Meterpreter Unicode Improvements
Pentesting in places where English is not the primary language can sometimes be troublesome. With this week's update, it's a little bit easier. After Brent's work making Meterpreter's registry system support UTF-8, you can now do things like use the venerable post/windows/gather/hashdump to steal hashes and other attributes of local users whose username contains non-ASCII characters, e.g.:
msf > use post/windows/gather/hashdump
msf post(hashdump) > setg session -1
session => -1
msf post(hashdump) > run
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 168de610cd477d23e9f7713684342744...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

bcook:"normal"
mönkey:"blah"
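To make the encoding point concrete, here is an added Ruby illustration of what the registry fix boils down to. It is not Metasploit's code or Brent's change; it assumes Windows hands back registry string data as NUL-terminated UTF-16LE (which is how REG_SZ data is stored) and that the Meterpreter side delivers it to the console as UTF-8. The "mönkey" sample below is constructed to match the output above.

```ruby
# Added example, not Metasploit code. Assumption: registry string data arrives
# from the target as NUL-terminated UTF-16LE and must reach the console as UTF-8.

# Decode a UTF-16LE, NUL-terminated registry string as Windows stores it.
def decode_reg_sz(raw)
  str = raw.dup.force_encoding(Encoding::UTF_16LE).encode(Encoding::UTF_8)
  str.sub(/\0+\z/, '')
end

# The pre-fix failure mode: UTF-8 bytes from the target get tagged as a
# single-byte encoding and transcoded again, turning "ö" (C3 B6) into "Ã¶".
def mislabeled_as_latin1(utf8_bytes)
  utf8_bytes.dup.force_encoding(Encoding::ISO_8859_1).encode(Encoding::UTF_8)
end

# The fix: tag the bytes with the encoding they actually carry, and reject
# anything that is not valid UTF-8 instead of silently mangling it.
def label_utf8(bytes)
  str = bytes.dup.force_encoding(Encoding::UTF_8)
  raise ArgumentError, 'registry returned invalid UTF-8' unless str.valid_encoding?
  str
end

# Build the user:"hint" lines hashdump prints, from raw key names and hint values.
def password_hint_lines(users)
  users.map { |name, hint| "#{decode_reg_sz(name)}:#{decode_reg_sz(hint).inspect}" }
end

# Constructed sample: what the target returns for a user named "mönkey" (U+00F6 = F6 00).
SAMPLE_NAME_UTF16 = "m\x00\xF6\x00n\x00k\x00e\x00y\x00\x00\x00".b
SAMPLE_HINT_UTF16 = "b\x00l\x00a\x00h\x00\x00\x00".b

puts password_hint_lines([[SAMPLE_NAME_UTF16, SAMPLE_HINT_UTF16]])
```

The `label_utf8` check is the part worth keeping in your own tooling: a `force_encoding` without `valid_encoding?` just moves the corruption one step down the pipeline, where it shows up as a cracked hash you cannot map back to a real account name.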
In this week's episode of Authenticated Code Execution by Design, we have a couple of new SSH modules.
System administrators and attackers alike love to use services like SSH to get into and control systems. Sometimes, vendors use them for coordinating multiple systems performing the same task. Such is the case with ExaGrid backup storage devices. Each ExaGrid box uses SSH to talk to other ExaGrid devices on the network, presumably to keep an eye on disk usage and other metrics that such devices care about. To make things fun, this was accomplished by shipping the same passwordless private key on every device, so now Metasploit has that private key, too.
Going a little further back in time, to last December, Juniper shipped a backdoored sshd on their ScreenOS devices after a compromise allowed attackers to modify it, allowing access with any username and the remarkably clever password <<< %s(un='%s') = %u. I love it because it doesn't stand out in the output of strings(1). Well played, unknown blackhat backdoor creators, well played. Now you can easily scan for these backdoors with Metasploit.
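The ExaGrid case above is the classic "one private key on every unit" mistake, and the quickest way to catch it in your own fleet is to fingerprint the public halves you find in authorized_keys (or host keys) on each box and look for duplicates. The Ruby below is an added example, not Metasploit's module or ExaGrid's key; it generalizes the check to any key that shows up on more than one host. The inventory and the RSA parameters are constructed toy values (a fingerprint only hashes the key blob, so they need not be real keys), and fingerprints follow the OpenSSH "SHA256:" base64 convention that ssh-keygen -lf prints.

```ruby
# Added example, not Metasploit or vendor code. Assumptions: inventory and RSA
# values are constructed; fingerprints use the OpenSSH SHA256 base64 format.
require 'base64'
require 'digest'
require 'openssl'

# RFC 4251 wire encodings used inside an ssh-rsa public key blob.
def ssh_string(bytes)
  [bytes.bytesize].pack('N') + bytes.b
end

def ssh_mpint(n)
  raw = OpenSSL::BN.new(n).to_s(2)
  raw = "\x00".b + raw if raw.getbyte(0) >= 0x80 # keep the value positive
  ssh_string(raw)
end

# Assemble an authorized_keys line from RSA (e, n).
def rsa_pubkey_line(e, n, comment)
  blob = ssh_string('ssh-rsa') + ssh_mpint(e) + ssh_mpint(n)
  "ssh-rsa #{Base64.strict_encode64(blob)} #{comment}"
end

# Read one RFC 4251 string from a blob, returning [string, next_offset].
def read_ssh_string(blob, offset)
  len = blob.byteslice(offset, 4).unpack1('N')
  [blob.byteslice(offset + 4, len), offset + 4 + len]
end

# Fingerprint a public key line the way ssh-keygen -lf reports it, after
# checking that the declared type matches the type embedded in the blob.
def fingerprint(line)
  type, b64 = line.split(' ')
  blob = Base64.strict_decode64(b64)
  blob_type, _ = read_ssh_string(blob, 0)
  raise ArgumentError, "key type mismatch: #{type} vs #{blob_type}" unless type == blob_type
  'SHA256:' + Base64.strict_encode64(Digest::SHA256.digest(blob)).delete('=')
end

# Map fingerprint => hosts for every key that appears on more than one host.
def shared_keys(inventory)
  seen = Hash.new { |h, k| h[k] = [] }
  inventory.each do |host, lines|
    lines.each { |l| seen[fingerprint(l)] << host }
  end
  seen.select { |_, hosts| hosts.uniq.size > 1 }
end

# Constructed inventory: two "appliances" share a baked-in key, a third host does not.
VENDOR_KEY  = rsa_pubkey_line(65537, 0xC0FFEE_BAADF00D_DEADBEEF_CAFEBABE, 'vendor@build-host')
ADMIN_KEY   = rsa_pubkey_line(65537, 0xFEEDFACE_0BADF00D_1234ABCD_00C0FFEE, 'admin@corp')
BASTION_KEY = rsa_pubkey_line(65537, 0x0BADCAFE_DEADC0DE_FACEFEED_12345678, 'ops@bastion')
INVENTORY = {
  'appliance-01' => [VENDOR_KEY],
  'appliance-02' => [VENDOR_KEY, ADMIN_KEY],
  'bastion'      => [BASTION_KEY],
}

shared_keys(INVENTORY).each { |fp, hosts| puts "#{fp} shared by #{hosts.join(', ')}" }
```

Run this over keys pulled from each appliance and anything reported by `shared_keys` deserves the same treatment as the ExaGrid key: assume it is public, revoke it, and rotate per device.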
Consistent options display
When you type options in msfconsole, you get a nice table of the things your current module needs to know to do its job. Formerly, advanced and evasion options used a different layout that made it a lot harder to read, especially since there are usually a lot more of them than normal options. It has bothered me for a while and finally pissed me off enough to do something about it -- now all the option types give you the same kind of output.
Exploit modules (6 new)
- ATutor 2.2.1 Directory Traversal / Remote Code Execution by mr_me
- ExaGrid Known SSH Key and Default Password by egyp7 exploits CVE-2016-1561
- Apache Jetspeed Arbitrary File Upload by wvu and Andreas Lindh exploits CVE-2016-0709
- PostgreSQL CREATE LANGUAGE Execution by Micheal Cottingham, Nixawk, and midnitesnake
- PCMAN FTP Server Buffer Overflow - PUT Command by Chris Higgins and Jay Turla exploits OSVDB-94624
- Easy File Sharing HTTP Server 7.2 SEH Overflow by Starwarsfan2099
Auxiliary and post modules (7 new)
- Snare Lite for Windows Registry Access by Brendan Coles
- Redis Login Utility by Nixawk
- Juniper SSH Backdoor Scanner by hdm and h00die exploits CVE-2015-7755
- AD Computer, Group and Recursive User Membership to Local SQLite DB by Stuart Morgan
- Windows Gather HeidiSQL Saved Password Extraction by h0ng10
- Generate CSV Organizational Chart Data Using Manager Information by Stuart Morgan
- Windows Post Manage WDigest Credential Caching by Kostas Lintovois
As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.11.19...4.11.20