The Internet worm of November 2, 1988

Today marks the 30th anniversary of the Morris worm. We were hit by a wave of nostalgia, so here's a little history and a module-trip down memory lane courtesy of wvu:

The worm was the first of its kind. Never before had the then-fledgling Internet seen a worm, much less one with such impact and attention. It resulted in the first CFAA conviction, igniting the ethical and legal debate on security that continues to this day.

The Morris worm exploited a handful of vulnerabilities and misconfigurations. It shelled hosts via rsh(1), exploited a debug mode in Sendmail, and even cracked user passwords. However, one of the most interesting vulns was a stack-based buffer overflow in the fingerd daemon listening on port 79. It was perhaps the first buffer overflow exploited in the wild.

Today, November 2nd of the year 2018, you can exploit the same vulnerabilities leveraged by the Internet worm of 1988. We've added three modules to Metasploit: two exploits and one payload.

exploit/bsd/finger/morris_fingerd_bof is the fingerd buffer overflow against 4.3BSD on VAX, complete with a custom reverse shell payload written in VAX assembly (excepting an encoder for the newline badchar).
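The defect class behind the fingerd overflow described above, as an added example in C that is not code from the original daemon or from the Metasploit module: the 1988 fingerd read the request line with gets(3) into a fixed 512-byte stack buffer, so a request longer than the buffer overwrote the stack frame (and, since the read stops at a newline, a newline cannot appear inside a request, which is why it is a bad character for the payload). The bounded reader beside it rejects over-long requests instead; the network stream is simulated with constructed in-memory strings.

```c
#include <stdio.h>
#include <string.h>

#define REQ_BUF 512   /* the same fixed buffer size the 1988 daemon used */

/* Vulnerable pattern: copies until newline or end of stream with no
 * bound, which is what gets(3) did.  Shown only for contrast. */
static void read_request_unbounded(const char *stream, char *line)
{
    while (*stream && *stream != '\n')
        *line++ = *stream++;   /* nothing stops this at the buffer end */
    *line = '\0';
}

/* Hardened replacement: stops at the buffer limit and reports an
 * over-long request instead of writing past the buffer.  Returns the
 * request length, or -1 when it does not fit in cap bytes. */
static int read_request_bounded(const char *stream, char *line, size_t cap)
{
    size_t n = 0;
    while (stream[n] && stream[n] != '\n') {
        if (n + 1 >= cap)      /* keep room for the terminator */
            return -1;         /* reject rather than overflow */
        line[n] = stream[n];
        n++;
    }
    line[n] = '\0';
    if (n && line[n - 1] == '\r')   /* treat "user\r\n" like "user\n" */
        line[--n] = '\0';
    return (int)n;
}

int main(void)
{
    char line[REQ_BUF];
    char oversized[REQ_BUF + 100];   /* constructed: 611 'A's, no newline */

    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    /* Both readers agree on a well-formed request, which is why the
     * unbounded one went unnoticed; only the bounded one survives the
     * over-long request (it returns -1 instead of overflowing). */
    read_request_unbounded("wvu\n", line);   /* safe: input is short */
    printf("unbounded: %s\n", line);
    printf("bounded:   %d\n", read_request_bounded("wvu\r\n", line, sizeof line));
    printf("oversized: %d\n", read_request_bounded(oversized, line, sizeof line));
    return 0;
}
```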

exploit/unix/smtp/morris_sendmail_debug exploits the debug mode in Sendmail at the time, allowing the execution of arbitrary shell commands. Currently only the cmd/unix/reverse and cmd/unix/generic payloads are supported.

And what's the point of fresh exploits if you can't test them? Check out the module documentation for the exploits with the info -d command for details on how to set up your very own 4.3BSD environment in Docker.

The case of the Mysterious Backtrace™

As we continue our behind-the-scenes improvements to Metasploit’s core, our very own @wvu-r7 and @bcook-r7 teamed up to take on an issue that resulted in traceback errors cluttering the console. The issue stemmed from a change in how Ruby handled exceptions inside threads by default. We'd love to hear your feedback, so if you encounter similar errors, don't hesitate to reach out to us. The Metasploit Slack is the best way to reach out to the Metasploit developer community.

New exploits

  • post/windows/escalate/unmarshal provides a local privilege escalation via improperly handled serialization in Microsoft COM objects. Also known as UnmarshalPwn, CVE-2018-0824 was discovered by Nicolas Joly, exploited by Matthias Kaiser and Sanjay Gondaliya, and converted to a Metasploit module by first-time contributor Pratik Shah.
  • exploit/bsd/finger/morris_fingerd_bof (see above)
  • exploit/unix/smtp/morris_sendmail_debug (see above)

Improvements

  • Reduced the processes and artifacts created when using the bypassuac_eventvwr local exploit by no longer relying on a cmd.exe process to launch the eventvwr.exe binary
  • Updated exploit/windows/imap/mercury_login to support automatic targeting of Windows x86 systems using an egg hunting technique
  • Added 'Notes' to our module metadata; this is currently used for AKA references, so you can quickly find modules like MS17-010 by searching for 'ETERNALBLUE'
  • Improved payload encoding with a variable-length XOR encoder that supports both x86 and x64 payloads to handle additional bad characters

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

To install fresh, check out the open-source-only Nightly Installers, or the binary installers, which also include the commercial editions. PLEASE NOTE that these installers, and the Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based on the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.