Weekly Metasploit Wrapup

Taking Care of Universal Business: the Handler’s Tale With a few exceptions, payloads have to have a handler. That’s the guy who waits with the car while your exploit runs into the liquor store. To run an exploit module, we have to select and configure a payload first. In some cases, Metasploit can do this for you automatically, by just guessing that you probably wanted the best payload for the target platform and architecture. Once the payload is set up, we have to have a way to talk to it — that’s the handler. For a reverse style payload like windows/meterpreter/reverse_tcp, Metasploit will open a listening socket on the attacker machine and wait for connections from the payload. For bind, style where the payload listens on the victim machine, Metasploit starts a loop attempting to connect to that listener. (When we talk about Metasploit payloads, we always call the payload the server and msfconsole the client, regardless of which direction the TCP session is going.) Once the connection is established, two things can happen. First, if the handler is expecting a stageless payload, msfconsole sets up an interactive session that you can use to control the payload, whether that’s a socket <-> terminal passthrough like a raw shell connection or the full-fledged client that meterpreter needs. If, on the other hand, the payload is staged, the handler needs to transmit more code for the first stage to read and run. When that’s done, everything proceeds the same as for a stageless payload. Either way, it is very important that the payload and the handler have matching settings. If a staged payload expects x86 shellcode and the handler thinks it is talking to a MIPS payload, the second stage will crash and you’ll lose your shell despite having successfully achieved code execution. Similarly, if the payload is staged and the handler is stageless, the server will either a) wait forever for shellcode that will never come or b) it will take whatever you type into the console as shellcode, which will certainly fail unless your binary typing skills are significantly better than mine. You usually don’t have to worry too much about any of this, because everything is taken care of for you automatically when you type run. Where it gets complicated is when you need to have multiple payloads or run multiple exploits using the same listener port. To accomplish that, it is often useful to have a handler independent of an exploit. Metasploit has exploit/multi/handler, which is a special exploit module that isn’t really an exploit, for exactly this purpose. All it does is allow you to configure a payload and run the handler for it. This week’s update introduces a new command, handler, which does all the same work as multi/handler (and in fact runs multi/handler in the background) all from a single command. This means you no longer have to move away from the context of the exploit you’re working in to set up a handler. Having independent handlers is also super useful for when you want create a payload outside of the current msfconsole. The perfect example here is when using something like veil to generate executables that bypass antivirus for manual delivery. When the payload is not associated with an exploit, you have to tell Metasploit the details that it would normally have from the exploit’s settings. Unfortunately, there are a couple of disadvantages with this. First, it’s error-prone. If the settings in your payload and handler don’t match, like I mentioned above, things will crash and you’ll be missing out on shells. Second, it requires multiple listening ports if you want to be able to handle multiple platforms or architectures. Sometimes that’s not a big deal, but when you’re dealing with organizations that have strong egress filtering, it can become an insurmountable hassle. This week’s update makes all reverse HTTP handlers use a single handler. This means you can run multi/handler (or the new handler command) to set up a single HTTP handler on port 443, with a real CA-signed certificate, and point staged and/or stageless meterpreters for any of the supported platforms all at the same place. This isn’t perfect yet. Native Linux Meterpreter and its up and coming replacement, Mettle, don’t yet support HTTP, so they can’t yet take advantage of the new handler. TCP payloads can theoretically do something similar, but the implementation will require changing the way stagers work, which is always challenging because of the extreme space restrictions they have to operate under and the fact that changing the staging protocol will make all existing stagers stop working. If you have ideas for how to accomplish that without breaking everyone’s existing payloads, I’d love to hear them. New Modules Auxiliary and post modules (1 new)Create an AWS IAM User by Javier Godinez, and Jon Hart Get it As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:Pull Requsts 4.13.5…4.13.6Full diff 4.13.5…4.13.6 To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Link: https://community.rapid7.com/community/metasploit/blog/2016/12/16/weekly-metasploit-wrapup

PyJFuzz – Python JSON Fuzzer

PyJFuzz is a small, extensible and ready-to-use framework used to fuzz JSON inputs , such as mobile endpoint REST API, JSON implementation, Browsers, cli executable and much more. Version 1.1.0 Homepage http://www.mseclab.com/ Github https://github.com/mseclab/PyJFuzz Author Daniele Linguaglossa ( @dzonerzy ) License MIT – (see LICENSE file) Installation Dependencies In order to work PyJFuzz need a single dependency, bottle , you can install it from automatic setup.py installation. Installation You can install PyJFuzz with the following command git clone https://github.com/mseclab/PyJFuzz.git && cd PyJFuzz && sudo python setup.py install Documentation and Examples CLI tool Once installed PyJFuzz will create both a python library and a command-line utility called pjf (screenshot below) Library PyJFuzz could also work as a library, you can import in your project like following from pyjfuzz.lib import * Classes The available object/class are the following: PJFServer – User to start and stop built-in HTTP and HTTPS servers PJFProcessMonitor – Used to monitor process crash, it will automatically restart proccess each time it crash PJFTestcaseServer – The testcase server is used in conjunction with PJFProcessMonitor, whenever a process crash the testcase server will register and store the JSON which cause the crash PJFFactory – It’s the main object used to do the real fuzz of JSON objects PJFConfiguration – It’s the configuration file for each of the available objects PJFExternalFuzzer – Used by PJFactory is a auxiliary class which provide an interface to other command line fuzzer such as radamsa PJFMutation – Used by PJFFactory provide all the mutation used during fuzzing session PJFExecutor – Provides an interface to interact with external process Examples Below some trivial example of how-to implement PyJFuzz powered program simple_fuzzer.py from argparse import Namespacefrom pyjfuzz.lib import *config = PJFConfiguration(Namespace(json={“test": ["1", 2, True]}, nologo=True, level=6))fuzzer = PJFFactory(config)while True: print fuzzer.fuzzed simple_server.py from argparse import Namespacefrom pyjfuzz.lib import *config = PJFConfiguration(Namespace(json={"test": ["1", 2, True]}, nologo=True, level=6, debug=True, indent=True))PJFServer(config).run()Sometimes you may need to modify standard non customizable settings such as HTTPS or HTTP server port, this can be done in the following way from argparse import Namespacefrom pyjfuzz.lib import *config = PJFConfiguration(Namespace(json={"test": ["1", 2, True]}, nologo=True, level=6, indent=True))print config.ports["servers"]["HTTP_PORT"] # 8080print config.ports["servers"]["HTTPS_PORT"] # 8443print config.ports["servers"]["TCASE_PORT"] # 8888config.ports["servers"]["HTTPS_PORT"] = 443 # Change HTTPS port to 443 Remember : When changing default ports, you should always handle exception due to needed privileges! Below a comprehensive list of all available settings / customization of PJFConfiguration object: Configuration table Name Type Description json dict JSON object to fuzz json_file str Path to a JSON file parameters list List of parameters to fuzz (taken from JSON object) techniques list <int> List of polyglot attack, used to generate fuzzed JSON, such as XSS, LFI etc. They are in the range 0-13 (Look techniques table ) level int Fuzzing level in the range 0-6 utf8 bool If true switch from unicode encode to pure byte representation indent bool Set whenever to indent the result object url_encode bool Set whenever to URLEncode the result object strong_fuzz bool Set whenever to use strong fuzzing (strong fuzzing will not maintain JSON structure, usefull for parser fuzzing) debug bool Set whenever to enable debug prints exclude bool Exclude from fuzzing parameters selected by parameters option notify bool Set whenever to notify process monitor when a crash occurs only used with PJFServer html str Path to an HTML directory to serve within PJFServer ext_fuzz bool Set whenever to use binary from "command" as an externale fuzzer cmd_fuzz bool Set whenever to use binary from "command" as fuzzer target content_type str Set the content type result of PJFServer (default application/json ) command list <str> Command to execute each paramester is a list element, you could use shlex.split from python Techniques table Index Description 0 XSS injection (Polyglot) 1 SQL injection (Polyglot) 2 LFI attack 3 SQL injection polyglot (2) 4 XSS injection (Polyglot) (2) 5 RCE injection (Polyglot) 6 LFI attack (2) 7 Data URI attack 8 LFI and HREF attack 9 Header injection 10 RCE injection (Polyglot) (2) 11 Generic templace injection 12 Flask template injection 13 Random character attack Screenshots Below some screenshot just to let you know what you should expect from PyJFuzz Built-in tool PyJFuzz is shipped with a built-in tool called PyJFuzz Web Fuzzer , this tool will provide an automatic fuzzing console via HTTP and HTTPS server, it can be used to easly fuzz almost any web browser even when you can’t control the process state! There are two switch used to launch this tool (–browser-auto and –fuzz-web), the first one perform automatic browser restart when a crash occur, the other one try to catch when a browser doesn’t make requests anymore. Both of them always save the testcases, below some screenshots. End Thanks for using PyJFuzz! Happy Fuzzing from mseclab Download PyJFuzz

Link: http://feedproxy.google.com/~r/PentestTools/~3/Sav7YMqS32A/pyjfuzz-python-json-fuzzer.html

[security bulletin] HPSBMU03684 rev.1 – HPE Version Control Repository Manager (VCRM), Multiple Remote Vulnerabilities

Posted by security-alert on Dec 16Note: the current version of the following document is available here:


Document ID: c05356363
Version: 1

HPSBMU03684 rev.1 – HPE Version Control Repository Manager (VCRM), Multiple
Remote Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2016-12-15

Link: http://seclists.org/bugtraq/2016/Dec/37

[SECURITY] [DSA 3736-1] libupnp security update

Posted by Sebastien Delafond on Dec 16————————————————————————-
Debian Security Advisory DSA-3736-1 security () debian org
https://www.debian.org/security/ Sebastien Delafond
December 16, 2016 https://www.debian.org/security/faq

Package : libupnp
CVE ID : CVE-2016-6255 CVE-2016-8863

Link: http://seclists.org/bugtraq/2016/Dec/36

CVE-2016-9277,CVE-2016-9966,CVE-2016-9967: Possible Privilege Escalation in telecom

Posted by unlimitsec on Dec 16Description of the potential vulnerability:Lack of appropriate exception handling in some receivers of the Telecom
application allows attackers crash the system easily resulting in a possible DoS attack
Affected versions: L(5.0/5.1), M(6.0)
Disclosure status: Privately disclosed.
The patch prevents system crashes by handling unexpected exceptions.

SVE-2016-7119, SVE-2016-7120,…

Link: http://seclists.org/bugtraq/2016/Dec/35