2018: a new year, new vulns, and endless opportunities to exploit them. The Metasploit community is kicking off the year with a variety of new content, functionality, research, and coordinated vulnerability disclosure.
New Year, New Vulns
After a couple months of coordinated disclosure work, long-time Metasploit contributor Karn Ganeshen offered up a handful of modules and a couple mixins for testing wireless routers from Cambium Networks. These devices are primarily for fixed wireless internet access, often in remote, outdoor locations. The folks at Cambium were a delight to work with for these issues, taking these reports in stride and producing firmware updates in short order—no small task considering they were also dealing with the industry-wide KRACK vulnerability concurrently. You can read the full details on all eleven identified issues in our R7-2017-25 disclosure post, and if you're responsible for maintaining a Cambium-based backhaul infrastructure, you're going to want to snag the latest release of Metasploit to test your patching efficacy.
@mmetince recently discovered and helped remediate a chain of vulnerabilities in Xpico leading to unauthenticated RCE. It begins with a hidden user registration page, segues into weak activation code generation, and lands with command injection via a pcap upload. CVE-2017-16666 was assigned for this discovery.
@Janfred revealed a flaw in Postfixadmin that allows domain admins to delete protected aliases, which could be used to redirect commonly trusted aliases and open the door to further attacks. This discovery was assigned CVE-2017-5930, along with its remediation and a Metasploit module.
Buffer overflows get some love from @DanielRTeixeira via an exploit module for the Ayukov NFTP FTP client, which triggers the overflow by responding to the client's SYST request with an overlong string. @aushack gives the community a command execution exploit module for HP LoadRunner, exploiting a vuln from 2010.
Fluency in Protocol
@sempervictus extended efforts to generate more legitimate-looking SSL certificates, improving evasion of network intrusion monitoring systems, by refactoring the certificate generation process so that custom generators can be plugged in. He also took advantage of Metasploit’s transition to the upstream Ruby net-ssh library to add the ability to specify a passphrase along with SSH private keys in the SSH Public Key Login Scanner. These improvements are crucial for traversing defended IT landscapes.
@jhart-r7 introduces a framework for interacting with brokers via the MQTT protocol. Distributed IoT devices are flocking to the flexibility of the pub/sub-oriented architecture the protocol allows. A brute-force login scanner has been added to discover endpoints, connect, and initiate authentication attempts. More of this is just around the corner.
@jgor added a new ARD login scanner targeting vulnerable, unpatched High Sierra hosts with Screen Sharing or Remote Management enabled, a la CVE-2017-13872 (iamroot). The module enables the root account and sets it to a chosen password. In addition to the scan for the vuln, it improves the VNC login scanner with the ability to test any OS X host.
Escalate Your Privilege
In an era where virtual machines are plentiful, @bcoles adds a local privilege escalation module for VMware Workstation Pro and Player (Linux) that uses an ALSA configuration file to load and execute a shared object as root when a VM with an attached sound card is launched. This should generate some awareness about being overly comfortable with the perceived sense that “nothing could go wrong” just because you are using a VM.
@mkienow and @bcook teamed up to give command shell payloads the ability to register a command that is executed after a session has ended, usable via the new CommandShellCleanupCommand advanced option. This allows payloads to do things such as cleaning up stray bits, or killing a telnetd after the session completes.
As we do every year, the Metasploit team contributed handily to Rapid7’s annual 12 Days of HaXmas series. Matthew relayed a printer hacking tale in rhymed verse (with a little help from Brent and wvu), Adam talked about extending Framework’s scalability with Python (to start!), and Tod told a thrilling story about the true meaning of Metasploit. Finally, Brent laid out a litany of Memorable Metasploit Moments™ from 2017 that takes readers through some of the year’s highlights—from killer modules and hardware hacking to last month’s community CTF and our earlier hackathon. Relive the memories here. Other HaXmas writers dropped festive holiday research projects, helpful PSAs, and pen testing takes well worth a read, so get all the HaXmas gifts here.
As always, you can update to the latest Metasploit Framework by simply updating to the latest version provided by BlackArch Linux, Kali Linux, Metasploit Pro, or by using the handy msfupdate command available in the Nightly Installers.