Welcome to another edition of the increasingly inaccurately named Weekly Wrap up! I'm egypt and I'll be your host. Since the last one of these, a lot of work has landed on the Framework. I talked about some of it with a bit of a yearly wrapup at my Derbycon talk. We also had a fun time at the Metasploit Townhall.
One of the recent things I didn't cover is the super cool BusyBox work by Javier Vicente Vallejo. For those who aren't familiar, BusyBox is a small, usually statically compiled, shell environment for resource-constrained systems like SOHO routers (which we've talked about quite a bit here on the Metasploit blog). From the official website:
BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc. The utilities in BusyBox generally have fewer options than their full-featured GNU cousins; however, the options that are included provide the expected functionality and behave very much like their GNU counterparts. BusyBox provides a fairly complete environment for any small or embedded system.
BusyBox has been written with size-optimization and limited resources in mind. It is also extremely modular so you can easily include or exclude commands (or features) at compile time. This makes it easy to customize your embedded systems. To create a working system, just add some device nodes in /dev, a few configuration files in /etc, and a Linux kernel.
BusyBox is used all over the place with all sorts of different configurations and, as a result of its modular design, many deployments are stripped down to the bare minimum requirements of a given system. That means significant, environment-specific limitations from a post-exploitation perspective. Having a collection of tools for working with it after you've compromised a device can save a lot of time over figuring out by hand which particular handicaps a given BusyBox binary has been compiled with.
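As an added example (not code from the original post or from the BusyBox modules it describes), here is a small POSIX shell helper for inventorying which applets a given BusyBox build actually includes, by parsing the "Currently defined functions:" list the binary prints when run with no arguments. The sample banner below is constructed, not captured from a real device, and the function names are the author's own.

```shell
#!/bin/sh
# Inventory the applets compiled into a BusyBox binary by parsing its
# no-argument help output: a "Currently defined functions:" header followed
# by a comma-separated, indented list. Works on a captured transcript, so a
# firmware image can be audited offline without executing anything from it.

# Constructed sample of a deliberately stripped-down build's banner
# (hypothetical version string, not taken from any real device).
SAMPLE_HELP='BusyBox v1.22.1 (2014-02-20 12:00:00 UTC) multi-call binary.
Usage: busybox [function [arguments]...]
   or: busybox --list

Currently defined functions:
    [, [[, ash, cat, chmod, cp, echo, grep, ifconfig, ls, mount,
    ping, ps, rm, sh, tar, umount, wget'

# busybox_applets TEXT: print one applet name per line, sorted.
busybox_applets() {
    printf '%s\n' "$1" \
        | sed -n '/^Currently defined functions:/,$p' \
        | sed '1d' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -v '^$' \
        | sort
}

# has_applet TEXT NAME: exit 0 if NAME is compiled in, 1 otherwise.
# -F keeps names such as "[" from being read as a regex.
has_applet() {
    busybox_applets "$1" | grep -qxF -- "$2"
}

# count_applets TEXT: number of compiled-in applets.
count_applets() {
    busybox_applets "$1" | wc -l | tr -d ' '
}

# missing_applets TEXT NAME...: print each NAME absent from the build.
missing_applets() {
    _text=$1; shift
    for _a in "$@"; do
        has_applet "$_text" "$_a" || printf '%s\n' "$_a"
    done
}

# Live use against an installed binary: busybox_applets "$(busybox 2>&1)"
```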
We also released our shiny new Omnibus installer, with support for Windows, Linux, and OSX, for your Open Source installation pleasure.
As always, feel free to check the diffs from the last blog checkpoint, over on GitHub.
Exploit modules
- Watchguard XCS Remote Command Execution by Daniel Jensen
- Watchguard XCS FixCorruptMail Local Privilege Escalation by Daniel Jensen
- Endian Firewall Proxy Password Change Command Injection by Ben Lincoln exploits CVE-2015-5082
- CMS Bolt File Upload Vulnerability by Roberto Soares Espreto and Tim Coen
- w3tw0rk / Pitbul IRC Bot Remote Code Execution by Jay Turla exploits OSVDB-120384
- Apple OS X Entitlements Rootpipe Privilege Escalation by joev and Emil Kvarnhammar exploits CVE-2015-3673
- MS15-100 Microsoft Windows Media Center MCL Vulnerability by sinn3r exploits CVE-2015-2509
- Konica Minolta FTP Utility 1.00 Post Auth CWD Command SEH Overflow by Muhamad Fadzil Ramli and Shankar Damodaran
- ManageEngine OpManager Remote Code Execution by xistence
- Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability) by Ben Campbell and Vozzie
- MS15-078 Microsoft Windows Font Driver Buffer Overflow by juan vazquez, Cedric Halbronn, Eugene Ching, and Mateusz Jurczyk exploits CVE-2015-2433
- Windows Registry Only Persistence by Donny Maasland
- ManageEngine EventLog Analyzer Remote Code Execution by xistence
Auxiliary and post modules
- UPnP IGD SOAP Port Mapping Utility by Jon Hart and St0rn
- WordPress All-in-One Migration Export by James Golovich and Rob Carr
- WordPress Mobile Pack Information Disclosure Vulnerability by Nitin Venkatesh and Roberto Soares Espreto
- WordPress NextGEN Gallery Directory Read Vulnerability by Roberto Soares Espreto and Sathish Kumar
- WordPress Subscribe Comments File Read Vulnerability by Roberto Soares Espreto and Tom Adams
- LLMNR Query by Jon Hart
- mDNS Query by Jon Hart
- Portmapper Amplification Scanner by xistence
- SMB Group Policy Preference Saved Passwords Enumeration by Joshua D. Abraham
- Android Meterpreter Browsable Launcher by sinn3r
- Android Mercury Browser Intent URI Scheme and Directory Traversal Vulnerability by joev, sinn3r, and rotlogix
- Android Screen Capture by timwr
- Android Root Remove Device Locks (root) by timwr
- BusyBox Enumerate Connections by Javier Vicente Vallejo
- BusyBox Enumerate Host Names by Javier Vicente Vallejo
- BusyBox Jailbreak by Javier Vicente Vallejo
- BusyBox Ping Network Enumeration by Javier Vicente Vallejo
- BusyBox DMZ Configuration by Javier Vicente Vallejo
- BusyBox DNS Configuration by Javier Vicente Vallejo
- BusyBox SMB Sharing by Javier Vicente Vallejo
- BusyBox Download and Execute by Javier Vicente Vallejo
- Windows Gather Active Directory Groups by Stuart Morgan
- Forward SSH Agent Requests To Remote Pageant by Ben Campbell and Stuart Morgan