Steal all the passwords

I talk a lot about Authenticated Code Execution, but of course that's not the only thing that authenticated access can get you. This week's update comes with a couple of modules for using known credentials to extract more credentials. The first is for Symantec Brightmail, an email filtering gateway that comes with a management interface for administrators. Any account with read access is allowed to look at the encrypted LDAP credentials stored in Brightmail. Fortunately for us, the encryption is reversible and the system also kindly uses a known key. The second module is for Canon multi-function printers, because of course your printer needs to store a bunch of plaintext passwords; I mean, why wouldn't it? This one also requires authentication, but it's a printer, so of course there's a default that no one ever changes.

Payload options in jobs output

To see the stuff running in the background, msfconsole has a jobs command. There are some pertinent pieces of info you usually want to see in that display, but a console interface makes it kinda tough to view it all because of the limited column width. A recent feature, the ability to control the URI a reverse_http payload calls back to with the LURI option, puts extra pressure on that limited space. To make that a little easier, payload options are now all condensed into a single column, so instead of seperate LPORT, LHOST, and LURI columns, you just have "Payload opts":

msf exploit(ie_cbutton_uaf) > jobs

Jobs
====

  Id  Name                                       Payload                           Payload opts
  --  ----                                       -------                           ------------
  0   Exploit: windows/browser/adobe_flash_pcre  windows/meterpreter/reverse_http  http://10.6.0.65:8080/index.php
  1   Exploit: windows/browser/ie_cbutton_uaf    windows/meterpreter/reverse_tcp   tcp://10.6.0.65:8181


msf exploit(ie_cbutton_uaf) > jobs -v

Jobs
====

  Id  Name                                       Payload                           Payload opts                     URIPATH   Start Time                 Handler opts
  --  ----                                       -------                           ------------                     -------   ----------                 ------------
  0   Exploit: windows/browser/adobe_flash_pcre  windows/meterpreter/reverse_http  http://10.6.0.65:8080/index.php  /flash    2016-06-16 13:50:31 -0500  http://0.0.0.0:8080/index.php
  1   Exploit: windows/browser/ie_cbutton_uaf    windows/meterpreter/reverse_tcp   tcp://10.6.0.65:8181             /cbutton  2016-06-16 13:51:00 -0500  
```  

## <span>Gifts that keep on giving</span>

Shellshock is one of my favorite bugs of all time. It's simple to exploit, results in RCE, and is in a thing that everyone takes for granted. The latest incarnaiton of it is in IPFire, an open source Linux firewall, but I'm sure we'll see it again.

## New Modules

_Exploit modules_ _(6 new)_

*   [IPFire Bash Environment Variable Injection (Shellshock)](https://www.rapid7.com/db/modules/exploit/linux/http/ipfire_bashbug_exec) by Claudio Viviani, and h00die exploits CVE-2014-6271
*   [IPFire proxy.cgi RCE](https://www.rapid7.com/db/modules/exploit/linux/http/ipfire_proxy_exec) by Yann CAM, and h00die
*   [Magento 2.0.6 Unserialize Remote Code Execution](https://www.rapid7.com/db/modules/exploit/multi/http/magento_unserialize) by Netanel Rubin, agix, and mr_me exploits CVE-2016-4010
*   [Apache Struts REST Plugin With Dynamic Method Invocation Remote Code Execution](https://www.rapid7.com/db/modules/exploit/multi/http/struts_dmi_rest_exec) by Nixawk exploits CVE-2016-3087
*   [HP Data Protector Encrypted Communication Remote Command Execution](https://www.rapid7.com/db/modules/exploit/windows/misc/hp_dataprotector_encrypted_comms) by Ian Lovering, and Jon Barg exploits CVE-2016-2004
*   [Poison Ivy 2.1.x C2 Buffer Overflow](https://www.rapid7.com/db/modules/exploit/windows/misc/poisonivy_21x_bof) by Jos Wetzels

_Auxiliary and post modules_ _(4 new)_

*   [PhoenixContact PLC Remote START/STOP Command](https://www.rapid7.com/db/modules/auxiliary/admin/scada/phoenix_command) by Tijl Deneut exploits CVE-2014-9195
*   [Symantec Messaging Gateway 10 Exposure of Stored AD Password Vulnerability](https://www.rapid7.com/db/modules/auxiliary/scanner/http/symantec_brightmail_ldapcreds) by Fakhir Karim Reda exploits CVE-2016-2203
*   [Jenkins Server Broadcast Enumeration](https://www.rapid7.com/db/modules/auxiliary/scanner/jenkins/jenkins_udp_broadcast_enum) by Adam Compton, and Matt Schmidt
*   [Canon IR-Adv Password Extractor](https://www.rapid7.com/db/modules/auxiliary/scanner/printer/canon_iradv_pwd_extract) by Deral "Percentx" Heiland, Dev Mohanty, Pete "Bokojan" Arzamendi, and William Vu

## Get it

As always, you can update to the latest Metasploit Framework with a simple `msfupdate` and the full diff since the last blog post is available on GitHub: [4.12.5...4.12.7](https://github.com/rapid7/metasploit-framework/compare/4.12.5...4.12.7)

To install fresh, check out the open-source-only [Nightly Installers](https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers), or the [binary installers](https://www.rapid7.com/products/metasploit/download.jsp) which also include the commercial editions.