'Sploits! Get yer 'sploits heeere!
Lots of fresh modules this week with six shiny new exploits to showcase—but first, a blast from the past:
Solaris wants to help you get password hashes and they've invented the NIS protocol. The next time you find a Solaris box, locked in a closet, that three generations of sysadmins have been afraid to touch, you can dump hashes straight to your Metasploit loot. Check out the documentation to see it in action.
Back to the Future
Stepping forward a few decades, @_0xFFFFFF discovered a new vuln and chained it with an older one to get unauthenticated remote code execution on the Hanwha (AKA Samsung) SRN-1670D, a security camera NVR/DVR with a network-accessible web server. The samsung_srv_1670d_upload_exec module first uses CVE-2015-8279 to gather the credentials, then CVE-2017-16524 uses those credentials to upload a PHP payload. The authors of the 2015 vuln, Luca Giancane, Aristide Fattori (@joystick) and Roberto Paleari (@rpaleari), have a good writeup on their findings as does @_0xFFFFFF on Github.
HP IMC, two ways
@bcoles cooked up two exploit modules for remote code execution on the HP IMC, hp_imc_dbman_restartdb_unauth_rce and hp_imc_dbman_restoredbase_unauth_rce. Both were tested against IMC PLAT v7.2 and provide SYSTEM on a listening target, so if you notice TCP/2810 in your nmap results, head on over to the documentation for each exploit for details.
Moar New Exploits
- @1oopho1e returns with phpcollab_upload_exec which gives unauthenticated RCE on phpCollab v2.5.1. CVE-2017-6090, discovered by Nicholas SERRA at Sysdream, allows for the upload of PHP payloads, clearing the way for access at the web server user. Check out the documentation to take it for a spin.
- @b0yd discovered and wrote commvault_cmd_exec which, by default, provides SYSTEM-level, unauthenticated remote code execution in the Commvault Service v11 SP5 in a Windows environment. You might find Commvault listening on TCP/8400, but be aware that there might be a Unix version out there as well. While this module doesn't support it, pull requests are always welcome. :-)
- Finally, the old tricks are new again, thanks to @DanielRTeixeira, who modularized Tulpa's stack-based exploit for the LabF nfsAxe 3.7 FTP client. The labf_nfsaxe module sets up an FTP server which, once an nfsAxe client connects and authenticates, sends an exploit that allows for remote code execution. @wchen-r7 has all the juicy details in his documentation
As you can tell, it's been a busy week for our contributors, and we'd like to thank them for not only what you see here but also what is in the pipe for our upcoming releases. If you'd like to get in on the action, learn how to contribute to Metasploit.
As always, you can update to the latest Metasploit Framework with
msfupdate and you can get more details on the changes since the last blog post from GitHub: