DNS Module Split up
This week, we appear to have a whole bunch of new DNS-based enumeration and information gathering modules. In fact, this was actually more of a housekeeping chore, largely by longtime Metasploit contributor Carlos @darkoperator Perez. Darkoperator wrote most of the original enum_dns module as well.
enum_dns became a bit of a junk drawer of DNS functionality -- it did a whole bunch of everything for DNS. So, instead of just tacking on more and more over time, it's been split apart into several separate modules -- we now are shipping a bruteforce module (which tries to pick out hostnames and subdomains with a dictionary attack), a reverse lookup module (that pulls DNS names against a range of IPs), a service record (SRV) scanner, and a general information / profiler module.
Since these are all different functions in subtle ways, it makes sense to pick out these tasks specifically -- if you want to run them all together like you used to with enum_dns, you can just string them together with a resource file, but a lot of times, it's easier to divvy them up and take the results from one to feed another.
D-Link DIR-300 and DIR-600 Auth Bypass
I won't lie, I love authentication bypass modules. No no tricky offsets to calculate, no bad chars to figure out, no NX or DEP or anything to mitigate -- just straight up exercise-the-functionality style of exposure and exploitation. This week's update includes an "exploit" for D-Link routers, which are pretty common in home and small business environments, courtesy of Metasploit community contributor Michael @m-1-k-3 Messner. Turns out, the shipping command.php webapp on D-Link DIR-300 and DIR-600 routers doesn't actually require authentication. Whoops.
Sure, this is a home device, consumer gear. So who cares? Well, what kind of gear does your CFO use at home? Unless she's a super nerd that likes managing her own complicated subnetted home network, I'm guessing that high-value human targets use consumer gear with pretty default-ish configurations.
Now, these kinds of targets are often not in scope -- but one of the goals of Metasploit is to be able to simulate what a real attacker would do, and I guarantee you that Unit 61398 doesn't care about your stated and agreed upon scope. Modules like this should be used to at least start that conversation with your pentesting clients about this sort of vector.
- OpenEMR PHP File Upload Vulnerability by juan vazquez and Gjoko Krstic exploits OSVDB-90222
- Foxit Reader Plugin URL Processing Buffer Overflow by juan vazquez, Sven Krewitt, and rgod exploits OSVDB-89030
- Windows Manage User Level Persistent Payload Installer by Brandon McCann "zeknox" and Thomas McCarthy "smilingraccoon"
- BigAnt Server DUPF Command Arbitrary File Upload by juan vazquez and Hamburgers Maccoy exploits CVE-2012-6274
- BigAnt Server 2 SCH And DUPF Buffer Overflow by juan vazquez and Hamburgers Maccoy exploits CVE-2012-6275
- D-Link DIR-600 / DIR-300 Unauthenticated Remote Command Execution by m-1-k-3 exploits OSVDB-89861
- Ruby on Rails Devise Authentication Password Reset by jjarmoc and joernchen exploits CVE-2013-0233
- DNS Brutefoce Enumeration by Carlos Perez
- DNS Basic Information Enumeration by Carlos Perez
- DNS Reverse Lookup Enumeration by Carlos Perez
- DNS Common Service Record Enumeration by Carlos Perez
- Ruby on Rails JSON Processor YAML Deserialization Scanner by hdm and jjarmoc exploits CVE-2013-0333
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For additional details on what's changed and what's current, please see Tod's most excellent release notes. (Brandont, our usual release engineer, is out for a little while with a new kid. Congrats to you and Mrs. Dont!)