Rapid7 Blog

Pearce Barry  

Metasploit developer, usually... :)


Metasploit Wrapup


To celebrate this first day of Autumn[1], we've got a potpourri of "things Metasploit" for you this week. And it might smell a bit like "pumpkin spice"... Or it might not. Who knows?

Winter is Coming

If you're looking to finish filling your storehouse before the cold sets in, we've got a couple of new gatherer modules to help. This new Linux post module can locate and pull Tor hostname and private key files for Tor hidden services on a target system. If containers are more your thing, this new *nix post module will gather all users' Docker credentials from a hosting target. And while your DB is getting stocked up with creds, don't forget to add Fall2017 to your password list[2] ('cause, you know... people).

Uniting People

Last week, some of the Metasploit team joined Rapid7 customers from around the country for Rapid7's annual UNITED Summit in Boston. Brent Cook offered an overview of what's next for Metasploit Framework, Wei Chen and James Barnett led an introduction to CTF competitions, and the Metasploit team hosted UNITED's inaugural CTF for attendees. 62 teams competed for prizes and bragging rights, and for some of them, UNITED marked their first-ever flag capture. Congrats to the winners and first-timers! Thanks to everyone who joined us to share knowledge, drop shells, and log face-time in Boston!

Good Things Come in Threes

Today marks the third appearance of the Metasploit Town Hall at DerbyCon. The Town Hall is an interactive panel discussion centered around the current state (and trajectory) of Metasploit, with questions and feedback welcomed. If you're out at Derby this year, drop on by and be a part of the conversation!

Want MOAR?

Check out our YouTube channel for additional Metasploit-related content, including recent (and past!) recordings of the Metasploit team's bi-monthly sprint demo meetings. At best, you'll find out about new Metasploit work and features in progress. At worst, they aren't really long videos. ¯\_(ツ)_/¯

New Modules

Auxiliary and post modules (2 new)
- Linux Gather TOR Hidden Services by Harvey Phillips
- Multi Gather Docker Credentials Collection by Flibustier

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
- Pull Requests 4.16.6...4.16.7
- Full diff 4.16.6...4.16.7

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

[1] Spring for our friends in the Southern Hemisphere!
[2] Spring2017 for our friends in the Southern Hemisphere!

Metasploit Wrapup


It's been a hot minute since the last Metasploit Wrapup. So why not take in our snazzy new Rapid7 blog makeover and catch up on what's been goin' down!

You can't spell 'Struts' without 'trust'

Or perhaps you can! With all the current news coverage around an Apache Struts vulnerability from earlier this year (thanks to its involvement in a consumer credit reporting agency data breach), there's a new Struts vuln getting attention. Due to how untrusted, user-provided data is handled during deserialization by the Struts 2 REST plugin's XStream handler, it's possible to achieve remote code execution on vulnerable versions of Struts (which reportedly go back to 2008!). Struts devs were quick to release a patch to address the new vuln (CVE-2017-9805), while Metasploit dev @wvu was quick to create an exploit module for Framework. For additional details and musings, check out this blog post from R7's Tod Beardsley, Director of Research.

Better living through Meterpreter

There've been a number of substantial improvements to Meterpreter going on, some of which have been released since the last wrapup post.

Transport-agnostic encryption (wat?)

Colloquially referred to as CryptTLV (because, well, it encrypts the TLV message payloads between Framework and Meterpreter), this new mechanism has a couple of immediate benefits for MSF users:
- Doesn't require OpenSSL (reducing Meterpreter payload size by roughly 80%!)
- Operates at the packet payload level, allowing it to work across the various transport types (TCP, HTTP(S), and so on), since the transport only ever sees already-encrypted bytes

There's some more work coming along in this vein. Stay tuned.

Playing a 'pivotal' role

It's what you do once you have your foothold on a multi-homed system connected to a private network: you pivot. Which leads to further discovery, moving around, and sometimes more pivoting. We've recently upgraded this key Meterpreter feature with the following:
- Works over named pipes
- More performant than the existing tunnelling mechanism (and latency doesn't compound as you make additional pivots!)
- Traffic is encrypted with CryptTLV

Definitely worth taking for a spin, so let us know what you think!

And SO MANY NEW MODULES!

Seriously, there's a bunch of neat stuff that's been added. Check out the New Modules list below, where you'll find stuff to help you with all the following:
- scanning
- credential gathering
- container detection
- privilege escalation
- remote code execution
- denial of service
- C2 server software exploitation (Tod gets the credit on this)

New Modules

Exploit modules (9 new)
- Docker Daemon - Unprotected TCP Socket Exploit by Martin Pizala
- QNAP Transcode Server Command Execution by 0x00string, Brendan Coles, and Zenofex
- VMware VDP Known SSH Key by phroxvs exploits CVE-2016-7456
- Malicious Git HTTP Server For CVE-2017-1000117 by NOBODY exploits CVE-2017-1000117
- IBM OpenAdmin Tool SOAP welcomeServer PHP Code Execution by Brendan Coles and SecuriTeam exploits CVE-2017-1092
- Apache Struts 2 REST Plugin XStream RCE by wvu and Man Yue Mo exploits CVE-2017-9805
- Windows Escalate UAC Protection Bypass (Via COM Handler Hijack) by Matt Nelson, OJ Reeves, and b33f
- Gh0st Client buffer Overflow by Professor Plum
- PlugX Controller Stack Overflow by Professor Plum

Auxiliary and post modules (6 new)
- BIND TKEY Query Denial of Service by Alejandro Parodi, Ezequiel Tavella, Infobyte Research Team, and Martin Rocha exploits CVE-2016-2776
- Asterisk Gather Credentials by Brendan Coles
- TeamTalk Gather Credentials by Brendan Coles
- Identify Cisco Smart Install endpoints by Jon Hart
- Linux Gather Container Detection by James Otten
- Multi Gather Maven Credentials Collection by elenoir

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
- Pull Requests 4.15.6...4.16.6
- Full diff 4.15.6...4.16.6

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.
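
Returning to the CryptTLV item above: the point of encrypting at the TLV packet level is that the transport underneath never has to provide confidentiality, so the same sealed bytes can ride a raw socket or an HTTP body unchanged. The Ruby below is an added illustration written for this page, not Framework's or Meterpreter's code, and it simplifies freely: the TLV type numbers, the 8-byte clear header, and the choice of AES-256-GCM with that header bound as associated data are this example's own (Meterpreter's real packet layout and cipher mode differ), and the session key is generated locally rather than negotiated. It carries one sealed packet through a length-prefixed stream and through a base64 text body, decrypts both identically, and shows a single flipped ciphertext bit being rejected.

```ruby
require 'openssl'

# Simplified TLV framing: 4-byte big-endian total length (header included),
# 4-byte big-endian type, then the value. Same general shape as Meterpreter's
# TLVs, but these type numbers are the example's own, not Framework constants.
TLV_TYPE_METHOD = 1
TLV_TYPE_ARG    = 2

def tlv_encode(type, value)
  [value.bytesize + 8, type].pack('NN') + value
end

def tlv_decode(buf)
  tlvs = []
  pos = 0
  while pos < buf.bytesize
    raise 'truncated TLV header' if buf.bytesize - pos < 8
    len, type = buf.byteslice(pos, 8).unpack('NN')
    raise 'bad TLV length' if len < 8 || pos + len > buf.bytesize
    tlvs << [type, buf.byteslice(pos + 8, len - 8)]
    pos += len
  end
  tlvs
end

# Packet layout (example's own): clear header (flags, body length) ||
# 12-byte nonce || 16-byte GCM tag || ciphertext. The clear header is fed in
# as associated data, so changing it in transit fails authentication too.
FLAG_ENCRYPTED = 1

def seal_packet(key, tlvs)
  body = tlvs.map { |t, v| tlv_encode(t, v) }.join
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  cipher.key = key
  nonce = cipher.random_iv
  header = [FLAG_ENCRYPTED, body.bytesize].pack('NN')
  cipher.auth_data = header
  ct = cipher.update(body) + cipher.final
  header + nonce + cipher.auth_tag + ct
end

def open_packet(key, packet)
  raise 'short packet' if packet.bytesize < 36
  header = packet.byteslice(0, 8)
  flags, body_len = header.unpack('NN')
  raise 'unexpected packet flags' unless flags == FLAG_ENCRYPTED
  nonce = packet.byteslice(8, 12)
  tag   = packet.byteslice(20, 16)
  ct    = packet.byteslice(36, packet.bytesize - 36)
  raise 'length mismatch' unless ct.bytesize == body_len
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.decrypt
  cipher.key = key
  cipher.iv = nonce
  cipher.auth_tag = tag
  cipher.auth_data = header
  tlv_decode(cipher.update(ct) + cipher.final) # CipherError if tampered
end

# Two stand-in transports: a length-prefixed byte stream (TCP-style) and a
# base64 text body (as an HTTP transport might carry it). Neither touches
# the encryption; both hand back the identical sealed packet.
def through_stream_transport(packet)
  framed = [packet.bytesize].pack('N') + packet
  framed.byteslice(4, framed.byteslice(0, 4).unpack1('N'))
end

def through_text_transport(packet)
  [packet].pack('m0').unpack1('m0')
end

def demo
  key = OpenSSL::Random.random_bytes(32) # locally generated for the example
  tlvs = [[TLV_TYPE_METHOD, 'core_channel_open'], [TLV_TYPE_ARG, "\x00\x01\x02".b]]
  packet = seal_packet(key, tlvs)
  tampered = packet.dup
  last = tampered.bytesize - 1
  tampered.setbyte(last, tampered.getbyte(last) ^ 0x01) # flip one ciphertext bit
  detected = begin
    open_packet(key, tampered)
    false
  rescue OpenSSL::Cipher::CipherError
    true
  end
  { stream: open_packet(key, through_stream_transport(packet)),
    text: open_packet(key, through_text_transport(packet)),
    tamper_detected: detected }
end

p demo if __FILE__ == $PROGRAM_NAME
```

The header stays in the clear because the receiver needs the length and flags to frame the packet before it can decrypt; binding it as AAD is what keeps that convenience from becoming a tampering surface.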

Metasploit Wrapup


Slowloris: SMB edition

Taking a page from the Slowloris HTTP DoS attack, the aptly named SMBLoris DoS attack exploits a vuln contained in many Windows releases (back to Windows 2000) and also affects Samba (a popular open source SMB implementation). Through creation of many connections to a target's SMB port, an attacker can exhaust all available memory on the target by sending a specific NBSS length header value over each of those connections, rendering the system unusable or crashing it (if desired). Because the trigger is the NBSS session header rather than anything in the SMB protocol proper, systems with SMB disabled are reported to be vulnerable to this attack too. Word is that Microsoft currently has no plans to issue a fix. Following the SMBLoris reveal at DEF CON (hat tip to the researchers at RiskSense!), Metasploit Framework now contains an auxiliary module for fulfilling your SMBLoris needs.

The Adventure of LNK

Think Windows shortcut files are a convenient way to reference a file from multiple places? How about as an attack vector to get remote code execution on a target? Affecting a wide range of Windows releases, a recently-landed exploit module for CVE-2017-8464 might be just what you're looking for to give this vector a go. Microsoft did release a patch this past June, but we're gonna guess a lot of systems still haven't picked that up yet.

Would you like RCE with your PDF (reader)?

If so, Nitro's PDF reader might be your hookup. Many versions of both Pro and regular flavors of the reader are vulnerable, providing JavaScript APIs which allow writing a payload to disk and then executing it. Check out the new exploit module and enjoy some of that tasty RCE.

Jenkins, tell me your secrets...

If you periodically happen upon a target running Jenkins, we've got a new post module you might find useful. jenkins_gather will locate where Jenkins is installed on a system and then proceed to look for creds, tokens, SSH keys, etc., decrypting what it finds and conveniently adding it to your loot. It's been tested on a number of versions and platforms and is ready for you to give it a try.

And more!

We've also:
- enabled ed25519 support with net-ssh
- added better error handling for the EternalBlue exploit module when it encounters a system that has SMB1 disabled (thx, @multiplex3r!)

New Modules

Exploit modules (2 new)
- LNK Code Execution Vulnerability by Uncredited and Yorick Koster exploits CVE-2017-8464
- Nitro Pro PDF Reader 11.0.3.173 Javascript API Remote Code Execution by sinn3r, Brendan Coles, and mr_me exploits CVE-2017-7442

Auxiliary and post modules (2 new)
- SMBLoris NBSS Denial of Service by thelightcosine
- Jenkins Credential Collector by thesubtlety

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
- Pull Requests 4.15.4...4.15.6
- Full diff 4.15.4...4.15.6

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.
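
Back to SMBLoris: everything hinges on the 4-byte NBSS session header, whose 17-bit length field lets a client announce a body of up to 131071 bytes before sending a single byte of it. The Ruby below is an added example for this page (not the Framework module, and not a DoS tool): an encoder/decoder for the RFC 1002 session header, plus a small simulation contrasting a receiver that reserves the announced length per connection as soon as the header lands with one that caps connections per source and only grows buffers as body bytes arrive. The receiver models, the per-source limit and the attacker address are constructed for the illustration; nothing here measures what Windows or Samba actually allocate.

```ruby
# NBSS session header per RFC 1002 section 4.3.1: TYPE (1 byte), FLAGS
# (1 byte, of which only the low bit E, the length-extension bit, is
# defined) and LENGTH (2 bytes, network order). With E set the announced
# length is effectively 17 bits, so one header can claim 0x1FFFF bytes.
NBSS_SESSION_MESSAGE = 0x00
NBSS_MAX_LENGTH      = 0x1FFFF

def nbss_encode(type, length)
  raise ArgumentError, 'length must fit in 17 bits' if length < 0 || length > NBSS_MAX_LENGTH
  [type, (length >> 16) & 0x01, length & 0xFFFF].pack('CCn')
end

def nbss_decode(header)
  raise ArgumentError, 'need at least 4 bytes' unless header.bytesize >= 4
  type, flags, low = header.byteslice(0, 4).unpack('CCn')
  raise ArgumentError, 'reserved flag bits set' unless (flags & 0xFE).zero?
  { type: type, length: ((flags & 0x01) << 16) | low }
end

# Receiver models (this example's own, not any real server's code). Buffer
# sizes are tracked as counters rather than allocated for real.
#
# EagerReceiver trusts the announced length and reserves that much per
# connection before any body arrives, so committed memory scales with the
# number of idle connections an attacker can hold open.
class EagerReceiver
  attr_reader :committed

  def initialize
    @committed = 0
  end

  def on_header(header)
    @committed += nbss_decode(header)[:length]
  end
end

# BoundedReceiver caps concurrent connections per source address and only
# allocates a small read buffer until body bytes actually show up.
class BoundedReceiver
  attr_reader :committed, :rejected

  def initialize(max_conns_per_source: 16, read_chunk: 4096)
    @max = max_conns_per_source
    @chunk = read_chunk
    @committed = 0
    @rejected = 0
    @per_source = Hash.new(0)
  end

  def on_header(source, header)
    if @per_source[source] >= @max
      @rejected += 1
      return false
    end
    @per_source[source] += 1
    nbss_decode(header) # validate, but never pre-reserve the announced length
    @committed += @chunk
    true
  end
end

# Every connection sends the same header announcing the maximum body.
# 198.51.100.7 is a constructed (TEST-NET-2) attacker address.
def simulate(connections, source: '198.51.100.7')
  header = nbss_encode(NBSS_SESSION_MESSAGE, NBSS_MAX_LENGTH)
  eager = EagerReceiver.new
  bounded = BoundedReceiver.new
  connections.times do
    eager.on_header(header)
    bounded.on_header(source, header)
  end
  { eager_bytes: eager.committed,
    bounded_bytes: bounded.committed,
    bounded_rejected: bounded.rejected }
end

if __FILE__ == $PROGRAM_NAME
  p nbss_decode(nbss_encode(NBSS_SESSION_MESSAGE, NBSS_MAX_LENGTH))
  p simulate(1000)
end
```

With a thousand idle connections the eager model has committed about 125 MiB on the strength of headers alone, while the bounded one holds 64 KiB and has turned the rest away; the per-source cap is also the kind of counter a detection rule can watch for on port 445.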

Metasploit Wrapup


With Hacker Summer Camp 2017 wrapped up and folks now recovering from it, why not grab a drink and read up on what's new with Metasploit?

Where there's smoke...

At least a few versions of the open source firewall IPFire contain a post-auth RCE vulnerability, and we (well, you!) now have a module to help exploit that. Due to how an incoming Snort Oinkcode is processed by proxy.cgi via HTTP POST request, the IPFire software leaves itself open to having a payload shoved in as the Oinkcode and executed. Like throwing water on an IPFire...

Razer's edge

Synapse, a computer peripheral configuration application from popular peripheral device vendor Razer, contains an access control vulnerability in its rzpnk.sys driver (CVE-2017-9769). Exploiting this vuln allows local privilege escalation: the driver exposes ZwOpenProcess functionality to unprivileged callers, which yields handles to other processes and from there the ability to read and write their memory and execute code in their context. And there's a new module for this. As of this writing, this vulnerability has not yet been patched (and considering Synapse will auto-install on peripheral connect, at least under Windows 10, there may be many susceptible targets out there!).

Scanner Lightly

And we've landed a few new aux modules for your scanning pleasure: RDP and NNTP. While RDP is likely familiar to many readers, NNTP (Network News Transfer Protocol) might be less so. But you never know what a target might be running...

Mo' Meterpreter

We've had some improvements to a couple of our Meterpreters to share.

Windows Meterpreter
- screen capture of HiDPI screens is now supported (and captures the full screen)
- new threads are now automatically set up to not throw a dialog box or crash notification on failure

macOS/OSX Meterpreter
- native-code Meterpreter now available
- microphone audio streaming is supported

Feed me, RSS!

Had a desire to follow what your sessions are up to via an RSS feed? If so, rejoice! There's now a new framework plugin for doing exactly that thanks to @mubix.

Rise of the robots.txt

In an effort to make framework's HttpServer a bit less leaky, @dbfarrow added the ability to serve up a canned 'plz no crawl/index my pagez' robots.txt response for clients who request it. And, for those clients who do request it and honor it, that canned response should be enough to shoo them off from accessing files HttpServer is hosting...

New Modules

Exploit modules (5 new)
- IPFire proxy.cgi RCE by 0x09AL and h00die
- Metasploit RPC Console Command Execution by Brendan Coles
- VICIdial user_authorization Unauthenticated Command Execution by Brendan Coles
- Easy Chat Server User Registeration Buffer Overflow (SEH) by Aitezaz Mohsin and Marco Rivoli
- Razer Synapse rzpnk.sys ZwOpenProcess by Spencer McIntyre exploits CVE-2017-9769

Auxiliary and post modules (2 new)
- NNTP Login Utility by Brendan Coles exploits CVE-1999-0502
- Identify endpoints speaking the Remote Desktop Protocol (RDP) by Jon Hart

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
- Pull Requests 4.15.0...4.15.4
- Full diff 4.15.0...4.15.4

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Metasploit Weekly Wrapup


Ghost...what???

hdm recently provided a new exploit module for a type confusion vulnerability (CVE-2017-8291) that exists in Ghostscript versions 9.21 and earlier, allowing remote code execution on the target. And to "kick it up a notch", this exploit got itself a snazzy logo which also contains the exploit (spoiler alert: it's called GhostButt).

Forever and a day

From mr_me comes a one-two punch in the form of two exploits which target an EOL'd Trend Micro appliance. Certain versions of the Threat Discovery Appliance contain both authentication bypass and command injection vulnerabilities, which can be used to gain access to the appliance and run whatevs, respectively. And because this product is no longer supported by Trend Micro, these vulns are expected to be "forever day".

HTA RCE FTW

If you're looking for remote code execution via an MS Office document vuln, nixawk's exploit module for CVE-2017-0199 might fit the bill nicely. This new addition allows Framework users to easily craft a doc file containing an OLE object which references an HTML Application (HTA). When the target opens this document, the HTA is fetched over the network (Framework acting as the server, of course), and remote code execution is back on the menu.

Feeling constrained?

Mercurial SCM users with SSH access can now move about more freely thanks to a new exploit module from claudijd. By targeting weak repo validation in the HG server's customizable hg-ssh script, users can use this module to break out of their restricted shell and execute arbitrary code. Give it a go and enjoy your new-found freedom...!

But wait, there's more!

Rounding out our tech updates, bcook-r7 has given us a polite push forward and "flipped the switch" so that the POSIX Meterpreter used by Framework is now provided by Mettle. Not only does Mettle weigh in at roughly half the size of the old POSIX Meterpreter, it also provides more functionality. Additionally, it's being actively worked on these days, unlike the old POSIX Meterpreter. Yes, plz!

The Summer of Code is upon us!

We are excited to welcome Tabish Imran, B.N. Chandrapal, and Taichi Kotake to the Metasploit community as 2017 Google Summer of Code students. We thank everyone who took the time to participate; it was a fierce competition, with over 30 applicants. Look forward to seeing the great projects these students create this summer!

New Modules

Exploit modules (6 new)
- WePresent WiPG-1000 Command Injection by Matthias Brun
- Mercurial Custom hg-ssh Wrapper Remote Code Exec by claudijd
- Trend Micro Threat Discovery Appliance admin_sys_time.cgi Remote Command Execution by Roberto Suggi Liverani and mr_me exploits CVE-2016-7547
- Ghostscript Type Confusion Arbitrary Command Execution by hdm and Atlassian Security Team exploits CVE-2017-8291
- Microsoft Office Word Malicious Hta Execution by sinn3r, DidierStevens, Haifei Li, Nixawk, ryHanson, vysec, and wdormann exploits CVE-2017-0199
- Disk Sorter Enterprise GET Buffer Overflow by Daniel Teixeira

Auxiliary and post modules (1 new)
- Upload and Execute by egyp7

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
- Pull Requests 4.14.12...4.14.15
- Full diff 4.14.12...4.14.15

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Weekly Metasploit Wrapup


I gave at the office

The office can be a popular place when it comes to giving. From selling kids' cookies/candy to raising awareness for a charity, the opportunity to 'give at the office' is definitely a thing. And now, thanks to Office macros, Metasploit offers a new way to give (and receive!) at 'the Office'.

These days, using malicious macros in office productivity programs is still a common attack vector. Designed with a handful of word-processing programs in mind (including some open source), Metasploit can now generate documents which utilize macros to execute an injected payload. Once a target receives and opens one of these documents (with macros enabled), the payload is executed, and now you have a shell or Meterpreter session (or whatever your payload is). Who says it's better to give than to receive?

When the sequel is better than the original

In the vein of "creative ways to achieve code execution on a MS SQL server", here's a new one which doesn't write to disk and works on a number of MS SQL versions. By setting up a CLR stored procedure (with some pre-built .NET assembly code Metasploit provides) on the target, one can then issue a query containing an encoded payload, which will be executed as native shellcode by the stored procedure (woo!). Valid credentials with a certain level of privilege are required to use this new module, then you're good to go.

Logins, logins, everywhere...

We've had a couple of good login-related fixes recently, including a fix to properly honor the USER_AS_PASS and USER_FILE options when running a login scanner. Also of note is a fix to the owa_login module to properly handle valid credentials when a user doesn't have a mailbox set up. And if you'd rather skip logins entirely, grab yourself a misfortune cookie and check out the new RomPager authentication bypass module.

New Modules

Exploit modules (4 new)
- AlienVault OSSIM/USM Remote Code Execution by Mehmet Ince and Peter Lapp
- Microsoft Office Word Malicious Macro Execution by sinn3r
- Piwik Superuser Plugin Upload by FireFart
- Microsoft SQL Server Clr Stored Procedure Payload Execution by Lee Christensen, Nathan Kirk, and OJ Reeves

Auxiliary and post modules (1 new)
- Allegro Software RomPager 'Misfortune Cookie' (CVE-2014-9222) Authentication Bypass by Jan Trencansky, Jon Hart, and Lior Oppenheim exploits CVE-2014-9222

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
- Pull Requests 4.13.21...4.13.25
- Full diff 4.13.21...4.13.25

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.
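
On the login scanner fix above: the scanner's options decide which username/password pairs actually get attempted, so a bug in honoring USER_AS_PASS or USER_FILE silently shrinks the attempt set without any error. The Ruby below is an added example for this page, not Framework's Metasploit::Framework::CredentialCollection: a simplified expansion of those options into de-duplicated credential pairs. The option names mirror the Framework options, the expansion order and de-duplication are this example's own, and the word lists are constructed samples embedded inline (the *_file options carry file contents rather than paths so it runs offline).

```ruby
require 'set'

# Simplified model of how a login scanner turns its options into credential
# pairs. Option keys mirror USERNAME, PASSWORD, USER_FILE, PASS_FILE,
# USERPASS_FILE, USER_AS_PASS and BLANK_PASSWORDS; the implementation is this
# example's own, not Metasploit::Framework::CredentialCollection.
Credential = Struct.new(:username, :password)

# Word-list option values are file contents here (constructed for the example)
# so nothing is read from disk.
def read_words(text)
  return [] if text.nil?
  text.each_line.map(&:chomp).reject(&:empty?)
end

def expand_credentials(opts)
  users = read_words(opts[:user_file])
  users.unshift(opts[:username]) if opts[:username]
  passwords = read_words(opts[:pass_file])
  passwords.unshift(opts[:password]) if opts[:password]

  seen = Set.new
  out = []
  add = lambda do |user, pass|
    # Set#add? returns nil for a pair already present, so a pair produced by
    # several options (e.g. USER_AS_PASS and a PASS_FILE entry) is tried once.
    out << Credential.new(user, pass) if seen.add?([user, pass])
  end

  # USERPASS_FILE lines are "user pass" pairs tried exactly as given.
  read_words(opts[:userpass_file]).each do |line|
    user, pass = line.split(/\s+/, 2)
    add.call(user, pass.to_s)
  end

  users.uniq.each do |user|
    add.call(user, user) if opts[:user_as_pass]  # USER_AS_PASS
    add.call(user, '') if opts[:blank_passwords] # BLANK_PASSWORDS
    passwords.each { |pass| add.call(user, pass) }
  end
  out
end

# Constructed sample lists (not from the post). The repeated "admin" line
# checks that duplicate usernames do not produce duplicate attempts.
USER_FILE_SAMPLE = "admin\nsvc_backup\nadmin\n".freeze
PASS_FILE_SAMPLE = "Fall2017\nWinter2017\n".freeze

def demo
  expand_credentials(
    user_file: USER_FILE_SAMPLE,
    pass_file: PASS_FILE_SAMPLE,
    user_as_pass: true,
    blank_passwords: false
  ).map(&:to_a)
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |user, pass| puts "#{user}:#{pass}" }
end
```

Running it prints six attempts: each user paired with itself first (the USER_AS_PASS contribution the fix restored), then with each entry of the password list, with the duplicate admin line collapsed.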
