Gift exchange

If you're looking for remote code execution against Microsoft Exchange, Spencer McIntyre crafted up a cool new module targeting a .NET serialization vulnerability in the Exchange Control Panel (ECP) web page. Vulnerable versions of Exchange don't randomize keys on a per-installation basis, resulting in reuse of the same validationKey and decryptionKey values. With knowledge of these, an attacker can craft a special Viewstate to cause an OS command to be executed as NT_AUTHORITY\SYSTEM using .NET deserialization. Note that this module does require the user to authenticate to Exchange, be a member of the Domain Users group, and have a mailbox configured on the Exchange server.

Open sesame

Courtesy our friendly neighborhood researcher, wvu added a new local module targeting OpenSMTPD. Vulnerable versions of OpenSMTPD (prior to v6.6.4) contain an out-of-bounds read vulnerability in their MTA implementation, allowing an attacker escalated command execution as either the root or nobody user (depending on the grammar used by OpenSMTPD). Simple!

You down with PHP...?

And not to be missed, cdelafuente-r7 dropped in a new exploit module targeting PHP-FPM, where an underflow vulnerability in message passing between Nginx and PHP can lead to code execution on a vulnerable target. Versions containing this vulnerability are scattered about a bit, you can check out the new module here.

Share your attacker knowledge!

Do you have opinions on vulns? Want to learn others' opinions about vulns? Our new AttackerKB (Attacker Knowledge Base) web app has got you covered! We're currently in Beta with AttackerKB, where you can read about vulns, opinions and analysis around them, and provide your own analysis and thoughts, too! You can get the deets on AttackerKB (and request Beta access) here!

New modules (6)

Enhancements and features

  • PR #12929 by 0x44434241, adds the DB_ALL_USERS option to auxiliary/scanner/smb/smb_enumusers, which allows users to store enumerated user names in the database.
  • PR #12984 by Spencer McIntyre, corrects an issue with remote Meterpreter-backed network connections where local socket parameters where not updated properly on connect.
  • PR #12985 by timwr, switches the powershell payload to a polling read, preventing some issues where it read before having a message.
  • PR #12989 by adamgalway-r7, sanitizes user input for module and payload paths, removing starting ., ./ /, [module|payload]/, & /[module|payload]/ from a path. Also trims trailing . & extensions from a path, as well as any possible misspellings of an extension.
  • PR #12998 by adamgalway-r7, allows users to say either type:aux or type:auxiliary when searching for auxiliary modules.
  • PR #13012 by adfoster-r7, improves error handling when a plugin fails to load, now displaying the reason for the failure.
  • PR #13015 by space-r7, updates login scanners to work with usernames stored in the database and sets the last_attempted_at value in scanner/smb/smb_login.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).