When it rains, it pours. We released Metasploitable Version 2, published a technique for scanning vulnerable F5 gear, and put out a module to exploit MySQL's tragically comic authentication bypass problem, all in addition to cooking up this week's update. So, kind of a busy week around here. You're welcome. (:
Encrypted Java Meterpreter
This week's update features Michael Schierl's much-anticipated cryptographic update to Java Meterpreter. Now, when using the default Java Meterpreter payload, users can specify an "AESPassword" option, which will encrypt all post-exploit communication with the Java Meterpreter payload. To illustrate, post-exploitation packet captures will go from this to this.
This should make life a little more challenging for our IDS/IPS signature writing friends, and make Java Meterpreter sessions a little more reliable for penetration testers.
Once we've kicked this new encryption mode around for a couple of weeks and made sure everything's copacetic there, I expect to have this option enabled by default for Java exploits.
Ye Olde Tyme Vulnerabilitys
This week's update also features something old -- specifically, open source contributor Patrick's modules for Microsoft Data Access Components (MDAC) vulnerabilities from yesteryear. Microsoft IIS MDAC msadcs.dll RDS DataStub Content-Type Overflow and Microsoft IIS MDAC msadcs.dll RDS Arbitrary Remote Command Execution both target older IIS installations - issues MS02-065 and MS98-004, respectively. Veteran penetration testers will recognize these Microsoft bulletin numbers from countless vulnerability reports. Just seeing MS98-004 mentioned in a new module makes me misty for the old days.
Having exploits handy for older vulnerabilities like this can be hugely useful. While it might be a foregone conclusion today that there is no way to secure a given NT 4.0 machine effectively, these modules make it much easier to actually prove it to your client.
Other New Modules
Finally, we have a slew of new modules -- thanks again to our community of open source security contributors for the diverse set of exploits this week.
- MySQL Authentication Bypass Password Dump by TheLightCosine and jcran exploits CVE-2012-2122
- Symantec Web Gateway 220.127.116.11 ipchange.php Command Injection by juan vazquez and Unknown exploits CVE-2012-0297
- Symantec Web Gateway 18.104.22.168 Arbitrary PHP File Upload Vulnerability by juan vazquez and Unknown exploits CVE-2012-0299
- Snort 2 DCE/RPC preprocessor Buffer Overflow by 0a29406d9794e4f9b30b3c5d6702c708, Carsten Maartmann-Moe, Neel Mehta, and Trirat Puttaraksa exploits CVE-2006-5276
- MS11-093 Microsoft Windows OLE Object File Handling Remote Code Execution by juan vazquez and Luigi Auriemma exploits MS11-093
- Samsung NET-i Viewer Multiple ActiveX BackupToAvi() Remote Overflow by juan vazquez and Luigi Auriemma exploits OSVDB-81453
- Tom Sawyer Software GET Extension Factory Remote Code Execution by juan vazquez, Elazar Broad, and rgod exploits CVE-2011-2217
- MS12-005 Microsoft Office ClickOnce Unsafe Object Package Handling Vulnerability by sinn3r and Yorick Koster exploits MS12-005
- Sielco Sistemi Winlog Buffer Overflow 2.07.14 by m-1-k-3 exploits BID-53811
- Multi Gather Skype User Data Enumeration by Carlos Perez collects Skype user information in a post-exploitation context.
- Modbus Client Utility by EsMnemon demonstrates remote Modbus control
- Modbus Version Scanner by EsMnemon scans for Modbus services, commonly associated with SCADA systems
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For additional details on what's changed and what's current, please see the most excellent release notes.