This update has something for everyone -- new exploits, new auxiliary modules, new post modules, and even new payloads. If quadfecta is a word, we totally hit it this week!
More Mac OSX 64-Bit Payloads
The parade of OSX 64-bit payloads continues, with five new 64-bit payloads added this week:
Nemo was responsible for last week's new 64-bit payloads, so huge thanks again to him for continuing to fill out Metasploit's payload offerings for Apple platforms. I'm looking forward to seeing how this whole OSX-as-a-target theme unfolds.
Exploit for Samba ZDI vulnerability
It's always handy to have fresh Samba exploits -- in local area networks, Samba is often found as a core intranet service so people in different organizations can easily share files across platforms. So, targets running Samba tend to be pretty high-value for pen-testers. Thanks especially to blasty, from whom Metasploit was able to port the exploit. If this attribution isn't correct, then I'm sure someone will let us know. (:
This particular vulnerability was apparently reported is was reported initially via TippingPoint's ZDI program back in March and fixed in April. So, while this isn't an 0-day in any meaningful sense, it's still technically difficult to pull off reliable Samba.
Local enumeration modules
This update features a couple local enumeration post modules by community contributor Barry Shteiman. The first, enum_db, goes through the Windows registry to pick up all kinds of information about all kinds of databases -- specifically, Oracle, Microsoft SQL, MySQL, and Sybase. The second paws through local installations of Apache Tomcat, and can turn up usernames, passwords, and roles, since they're stored in the clear in a known location. These are a very typical post-exploit chores, so automating this kind of thing as a post module is hugely useful. Thanks Sectorix!
Print Job Hijinks
Finally, we have a new auxiliary module, printjob_capture, from long time Metasploit contributor Chris John Riley. I kind of fell in love with this module module when it popped up in our pull queue, and immediately set about stealing print jobs here in the Metasploit office (with permission, of course). It's great fun and totally spooky -- you end up saving off a copy of the print job in an easy-to-read PS format, then handing off the print job to the real printer. The victim, of course, is none the wiser. I'm working up a screencast of this module in action, since producing a printjob as it comes off the tray of a real printer has some pretty excellent theatrical value.
All in all, not a bad haul -- here's the breakdown with the links to Metasploit's Exploit Database.
- Samba SetInformationPolicy AuditEventsInfo Heap Overflow by sinn3r, juan vazquez, Unknown, and blasty exploits ZDI-12-069
- phpMyAdmin 22.214.171.124 server_sync.php Backdoor by hdm exploits an PMASA-2012-5
- Dell iDRAC default Login by Cristiano Maruti exploits CVE-1999-0502
- Indusoft WebStudio NTWebServer Remote File Access by juan vazquez and Unknown exploits CVE-2011-1900
- Printjob Capture Service by Chris John Riley and todb
- Windows Gather Database Instance Enumeration by juan vazquez and Barry Shteiman
- Windows Gather Tomcat Server Enumeration by Barry Shteiman
It's not all gem updates, of course. We have a smattering of new modules for you, too. For details and usage on these, just follow the links to our Exploit Database.
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For additional details on what's changed and what's current, please see the most excellent release notes.