PHP Shells Rising from the Flames
Phoenix Exploit Kit is your standard run-of-the-mill crimeware system, written in PHP, whose creator apparently got popped by the FSB earlier this year. Like many exploit kits, it has a back door, this one allowing you to eval whatever PHP code you like by sending it in a GET parameter (subtly named 'bdr'). Of course, running arbitrary PHP gives us control of the underlying operating system to varying degrees, depending on configuration.
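Because the back door is driven by a plain GET parameter, it leaves a trace in ordinary web server access logs. The following is an added example (not part of the original post, and not Metasploit code) that sweeps Combined Log Format lines for requests carrying a 'bdr' parameter and reports the decoded value that would have reached eval(). The log lines, addresses and PHP snippets are constructed for the demonstration; the parameter name is the one the post gives.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined Log Format as Apache and nginx write it by default. Constructed
# regex; it captures only the fields the detection needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The parameter name the post gives for the Phoenix back door.
BACKDOOR_PARAM = "bdr"

# Constructed sample lines (RFC 5737 documentation addresses, benign PHP).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Aug/2016:14:02:11 +0000] '
    '"GET /kit/index.php?bdr=phpinfo%28%29%3B HTTP/1.1" 200 5123',
    '198.51.100.7 - - [10/Aug/2016:14:02:15 +0000] '
    '"GET /kit/index.php?id=42 HTTP/1.1" 200 812',
    '203.0.113.5 - - [10/Aug/2016:14:03:01 +0000] '
    '"GET /kit/index.php?id=1&BDR=echo%20PHP_VERSION%3B HTTP/1.1" 200 77',
    'not a log line at all',
]


def find_backdoor_requests(lines):
    """Return one finding per request whose query string carries the
    back-door parameter, with the decoded value so an analyst can see
    what the server would have passed to eval()."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the sweep
        parts = urlsplit(m.group("target"))
        # parse_qs percent-decodes values; keep_blank_values catches "bdr="
        params = parse_qs(parts.query, keep_blank_values=True)
        for key, values in params.items():
            # Compare case-insensitively so a variant spelling is not missed
            if key.lower() != BACKDOOR_PARAM:
                continue
            for value in values:
                findings.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "method": m.group("method"),
                    "path": parts.path,
                    "status": int(m.group("status")),
                    "payload": value,
                })
    return findings


def summarize(findings):
    """Group findings by source address: how many hits and which paths."""
    by_ip = {}
    for f in findings:
        entry = by_ip.setdefault(f["ip"], {"hits": 0, "paths": set()})
        entry["hits"] += 1
        entry["paths"].add(f["path"])
    return by_ip


if __name__ == "__main__":
    hits = find_backdoor_requests(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} {f['ip']} {f['method']} {f['path']} -> {f['payload']!r}")
    print(summarize(hits))
```

Note that an access log only shows the query string of GET requests; if the same parameter were ever sent in a POST body, nothing here would see it, so this is a hunt for the behaviour the post describes, not a complete control.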
I love the idea of popping shells in malware. We've been doing it for a while, since way back in the day with exploit/windows/ftp/sasser_ftpd_port, an exploit for the FTP server run on compromised machines by the Sasser worm, and I was delighted to discover that I'm not the only one who finds exploits for malware to be hilarious.
MalSploitBase is a database of exploits for known vulns in evil things just like these. Even better, its code is available on github (https://github.com/misterch0c/malSploitBase) and the author encourages pull requests.
How come you never call anymore?
If you create child processes from your Meterpreter session, you often want to keep track of them and make sure they're not staying out too late or getting caught up with the wrong crowd. A new option to Meterpreter's ps command makes that a little easier, giving you a nice printout of all the children of your current process.
Other Post stuff
A few fun new modules from an up-and-coming contributor, h00die, make persistence on Linux a bit easier in the latest release. One of the big advantages of having modules for doing persistence instead of dropping files manually is the ability to automate it. For example, putting post/linux/manage/sshkey_persistence in your AutoRunScript option for an exploit lets you automatically establish a way back in without having to think about it in the crucial first few minutes of having a shell.
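The flip side of automated persistence is that the artefact it leaves is equally easy to audit. Assuming, as the module name indicates, that sshkey_persistence works by adding a public key to an authorized_keys file, the following added example (not part of the original post, and not Metasploit code) parses an authorized_keys file, computes each key's SHA256 fingerprint in the same form `ssh-keygen -lf` prints, and flags any key whose fingerprint is not on an allowlist. The key blobs and file contents are constructed for the demonstration and are not real SSH keys.

```python
import base64
import hashlib
import shlex

# Key types OpenSSH accepts in authorized_keys (the common ones).
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}

# Constructed key material: base64 of arbitrary bytes, NOT real SSH keys.
# The fingerprint logic only needs a base64 blob, which keeps this offline.
KEY_A = base64.b64encode(b"constructed key material A - not a real key").decode()
KEY_B = base64.b64encode(b"constructed key material B - not a real key").decode()

# Constructed authorized_keys file: one key we know about, and one with
# restrictive options that nobody on the team remembers adding.
SAMPLE_AUTHORIZED_KEYS = f"""# admin workstation
ssh-ed25519 {KEY_A} admin@workstation

command="/usr/bin/rrsync /srv",no-pty ssh-rsa {KEY_B} backup
"""


def fingerprint(blob_b64):
    """SHA256 fingerprint as `ssh-keygen -lf` prints it:
    'SHA256:' + unpadded base64 of sha256(decoded key blob)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Parse authorized_keys lines into dicts of options/keytype/blob/comment.
    The optional leading options field may contain quoted strings with
    spaces, so tokens are split with shell quoting rules and the key-type
    token is located by name rather than by position."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            entries.append({"line": lineno, "error": "unrecognised entry", "raw": raw})
            continue
        entries.append({
            "line": lineno,
            "options": " ".join(tokens[:idx]),
            "keytype": tokens[idx],
            "blob": tokens[idx + 1],
            "comment": " ".join(tokens[idx + 2:]),
        })
    return entries


def audit(text, allowlist):
    """Mark each key 'known' if its fingerprint is in the allowlist,
    otherwise 'UNKNOWN'. Lines that do not parse are reported, not dropped,
    since an odd line in this file deserves a look too."""
    report = []
    for entry in parse_authorized_keys(text):
        if "error" in entry:
            report.append({**entry, "status": "UNPARSEABLE"})
            continue
        fp = fingerprint(entry["blob"])
        status = "known" if fp in allowlist else "UNKNOWN"
        report.append({**entry, "fingerprint": fp, "status": status})
    return report


if __name__ == "__main__":
    known = {fingerprint(KEY_A)}  # allowlist built from keys you issued
    for r in audit(SAMPLE_AUTHORIZED_KEYS, known):
        print(r["status"], r.get("keytype", "?"),
              r.get("fingerprint", r.get("raw")), r.get("comment", ""))
```

In practice you would run this over every user's authorized_keys (and any AuthorizedKeysFile path sshd is configured with), with the allowlist generated from the keys you actually issued; the fingerprints it prints are the same strings `ssh-keygen -lf` shows, so they can be compared against that tool's output directly.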
And finally, for an exciting exfiltration extravaganza, post/multi/manage/zip gives you a platform-agnostic way of zipping up a directory for simplified pilfering.
Exploit modules (5 new)
- Cron Persistence by h00die
- Service Persistence by h00die
- Phoenix Exploit Kit Remote Code Execution by CrashBandicot and Jay Turla
- WebNMS Framework Server Arbitrary File Upload by Pedro Ribeiro
- Drupal CODER Module Remote Command Execution by Mehmet Ince and Nicky Bloor
Auxiliary and post modules (3 new)
- Internet Explorer Iframe Sandbox File Name Disclosure Vulnerability by Yorick Koster
- SSH Key Persistence by h00die
- Multi Manage File Compressor by sinn3r
As always, you can update to the latest Metasploit Framework with a simple msfupdate, and the full diff since the last blog post is available on GitHub: 4.12.19...4.12.22