Metasploit update is out (15 new modules added)
The Metasploit® Framework is a free, open source penetration testing solution developed by the open source community and Rapid7. It is the de facto standard for penetration testing, with more than one million unique downloads per year and the world’s largest public database of quality-assured exploits.
This new release covers the following:
New Module for Trusted Path Switcheroo
As I was going over this week’s new modules, one that jumped out at me was Wei “sinn3r” Chen’s implementation of a general Trusted Path insertion attack, Windows Service Trusted Path Privilege Escalation. I don’t recall running into this attack scenario before, but of course, I don’t live and breathe the Windows APIs like sinn3r does. Here’s how it works, in a nutshell:
- First, find a Windows service that runs in the context of LocalSystem.
- Of those, find one whose service executable sits in an unquoted path that contains a space. For example, if a system service runs C:\Program Files\FooCompany\bar.exe (without quotes around the path), you’re in.
- Write your malicious executable to a path that mimics the path specifier up until the first space, with .exe appended, and start the service as normal. In the above example, we’d write our executable to C:\Program.exe, and CreateProcess will run it with the command argument “Files\FooCompany\bar.exe”.
That’s pretty much the long and the short of it. Of course, you need the rights both to write to the directory where the split happens (C:\ in the example above; on a locked-down system drive the realistic targets are later split points inside a vendor directory that your account can write to) and to start and stop the service, but Power Users (and better) tend to have those rights by default. If you want to check your own machine, the easiest way is probably just firing up a command shell: “wmic SERVICE get Name,PathName,StartName” lists the configured binary path of every installed service, running or not, exactly as the service control manager hands it to CreateProcess, and “wmic PROCESS get CommandLine” shows the same for whatever is running right now. Eyeball either for paths that contain spaces but no quotes.
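To make the three steps above concrete, here is an added Python audit that models the CreateProcess split rule and, for service entries like the ones “wmic SERVICE get Name,PathName,StartName” returns, lists the paths an attacker would plant and the directories they would need write access to. This is example code written for this post, not the Metasploit module; the service names, paths and accounts in SAMPLE_SERVICES are constructed, and the split rule is the documented behaviour of CreateProcess with a NULL lpApplicationName, reproduced in Python rather than called.

```python
"""Audit Windows service binary paths for the unquoted-path CreateProcess trap.

Added example, not the Metasploit module's code.  Real input would come from
`wmic service get Name,PathName,StartName /format:csv` or
`Get-CimInstance Win32_Service | Select Name,PathName,StartName`; the
SAMPLE_SERVICES list below is constructed for this example.
"""
import ntpath
from typing import Dict, List, Tuple

# Constructed sample: (service name, PathName as the SCM stores it, account).
SAMPLE_SERVICES: List[Tuple[str, str, str]] = [
    ("FooSvc",     r"C:\Program Files\FooCompany\bar.exe",           "LocalSystem"),
    ("QuotedSvc",  r'"C:\Program Files\Quoted Vendor\svc.exe" -run', "LocalSystem"),
    ("SvcHost",    r"C:\Windows\system32\svchost.exe -k netsvcs",   "LocalSystem"),
    ("NoSpaceSvc", r"C:\Tools\agent.exe",                             "LocalSystem"),
    ("UserSvc",    r"C:\Program Files\Other Vendor\tool.exe",        r"NT AUTHORITY\LocalService"),
]

EXE_EXTENSIONS = (".exe", ".com", ".bat", ".cmd")


def _split_points(cmdline: str) -> List[str]:
    """Every prefix of an unquoted command line that ends just before a space,
    followed by the whole string: the order in which CreateProcess tries them."""
    prefixes = [cmdline[:i] for i, ch in enumerate(cmdline) if ch == " " and i > 0]
    prefixes.append(cmdline)
    return prefixes


def _with_default_ext(prefix: str) -> str:
    """CreateProcess appends .exe when the candidate's file name has no extension."""
    base = prefix.rsplit("\\", 1)[-1]
    return prefix if "." in base else prefix + ".exe"


def createprocess_candidates(cmdline: str) -> List[str]:
    """Executable paths CreateProcess tries, in order, for an UNQUOTED command
    line (documented lpApplicationName == NULL behaviour, modelled here)."""
    return [_with_default_ext(p) for p in _split_points(cmdline)]


def audit_services(services: List[Tuple[str, str, str]]) -> List[Dict]:
    """Return one finding per service whose unquoted path gives CreateProcess a
    chance to run something other than the vendor's binary, LocalSystem first."""
    findings = []
    for name, pathname, start_name in services:
        if pathname.startswith('"') or " " not in pathname:
            continue  # quoted, or no space to split on: nothing to hijack
        prefixes = _split_points(pathname)
        # The first prefix that already names an executable is what the vendor
        # meant; every candidate tried before it is a planting point.
        intended = next((i for i, p in enumerate(prefixes)
                         if p.lower().endswith(EXE_EXTENSIONS)), len(prefixes) - 1)
        hijack = createprocess_candidates(pathname)[:intended]
        if not hijack:
            continue
        findings.append({
            "service": name,
            "runs_as": start_name,
            "system": start_name.lower() == "localsystem",
            "hijack_paths": hijack,
            "writable_dirs_needed": [ntpath.dirname(p) for p in hijack],
        })
    findings.sort(key=lambda f: not f["system"])  # LocalSystem targets first
    return findings


if __name__ == "__main__":
    for f in audit_services(SAMPLE_SERVICES):
        print(f"{f['service']} (runs as {f['runs_as']}):")
        for path, directory in zip(f["hijack_paths"], f["writable_dirs_needed"]):
            print(f"  plant {path}  (needs write access to {directory})")
```

Run against real output, the two skips are the important part of the check: a quoted PathName is safe regardless of spaces, and a path with no spaces has nothing to split on. Each remaining finding then needs one more test before it is worth a payload, namely whether the account you hold can actually create the listed file in the listed directory.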
Stack Cookie Bypass Technique
Metasploit exploit developer Juan Vazquez brings us another technical deep-dive into his strategies for bypassing stack cookie protections that he used to exploit CVE-2012-0549 in his module Oracle AutoVue ActiveX Control SetMarkupMode Buffer Overflow. If you are just getting started in exploit development on your own, Juan’s blog posts have been a treasure trove of practical, hands-on wisdom.
New Modules
Here are the new modules — for details and usage, follow the links to Exploit Database.
Auxiliary modules
- SMB Directory Listing Utility by hdm and mubix
- Plixer Scrutinizer NetFlow and sFlow Analyzer HTTP Authentication Bypass by sinn3r, Jonathan Claudius, MC, and Tanya Secker exploits CVE-2012-2626
- WebPageTest Directory Traversal by sinn3r and dun exploits OSVDB-83817
- NetDecision 4.2 TFTP Directory Traversal by juan vazquez and Rob Kraus exploits CVE-2009-1730
Exploit modules
- TestLink v1.9.3 Arbitrary File Upload Vulnerability by Brendan Coles exploits an unreported vulnerability in TestLink
- PHP IRC Bot pbot eval() Remote Code Execution by juan vazquez, bwallHatesTwits, Jay Turla, and evilcry exploits an unreported vulnerability in pbot
- Oracle AutoVue ActiveX Control SetMarkupMode Buffer Overflow by juan vazquez and Brian Gorenc exploits CVE-2012-0549
- Ubisoft uplay 2.0.3 Active X Control Arbitrary Code Execution by Ben Campbell, Richard Hicks, Tavis Ormandy, and phillips321 exploits OSVDB-84402
- GlobalSCAPE CuteZIP Stack Buffer Overflow by juan vazquez and C4SS!0 G0M3S exploits BID-46375
- Cyclope Employee Surveillance Solution v6 SQL Injection by sinn3r and loneferret exploits OSVDB-84517
- Novell ZENworks Asset Management Remote Execution by juan vazquez and Unknown exploits ZDI-11-342
- Windows Service Trusted Path Privilege Escalation by sinn3r takes advantage of unexpected behavior in Windows’ CreateProcess function
- Plixer Scrutinizer NetFlow and sFlow Analyzer 9 Default MySQL Credential by sinn3r, Jonathan Claudius, MC, and Tanya Secker exploits CVE-2012-3951
- NetDecision 4.2 TFTP Writable Directory Traversal Execution by juan vazquez and Rob Kraus exploits CVE-2009-1730
Post modules
- OSX Gather Keychain Enumeration by ipwnstuff