1126
• Java RMI Registry Interfaces Enumeration by juan vazquez
• MS14-052 Microsoft Internet Explorer XMLDOM Filename Disclosure by sinn3r and Soroush Dalili exploits CVE-2013-7331
• SSL Labs API Client by Denis Kolegov and Francois Chagnon
• Embedthis GoAhead Embedded Web Server Directory Traversal by Matthew Daley and Roberto Soares Espreto exploits CVE-2014-9707
• Web-Dorado ECommerce WD for Joomla! search_category_id SQL Injection Scanner by bperry exploits CVE-2015-2562
• Gallery WD for Joomla! Unauthenticated SQL Injection Scanner by CrashBandicoot and bperry
• ManageEngine Desktop Central Login Utility by sinn3r
• Outlook Web App (OWA) / Client Access Server (CAS) IIS HTTP Internal IP Disclosure by Nate Power
• RIPS Scanner Directory Traversal by Roberto Soares Espreto and localh0t
• CP Multi-View Calendar Unauthenticated SQL Injection Scanner by Joaquin Ramirez Martinez and bperry
• Contus Video Gallery Unauthenticated SQL Injection Scanner by Claudio Viviani and bperry exploits CVE-2015-2065
• WordPress DukaPress Plugin File Read Vulnerability by Kacper Szurek and Roberto Soares Espreto exploits CVE-2014-8799
• WordPress GI-Media Library Plugin Directory Traversal Vulnerability by Roberto Soares Espreto and Unknown
• WordPress Mobile Edition File Read Vulnerability by Khwanchai Kaewyos and Roberto Soares Espreto
• Nessus RPC Interface Login Utility by void_in
• Gather Steam Server Information by Jon Hart
• Windows Gather Local SQL Server Hash Dump by Mike Manzotti and nullbind