The Internet worm of November 2, 1988
The worm was the first of its kind. Never before had the then-fledgling Internet seen a worm, much less one with such impact and attention. It resulted in the first CFAA conviction, igniting the ethical and legal debate on security that continues to this day.
The Morris worm exploited a handful of vulnerabilities and misconfigurations. It shelled hosts via rsh(1), exploited a debug mode in Sendmail, and even cracked user passwords. However, one of the most interesting vulns was a stack-based buffer overflow in the fingerd daemon listening on port 79. It was perhaps the first buffer overflow exploited in the wild.
Today, November 2nd of the year 2018, you can exploit the same vulnerabilities leveraged by the Internet worm of 1988. We've added three modules to Metasploit: two exploits and one payload.
exploit/bsd/finger/morris_fingerd_bof is the fingerd buffer overflow against 4.3BSD on VAX, complete with a custom reverse shell payload written in VAX assembly (excepting an encoder for the newline badchar).
exploit/unix/smtp/morris_sendmail_debug exploits the debug mode in Sendmail at the time, allowing the execution of arbitrary shell commands. Currently only cmd/unix/generic payloads are supported.
And what's the point of fresh exploits if you can't test them? Check out the module documentation for the exploits with the info -d command for details on how to set up your very own 4.3BSD environment in Docker.
The case of the Mysterious Backtrace™
As we continue our behind-the-scenes improvements to Metasploit’s core, our very own @wvu-r7 and @bcook-r7 teamed up to take on an issue that resulted in traceback errors cluttering the console. The issue stemmed from a change in how Ruby handled exceptions inside threads by default. We'd love to hear your feedback, so if you encounter similar errors, don't hesitate to reach out to us. The Metasploit Slack is the best way to reach out to the Metasploit developer community.
post/windows/escalate/unmarshal provides a local privilege escalation via improperly handled serialization in Microsoft COM objects. Also known as UnmarshalPwn, CVE-2018-0824 was discovered by Nicolas Joly, exploited by Matthias Kaiser and Sanjay Gondaliya, and converted to a Metasploit module by first-time contributor Pratik Shah.
- Reduced created processes and artifacts when using the bypassuac_eventvwr local exploit by no longer relying on the cmd.exe process to launch the eventvwr.exe binary
- exploit/windows/imap/mercury_login now supports automatic targeting of Windows x86 systems using an egg hunting technique
- Added 'Notes' to our module metadata; this is currently used for AKA references, so you can quickly find modules like MS17-010 by searching for 'ETERNALBLUE'
- Improved payload encoding with a variable-length XOR encoder that supports both x86 and x64 payloads to handle additional bad characters
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub.
To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based off the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.