The Android Exploit Mixin
If you're wondering the same thing, I suggest picking up the quite excellent Android Hacker's Handbook by Josh jduck Drake, Zach Lanier, Collin Mulliner, Pau Oliva Fora, Stephen A. Ridley, and Georg Wicherski. With this tome in hand, you can get down to the business of exploring Android as a target. We have a place to stash more exploit techniques now, we provided a functioning Meterpreter payload for Android devices, and many of the authors of the Handbook are already familiar with Metasploit module writing. With all these elements in place, I'm looking forward to a summer of Android exploits.
In other news, Metasploit contributor Anwar Mohamed has indicated that he's starting work on an iPhone version of Meterpreter, starting with a couple posts to the metasploit-hackers mailing list. If you're interested in helping out there, I'm sure he'd take it. After all, I don't want to give the impression that Metasploit is only interested in beating up on Android. We're happy to target pretty much any device that's hanging around on the Internet.
In addition to the above-mentioned Android file format exploit, we have a new exploit for the Easy File Management Web Server, as well as a handy new scanner module which tests for the OpenSSL ChangeCipherSpec vulnerability announced a couple weeks ago, and a slew of other auxiliary modules. Check 'em out below:
- Easy File Management Web Server Stack Buffer Overflow by Julien Ahrens, TecR0c, and superkojiman exploits OSVDB-107241
Auxiliary and post modules
- Chromecast YouTube Remote Control by wvu
- MongoDB NoSQL Collection Enumeration Via Injection by Brandon Perry
- Cisco SSL VPN Bruteforce Login Utility by Jonathan Claudius
- OpenSSL Server-Side ChangeCipherSpec Injection Scanner by juan vazquez, Craig Young, and Masashi Kikuchi exploits CVE-2014-0224
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows, either the totally free Metasploit Community Edition, or the 14-day free trial of Metasploit Pro. If you're the sort to track bleeding-edge development code, then these modules are but an msfupdate command away. For readers who are already using Metasploit Community or Metasploit Pro, you'll be able to install the new hotness today via the Administration : Software Updates button.