Sharing is Caring
One of the nits we've all had to pick with Metasploit is that when you have a module that involves getting a client to connect to an evil SMB server to fetch a file, the usual strategy was to generate the file with one module and then serve it up from your own Samba or Windows share. This worked, of course, but what a hassle. Who wants to run two things? Nobody!
Well, those days are now behind us, thanks largely to the Herculean efforts of Metasploit community contributor Matthew "0x41414141" Hall. This last week, we landed #3074, one of the longest-running pull requests we've had. SMB itself is pretty complicated, as anyone who's worked with this protocol can attest, so it's no wonder this took a year or so of gnashing and hacking.
Coding up an SMB file server in Metasploit-flavored Ruby was a huge feat, and I'm super happy that Matthew stuck with it. He worked with the Metasploit open source community (especially Juan there at the end) and hauled this thing over the finish line, all the while with an amazingly positive attitude.
So, now that we have the mixin, I'm sure there are a bunch of modules that could use a retrofit to use it. If you're looking for some way to contribute to the Framework, that'd be a fine place to start.
Since the last blog post, we've added two new exploits to the Metasploit Framework. The first is a Flash exploit from Juan Vazquez, who's taken on Flash reversing and exploitation as a personal mission in light of the run of recent Flash 0-days. Since these bugs first became public because they were found being used in active attacks, it's important to test that your end-user constituency is actually on a reasonable update schedule, rather than assuming it is.
The other involves the sinister-sounding Nvidia Mental Ray Satellite Service. Turns out, this is not an orbital mind control platform, but rendering software used by tons of movie studios. So, more ground-based mind control, I guess.
The Metasploit module was implemented by Ben "Meatballs" Campbell, based on research by Luigi Auriemma and Donato Ferrante. Incidentally, it uses 0x41414141's new SMB file server mixin to serve the DLL it injects, so it's got that going for it now, which is nice.
Granted, this sort of rendering software suite isn't likely to come up in your average engagement, but if you're in the business of running this kind of gear, you'll probably want to double-check your network segmentation -- while the bug was disclosed a little while back, there's no indication from the vendor that a patch has been released.
But really, how often do movie studios get compromised, anyway? Probably no big deal, right?
- Adobe Flash Player ByteArray UncompressViaZlibVariant Use After Free by juan vazquez, Unknown, and hdarwin exploits CVE-2015-0311
- Nvidia Mental Ray Satellite Service Arbitrary DLL Injection by Ben Campbell, Donato Ferrante, and Luigi Auriemma