Slowloris: SMB edition

Taking a page from the Slowloris HTTP DoS attack, the aptly named SMBLoris DoS attack exploits a vuln contained in many Windows releases (back to Windows 2000) and also affects Samba (a popular open source SMB implementation). Through creation of many connections to a target's SMB port, an attacker can exhaust all available memory on the target by sending a specific NBSS length header value over those connections, rendering the system unusable or crashed (if desired). And systems with SMB disabled are vulnerable to this attack too. Word is that Microsoft currently has no plans to issue a fix. Following the SMBLoris reveal at DEF CON (hat tip to the researchers at RiskSense!), Metasploit Framework now contains an exploit module for fulfilling your SMBLoris needs.

The Adventure of LNK

Think Windows shortcut files are a convenient way to reference a file from multiple places? How about as an attack vector to get remote code execution on a target? Affecting a wide range of Windows releases, a recently-landed exploit module might be just what you're looking for to give this vector a go. Microsoft did release a patch this past June, but we're gonna guess a lot of systems still haven't picked that up yet.

Would you like RCE with your PDF (reader)?

If so, Nitro's PDF reader might be your hookup. Many versions of both Pro and regular flavors of the reader are vulnerable, providing JavaScript APIs which allow writing a payload to disk and then executing it. Check out the new exploit module and enjoy some of that tasty RCE.

Jenkins, tell me your secrets...

If you periodically happen upon a target running Jenkins, we've got a new post module you might find useful. jenkins_gather will locate where Jenkins is installed on a system and then proceed to look for creds, tokens, SSH keys, etc., decrypting what it finds and conveniently adding it to your loot. It's been tested on a number of versions and platforms and is ready for you to give it a try.

And more!

We've also:

  • enabled ed25519 support with net-ssh
  • added better error handing for the Eternal Blue exploit module when it encounters a system that has SMB1 disabled (thx, @multiplex3r!)

New Modules

Exploit modules (2 new)

Auxiliary and post modules (2 new)

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.