Even with the year winding down to a close, activity around Metasploit has been decidedly “hustle and bustle”. Some cool new things to talk about this week, so sit back and dig in!
For Your iOS Only
If you’ve been wanting to run Meterpreter under iOS, then this bit is for you! While Mettle has technically worked on iOS since February, @timwr has added official Metasploit Framework support for stageless payloads targeting 32-bit and 64-bit ARM-based iOS devices. While the out-of-box configuration currently only works with jailbroken devices as a stageless payload, with a little effort, you can also link the library portion of Mettle into a new iOS app, allowing it to run on a non-jailbroken device as well. Look for more interesting delivery mechanisms for this payload in the future.
And speaking of Mettle...
Extensions: Not Just For Hair and Deadlines
Now that the associated PRs have landed, we’re excited for folks to try out the new Mettle extension loader functionality! Certainly there are some similarities to how extensions in the C Meterpreter operate, such as being built separate of the Meterpreter, itself, and using the Meterpreter
load command to download and execute an extension. That said, there are a few notable differences with Mettle extensions:
- They can exist as a binary image which is deployed inside of a hollowed process
- They can be written in any language that is supported by the target
If you’d like more details (and see an example using our new sniffer extension, as well as how to create a simple “hello, world” extension), check out our recent video!
Now Available: Airbag Authentication
For the past few months, Craig Smith, Rapid7’s director of transportation security research, has been working with researchers Jürgen Dürrwang and Johannes Braun from the Karlsruhe University of Applied Sciences on a methodology for performing testing in automotive networks for security-relevant attack vectors. That’s a lot of words, but the TL;DR is this: Dürrwang and Braun found that a security component on the airbag deployment system from several auto vendors wasn’t implemented securely, and they disclosed this to the affected vendors. Craig wrote a testing module that leverages this research and Metasploit’s hardware bridge to authenticate airbags for deployment during a standard salvage routine. Local access to a CAN bus is required, but if transport security testing strikes your fancy and you don’t know where to start, Craig and Andrew Bindner have a cool series of write-ups here on building your own car hacking workbench.
But Wait, There’s More!
So much more. We’ve picked up two new exploit modules—modules that can score you remote code execution via vulnerable versions of Jenkins and Tuleap. And we have a smattering of new auxiliary modules rounding things out, including a DoS module, a login scanner module, and a Same-Origin Policy (SOP) bypass cred gathering module. Details on all those are below, and as always a BIG THANKS to our contributors!
Exploit modules (2 new)
- Jenkins XStream Groovy classpath Deserialization Vulnerability by Arshan Dabirsiaghi and Matt Byrne, which exploits CVE-2016-0792
- Tuleap 9.6 Second-Order PHP Object Injection by EgiX, which exploits CVE-2017-7411
Auxiliary and post modules (4 new)
- ws - Denial of Service by Nick Starke, Sonatype Security Research and Ryan Knell, Sonatype Security Research
- Samsung Internet Browser SOP Bypass by Dhiraj Mishra, Jeffrey Martin, and Tod Beardsley, which exploits CVE-2017-17692
- DirectAdmin Web Control Panel Login Utility by Nick Marcoccio "1oopho1e"
- Check For and Prep the Pyrotechnic Devices (Airbags, Battery Clamps, etc.) by Craig Smith, Johannes Braun, and Juergen Duerrwang, which exploits CVE-2017-14937
As always, you can update to the latest Metasploit Framework by simply updating to the latest version provided by BlackArch Linux, Kali Linux, Metasploit Pro, or by using the handy msfupdate command available in the Nightly Installers.
You can get more details on the changes since the last wrapup here at:
To install fresh, you can use the:
Want a fresh wrapup in your RSS feed every week? You're in luck.