Entries in Metasploit (7)


Goot Root?

Why is Linux safer than Windows? Because linux-tpreter hasn't been updated.  That is always a favorite joke I hear among the community.  Today with the update of Metasploit 4.2, I saw a module that I had always meant to check out: Post Sudo Upgrade on a shell.

Thanks to this module by todb, post/multi/manage/sudo, privilege escalation on an Ubuntu host is point, click, pwn!


Let's up the Ante

The Metasploit team is giving an incentive for the community for exploits, CASH!

The Metasploit team is excited to announce a new incentive for community exploit contributions: Cash! Running until July 20th, our Exploit Bounty program will pay out $5,000 in cash awards (in the form of American Express gift cards) to any community member that submits an accepted exploit module for an item from our Top 5 or Top 25 exploit lists. This is our way of saying thanks to the open source exploit development community and encouraging folks who may not have written Metasploit modules before to give it a try.

We at HackMiami love the framework and both Express and Pro versions.  We also love the exploit development community and we love CASH!


Hack Miami will add $25 to the winners of the Top 5 list, bringing the total cash to $525.

TOP 5 List ($525 bounty, up from $500)


CVE        Description                                                                                          Owner
2011-1807  Google Chrome before 11.0.696.71 does not properly handle blobs, allowing execution of arbitrary code.
2011-1218  Lotus Notes - Autonomy Keyview (.zip attachment)
2011-1206  IBM Tivoli Directory Server
2011-0657  Vulnerability in DNS Resolution Could Allow Remote Code Execution
2011-0041  Vulnerability in GDI+ Could Allow Remote Code Execution


We also recognize being quick and knocking out exploits on demand.

Hack Miami will add $25 to the first person who gets any of the 30 exploits into the trunk.


Good Luck All... Happy Coding!


Using Metasploit to remove Malware

So I have a family member who loves malware; however, he is not like us who like to research and understand it.  He likes to go to websites ("I never went to that site.") and click every link possible as fast as he can.

As a result, he has a great collection of malware. 

He has gotten every version of FakeAV known.  Here is how I use Metasploit to remove it.


Step 1:  Generate a windows meterpreter executable and rename it "explorer.exe".  Most malware does not allow any AV or Malwarebytes to run.  Renaming the file "explorer.exe" will allow it to get through on the malware's whitelist.

Step 2: Run our executable on the infected machine and connect back/bind to the meterpreter session.  Since Meterpreter does not touch disk and injects itself into memory this is a great way to get a foothold onto the machine. 

Step 3: Escalate to SYSTEM.  Windows 7 is no longer a problem thanks to @Dave_Rel1k and @KevinMitnick UACBypass.  I love this script/post exploit module.  Go to @Derbycon!

Step 4: Reward yourself... I recommend Crown Royal with a splash of Ginger Ale.  YMMV

Step 5: Now that you are SYSTEM, type "ps".  Some of these things are not like the other.  Some of these things just don't belong.

Step 6: Identify the PID number next to the rogue processes and "kill ####"

Step 7: At this point, you should have broken the hold on the system that the malware had.  Install 

Step 8: Run some scans and remove the naughty objects.  I also recommend something AV/Malware Related... McAfee, Microsoft Security thingy, anything....  Check NSSLabs for some recommendations.

Step 9: Give the computer back to your family member and wait till next week when he finds a new site that he didn't visit and runs a file he never ran!




virusscan_bypass.rb: Now with a lame security bulletin

@mubix shared a link with me earlier this morning.  Security Bulletin - VSE 8.7 and earlier Metasploit payload attack

After my research and loss of faith in Anti-Virus technology, I decided to look at this further.


Let's look at the Bulletin. 

McAfee is aware of a publicly disclosed attack that could disable VSE running on a customer’s machine.

There was an update to the Metasploit Framework on Christmas Eve that added a script from Mert SARICA that silently kills McAfee VirusScan as well as some other fun options.  This was in revision 11411.

This isn't an attack but something an attacker could do once you click on that email link that promised you a gazillion dollars from some guy who needs your help transferring his dead cat's fortune out of a war torn condominium complex. 

This attack is not a standalone attack, but acts as a payload to be chained via another attack.

Once again, at this point you are owned and Game Over already!

The attack was disclosed in a public tool.

While this is a Metasploit script, the only tool I see is the one who QA'ed the DAT file (6209).

Mitigating Factors

  • McAfee has released a DAT file (6209) which detects the Metasploit plug-in used to run this attack.


Updated to the latest version!

I am protected....  NOT! WTF?


The target machine is Windows XP Pro SP3... Fresh install, OS patched, installed McAfee AV and updated.

I generated a meterpreter executable and copied it to the desktop.  Great On-Access Protection!

I ran the executable and now I have a session.  Let's list the processes running.

I found McShield.exe running with a PID of 916.

Running as an Administrator, I run the script.  This will upload an executable to the target and add it to the exclusion list.  I am going to choose to kill McAfee altogether.

It should be noted that McTray.exe was also killed so we don't get the tray icon.  However, on the target machine, the user would only see the tray icon silently disappear. We can confirm that McAfee is McGone by looking at the process list.
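As an added example (not code from this post or from the Metasploit project), here is a small Python script that does the process-list check just described, and also the "some of these things are not like the other" step from the malware-removal walkthrough earlier on this page: it parses a meterpreter ps listing, flags processes that look out of place, and reports when an expected security process such as McShield.exe is no longer running. The ps sample inside it is constructed, not captured from the test machine; the column set follows a typical meterpreter ps listing (older versions may show fewer columns), and the SYSTEM_BINARIES and USER_WRITABLE lists, the rhnjk.exe name and the mcshield.exe default are assumptions made for the example.

```python
"""Triage a meterpreter ``ps`` listing (added example, not the post's code).

Parse the table, flag processes that look out of place, and confirm that
expected security processes (here McAfee's McShield.exe) are still running.
Nothing here kills anything; it only produces the PIDs and reasons a human
should look at before deciding on ``kill``.
"""
import re

# Constructed sample of meterpreter ``ps`` output (not captured from a real host).
# It mimics the layout: columns separated by two or more spaces, short rows where
# User or Path is unknown. rhnjk.exe is an invented FakeAV-style random name.
SAMPLE_PS = r"""
Process List
============

 PID   PPID  Name              Arch  Session  User                 Path
 ---   ----  ----              ----  -------  ----                 ----
 0     0     [System Process]
 4     0     System            x86   0        NT AUTHORITY\SYSTEM
 548   4     smss.exe          x86   0        NT AUTHORITY\SYSTEM  \SystemRoot\System32\smss.exe
 916   620   McShield.exe      x86   0        NT AUTHORITY\SYSTEM  C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
 1320  1280  explorer.exe      x86   0        XPPRO\user           C:\WINDOWS\Explorer.EXE
 1880  1320  explorer.exe      x86   0        XPPRO\user           C:\Documents and Settings\user\Desktop\explorer.exe
 2044  1320  rhnjk.exe         x86   0        XPPRO\user           C:\Documents and Settings\user\Local Settings\Application Data\rhnjk.exe
"""

COLUMNS = ("pid", "ppid", "name", "arch", "session", "user", "path")

# Assumed list: names that belong under the Windows directory; the same name
# running from anywhere else (a renamed payload on the Desktop) is a masquerade.
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                   "csrss.exe", "services.exe", "smss.exe", "spoolsv.exe"}
SYSTEM_ROOTS = ("c:\\windows\\", "\\systemroot\\")
# Assumed list: path fragments for user-writable locations droppers favour.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\",
                 "\\application data\\", "\\appdata\\", "\\desktop\\")


def parse_ps(text):
    """Parse ``ps`` output into dicts keyed by COLUMNS.

    Relies on the table separating columns with two or more spaces while values
    (paths, 'NT AUTHORITY\\SYSTEM') contain single spaces only. Everything before
    the PID/PPID header row, and the dashed rule beneath it, is skipped.
    """
    procs, in_table = [], False
    for line in text.splitlines():
        fields = re.split(r" {2,}", line.strip())
        if not in_table:
            in_table = fields[:2] == ["PID", "PPID"]
            continue
        if not line.strip() or fields[0].startswith("-"):
            continue
        fields += [""] * (len(COLUMNS) - len(fields))   # short rows lack User/Path
        proc = dict(zip(COLUMNS, fields))
        proc["pid"], proc["ppid"] = int(proc["pid"]), int(proc["ppid"])
        procs.append(proc)
    return procs


def triage(procs, required=("mcshield.exe",)):
    """Return (suspicious, missing).

    suspicious: (pid, name, reason) tuples worth a closer look before any kill.
    missing:    names from ``required`` that are not running; an AV-kill script
                like the one in the bulletin leaves exactly this gap.
    """
    suspicious = []
    for p in procs:
        name, path = p["name"].lower(), p["path"].lower()
        if name in SYSTEM_BINARIES and path and not path.startswith(SYSTEM_ROOTS):
            suspicious.append((p["pid"], p["name"], "system binary name from a non-system path"))
        elif any(frag in path for frag in USER_WRITABLE):
            suspicious.append((p["pid"], p["name"], "runs from a user-writable location"))
    running = {p["name"].lower() for p in procs}
    missing = [r for r in required if r.lower() not in running]
    return suspicious, missing


if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    suspicious, missing = triage(procs)
    for pid, name, reason in suspicious:
        print(f"look at PID {pid:<5} {name:<14} {reason}")
    for name in missing:
        print(f"expected security process not running: {name}")
```

On the constructed sample this points at PIDs 1880 and 2044 and reports nothing missing; feed it a listing taken after the bypass script has run and McShield.exe shows up in the missing list, which is the same signal a defender's host monitoring should raise. The two-space column rule is deliberate: a path containing two consecutive spaces would be split wrongly, so on real output check the parsed path column against what the console shows.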

We now have full control of the target machine; however, we probably don't want it since it has been owned and now has the Zeus Trojan.

On a reboot, McAfee is back; however, it requires a reboot.  Trying to load McAfee again before the reboot results in a notification of ownage!

Let's recap the timeline.

Script was added 12/24: Merry Christmas

Security Bulletin was issued 12/30: Happy New Year

On 1/5 the script still kills McAfee AV


How can you protect yourself?  Do you load Symantec?

Watch Mubix uninstall Symantec's SEP.

All of this was released in 2010 and prior.  I can't wait to see what 2011 brings.

Welcome to 2011, the year of the #FAIL... again.


UPDATE 01/06/2010

It looks like the virusscan_bypass.rb script had a bug that caused the termination of the McShield Icon and the error box.  The script has been updated.

Download the latest revision here: 11478

I grabbed it this morning and tested it out.

We have our process list before running the script.

We run the script as the local administrator.

Now we check the process list again.

Now for the sweep.  Show me the Shield!  Survey says:



Metasploit Pro + Bypass Win UAC FTW!


So before I left for the holidays, I was on a pentest.

I had a meterpreter session and went to collect the evidence and I saw an error!

I realized on this Windows 7 x64 machine, I was unable to elevate to NT AUTHORITY\SYSTEM.

UAC +1

Since it was the end of the day I put this in my "Do when I return from Holiday Pile!" and left to celebrate the New Year.

January 1st, dave_rel1k posted on Twitter "Happy New Year everyone! Here is a nice new addition to bypass UAC through meterpreter."

I downloaded this manna from heaven and installed it.

*Read the Instructions Included

I fired up Metasploit Pro (this works with the Framework as well.)  I dropped to the console and ran getsystem.  UAC was working.  Time to run bypassuac!

The script ran creating a 2nd meterpreter session.  The 2nd session was accessible by both the console and the Metasploit Pro application.

Interacting with the 2nd session, I ran my privilege escalation attempt again. +1 to ME!

For those keeping score, UAC +1, ME +1

Collecting my system evidence again rewarded me with the dump of the hashes.

+ 1 to ME and I will steal UAC's point along with those hashes!

For those keeping score UAC 0, ME +3


How about a nice game of chess?