New Shiny in the Metasploit Framework
egypt
Disclaimer
Most of this stuff is:
 Not my code
 Not my research
 Awesome in spite of my involvement
New Shiny in the Metasploit Framework
Infrastructure Stuff
SVN
SVN is Dead
Our SVN server was constantly DDoSed
 Sometimes unintentionally by dumb scrapers
SVN is kinda slow anyway
Big changes required lots more requests
Now we're 100% on GitHub
Yay two-and-a-half-nines!
Stable Updates
In an installer environment
 Updates about once per week
Development env is still easy to set up
 Tracks bleeding edge (master branch)
Exploitation Stuff
SAP
Several people's research
 CJR did some fun stuff ~2011
 Mariano Nuñez
 Pulled together by nmonkee
Tons of highly valuable information
sap_smb_relay
Convince the SAP box to connect via UNC
SAPRouter
set Proxies sapni:192.0.2.1:3299
UPnP
HDM's research
Tons of devices all over everywhere
Mostly ancient and never updated
libupnp
Intel/Portable SDK for UPnP Devices
Seven, count 'em, SEVEN vulns in one function
Actual libupnp code:
strncpy( TempBuf, ptr1, ptr3 - ptr1 );
Trigger with one UDP packet
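The pattern behind that one line, as an added example constructed for this page (not libupnp's own code): the copy length is the distance between two pointers the attacker places in an SSDP header, so a long token between the delimiters overruns a fixed-size stack buffer. TEMPBUF_LEN, the delimiter strings, the URN tail and every function name here are assumptions; the hardened form next to the vulnerable one checks the length against the buffer before copying and always terminates.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed analogue of the quoted libupnp pattern, not the library's
 * own code.  An SSDP USN header carries "uuid:<token>::<urn>"; the
 * parser locates the delimiters and copies the token between them into
 * a fixed-size stack buffer.  TEMPBUF_LEN, the delimiter strings and
 * all function names are assumptions for this example. */
#define TEMPBUF_LEN 180

/* Locate the token: returns its length (0 if a delimiter is missing)
 * and sets *start.  This is exactly the ptr3 - ptr1 arithmetic. */
static size_t find_token(const char *usn, const char **start)
{
    const char *ptr1 = strstr(usn, "uuid:");
    const char *ptr3;
    if (ptr1 == NULL)
        return 0;
    ptr1 += strlen("uuid:");
    ptr3 = strstr(ptr1, "::");
    if (ptr3 == NULL)
        return 0;
    *start = ptr1;
    return (size_t)(ptr3 - ptr1);
}

/* The length the vulnerable strncpy would be handed for this USN.
 * Pure arithmetic, so it is safe to evaluate on an oversized input. */
size_t usn_token_length(const char *usn)
{
    const char *start;
    return find_token(usn, &start);
}

/* Vulnerable form: n is attacker-chosen and never compared with the
 * buffer size, so a token longer than TEMPBUF_LEN writes past the
 * caller's buffer.  Only call it with a token that fits. */
void usn_token_copy_vulnerable(const char *usn, char TempBuf[TEMPBUF_LEN])
{
    const char *ptr1;
    size_t n = find_token(usn, &ptr1);
    if (n == 0)
        return;
    strncpy(TempBuf, ptr1, n);  /* same shape as the quoted line */
    TempBuf[n] = '\0';          /* strncpy does not terminate when n fills the buffer */
}

/* Hardened form: refuse anything that does not fit with its terminator. */
int usn_token_copy_safe(const char *usn, char *buf, size_t bufsz)
{
    const char *ptr1;
    size_t n = find_token(usn, &ptr1);
    if (n == 0 || n >= bufsz)
        return -1;
    memcpy(buf, ptr1, n);
    buf[n] = '\0';
    return 0;
}

/* Build a constructed USN whose token is token_len bytes of 'A'. */
int build_usn(char *out, size_t outsz, size_t token_len)
{
    const char *tail = "::urn:schemas-upnp-org:device:1";  /* constructed sample */
    if (outsz < strlen("uuid:") + token_len + strlen(tail) + 1)
        return -1;
    strcpy(out, "uuid:");
    memset(out + strlen("uuid:"), 'A', token_len);
    strcpy(out + strlen("uuid:") + token_len, tail);
    return 0;
}

/* Helpers that exercise both forms against a token of a given length. */
size_t demo_token_length(size_t token_len)
{
    char usn[1024];
    return build_usn(usn, sizeof usn, token_len) ? 0 : usn_token_length(usn);
}

int demo_safe_copy(size_t token_len)
{
    char usn[1024], buf[TEMPBUF_LEN];
    if (build_usn(usn, sizeof usn, token_len))
        return -2;
    return usn_token_copy_safe(usn, buf, sizeof buf);
}

int main(void)
{
    char usn[1024], TempBuf[TEMPBUF_LEN];
    build_usn(usn, sizeof usn, 36);
    usn_token_copy_vulnerable(usn, TempBuf);
    printf("36-byte token copied fine: %s\n", TempBuf);
    printf("400-byte token: strncpy length %zu into a %d-byte buffer; "
           "safe copy returns %d\n",
           demo_token_length(400), TEMPBUF_LEN, demo_safe_copy(400));
    return 0;
}
```

The check a reviewer wants is the one the vulnerable form lacks: compare the attacker-derived length with the destination size before the copy, and remember that strncpy leaves the buffer unterminated when the length exactly fills it.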
IPMI
Intelligent Platform Management Interface
Dan Farmer, HDM
Protocol, run by Baseboard Management Controllers (BMCs)
 iDRAC, iLO, lots of others
Spec requires cleartext password storage
Design-level auth bypass
multi/upnp/libupnp_ssdp_overflow
Remote root on SuperMicro BMCs
Old skewl ret2libc to call system(3)
Other Fun Embedded Stuff
Michael Messner's research
14 exploits for consumer routers and such
WinRM / WinRS
thelightcosine's research
psexec is so last year
PhpEXE
Mixin for PHP code execution bugs
For ARCH_PHP payloads, just returns payload
For others, drops a proper executable
 Then tries to unlink it
FileDropper
Convenience methods for cleaning up files
Works for exploits and post
Heap Spraying
corelanc0d3r's research, implemented by sinn3r
Uses JS to create many button elements
Fast, easy, reliable on IE and Firefox
ROP DB
XML format for describing ROP chains
Supported by mona.py
Mem Vuln Landscape has Changed
Mandatory ASLR, DEP
Sandboxing
Automatic, no-interaction updates
A Boatload of Browser 0-day
Pwn2own
Targeted Attacks
 FBI Firefox
At least 3 IE vulns used in the wild
Flash
A Boatload of JRE 0-day
So many vulns that Oracle basically disabled it
Payload Stuff
New Repositories!
rapid7/metasploit-javapayload
rapid7/meterpreter
Easier to build, maintain, and test
Mac OS X stuff
x64 payloads
 osx/x64/say
lol awk
Awk is a text processing utility
GNU likes to extend utilities
GNU Awk has a full TCP API
lolwut
Ruby Payloads
Created for the Rails XML and YAML bugs
Android Meterpreter
Kinda Proof-of-Concepty
 Requires APK installation
 Have to tap on a UI element
But still awesome
Most features work
 File manipulation
 Configuration stuff
 And Pivoting!
Demo
Android meterpreter in emulator
Python Meterpreter
Based on PHP
 But don't judge
Authenticated Proxies
reverse_https_proxy
Mimikatz
In-memory password stealer
Cleartext creds for all the things
Demo
Stealing passwords with mimikatz
New Meterpreter API Stuff
netstat/arp commands
Victim-side DNS Resolution
General Meterpreter Improvements
Updated to VS2012
 Much easier to build
Fixed a bug with Reflective DLL Injection
Fixed x64 reverse_https
Fixed stability issues with sniffer on x64
Encoding Stuff
CmdStagerEcho
Uses echo -ne
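The idea behind an echo -ne stager, as an added example constructed for this page (not Metasploit's CmdStagerEcho code): split a binary into shell commands, each short enough for the target's command-line limit, that rebuild the file byte for byte by redirecting echo -ne '\xHH...' output. The path, line limit, function names and the sample bytes are assumptions; the decoder at the end exists only to prove the round trip offline.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example of the echo -ne staging idea, not Metasploit's
 * CmdStagerEcho code.  Assumes the target echo honours -n and -e (bash,
 * busybox); dash's builtin prints "-ne" literally, so check that
 * echo -ne '\x41' prints A on the target before relying on it. */

/* Emit newline-separated commands into out.  Returns the command count,
 * or 0 if max_cmd cannot hold even one byte or out is too small. */
size_t echo_stager(const unsigned char *data, size_t len, const char *path,
                   size_t max_cmd, char *out, size_t outsz)
{
    const size_t overhead = strlen("echo -ne '") + strlen("' >>") + strlen(path);
    size_t per_cmd, pos = 0, used = 0, ncmd = 0;

    if (max_cmd < overhead + 4)          /* \xHH: four characters per byte */
        return 0;
    per_cmd = (max_cmd - overhead) / 4;
    while (pos < len) {
        size_t i, n = len - pos < per_cmd ? len - pos : per_cmd;
        int w = snprintf(out + used, outsz - used, "echo -ne '");
        if (w < 0 || (size_t)w >= outsz - used) return 0;
        used += (size_t)w;
        for (i = 0; i < n; i++) {
            w = snprintf(out + used, outsz - used, "\\x%02x", data[pos + i]);
            if (w < 0 || (size_t)w >= outsz - used) return 0;
            used += (size_t)w;
        }
        /* first command truncates a stale file, the rest append */
        w = snprintf(out + used, outsz - used, "' %s%s\n",
                     ncmd == 0 ? ">" : ">>", path);
        if (w < 0 || (size_t)w >= outsz - used) return 0;
        used += (size_t)w;
        pos += n;
        ncmd++;
    }
    return ncmd;
}

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Reassemble what the target shell would write by interpreting every
 * \xHH escape in the script.  Returns the byte count, 0 on bad input. */
size_t echo_stager_decode(const char *script, unsigned char *out, size_t outsz)
{
    size_t n = 0;
    const char *p;
    for (p = script; (p = strstr(p, "\\x")) != NULL; p += 4) {
        int hi = hexval(p[2]), lo;
        if (hi < 0) return 0;
        lo = hexval(p[3]);
        if (lo < 0 || n >= outsz) return 0;
        out[n++] = (unsigned char)(hi * 16 + lo);
    }
    return n;
}

/* Longest line in the script, to confirm the limit was respected. */
size_t longest_line(const char *script)
{
    size_t best = 0, cur = 0;
    for (; *script; script++) {
        if (*script == '\n') { if (cur > best) best = cur; cur = 0; }
        else cur++;
    }
    return cur > best ? cur : best;
}

/* Round-trip a constructed 300-byte blob (it contains NUL and high bytes)
 * through a 100-character limit; returns the command count on byte-exact
 * recovery, 0 otherwise. */
size_t echo_stager_selftest(void)
{
    unsigned char blob[300], back[300];
    char script[4096];
    size_t i, ncmd;
    for (i = 0; i < sizeof blob; i++)
        blob[i] = (unsigned char)(i * 7 + 0x7f);
    ncmd = echo_stager(blob, sizeof blob, "/tmp/m", 100, script, sizeof script);
    if (ncmd == 0 || longest_line(script) > 100)
        return 0;
    if (echo_stager_decode(script, back, sizeof back) != sizeof blob ||
        memcmp(blob, back, sizeof blob) != 0)
        return 0;
    return ncmd;
}

int main(void)
{
    /* constructed 6-byte sample (an ELF header prefix), not a real binary */
    const unsigned char sample[] = { 0x7f, 'E', 'L', 'F', 0x02, 0x01 };
    char script[256];
    echo_stager(sample, sizeof sample, "/tmp/m", 40, script, sizeof script);
    fputs(script, stdout);
    printf("self-test commands: %zu\n", echo_stager_selftest());
    return 0;
}
```

The per-command byte budget is what matters in practice: the line limit comes from the target shell and transport, every byte costs four characters once hex-escaped, and a NUL or high byte has to survive, which is why the self-test blob deliberately contains both.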
Better /bin/sh Command Encoding
Handles more badchar edge-cases
Stage Encoding
Adds randomness to second stage
Makes network IDS have to work for a living
Other Stuff
DB Creds for AuthBrute Modules
Lets you easily reuse creds
Pop a box, steal creds with mimikatz
 Or one of the many post modules
smb_login with them
Questions
@egyp7
egypt@metasploit.com
#metasploit on Freenode