
I am new to the field and am trying to pentest a PHP web app stored locally on my host PC using Metasploit from a Kali VM. I have run some scanners like wmap, OpenVAS and Nessus and found some vulnerabilities, but I have trouble finding the matching exploits to use in msf. I have tried 'search cve-xxxx-xxxx' and even Google using 'cve-xxxx-xxxx metasploit' etc., but had no results. Are there any suggestions on how to proceed? For example, a critical one found is CVE-2014-3515; however, I was unable to find an exploit.

metavaronos
  • Here's a [writeup by Stefan Esser on CVE-2014-3515](https://www.sektioneins.de/blog/14-08-27-unserialize-typeconfusion.html). It also contains a proof of concept. – Gumbo Nov 28 '14 at 14:27

2 Answers

4

CVE is only the vulnerability report; it doesn't necessarily mean that it is exploitable. Also, we are very fortunate that, even if exploitable, not all vulnerabilities have publicly available exploits, especially ones available within the Metasploit framework. Otherwise we would have lots of script-kiddies running around armed and dangerous!

On the question of CVE-2014-3515: this is something that is listed as "exploitable using common tools", meaning that you can create a PHP script that exploits the vulnerability, i.e. you don't need specially crafted shellcode or a compiled binary. Looking at the original detailed report of the vulnerability on php.net, it is relatively easy to create an exploit, given that one has a solid understanding of the PHP programming language, which most scripties don't have. \o/

Milen
  • I agree with most of what you said, however, if a vulnerability is not exploitable, how can it have a CVE assigned to it? There was someone somewhere who figured out how to exploit the vulnerability or it would not be considered a "vulnerability." – Maumee River Nov 28 '14 at 13:36
  • Thanks for the comment; it's something that many have concerns about: isn't a lot of this vulnerability-but-not-exploitable just smoke and mirrors? There are vulnerabilities that are potentially exploitable but hard to demonstrate in real life (e.g. they require very specific knowledge of the target, such as memory locations), or weaknesses that are not exploitable in the traditional sense, e.g. server or service information disclosure that could help or aid an attacker. These are still vulnerabilities; although they might not be directly exploitable, they can nevertheless be useful to build an attack. – Milen Nov 28 '14 at 13:41
  • This list is critical: PHP 5.5.x < 5.5.14 Multiple Vulnerabilities: (CVE-2014-0207, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487), (CVE-2014-3478), (CVE-2014-3515), (CVE-2014-3981), (CVE-2014-4049), (CVE-2014-4721), (Bug #67072), (Bug #67349), (Bug #67397). Your suggestion makes sense; I just don't get why it says "CPE: cpe:/a:php:php Exploit Available: true Exploit Ease: Exploits are available" since I have to make one of my own, and if there are any, where can I get them? Also, of the given CVEs only the one I mentioned seems like a possibly exploitable threat. – metavaronos Nov 28 '14 at 18:18
  • In his comment above Gumbo mentioned the website where a proof-of-concept exploit for that particular CVE is published (https://www.sektioneins.de/blog/14-08-27-unserialize-typeconfusion.html). Looks well documented, so you should be set. – Milen Nov 29 '14 at 01:06
  • So there is no such place as a DB of Nessus with the available exploits that it says there are? You just need to find them by Google searching etc.? – metavaronos Nov 29 '14 at 09:44
  • There is, but AFAIK it's far from 100% automated. Tenable have instructions on how to configure Metasploit/Nessus integration, run Nessus scans from within Metasploit, and then look up the available Metasploit modules: http://www.tenable.com/blog/using-nessus-and-metasploit-together – Milen Nov 29 '14 at 11:00
0

When you're reviewing vulnerabilities in Nessus, if you view the "detailed vulnerability summary" it will tell you if there is a "public exploit available" for the vulnerability. If there is a public exploit available Nessus will tell you which module from within Metasploit to use. (I use Nessus enterprise on a daily basis).

As Milen said, just because the vulnerability is known and there is a CVE assigned to it, there will not always be an associated publicly available exploit in Metasploit or other pen testing tools.

Maumee River
  • I use Nessus Home 2.5.7; I think it's the only free one, and all I get from my detailed vulnerability summary for that is this: "Vulnerability Information CPE: cpe:/a:php:php Exploit Available: true Exploit Ease: Exploits are available Patch Pub Date: 2014/06/26 Vulnerability Pub Date: 2014/06/26". So I would like to know where I can find those available exploits. – metavaronos Nov 28 '14 at 18:05
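As an added example (not from the thread, Tenable or Metasploit), this parses a constructed .nessus v2 export and separates findings that merely say "Exploit Available: true" from those where Nessus names a Metasploit module, which is the distinction the two answers above draw. The element names (exploit_available, exploit_framework_metasploit, metasploit_name) are assumed from the .nessus v2 ReportItem layout; the sample XML and the placeholder module name are constructed.

```python
"""Triage a .nessus (v2) export: which findings claim a public exploit, and which name a Metasploit module."""
import xml.etree.ElementTree as ET

# Constructed sample. Element names follow the .nessus v2 ReportItem layout as I
# know it (an assumption); the CVE/CPE/plugin name are the ones quoted in this thread.
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="lab">
<ReportHost name="127.0.0.1">
 <ReportItem port="80" pluginID="0" pluginName="PHP 5.5.x &lt; 5.5.14 Multiple Vulnerabilities" severity="4">
  <cpe>cpe:/a:php:php</cpe>
  <cve>CVE-2014-3515</cve><cve>CVE-2014-4721</cve>
  <exploit_available>true</exploit_available>
  <exploit_ease>Exploits are available</exploit_ease>
 </ReportItem>
 <ReportItem port="22" pluginID="1" pluginName="Constructed finding" severity="3">
  <cve>CVE-0000-0000</cve>
  <exploit_available>true</exploit_available>
  <exploit_framework_metasploit>true</exploit_framework_metasploit>
  <metasploit_name>PLACEHOLDER_MSF_MODULE_NAME</metasploit_name>
 </ReportItem>
 <ReportItem port="443" pluginID="2" pluginName="Info-only finding" severity="0">
  <exploit_available>false</exploit_available>
 </ReportItem>
</ReportHost></Report></NessusClientData_v2>"""

def triage(nessus_xml):
    """Return one dict per ReportItem with its exploit-related metadata."""
    root = ET.fromstring(nessus_xml)
    rows = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            rows.append({
                "host": host.get("name"),
                "plugin": item.get("pluginName"),
                "cves": [c.text for c in item.findall("cve")],
                # "Exploit Available: true" only says a public exploit exists somewhere
                "exploit_available": item.findtext("exploit_available") == "true",
                # set only when Nessus maps the finding to a specific Metasploit module
                "msf_module": item.findtext("metasploit_name"),
            })
    return rows

def needs_manual_lookup(rows):
    """Exploitable findings with no module named: these need the advisory/PoC writeup."""
    return [r for r in rows if r["exploit_available"] and not r["msf_module"]]

if __name__ == "__main__":
    for r in needs_manual_lookup(triage(SAMPLE_NESSUS)):
        print(r["host"], r["plugin"], ", ".join(r["cves"]))
```

Run against a real export by replacing SAMPLE_NESSUS with the file contents; findings listed by needs_manual_lookup are the ones where the scanner's "exploit available" flag does not translate into a module to look up.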