Weekly Metasploit Update: Android WebView Exploit
Android WebView Exploit, 70% of Devices Vulnerable
This week, the biggest news I think we have is the release of Joe Vennix and Josh @jduck Drake's hot new/old Android WebView exploit. I've been running it for the last day or so out on the Internet, with attractive posters around the Rapid7 offices (as seen here) in an attempt to pwn something good. I've popped a couple shells; I guess I didn't make my QR Code attractive enough.
Seriously, though, this vulnerability is kind of a huge deal. I'm hopeful that by publishing an E-Z-2-Use Metasploit module that exploits it, we can maybe push some vendors toward ensuring that single-click vulnerabilities like this don't last for 93+ weeks in the wild. Don't believe me that this thing is that old? Just take a look at the module's references.
It should be noted that the bug only ("only," he says!) affects versions of Android below 4.2, that is, everything up through 4.1, the first Jelly Bean release. Strictly speaking, the 4.2 fix (only methods annotated with @JavascriptInterface are callable from page JavaScript) is tied to the app's targetSdkVersion, so an app built against an older API level stays exposed even on a 4.2+ device. In a completely unsurprising twist, I did a quick survey of the phones available today on the no-contract rack at a couple big-box stores, and every one that I saw was vulnerable out of the box. And yes, that's here in the U.S., not some far-away place like Moscow, Russia. This lines up with what Android Central reports, in that while Android 4.4 (KitKat) has achieved 1.8% penetration, the same chart indicates that over 70% of all Android devices out there are vulnerable to this bug, with the plurality of devices at 4.0 and 4.1.
There's a lot more to say here, so expect more on this in the coming days. We've slapped together a quick video, but feel free to make a better one and grab all the Internet infamy for yourself. The video should open in a new window.
As you can see, the attack shown here -- QR code on a Metasploit exploit -- is a pretty dang effective way to get a shell on a target Android device, assuming your QR marketing skills are better than mine.
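For readers who want to see the application side of the bug that the module's references describe, here is an added illustration. It is not the Metasploit module's code and not from the original post: a minimal Android activity that hands a Java object to page JavaScript with addJavascriptInterface, with the pre-4.2 and 4.2+ behaviour side by side. The activity name, the interface name "bridge" and the URLs are placeholders. The reflection chain quoted in the comment is the generic, publicly documented technique for this bug class (reaching java.lang.Runtime through getClass() on the exposed object), not anything specific to the module.

```java
// Added illustration, not code from the Metasploit module or the original post.
// Assumed: a minimal Android activity; "bridge" and the URLs are placeholders.
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

public class WebViewDemoActivity extends Activity {

    // The object exposed to page JavaScript. On Android below 4.2 (API < 17)
    // every public method of this object is reachable from JavaScript,
    // including the ones inherited from java.lang.Object such as getClass().
    public static class Bridge {
        // On API 17+ (with targetSdkVersion >= 17) only annotated methods are
        // callable from JavaScript; getClass() is therefore no longer reachable.
        @JavascriptInterface
        public String version() {
            return Build.VERSION.RELEASE;
        }
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        webView.getSettings().setJavaScriptEnabled(true);

        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.JELLY_BEAN_MR1) {
            // Pre-4.2 runtime: the bridge cannot be made safe. Any attacker-controlled
            // page (for example one reached by scanning a QR code) can walk from the
            // exposed object to the system shell via reflection:
            //   bridge.getClass().forName('java.lang.Runtime')
            //         .getMethod('getRuntime', null).invoke(null, null)
            //         .exec(['/system/bin/sh', '-c', 'id']);
            // So on these devices do not expose a Java object at all, and do not
            // load untrusted content into the WebView.
            webView.loadUrl("https://example.invalid/unsupported.html");
        } else {
            // 4.2+ and targetSdkVersion >= 17: only @JavascriptInterface methods
            // are visible to the page, so exposing the bridge is acceptable.
            webView.addJavascriptInterface(new Bridge(), "bridge");
            webView.loadUrl("https://example.invalid/app.html");
        }
        setContentView(webView);
    }
}
```

The important detail for testers is the second branch: the protection is keyed on both the device's API level and the app's targetSdkVersion, so an app built with a target below 17 remains exploitable even on a patched device, which is why surveying the OS version alone understates the exposure.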
Incidentally, who do you lean on to get this patched? The big-box retailer who sold it to you? The manufacturer of the phone hardware? The cell phone service provider? Google? It may seem a little spurious, but it's a question that's going to be asked by journalists, wonks, and (hopefully) consumer protection groups in the coming weeks.
Mass Check!
Item two on this week's release is Wei @_sinn3r Chen's rework of how Metasploit exploits use the "check" functionality. You can read up on it over at sinn3r's blog post about how it all works -- really, go read it, it's good. I'll wait.
Now that you've got the background and it's out in this week's release, you no longer need to guess at how many of your in-scope Windows machines really are vulnerable to MS08-067 before you try to tag them. This is not to say that Metasploit is suddenly a proper vulnerability scanner. We're not, and never really will be. This "check" functionality is much more focused on target acquisition than compliance checking or risk management or anything like that. So, good for penetration testers, maybe not so good for your day-to-day vuln scanning duties.
Meterpreter Clipboard Monitor
Also on this release (dang, this is a pretty good one this week) is the new clipboard monitor functionality for Meterpreter, thanks in large part to OJ @TheColonial Reeves. OJ got a nice little writeup over at CSO Online wherein TheColonial explains how the clipboard-erasing protections of KeePass are completely obliterated.
This makes me sad, as I'm an avid KeePassX user and have been for years and years. Oh well, I guess I just better make sure that I'm not already owned when I go checking The Facebook for my friends' cat-and-baby pictures.
But, alas, moving security forward isn't just about me and what software I use. The fact of the matter is, passwords suck. Period. You're left with the choice of a) keeping easy-to-remember passwords in your head (easy to guess), b) using a clipboard-based password manager and hoping nothing's watching your clipboard, c) using some hand-typing system of password management and hoping you're not getting your keystrokes logged, or d) using a browser-based autofill system and hoping you're not a recent victim of a universal, persistent XSS bug. Time to take another look at your two-factor authentication (2FA) choices.
Incidentally, we'll have more on the UXSS thing in the next couple weeks. You're welcome, in advance.
New Modules
Including the WebView exploit above, we're shipping six new exploits and seven new auxiliary and post modules. Most of the aux material this week revolves around IBM Sametime, an enterprise social-media-in-a-box offering, all from the cruelly-named Kicks4Kittens.
Exploit modules
Android Browser and WebView addJavascriptInterface Code Execution by joev and jduck
Kloxo SQL Injection and Remote Code Execution by juan vazquez and Unknown
Pandora FMS Remote Code Execution by xistence
KingScada kxClientDownload.ocx ActiveX Remote Code Execution by juan vazquez and Andrea Micalizzi exploits ZDI-14-011
Windows TrackPopupMenuEx Win32k NULL Page by Dan Zentner, Matias Soler, Seth Gibson, and Spencer McIntyre exploits CVE-2013-3881
Windows Command Shell Upgrade (Powershell) by Ben Campbell
Auxiliary and post modules
IBM Lotus Sametime WebPlayer DoS by Chris John Riley and kicks4kittens exploits CVE-2013-3986
DoliWamp 'jqueryFileTree.php' Traversal Gather Credentials by Brendan Coles
IBM Lotus Notes Sametime User Enumeration by kicks4kittens
IBM Lotus Notes Sametime Room Name Bruteforce by kicks4kittens
IBM Lotus Sametime Version Enumeration by kicks4kittens
A10 Networks AX Loadbalancer Directory Traversal by xistence exploits OSVDB-102657
Windows Gather Active Directory User Comments by Ben Campbell
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For additional details on what's changed and what's current, please see Brandon's most excellent release notes.