If you've been following along, you'll have noticed that we published just about a post a day here this week, which makes my job of bringing the weekly update to you, dear reader, that much easier. So, I'll keep this week's update pretty short. Here's a link farm covering what was discussed from Joe, OJ, sinn3r, and HD. They're all really fun and informative reads from fun and informative people, as you'd expect.
Mozilla FireFox Proxy Prototype RCE
Joe discusses a remote code execution vulnerability in Mozilla Firefox versions 31 through 34.
Using Host Tagging in Metasploit for Penetration Testing
sinn3r discusses a new-to-Framework feature that makes host tagging on engagements signficantly easier from the console.
Deep Dive Into Stageless Meterpreter Payloads
OJ discusses the new stageless Metepreter payloads, and why you might want to pick those rather than traditionally staged Meterpreter.
Meterpreter Survey 2015
HD discusses the results of the Metepreter survey held in February, where we're going with payload development, and what you can do to help.
Unicode Support in Meterpreter
Brent discusses the storied history of character encoding, and why you needn't care about it any more in Meterpreter sessions.
Kali Dev Docs
Also this week, we're deepening our commitment to the Kali Linux user community by overhauling our Metasploit Development Environment Setup docs. If you're a habitual Kali hacker, we now have a pretty well documented means to get you up to speed with a modern Metasploit dev environment. It's been a long time coming, and replaces the old http://r-7.co/MSF-DEV wiki completely.
Once the tires are sufficiently kicked on this collection of copy-pasta bashisms, we're going to get it all nicely packaged up as a one of those new-fangled DevOpsish deploy scripts, and it should work for pretty much any Debian-based distribution.
No, it's not a DNS Hijack
Finally, if all goes well over the next few days, you should see an entirely new platform for all our bloggery, discussion boards, and shameless trolling. You can see the note from Community Manager Maria Varmazis on the welcome page today. I'm pretty excited about the move, scheduled for March 31, 2015.
What this all means for you is, when you get the password reset message from rapid7.com, you can rest assured that it's (probably) not a phishing attempt, a DNS hijack, or a timezone-agnostic April Fool's joke. It's really us, I swear. I mean, what's more convincing than an unsigned, unauthenticated, unsolicited reset request, pointing to a website that's running an entirely different backend from what you're accustomed to? Totes legit. (:
In an effort to assure you that this is a real change and not a trick, I have signed this statement over on GitHub with my public key (as asserted by keybase.io). Feel free to verify it with your favorite GPG/PGP signature authentication scheme -- try curl that-raw-gist-link | gpg --verify.
Of course, maybe this is all part of the ruse. There is really no end to paranoia, if you care to delve deep enough.
Since the last Wrapup (diffs here), we have nine new modules: five exploits and four Post/Aux modules. Note that we've also renamed five WordPress-based exploit modules, so I've added those to a special section, since they will also appear to be "new." If you're using those in a scripted way, like a resource script or Task Chain or something, you'll want to update your script to pick the new ones. Otherwise, they're unchanged.
- Belkin Play N750 login.cgi Buffer Overflow by Marco Vaz and Michael Messner exploits CVE-2014-1635
- Exim GHOST (glibc gethostbyname) Buffer Overflow by Qualys, Inc. exploits CVE-2015-0235
- Powershell Remoting Remote Command Execution by Ben Campbell exploits CVE-1999-0504
Auxiliary and post modules
- WordPress WP EasyCart Plugin Privilege Escalation by Rob Carr exploits CVE-2015-2673
- WordPress WPLMS Theme Privilege Escalation by Evex and Rob Carr
- GitLab Login Utility by Ben Campbell
- GitLab User Enumeration by Ben Campbell
- Symantec Web Gateway Login Utility by sinn3r
- WordPress Plugin Foxypress uploadify.php Arbitrary Code Execution by Sammy FORGIT and patrick exploits BID-53805
- Wordpress InfusionSoft Upload Vulnerability by g0blin and us3r777 exploits CVE-2014-6446
- WordPress cache_lastpostdate Arbitrary Code Execution by hdm and str0ke exploits CVE-2005-2612
- WordPress OptimizePress Theme File Upload Vulnerability by Mekanismen and United of Muslim Cyber Army
- WordPress W3 Total Cache PHP Code Execution by juan vazquez, hdm, Christian Mehlmauer, and Unknown exploits CVE-2013-2010