What time is it?

If you want to run some scheduled task, either with schtasks or cron, you have to decide when to run it. In both cases the schedule is interpreted according to the victim system's clock and time zone, not yours, so when you make that decision it helps a lot to know what the victim thinks the current time is.

As of #7435, Meterpreter has a localtime command that gives you that information and then it's peanut butter jelly time.

Unicode

Windows uses UTF-16LE to store hostnames (and pretty much everything else). For ASCII characters, you can convert to that format simply by inserting a NULL byte after each ASCII byte. When you run into a hostname that uses characters with no direct ASCII equivalent, the conversion is a lot more complex. As of this week, that complexity is handled correctly for hostnames in Metasploit. This affects several things that use the SMB protocol, including smb_version, and the places where hostnames are displayed in msfconsole.
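The difference between the NULL-byte shortcut and a real conversion, as an added example (this is not Metasploit's code; the hostnames are constructed):

```ruby
# Added example, not from Metasploit. Compares the "stuff a NULL after every
# byte" shortcut with a proper UTF-16LE conversion. All hostnames below are
# constructed for the demo.

# The shortcut: correct only while every character is a single ASCII byte.
# For anything else it spreads the UTF-8 bytes of one character across
# several UTF-16 code units.
def naive_utf16le(str)
  str.bytes.flat_map { |b| [b, 0x00] }.pack('C*')
end

# The real thing: the encoder handles non-ASCII characters and emits
# surrogate pairs for characters outside the BMP (e.g. emoji).
def proper_utf16le(str)
  str.encode('UTF-16LE').b
end

# The reverse direction, e.g. for a name pulled out of an SMB reply.
def utf16le_to_utf8(bytes)
  bytes.dup.force_encoding('UTF-16LE').encode('UTF-8')
end

def hex(bytes)
  bytes.bytes.map { |b| format('%02x', b) }.join(' ')
end

if __FILE__ == $PROGRAM_NAME
  ['WORKSTATION', 'MÜNCHEN-PC', 'サーバー01', "HOST\u{1F600}"].each do |name|
    naive = naive_utf16le(name)
    good  = proper_utf16le(name)
    puts "#{name}"
    puts "  naive:  #{hex(naive)}"
    puts "  proper: #{hex(good)}"
    # Show what a Windows host would actually make of the shortcut's bytes.
    puts "  naive bytes decode back as #{utf16le_to_utf8(naive).inspect}" unless naive == good
  end
end
```

For the ASCII name both functions agree. For MÜNCHEN-PC the shortcut turns the two UTF-8 bytes of Ü into the two code units U+00C3 U+009C, so the remote side sees a different (and invalid-looking) name, which is exactly the class of bug the fix above addresses; the emoji case additionally needs a surrogate pair, which only the real encoder produces.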

Benign Certain

Along with Extra Bacon, the fun SNMP RCE bug for Cisco devices we mentioned here a couple of months ago, the same dump included an information disclosure vulnerability in Cisco devices as well. The result is similar to what you get with Heartbleed: chunks of memory contents that can sometimes contain credentials.

APK Injection

Android Application Packages (APK files) are very similar to JAR files: basically a zip archive with a particular directory structure. Android requires that APKs be cryptographically signed before the system will allow you to install them. Earlier this year, we added the ability to use an existing APK as a template for your payload, but of course that makes the signature invalid. To fix it up, we re-sign with a new certificate.

As of this week, that certificate copies the metadata from the original template's signing certificate, which makes the installed app a bit less conspicuous.
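The re-signing idea in the paragraph above, as an added example (this is not the apk injection code in Metasploit): take the signer certificate from the template, generate a fresh key, and give its self-signed certificate the same subject, serial and validity window. The template certificate here is generated on the fly as a stand-in for the one you would pull out of META-INF/*.RSA.

```ruby
require 'openssl'

# Added example, not Metasploit's apk injection code. Demonstrates cloning
# the visible metadata of a signing certificate onto a fresh key pair.

# Constructed stand-in for the certificate extracted from the template APK's
# META-INF/*.RSA (PKCS#7) file. Real Android dev certs have multi-decade validity.
def build_template_cert
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 0x5c1e4f32
  cert.subject    = OpenSSL::X509::Name.parse('/C=US/O=Example Apps/OU=Mobile/CN=Example Apps Release Key')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.utc(2014, 5, 12)
  cert.not_after  = Time.utc(2041, 9, 28)
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Returns [new_cert, new_key]: a self-signed certificate whose subject,
# issuer, serial, validity and signature algorithm match the template,
# but which is signed by (and carries) a key we control.
def clone_signer_metadata(template, bits: 2048)
  key  = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = template.version
  cert.serial     = template.serial
  cert.subject    = template.subject
  cert.issuer     = template.issuer
  cert.not_before = template.not_before
  cert.not_after  = template.not_after
  cert.public_key = key.public_key
  # Reuse the template's hash so the "Signature Algorithm" line matches too.
  digest_name = template.signature_algorithm[/sha\d+/i] || 'SHA256'
  cert.sign(key, OpenSSL::Digest.new(digest_name))
  [cert, key]
end

# The fields an observer can compare (e.g. `apksigner verify --print-certs`).
# Everything but the fingerprint can be made to match.
def signer_summary(cert)
  {
    subject:     cert.subject.to_s,
    serial:      cert.serial.to_i,
    not_before:  cert.not_before,
    not_after:   cert.not_after,
    fingerprint: OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
  }
end

if __FILE__ == $PROGRAM_NAME
  template = build_template_cert
  cloned, _key = clone_signer_metadata(template)
  puts "template: #{signer_summary(template)}"
  puts "cloned:   #{signer_summary(cloned)}"
end
```

The caveat to keep in mind: the certificate fingerprint (and therefore the signer hash Android associates with the installed package) necessarily changes, so the re-signed APK cannot be installed as an update over the original, and any app or server that pins its signer hash will still notice. What the metadata cloning buys you is that a human looking at the certificate details sees the same names and dates as the original.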

Local File Inclusion

In the world of PHP, Local File Includes or LFIs are a common vulnerability due to the nature of the language and how its include and require directives work. That class of vulnerability is a lot less common in other languages, so it was a bit surprising when the details of CVE-2016-0752 came out. What was believed to be merely a local file read vulnerability in Ruby on Rails when the bug was first made public back in February can actually be turned into a local file include vulnerability. This works because the file that Rails is reading is actually used as a template that can contain Ruby code. (Note that's ERB, not ERB.)
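Why the read becomes an include, as an added example (not Rails or Metasploit code): the file handed to render is evaluated as an ERB template, so anything an attacker managed to write into a readable file, such as a web server log line containing ERB tags, runs as Ruby. The poisoned log below is constructed, and the hardened lookup at the end is an illustration of the allowlist approach, not the Rails fix itself.

```ruby
require 'erb'
require 'tmpdir'

# Added example, not from Rails. Shows how a "file read" turns into code
# execution when the read file is treated as an ERB template.

# Constructed stand-in for a log file the attacker poisoned earlier by
# requesting a URL whose path contains ERB tags (servers log the raw path).
POISONED_LOG = <<~LOG
  10.0.0.5 - - [23/Sep/2016:10:01:02 +0000] "GET /login HTTP/1.1" 200
  10.0.0.9 - - [23/Sep/2016:10:01:07 +0000] "GET /<%= 6 * 7 %> HTTP/1.1" 404
LOG

# What the vulnerable pattern `render params[:template]` boils down to once
# the file has been located: the bytes are parsed as ERB, not copied as text,
# so the tag inside the log line is evaluated.
def render_as_template(path)
  ERB.new(File.read(path)).result(binding)
end

# Hardened form: the caller may only pick from a fixed set of template
# names, and the resolved path must stay under the views directory.
def lookup_template(views_dir, name, allowed)
  raise ArgumentError, "unknown template #{name.inspect}" unless allowed.include?(name)
  base = File.expand_path(views_dir)
  path = File.expand_path("#{name}.html.erb", base)
  raise ArgumentError, 'template outside views dir' unless path.start_with?(base + File::SEPARATOR)
  path
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    log = File.join(dir, 'access.log')
    File.write(log, POISONED_LOG)
    puts render_as_template(log)   # the 404 line now reads "GET /42 HTTP/1.1"
    puts lookup_template(dir, 'index', %w[index about])
    begin
      lookup_template(dir, '../../../../var/log/nginx/access.log', %w[index about])
    rescue ArgumentError => e
      puts "rejected: #{e.message}"
    end
  end
end
```

The takeaway for triage: any place user input chooses a file that ends up in a template engine is an include, not a read, even if the initial report only mentions disclosure.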

New Modules

This wrapup covers a few weeks, so the new module count is quite a bit higher than usual.

Exploit modules (9 new)

Auxiliary and post modules (6 new)

Get it

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.30...4.12.38

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.