Tomorrow brings the fall equinox, and that means (as we are almost contractually obligated to say at this point) winter is coming. The days are getting shorter, the nights longer, and you can get your required dose of caffeine with pumpkin flavor, if that’s your preference.
It has been a very busy summer at Metasploit, between moving offices, hiring new faces, eternally bluing, and gathering modules for the long winter ahead. It seems fitting that in this last wrapup of summer, we feature a Solaris exploit and credential gathering just before winter.
Solaris Local Privilege Escalation
Some exploits drive a pen test, while others are just getting old enough to drive. The Solaris libnspr NSPR_LOG_FILE Privilege Escalation may be nearing its teenage years, but we do not doubt for a moment that there’s still a chance of finding a vulnerable Solaris machine tucked away somewhere in your target network. (It might even be hidden behind some drywall.)
SQL Credential Capture
Our very own @space-r7 added a module to grab the hashed passwords from Pimcore databases. Some MD5 calculating required.
Exploit modules (1 new)
- Solaris libnspr NSPR_LOG_FILE Privilege Escalation by Brendan Coles, Marco Ivaldi, and iDefense, which exploits CVE-2006-4842
Auxiliary and post modules (3 new)
- iOS Safari Denial of Service with CSS by Sabri Haddouche
- Dolibarr Gather Credentials via SQL Injection by Issam Rabhi, Kevin Locati, and Shelby Pace, which exploits CVE-2018-10094
- Pimcore Gather Credentials via SQL Injection by N. Rai-Ngoen, Shelby Pace, and Thongchai Silpavarangkura, which exploits CVE-2018-14058
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
To install fresh, check out the open-source-only Nightly Installers, or the binary installers, which also include the commercial editions. PLEASE NOTE that these installers, and Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based off the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.