New in the latest Metasploit release are stageless HTTP and HTTPS payloads for Python for those times when you would rather have the whole thing in one file instead of having to stage it. For more on the advantages and quirks of stageless payloads, check out @OJ's post on the subject from when support was first added for Windows.
Does anybody remember that bash(1) bug from a little over a year ago? The one with environment variables getting executed as functions or something? Man, those celebrity bugs, they go off to rehab and everybody forgets about them. Well, Advantech forgot at least, since their EKI Modbus gateways use a vulnerable version of bash to serve cgi scripts. In all seriousness, Shellshock will be with us for a very long time, cropping up in production systems and embedded devices like this for many years to come. Despite the frequent comparison with Heartbleed because of the hype at the time, I personally think it's a much more useful bug. Full shell access is better than memory read access any day of the week.
So next time you're doing a pentest and you see something embedded, why not try a little Shellshock?
Another fun module for this wrapup is for an old vulnerability, but part of a theme I always enjoy. For some background, chkrootkit(1) is a Linux security tool intended to discover whether a system is compromised via certain artifacts such as files commonly left around by worms. One of the checks it does is for a file named /tmp/update. Unfortunately, due to some missing quotes, vulnerable versions of chkrootkit won't just check for existence of that file, but will run it instead. As root. Now, I'd be remiss not to mention that this was patched by all the major distributions in mid-2014 and it's the kind of thing you don't usually find on embedded devices. So in contrast to bash, which is installed by default on just about every kind of device you can think of, you're not going to run into it all that often. It's still a fun bug.
Thanks to the work of community contributors Jon Cave and Meatballs, meterpreter file downloads and uploads have improved considerably. While there is still some room for improvement in this area, it's now possible to upload and download files in the tens of megabytes range in a reasonable amount of time across all the meterpreter implementations. Interestingly, Python meterpreter was the fastest in my testing, pulling down a 32MB file in 19 seconds, or roughly 13.47Mb/s.
- Advantech Switch Bash Environment Variable Code Injection (Shellshock) by hdm exploits CVE-2014-6271
- F5 iControl iCall::Script Root Command Execution by Jon Hart and tom exploits CVE-2015-3628
- Atlassian HipChat for Jira Plugin Velocity Template Injection by sinn3r and Chris Wood exploits CVE-2015-5603
- Chkrootkit Local Privilege Escalation by Julien "jvoisin" Voisin and Thomas Stangner exploits CVE-2014-0476
- Joomla Content History SQLi Remote Code Execution by Asaf Orpani and xistence exploits CVE-2015-7858
- BisonWare BisonFTP Server Buffer Overflow by Jay Turla, localh0t, and veerendragg exploits CVE-1999-1510
- Oracle BeeHive 2 voice-servlet processEvaluation() Vulnerability by sinn3r, 1c239c43f521145fa8385d64a9c32243, and mr_me exploits ZDI-11-020
- Oracle BeeHive 2 voice-servlet prepareAudioToPlay() Arbitrary File Upload by sinn3r and mr_me exploits ZDI-15-550
Auxiliary and post modules
- Veeder-Root Automatic Tank Gauge (ATG) Administrative Client by Jon Hart
- Limesurvey Unauthenticated File Download by Christian Mehlmauer and Pichaya Morimoto
- Jenkins Domain Credential Recovery by sinn3r and Th3R3p0
- Konica Minolta FTP Utility 1.00 Directory Traversal Information Disclosure by Brad Wolfe, James Fitts, Jay Turla, and shinnai exploits CVE-2015-7603
- HTTP Git Scanner by Jon Hart and Nixawk
- OpenVPN Gather Credentials by Roberto Soares Espreto and rvrsh3ll
- Write Messages to Users by Jon Hart
As always, all the changes since the last wrapup can be had with a simple
msfupdate and the full diff is available on github: 4.11.5-2015111801...4.11.5-2015120901