Another week, another fifteen new modules for Metasploit. I continue to be amazed by the productivity of our open source exploit developer community. Thanks so much for your hard work and effort, folks!
New Module for Trusted Path Switcheroo
As I was going over this week's new modules, one that jumped out at me was Wei "sinn3r" Chen's implementation of a general Trusted Path insertion attack, Windows Service Trusted Path Privilege Escalation. I don't recall running into this attack scenario before, but of course, I don't live and breathe the Windows APIs like sinn3r does. Here's how it works, in a nutshell:
- First, find a Windows service that is run in the context of LocalSystem.
- Of those, find a service whose executable lives in an unquoted directory path that contains a space. For example, if a system service runs C:\Program Files\FooCompany\bar.exe (without specifying quotes), you're in.
- Write your malicious executable to a path that mimics the path specifier up until the first space, and launch the service as normal. In the above example, we'd write our executable to C:\Program.exe, so it will be run with the command argument of "Files\FooCompany\bar.exe"
That's pretty much the long and the short of it. Of course, you need the rights to both write to (perhaps) an arbitrary directory and the rights to start and stop services, but Power Users (and better) tend to have those rights by default. If you want to check the paths of all your running Windows processes, the easiest way is probably just firing up a command shell, and running "wmic PROCESS get CommandLine" and eyeballing that for anything missing quotes.
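To turn that eyeballing into something repeatable, here is a small detection script (an added example, not part of the original post or of sinn3r's module) that takes service command lines like the ones "wmic PROCESS get CommandLine" prints, flags the unquoted ones that contain a space, lists the ambiguous prefixes CreateProcess will try first (the places whose write permissions an administrator should audit), and shows the remediated, quoted command line. The sample lines are constructed for the example and are not real output.

```python
import re

# Constructed sample lines in the shape wmic prints them; not real output.
SAMPLE_COMMAND_LINES = [
    r'"C:\Program Files\Good Vendor\svc.exe" -k netsvcs',      # quoted: safe
    r'C:\Program Files\FooCompany\bar.exe',                    # the post's example
    r'C:\Windows\system32\svchost.exe -k LocalService',        # no space: safe
    r'C:\Program Files (x86)\Other Co\agent.exe --service',    # unquoted, spaces
]


def image_path(command_line):
    """Return (path, quoted) for a service command line.

    A quoted path is unambiguous: the executable is whatever sits inside the
    first pair of quotes.  An unquoted path forces CreateProcess to guess where
    the executable name ends, which is the behaviour this check looks for.
    """
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return (cl[1:end] if end != -1 else cl[1:]), True
    # Unquoted: take everything up to and including the .exe extension as the
    # image path, or the whole string if there is no extension to anchor on.
    m = re.match(r'(.*?\.exe)(\s|$)', cl, re.IGNORECASE)
    return (m.group(1) if m else cl), False


def candidate_paths(path):
    """Prefixes CreateProcess tries before the full path, each with .exe added.

    For 'C:\\Program Files\\FooCompany\\bar.exe' that is just 'C:\\Program.exe';
    a path with more spaces yields one candidate per space.  These are the
    locations whose ACLs should be checked for write access by non-admins.
    """
    parts = path.split(' ')
    return [' '.join(parts[:i]) + '.exe' for i in range(1, len(parts))]


def find_unquoted_service_paths(command_lines):
    """Map each unquoted, space-containing command line to its candidate paths."""
    findings = {}
    for cl in command_lines:
        path, quoted = image_path(cl)
        if not quoted and ' ' in path:
            findings[cl] = candidate_paths(path)
    return findings


def quote_image_path(command_line):
    """The remediation: wrap the image path in quotes and leave arguments alone."""
    path, quoted = image_path(command_line)
    if quoted:
        return command_line
    rest = command_line.strip()[len(path):]
    return f'"{path}"{rest}'


if __name__ == "__main__":
    for cl, candidates in find_unquoted_service_paths(SAMPLE_COMMAND_LINES).items():
        print(f"UNQUOTED: {cl}")
        for c in candidates:
            print(f"  would try first: {c}")
        print(f"  fix: {quote_image_path(cl)}")
```

Feed it the real wmic output (one command line per list entry) and anything it prints is a service whose ImagePath needs quoting in the registry, plus the directories to check for loose write permissions.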
Stack Cookie Bypass Technique
Metasploit exploit developer Juan Vazquez brings us another technical deep-dive into his strategies for bypassing stack cookie protections that he used to exploit CVE-2012-0549 in his module Oracle AutoVue ActiveX Control SetMarkupMode Buffer Overflow. If you are just getting started in exploit development on your own, Juan's blog posts have been a treasure trove of practical, hands-on wisdom.
Here are the new modules -- for details and usage, follow the links to our Exploit Database.
- SMB Directory Listing Utility by hdm and mubix
- Plixer Scrutinizer NetFlow and sFlow Analyzer HTTP Authentication Bypass by sinn3r, Jonathan Claudius, MC, and Tanya Secker exploits CVE-2012-2626
- WebPageTest Directory Traversal by sinn3r and dun exploits OSVDB-83817
- NetDecision 4.2 TFTP Directory Traversal by juan vazquez and Rob Kraus exploits CVE-2009-1730
- TestLink v1.9.3 Arbitrary File Upload Vulnerability by Brendan Coles exploits an unreported vulnerability in TestLink
- PHP IRC Bot pbot eval() Remote Code Execution by juan vazquez, bwallHatesTwits, Jay Turla, and evilcry exploits an unreported vulnerability in pbot
- Oracle AutoVue ActiveX Control SetMarkupMode Buffer Overflow by juan vazquez and Brian Gorenc exploits CVE-2012-0549
- Ubisoft uplay 2.0.3 Active X Control Arbitrary Code Execution by Ben Campbell, Richard Hicks, Tavis Ormandy, and phillips321 exploits OSVDB-84402
- GlobalSCAPE CuteZIP Stack Buffer Overflow by juan vazquez and C4SS!0 G0M3S exploits BID-46375
- Cyclope Employee Surveillance Solution v6 SQL Injection by sinn3r and loneferret exploits OSVDB-84517
- Novell ZENworks Asset Management Remote Execution by juan vazquez and Unknown exploits ZDI-11-342
- Windows Service Trusted Path Privilege Escalation by sinn3r takes advantage of unexpected behavior in Windows' CreateProcess function
- Plixer Scrutinizer NetFlow and sFlow Analyzer 9 Default MySQL Credential by sinn3r, Jonathan Claudius, MC, and Tanya Secker exploits CVE-2012-3951
- NetDecision 4.2 TFTP Writable Directory Traversal Execution by juan vazquez and Rob Kraus exploits CVE-2009-1730
- OSX Gather Keychain Enumeration by ipwnstuff
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For additional details on what's changed and what's current, please see the most excellent release notes.