Firefox Payloads

Hey, remember last summer when it was reported that the FBI was allegedly targeting Firefox with an 0day to nab criminals? Turns out, perhaps whoever was really behind it wasn't thinking far enough outside the box, because Firefox has some built-in functionality for some pretty nifty trickery which should make life significantly easier for the penetration tester and social engineer-er.

As of this week, Metasploit features three new Firefox-specific payloads: a regular command execution payload, a shell bound to an arbitrary TCP port, and a reverse-TCP shell bind, all from the inestimable Joe Vennix. I won't spill the beans on the technical details too much here, because he should have a blog post out soon on this that goes into the nitty-gritty.

Of course, since Metasploit Framework is all full of open source goodness and light, you can peek in on the diffs yourself to see how it was implemented. Unlike some shadier organizations, we like sharing our Firefox exploitation techniques to move the state of the art of defense forward for everyone.

VirusTotal Checking on the Command Line

Meanwhile, Wei @_sinn3r Chen has put together some pretty awesomely cool tooling around testing arbitrary binaries and shellcode with VirusTotal. You might have caught Mark Russinovich's tweet about Process Explorer cross-referencing against VirusTotal hashes, which is both fun and useful, and we've been wanting to make that kind of thing easier for exploit devs, too. Again, expect a more in-depth blog post about this from Wei Real Soon now. In the meantime, check out Metasploit's VirusTotal Malware Sampler, pictured at right.

Unstable Modules

You know that I love each and every one of our open source contributors. Honestly, I do. You make Metasploit go. Sometimes, though, we get some new whiz-bang exploit or auxiliary that doesn't quite cut it, and no reasonable amount of work we can do here will get it over the line. Usually, it's because the original contributor loses interest or access in the target, and becomes unresponsive to needed improvements.

This week, I spent some time documenting what's actually supposed to happen with these modules, which is where the unstable Metasploit branch comes in. You're welcome to read up on the procedures we use to land unstable modules, which is quite thrilling. But that's not the point of this blog post.

The point is, git and GitHub makes it easy to be a pack rat about these kinds of things -- git means never having to delete half-finished content, ever. If you compare unstable to master, you can see some decent statistics on what's lurking down in unstable and how old some of it is. If you're half way proficient with the git command line, you can just checkout the unstable branch locally, head on down the unstable-modules directory, and see what's there.

This creates a great opportunity for someone who might want to contribute to Metasploit, but not sure of where to start. Nominally, most of the work is already done on a module by the time it hits the unstable graveyard -- it just needs a push to get over the finish line. So, new contributors are welcome to ply their necromancy and resurrect these modules and help them fulfill their destiny. If this sounds like something you'd like to do, just be sure to mention the unstable branch in your pull request so we can excise the old and busted version once you land your new hotness.

New Modules

Turns out, there are some more backdoors floating around the SOHO router landscape, so we have three new modules this week written by Matt Andreko which implement Eloi Vanderbeken's techniques used to discover and exploit them. You are cordially invited to read Matt's HOWTO blog post for more technical detail about his adventures in backdoored router exploitation.

With that, here are this week's haul of new Metasploit modules:

Exploit modules

SerComm Device Remote Code Execution by Eloi Vanderbeken and Matt "hostess" Andreko exploits OSVDB-101653

Auxiliary and post modules

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.