With Hacker Summer Camp 2017 wrapped up and folks now recovering from it, why not grab a drink and read up on what's new with Metasploit?
Where there's smoke...
At least a few versions of open source firewall IPFire contain a post-auth RCE vulnerability, and we (well, you!) now have a module to help exploit that. Due to how an incoming Snort Oinkcode is processed via HTTP POST request, the IPFire software leaves itself open for shoving a payload in as the Oinkcode and having it executed. Like throwing water on an IPFire...
Synapse, a computer peripheral configuration application from popular peripheral device vendor Razer, contains an access control vulnerability in their rzpnk.sys driver. Exploiting this vuln allows privilege escalation, including reading and writing of other process' memory and remote code execution. And there's a new module for this. As of this writing, this vulnerability has not yet been patched (and considering Synapse will auto-install on peripheral connect—at least under Windows 10—there may be many susceptible targets out there!).
And we've landed a few new aux modules for your scanning pleasure: RDP and NNTP. While RDP is likely familiar to many readers, NNTP (Network News Transfer Protocol) might be less so. But you never know what a target might be running...
We've had some improvements to a couple of our Meterpreters to share.
- screen capture of HiDPI screen is now supported (and captures the full screen)
- new threads are now automatically setup to not throw a dialog box or crash notification on failure
- native-code Meterpreter now available
- microphone audio streaming is supported
Feed me, RSS!
Had a desire to follow what your sessions are up to via an RSS feed? If so, rejoice! There's now a new framework plugin for doing exactly that thanks to @mubix.
Rise of the robots.txt
In an effort to make framework's HttpServer a bit less leaky, @dbfarrow added the ability to serve up a canned 'plz no crawl/index my pagez' robot.txt response for clients who request it. And, for those clients who do request it and honor it, that canned response should be enough to shoo them off from accessing files HttpServer is hosting...
Exploit modules (5 new)
- IPFire proxy.cgi RCE by 0x09AL and h00die
- Metasploit RPC Console Command Execution by Brendan Coles
- VICIdial user_authorization Unauthenticated Command Execution by Brendan Coles
- Easy Chat Server User Registeration Buffer Overflow (SEH) by Aitezaz Mohsin and Marco Rivoli
- Razer Synapse rzpnk.sys ZwOpenProcess by Spencer McIntyre exploits CVE-2017-9769
Auxiliary and post modules (2 new)
- NNTP Login Utility by Brendan Coles exploits CVE-1999-0502
- Identify endpoints speaking the Remote Desktop Protocol (RDP) by Jon Hart
As always, you can update to the latest Metasploit Framework with
msfupdate and you can get more details on the changes since the last blog post from GitHub: