hdm recently provided a new exploit module for a type confusion vulnerability that exists in Ghostscript versions 9.21 and earlier, allowing remote code execution on the target. And to "kick it up a notch", this exploit got itself a snazzy logo which also contains the exploit:
(spoiler alert: it's called GhostButt)
Forever and a day
From mr_me comes a one-two punch in the form of two exploits which target an EOL'd Trend Micro appliance. Certain versions of the Threat Discovery Appliance contain both authentication bypass and command injection vulnerabilities, which can be used to gain access to the appliance and run whatevs, respectively. And because this product is no longer supported by Trend Micro, these vulns are expected to be "forever day".
HTA RCE FTW
If you're looking for remote code execution via an MS Office document vuln, nixawk's exploit module might fit the bill nicely. This new addition allows Framework users to easily craft a doc file containing an OLE object which references an HTML Application (HTA). When the target opens this document, the HTA is accessed over the network (Framework acting as the server, of course), and remote code execution is back on the menu.
Mercurial SCM users with ssh access can now move about more freely thanks to a new exploit module from claudijd. By targeting weak repo validation in HG server's customizable hg-ssh script, users can use this module to break out of their restricted shell and execute arbitrary code. Give it a go and enjoy your new-found freedom...!
But wait, there's more!
Rounding out our tech updates, bcook-r7 has given us a polite push forward and "flipped the switch" so that the POSIX Meterpreter used by Framework is now providing Mettle as its payload. Not only does Mettle weigh-in at ~1/2 the size of the old POSIX Meterpreter, it also provides more functionality. Additionally, it's being actively worked on these days, unlike the old POSIX Meterpreter. Yes, plz!
The Summer of Code is upon us!
We are excited to welcome Tabish Imran, B.N. Chandrapal, and Taichi Kotake to the Metasploit community as 2017 Google Summer of Code students. We thank everyone who took the time to participate; it was a fierce competition, with over 30 applicants. Look forward to seeing the great projects these students create this summer!
Exploit modules (6 new)
- WePresent WiPG-1000 Command Injection by Matthias Brun
- Mercurial Custom hg-ssh Wrapper Remote Code Exec by claudijd
- Trend Micro Threat Discovery Appliance admin_sys_time.cgi Remote Command Execution by Roberto Suggi Liverani and mr_me exploits CVE-2016-7547
- Ghostscript Type Confusion Arbitrary Command Execution by hdm and Atlassian Security Team exploits CVE-2017-8291
- Microsoft Office Word Malicious Hta Execution by sinn3r, DidierStevens, Haifei Li, Nixawk, ryHanson, vysec, and wdormann exploits CVE-2017-0199
- Disk Sorter Enterprise GET Buffer Overflow by Daniel Teixeira
Auxiliary and post modules (1 new)
- Upload and Execute by egyp7
As always, you can update to the latest Metasploit Framework with
msfupdate and you can get more details on the changes since the last blog post from GitHub: