Browser Autopwn Version 2
Hey all! If you haven't been following the Metasploit development over the last few weeks, you know that we've been pretty busy getting Browser Autopwn Version 2 (BAPv2) out the door and into Metasploit Framework. This project was, and is, driven by our own beloved Wei _sinn3r Chen, and it's one of those projects around here that I'm really personally very excited about.
If you want to jump into all the implementation details and history, I suggest bopping over to his pair of blog posts, Browser Autopwn v2 part 1 and part 2. It won't hurt my feelings. This update blog will be here when you get back.
The thing about Browser Autopwn is that it makes client-side attacks work nearly exactly as you'd see in the movies, or in a real, criminal campaign. With just a few keystrokes and minimal prep time, you can use this system as an endpoint for all sorts of penetration testing engagements. Check it out:
[*] Searching BES exploits, please wait... [*] Starting exploit modules... [*] Starting listeners... [*] Time spent: 7.019844157
If you're familiar with the old Browser Autopwn, the absolute first thing you'll notice is that startup time is lickety-split quick: in less than 10 seconds and basically no configuration, you've got yourself a nice smorgasbord of exploits for multi-platform Firefox, some Android browsers, Flash plugins, and vanilla Internet Explorer. Of course, mixing up the exploit list is pretty easy these days too, so if you know you don't care about mobile -- or only care about mobile -- you can make that happen trivially through the many configurable options.
Thanks loads to sinn3r, Juan, and everyone out there in open source land that made this possible.
Speaking of open source land, we have a brand new community committer on Metasploit Framework. Usually, when this kind of event happens, it's involving someone who's already a fixture around the framework, and it's sometimes surprising to learn they didn't have committer rights already. Void_in is no exception. If you've spent any time at all on the Metasploit Community message boards, you know that this dude is a freaking question answering, problem solving, confidence building machine. I suspect he literally might be a machine, given the amount of time he's selflessly volunteered on the project. He has limitless compassion and respect for newbies, both in the Metasploit sense and the security-in-general sense, and has been splitting time between the boards and the GitHub pull queue.
Void_in is a super helpful fellow, I'm excited to have him on board to make Metasploit that much better an experience for both old graybeards and fresh new penetration testers.
This time around, we have nine new exploits, and seven new auxiliary modules for your next testing engagement. As usual, you can check the diff since the last wrapup blog post for the complete skinny on what's changed.
- Accellion FTA getStatus verify_oauth_token Command Execution by hdm exploits CVE-2015-2857
- D-Link Cookie Command Execution by Michael Messner and Peter Adkins
- Adobe Flash Player ByteArray Use After Free by sinn3r, juan vazquez, and Unknown exploits CVE-2015-5119
- Adobe Flash opaqueBackground Use After Free by sinn3r, juan vazquez, and Unknown exploits CVE-2015-5122
- SysAid Help Desk Administrator Portal Arbitrary File Upload by Pedro Ribeiro exploits CVE-2015-2994
- SysAid Help Desk 'rdslogs' Arbitrary File Upload by Pedro Ribeiro exploits CVE-2015-2995
- Western Digital Arkeia Remote Code Execution by xistence
- VNC Keyboard Remote Code Execution by xistence
- Apple OS X DYLD_PRINT_TO_FILE Privilege Escalation by joev and Stefan Esser
Auxiliary and post modules
- SysAid Help Desk Administrator Account Creation by Pedro Ribeiro exploits CVE-2015-2993
- SysAid Help Desk Arbitrary File Download by Pedro Ribeiro exploits CVE-2015-2997
- SysAid Help Desk Database Credentials Disclosure by Pedro Ribeiro exploits CVE-2015-2998
- Mac OS X Safari file:// Redirection Sandbox Escape by joev exploits ZDI-15-228
- Accellion FTA 'statecode' Cookie Arbitrary File Read by hdm exploits CVE-2015-2856
- HTTP Client Automatic Exploiter 2 (Browser Autopwn) by sinn3r
- Windows Post Kill Antivirus and Hips by Jerome Athias, Marc-Andre Meloche (MadmanTM), Nikhil Mittal (Samratashok), and OJ Reeves