The new Metasploit exploit trends are out, where we give you a list of the top 10 most searched Metasploit exploit and auxiliary modules from our exploit database (DB). These stats are collected by analyzing searches on metasploit.com in our webserver logs, not through usage of Metasploit, which we do not track for privacy reasons.
In June 2012, we also have three new entries on the list, and seven existing contenders. Here they are, annotated with Tod Beardley's excellent comments:
- Microsoft Server Service Relative Path Stack Corruption (CVE-2008-4250, MSB-MS08-067): A four year old vulnerability that tends to give the most reliable shells on Windows 2003 Server and Windows XP. It’s also got a great pile of language pack targets. All of Metasploit’s exploits provide US English targeted shellcode, a few might provide Chinese, Spanish, French, or other popular languages; this one has targets in pretty much every language you’ve ever heard of. This exploit is also not ancient, so it’s reasonable to expect to find some unpatched systems in a medium to large enterprise vulnerable to it. More on this topic at Microsoft’s Security TechCenter. Same position as last month.
- MS12-020 Microsoft Remote Desktop Use-After-Free DoS (CVE-2012-0002, MSB-MS12-020): This is the 2012 RDP Bug, where it was implied -- but never proven in public -- that a pre-auth bug in RDP can allow for remote code execution. This is likely the most popular module we have due to both recency bias and because there was an unusual level of spontaneous organization of the Metasploit developer community to search for the correct path to remote code execution. So far, nobody’s gotten RCE yet (in public), but the Metasploit module provides the most clues. More on this topic in an article on ZD Net. Same position as last month.
- Microsoft Server Service NetpwPathCanonicalize Overflow (CVE-2006-3439, MSB-MS06-040): A six year old vulnerability that’s notable in that there’s no official patch from Microsoft for this on Windows NT 4.0. This was discovered after NT went end-of-life, so if you need remote root on an NT machine (and there are still plenty out there), this is going to be your first choice. More on this topic in at Microsoft’s Security TechCenter. Same position as last month.
- Microsoft RPC DCOM Interface Overflow (CVE-2003-0352, MSB-MS03-026): A nine year old vulnerability that used to be the de-facto standard exploit for Windows machines - this is the RPC DCom bug, and it affects ancient NT machines. It was most notable in that it was used by the Blaster and Nachi worms to transit networks. It’s now pretty much a case study in stack buffer overflows in Windows, so it’s got a lot of historical value. If memory serves, this was the most reliable exploit in Metasploit v2. More info on that at Windows IT Pro. Up 2 places from #6 since last month.
- MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption (CVE-2012-1875): This module was mentioned in the IE Zero-Day Exploits blog post along with the XML Core Services bug, CVE-2012-1889. Also like the XML Core services bug, this bug was being actively exploited in the wild in June of 2012. Unlike the XML Core Services bug, though, this one had a patch. I suspect there was some confusion about which bug was patched and which wasn't, given the modules were released close together and both were mentioned in the same post. Regardless, given the recency of these modules, it's not surprising to see them leap into the top ten for June. New entry since last month.
- Microsoft XML Core Services MSXML Uninitialized Memory Corruption (CVE-2012-1889): This vulnerability was recently profiled in Wei "sinn3r" Chen's blog post, New Critical Microsoft IE Zero-Day Exploits. As the title suggests, this module exploits an unpatched vulnerability in Internet Explorer, so that's pretty exciting just in and of itself. In addition, this Metasploit module is the first (and still only) safe and reliable method to test the efficacy of whatever mitigation strategy your client workstations might have implemented. New entry since last month.
- Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop (CVE-2010-0017, MSB-MS10-006): Not sure why this module is popular -- it’s a client side DoS. Historically, it’s a neat DoS, since it demos a bug in Windows 7’s kernel, but all the module does is crash Windows 7 clients after you get a user to connect to you. More info on that at The H Security. Same position as last month.
- Microsoft Windows Authenticated User Code Execution (CVE-1999-0504): The PSExec module is a utility module -- given an SMB username and password with sufficient privileges on the target machine, the user can get a shell. It’s not sexy, but it’s super handy for testing payloads and setup. Even though it’s a lowly #10, I’d bet it’s the most-used module in classroom and test environments. More on this topic in at the National Vulnerability Database. Up 2 from #10 since last month.
- MySQL Authentication Bypass Password Dump (CVE-2012-2122): This module was featured in HD Moore's June blog post, CVE-2012-2122: A Tragically Comedic Security Flaw in MySQL. It's a fun, recent module that exploits a bug in a popular application in a way that's super-easy to explain, so it's no wonder that this module has all the features of a crowd-pleaser. New entry since last month.
- Adobe PDF Embedded EXE Social Engineering (CVE-2010-1240): This module exploits CVE-2010-1240 in Adobe Reader. The idea is that you can embed and execute a Meterpreter PE Executable in a PDF, and when the user opens the PDF, surprise shells! Since it’s on this list, it’s probably the most popular social engineering-style module. More on this topic in at the National Vulnerability Database. Down 2 places from #8 since last month.