Steal all the passwords
I talk a lot about Authenticated Code Execution, but of course that's not the only thing that authenticated access can get you. This week's update comes with a couple of modules for using known credentials to extract more credentials. The first is for Symantec Brightmail, an email filtering gateway that comes with a management interface for administrators. Any account with read access is allowed to look at the encrypted LDAP credentials stored in Brightmail. Fortunately for us, the encryption is reversible and the system also kindly uses a known key. The second module is for Canon multi-function printers, because of course your printer needs to store a bunch of plaintext passwords; I mean, why wouldn't it? This one also requires authentication, but it's a printer, so of course there's a default that no one ever changes.
Payload options in
To see the stuff running in the background,
msfconsole has a
jobs command. There are some pertinent pieces of info you usually want to see in that display, but a console interface makes it kinda tough to view it all because of the limited column width. A recent feature, the ability to control the URI a reverse_http payload calls back to with the
LURI option, puts extra pressure on that limited space. To make that a little easier, payload options are now all condensed into a single column, so instead of seperate LPORT, LHOST, and LURI columns, you just have "Payload opts":
msf exploit(ie_cbutton_uaf) > jobs Jobs ==== Id Name Payload Payload opts -- ---- ------- ------------ 0 Exploit: windows/browser/adobe_flash_pcre windows/meterpreter/reverse_http http://10.6.0.65:8080/index.php 1 Exploit: windows/browser/ie_cbutton_uaf windows/meterpreter/reverse_tcp tcp://10.6.0.65:8181 msf exploit(ie_cbutton_uaf) > jobs -v Jobs ==== Id Name Payload Payload opts URIPATH Start Time Handler opts -- ---- ------- ------------ ------- ---------- ------------ 0 Exploit: windows/browser/adobe_flash_pcre windows/meterpreter/reverse_http http://10.6.0.65:8080/index.php /flash 2016-06-16 13:50:31 -0500 http://0.0.0.0:8080/index.php 1 Exploit: windows/browser/ie_cbutton_uaf windows/meterpreter/reverse_tcp tcp://10.6.0.65:8181 /cbutton 2016-06-16 13:51:00 -0500 ``` ## <span>Gifts that keep on giving</span> Shellshock is one of my favorite bugs of all time. It's simple to exploit, results in RCE, and is in a thing that everyone takes for granted. The latest incarnaiton of it is in IPFire, an open source Linux firewall, but I'm sure we'll see it again. ## New Modules _Exploit modules_ _(6 new)_ * [IPFire Bash Environment Variable Injection (Shellshock)](https://www.rapid7.com/db/modules/exploit/linux/http/ipfire_bashbug_exec) by Claudio Viviani, and h00die exploits CVE-2014-6271 * [IPFire proxy.cgi RCE](https://www.rapid7.com/db/modules/exploit/linux/http/ipfire_proxy_exec) by Yann CAM, and h00die * [Magento 2.0.6 Unserialize Remote Code Execution](https://www.rapid7.com/db/modules/exploit/multi/http/magento_unserialize) by Netanel Rubin, agix, and mr_me exploits CVE-2016-4010 * [Apache Struts REST Plugin With Dynamic Method Invocation Remote Code Execution](https://www.rapid7.com/db/modules/exploit/multi/http/struts_dmi_rest_exec) by Nixawk exploits CVE-2016-3087 * [HP Data Protector Encrypted Communication Remote Command Execution](https://www.rapid7.com/db/modules/exploit/windows/misc/hp_dataprotector_encrypted_comms) by Ian Lovering, and Jon Barg exploits CVE-2016-2004 * [Poison Ivy 2.1.x C2 Buffer Overflow](https://www.rapid7.com/db/modules/exploit/windows/misc/poisonivy_21x_bof) by Jos Wetzels _Auxiliary and post modules_ _(4 new)_ * [PhoenixContact PLC Remote START/STOP Command](https://www.rapid7.com/db/modules/auxiliary/admin/scada/phoenix_command) by Tijl Deneut exploits CVE-2014-9195 * [Symantec Messaging Gateway 10 Exposure of Stored AD Password Vulnerability](https://www.rapid7.com/db/modules/auxiliary/scanner/http/symantec_brightmail_ldapcreds) by Fakhir Karim Reda exploits CVE-2016-2203 * [Jenkins Server Broadcast Enumeration](https://www.rapid7.com/db/modules/auxiliary/scanner/jenkins/jenkins_udp_broadcast_enum) by Adam Compton, and Matt Schmidt * [Canon IR-Adv Password Extractor](https://www.rapid7.com/db/modules/auxiliary/scanner/printer/canon_iradv_pwd_extract) by Deral "Percentx" Heiland, Dev Mohanty, Pete "Bokojan" Arzamendi, and William Vu ## Get it As always, you can update to the latest Metasploit Framework with a simple `msfupdate` and the full diff since the last blog post is available on GitHub: [4.12.5...4.12.7](https://github.com/rapid7/metasploit-framework/compare/4.12.5...4.12.7) To install fresh, check out the open-source-only [Nightly Installers](https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers), or the [binary installers](https://www.rapid7.com/products/metasploit/download.jsp) which also include the commercial editions.