It's been a hot minute since the last Metasploit Wrapup. So why not take in our snazzy new Rapid7 blog makeover and catch up on what's been goin' down!
You can't spell 'Struts' without 'trust'
Or perhaps you can! With the all the current news coverage around an Apache Struts vulnerability from earlier this year (thanks to its involvement in a consumer credit reporting agency data breach), there's a new Struts vuln getting attention. Due to how untrusted, user-provided data is handled during deserialization, it's possible to achieve remote code execution on vulnerable versions of Struts (which reportedly go back to 2008!). Struts devs were quick to release a patch to address the new vuln, while Metasploit dev @wvu was quick to create an exploit module for Framework. For additional details and musings, check out this blog post from R7's Tod Beardsley, Director of Research.
Better living through Meterpreter
There've been a number of substantial improvements to Meterpreter going on, some of which have been released since the last wrapup post.
Transport-agnostic encryption (wat?)
Colloquially referred to as CryptTLV (because, well, it encrypts the TLV message payloads between Framework and Meterpreter), this new mechanism has a couple of immediate benefits for MSF users:
- Doesn't require OpenSSL (reducing Meterpreter payload size by roughly 80%!)
- Operates at the packet payload level, allowing it work across various transports types (TCP, UDP, so on...)
There's some more work coming along in this vein. Stay tuned.
Playing a 'pivotal' role
It's what you do once you have your foothold on a multi-homed system connected to a private network: you pivot. Which leads to further discovery, moving around, and sometimes more pivoting. We've recently upgraded this key Meterpreter feature with the following:
- Works over named pipes
- More performant than the existing tunnelling mechanism (and latency doesn't compound as you make additional pivots!)
- Traffic is encrypted with CryptTLV
Definitely worth taking for a spin, so let us know what you think!
And SO MANY NEW MODULES!
Seriously, there's a bunch of neat stuff that's been added. Check out the New Modules list below, where you'll find stuff to help you with all the following:
- credential gathering
- container detection
- privilege escalation
- remote code execution
- denial of service
- C2 server software exploitation
Exploit modules (9 new)
- Docker Daemon - Unprotected TCP Socket Exploit by Martin Pizala
- QNAP Transcode Server Command Execution by 0x00string, Brendan Coles, and Zenofex
- VMware VDP Known SSH Key by phroxvs exploits CVE-2016-7456
- Malicious Git HTTP Server For CVE-2017-1000117 by NOBODY exploits CVE-2017-1000117
- IBM OpenAdmin Tool SOAP welcomeServer PHP Code Execution by Brendan Coles and SecuriTeam exploits CVE-2017-1092
- Apache Struts 2 REST Plugin XStream RCE by wvu and Man Yue Mo exploits CVE-2017-9805
- Windows Escalate UAC Protection Bypass (Via COM Handler Hijack) by Matt Nelson, OJ Reeves, and b33f
- Gh0st Client buffer Overflow by Professor Plum
- PlugX Controller Stack Overflow by Professor Plum
Auxiliary and post modules (6 new)
- BIND TKEY Query Denial of Service by Alejandro Parodi, Ezequiel Tavella, Infobyte Research Team, and Martin Rocha exploits CVE-2016-2776
- Asterisk Gather Credentials by Brendan Coles
- TeamTalk Gather Credentials by Brendan Coles
- Identify Cisco Smart Install endpoints by Jon Hart
- Linux Gather Container Detection by James Otten
- Multi Gather Maven Credentials Collection by elenoir
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from