Metasploit Weekly Wrapup  

Exploits for hours. Gather 'round with a pocket full of shells.

What's coming down the pipeline for Metasploit? Brent Cook brings you October's first Metasploit wrap-up.

To celebrate this first day of Autumn[1], we've got a potpourri of "things Metasploit" for you this week. And it might smell a bit like "pumpkin spice"... Or it might not. Who knows? Winter is Coming If you're looking to finish filling your storehouse before the cold sets in, we've got a couple of new gatherer modules to help. This new Linux post module can locate and pull TOR hostname and private key files for TOR hidden services on a target system. If containers are more your thing, this new *nix post module will gather all users' Docker creds from a hosting target. And while your DB is getting stocked up with creds, don't forget to add Fall2017 to your password list[2] ('cause, you know...people). Uniting People Last week, some of the Metasploit team joined Rapid7 customers from around the country for Rapid7’s annual UNITED Summit in Boston. Brent Cook offered an overview of what’s next for Metasploit Framework, Wei Chen and James Barnett led an introduction to CTF competitions, and the Metasploit team hosted UNITED’s inaugural CTF for attendees. 62 teams competed for prizes and bragging rights—and for some of them, UNITED marked their first-ever flag capture. Congrats to the winners and first-timers! Thanks to everyone who joined us to share knowledge, drop shells, and log face-time in Boston! Good Things Come in Threes Today marks the third appearance of the Metasploit Town Hall at DerbyCon. The Town Hall is an interactive panel discussion centered around the current state (and trajectory) of Metasploit, with questions and feedback welcomed. If you're out at Derby this year, drop on by and be a part of the conversation! Want MOAR? Check out our YouTube channel for additional Metasploit-related content, including recent (and past!) recordings of the Metasploit team's bi-monthly sprint demo meetings. At best, you'll find out about new Metasploit work and features in progress. At worst, they aren't really long videos. ¯\_(ツ)_/¯ New Modules Auxiliary and post modules (2 new) Linux Gather TOR Hidden Services by Harvey Phillips Multi Gather Docker Credentials Collection by Flibustier Get it As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub: Pull Requsts 4.16.6...4.16.7 Full diff 4.16.6...4.16.7 To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions. Spring for our friends in the Southern Hemisphere! ↩︎ Spring2017 for our friends in the Southern Hemisphere! ↩︎

It's been a hot minute since the last Metasploit Wrapup. So why not take in our snazzy new Rapid7 blog makeover and catch up on what's been goin' down! You can't spell 'Struts' without 'trust' Or perhaps you can! With the all the current news coverage around an Apache Struts vulnerability from earlier this year (thanks to its involvement in a consumer credit reporting agency data breach), there's a new Struts vuln getting attention. Due to how untrusted, user-provided data is handled during deserialization, it's possible to achieve remote code execution on vulnerable versions of Struts (which reportedly go back to 2008!). Struts devs were quick to release a patch to address the new vuln, while Metasploit dev @wvu was quick to create an exploit module for Framework. For additional details and musings, check out this blog post from R7's Tod Beardsley, Director of Research. Better living through Meterpreter There've been a number of substantial improvements to Meterpreter going on, some of which have been released since the last wrapup post. Transport-agnostic encryption (wat?) Colloquially referred to as CryptTLV (because, well, it encrypts the TLV message payloads between Framework and Meterpreter), this new mechanism has a couple of immediate benefits for MSF users: Doesn't require OpenSSL (reducing Meterpreter payload size by roughly 80%!) Operates at the packet payload level, allowing it work across various transports types (TCP, UDP, so on...) There's some more work coming along in this vein. Stay tuned. Playing a 'pivotal' role It's what you do once you have your foothold on a multi-homed system connected to a private network: you pivot. Which leads to further discovery, moving around, and sometimes more pivoting. We've recently upgraded this key Meterpreter feature with the following: Works over named pipes More performant than the existing tunnelling mechanism (and latency doesn't compound as you make additional pivots!) Traffic is encrypted with CryptTLV Definitely worth taking for a spin, so let us know what you think! And SO MANY NEW MODULES! Seriously, there's a bunch of neat stuff that's been added. Check out the New Modules list below, where you'll find stuff to help you with all the following: scanning credential gathering container detection privilege escalation remote code execution denial of service C2 server software exploitation (Tod gets the credit on this) New Modules Exploit modules (9 new) Docker Daemon - Unprotected TCP Socket Exploit by Martin Pizala QNAP Transcode Server Command Execution by 0x00string, Brendan Coles, and Zenofex VMware VDP Known SSH Key by phroxvs exploits CVE-2016-7456 Malicious Git HTTP Server For CVE-2017-1000117 by NOBODY exploits CVE-2017-1000117 IBM OpenAdmin Tool SOAP welcomeServer PHP Code Execution by Brendan Coles and SecuriTeam exploits CVE-2017-1092 Apache Struts 2 REST Plugin XStream RCE by wvu and Man Yue Mo exploits CVE-2017-9805 Windows Escalate UAC Protection Bypass (Via COM Handler Hijack) by Matt Nelson, OJ Reeves, and b33f Gh0st Client buffer Overflow by Professor Plum PlugX Controller Stack Overflow by Professor Plum Auxiliary and post modules (6 new) BIND TKEY Query Denial of Service by Alejandro Parodi, Ezequiel Tavella, Infobyte Research Team, and Martin Rocha exploits CVE-2016-2776 Asterisk Gather Credentials by Brendan Coles TeamTalk Gather Credentials by Brendan Coles Identify Cisco Smart Install endpoints by Jon Hart Linux Gather Container Detection by James Otten Multi Gather Maven Credentials Collection by elenoir Get it As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub: Pull Requsts 4.15.6...4.16.6 Full diff 4.15.6...4.16.6 To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Slowloris: SMB edition Taking a page from the Slowloris HTTP DoS attack, the aptly named SMBLoris DoS attack exploits a vuln contained in many Windows releases (back to Windows 2000) and also affects Samba (a popular open source SMB implementation). Through creation of many connections to a target's SMB port, an attacker can exhaust all available memory on the target by sending a specific NBSS length header value over those connections, rendering the system unusable or crashed (if desired). And systems with SMB disabled are vulnerable to this attack too. Word is that Microsoft currently has no plans to issue a fix. Following the SMBLoris reveal at DEF CON (hat tip to the researchers at RiskSense!), Metasploit Framework now contains an exploit module for fulfilling your SMBLoris needs. The Adventure of LNK Think Windows shortcut files are a convenient way to reference a file from multiple places? How about as an attack vector to get remote code execution on a target? Affecting a wide range of Windows releases, a recently-landed exploit module might be just what you're looking for to give this vector a go. Microsoft did release a patch this past June, but we're gonna guess a lot of systems still haven't picked that up yet. Would you like RCE with your PDF (reader)? If so, Nitro's PDF reader might be your hookup. Many versions of both Pro and regular flavors of the reader are vulnerable, providing JavaScript APIs which allow writing a payload to disk and then executing it. Check out the new exploit module and enjoy some of that tasty RCE. Jenkins, tell me your secrets... If you periodically happen upon a target running Jenkins, we've got a new post module you might find useful. jenkins_gather will locate where Jenkins is installed on a system and then proceed to look for creds, tokens, SSH keys, etc., decrypting what it finds and conveniently adding it to your loot. It's been tested on a number of versions and platforms and is ready for you to give it a try. And more! We've also: enabled ed25519 support with net-ssh added better error handing for the Eternal Blue exploit module when it encounters a system that has SMB1 disabled (thx, @multiplex3r!) New Modules Exploit modules (2 new) LNK Code Execution Vulnerability by Uncredited and Yorick Koster exploits CVE-2017-8464 Nitro Pro PDF Reader 11.0.3.173 Javascript API Remote Code Execution by sinn3r, Brendan Coles, and mr_me exploits CVE-2017-7442 Auxiliary and post modules (2 new) SMBLoris NBSS Denial of Service by thelightcosine Jenkins Credential Collector by thesubtlety Get it As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub: Pull Requsts 4.15.4...4.15.6 Full diff 4.15.4...4.15.6 To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Metasploit Hackathon We were happy to host the very first Metasploit framework open source hackathon this past week in the Rapid7 Austin. Eight Metasploit hackers from outside of Rapid7 joined forces with the in-house team and worked on a lot of great projects, small and large. @bcook started the hackathon working with @sempervictus on his amazing backlog of framework features, including REX library improvements, UDP sessions, TLS encrypted sessions, and support for running framework in Rubinius . We had a lot of good chats on how to move forward with bigger features, and our trees have begun to converge more. @zerosteiner worked on server support for the Net-ssh library, and gave right after dropped Railgun support for OSX Meterpreter, and gave a talk on it at BSides Cleveland. On the module side, we got the long-awaited DNS injection module from @kingsabri rewritten and enhanced. @bcook worked a lot with @mubix's, whose intense testing and feedback made the module really great. Mubix served a unique role at the hackathon to of testing everyone's ideas and providing a critical eye on usability and reliability in engagements. @bcook also worked with @sure-fire testing public PoC code for CVE-2017-3881 on a variety of Cisco gear, and we were able to convert @artkond's great research into another module PR. @bperry stopped by with his guitar, and worked on a plugin for the Arachni web scanner. In his words, "This complements the sqlmap plugin well, going from general web app scanning with arachni to full exploitation with sqlmap straight from Metasploit. It's something I've wanted in Metasploit for a while now.". He also composed a song for the occasion. @bcook worked on a long-awaited search function for the Metasploit RPC interface while @mubix added a nifty new plugin that publishes an RSS feed of shells as they come in. While testing various things, @mubix noticed that his database was taking a long time to delete a workspace. @darkbushido took a look and found that we could speed up deleting workspaces by several orders of magnitude by using a different method. Joining the hackathon virtually, @oj completed his PR for an all-new crypto layer for Meterpreter transports, which provides application-layer encryption for sessions independent of the transport used. It also has the nice effect of reducing the size of Windows meterpreter 5-fold! @bwatters-r7, @hdm, @kernelsmith, @acammack-r7, and @izobashi also worked on a number of interesting projects as well, like a socks5 proxy, automated payload testing, selfhash support, and mimipenguins integration. We will be covering those as the make their way into the PR queue. In total, the hackathon was a great success and we look forward to having another one soon. Passwords In the continual game of cat and mouse with Windows password storage, Rogdham has brought the mice back on top this week. SQUEEK! Previously, Windows stored hashes using RC4 hashing, but Windows 10 uses AES128. With this update, the hashdump module will work with the AES128 hashes, too. catch yourself before you wrek yourself No one likes seg faults while you're trying to be stealthy, so kudos to tkmru who added some error handling to our armle reverse_tcp payload. Previously, the payload would segfault if it could not call back. Now, if it fails to call back, it fails silently, because the best kind of failure is the kind no one notices! New Modules Exploit modules (4 new) Netgear DGN2200 dnslookup.cgi Command Injection by SivertPL and thecarterb exploits CVE-CVE-2017-6334 Symantec Messaging Gateway Remote Code Execution by Mehmet Ince exploits CVE-CVE-2017-6326 Easy File Sharing HTTP Server 7.2 POST Buffer Overflow by Marco Rivoli and bl4ck h4ck3r Auxiliary and post modules (1 new) Riverbed SteelHead VCX File Read by Gregory DRAPERI and h00die Get it As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub: Pull Requsts 4.14.26...4.14.28 Full diff 4.14.26...4.14.28 To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

A fresh, new UAC bypass module for Windows 10!Leveraging the behavior of fodhelper.exe and a writable registry key as a normal user, you too can be admin! Unpatched as of last week, this bypass module works on Windows 10 only, but it works like a charm!Reach out and allocate somethingThis release offers up a fresh denial/degradation of services exploit against hosts running a vulnerable version of rpcbind. Specifically, you can repeatedly allocate up to four gigabytes of RAM on the remote host with predictably bad results. It becomes worse when you realize that the allocation process is outside tracked memory, so that memory will not be unallocated. As a bonus, the granularity of the module accommodates those who wish to be truly evil by allowing them to simply degrade a host's performance, rather than completely crashing it.Hardware agnosticismThanks to our great community, this release contains a fix for a troublesome bug where a Meterpreter session would crash under a specific set of circumstances when running on an AMD CPU. The exact cause is yet to be determined, but it appears the AMD chip becomes confused about the memory it can access, and inserting an otherwise bogus move instruction causes the chip to recover or somehow right itself, allowing it to execute the originally-offending instruction. If you are a bit of a hardware junkie, feel free to read more.Improved reportingThere were multiple fixes to help in a less exciting, but still incredibly important, aspect of pen-testing: reporting. We fixed a bug in vulnerability reporting where [Metasploit](https://www.rapid7.com/products/metasploit/) was not correctly tracking the attempted vulnerabilities so reports would be less accurate than they could be. Also, an update to our scanner modules increases the CVE references for each scan to allow better reporting or researching for methods of attack.Download now supports terrible networksA new feature allows Metasploit users to control the block size when downloading files. In most cases, this is not important, but on a network that might be slow or laggy, the ability to control block size will result in more reliable downloads. Included is an adaptive flag to drop the block size in half every time a block transfer fails. If you've never had to redteam on a bad network, count yourself lucky; if you have, you'll love this new feature.It happens to the best of usIn addition to adding functionality and fixing user bugs, this release also includes a security fix reported by our community. The CSRF vulnerability is now patched; we send a hearty thank you to the reporter, @SymbianSyMoh!New ModulesExploit modules (2 new) DC/OS Marathon UI Docker Exploit by Erik DaguerreWindows UAC Protection Bypass (Via FodHelper Registry Key) by amaloteaux and winscriptingblogAuxiliary and post modules (1 new)* RPC DoS targeting *nix rpcbind/libtirpc by Pearce Barry and guidovranken exploits CVE-2017-8779Get itAs always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:Pull Requsts 4.14.23...4.14.26Full diff 4.14.23...4.14.26To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

It has only been one week since the last wrapup, so it's not like much could have happened, right? Wrong! Misery Loves Company After last week's excitement with Metasploit's version of ETERNALBLUE (AKA the Wannacry vulnerability), this week SAMBA had its own "Hold My Beer" moment with the disclosure that an authenticated (or anonymous) client can upload a shared library to a SAMBA server, and that server will happily execute the library! The vulnerability is present in all versions of SAMBA since 2010 and was only patched a few days ago. That length of time paired with the number, simplicity, and price points of the devices that run SAMBA mean that this vulnerability will be around for a very, very long time. The always-original internet appears to have dubbed this "Sambacry" whereas we here at Rapid7 have taken a more animated path in our references. In the scant week since the vulnerability was released, we've already landed and improved a module that takes advantage of the vulnerability, and it works on fifteen different computing architectures. Because SAMBA runs on so many different architectures, and we're supporting them, this really is the perfect opportunity to go out and play with the new and improved POSIX Meterpreter! Make New Friends, But Keep the Old Just because we had a shiny new exploit does not mean we forgot about our old friend from last week, ETERNALBLUE. This update sees several improvements to last week's module, including: An improved architecture verification when port 135 is blocked Ignoring and continuing if the target does not reply to an SMB request OS Verification We've Got Your Back Not too long ago, we added a module to migrate from one architecture to another on Windows hosts. Unfortunately, if you were running as an elevated user, the new session did not maintain those privileges. Now, if you try to migrate as SYSTEM, we'll stop you and make sure you really want to privdesc(?) yourself. Speaking of Running Metasploit in Strange Places zombieCraig has extended support for the hardware bridge in Metasploit, squashing bugs and adding two new commands: testerpresent and isotpsend. The first sends keepalive packets in the background to maintain the diagnostic connection, and the second allows communication with ISO-TP compatible modules. We've also added a module to dump credentials on scadaBR systems. Target your Target For those who have enjoyed the recent Office Macro exploit, you can now embed it into custom docx templates for that personal touch. New Modules Exploit modules (5 new) Samba is_known_pipename() Arbitrary Module Load by hdm, Brendan Coles, and steelo exploits CVE-CVE-2017-7494 Octopus Deploy Authenticated Code Execution by James Otten VX Search Enterprise GET Buffer Overflow by Daniel Teixeira Auxiliary and post modules_(2 new)_ ScadaBR Credentials Dumper by Brendan Coles WordPress Traversal Directory DoS by CryptisStudents and Yorick Koster exploits CVE-CVE-2016-6897 Get It As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub: Pull Requests 4.14.20...4.14.23 Full diff 4.14.20...4.14.23 To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions. More Improvements release-notes

It has been an intense couple of weeks in infosec since the last Wrapup and we've got some cool things for you in the latest update. Hacking like No Such Agency I'll admit I was wrong. For several years, I've been saying we'll never see another bug like MS08-067, a full remote hole in a default Windows service. While I'm not yet convinced that MS17-010 will reach the same scale as MS08-067 did, EternalBlue has already done substantial damage to the internet. Rapid7 bloggers covered a bunch of the details last week. More on the EternalBlue Metasploit module How to scan your network for the WannaCry vulnerability with InsightVM and Nexpose A deep dive into the WannaCry vulnerability Since the last Wrapup, we've added an exploit for EternalBlue that targets x64 on the Windows 7 kernel (including 2008 R2). Updates are in the works to cover x86 and other kernels. There is also a scanner that can reliably determine exploitability of MS17-010, as well as previous infection with DOUBLEPULSAR, the primary payload used by the original leaked exploit. While EternalBlue was making all the headlines, we also landed an exploit module for the IIS ScStoragePathFromUrl bug (CVE-2017-7269) for Windows 2003 from the same dump. This one requires the victim to have WebDAV enabled, which isn't default but is really common, especially on webservers of that era. Since 2003 is End of Support, Microsoft is not going to release a patch. Dance the Samba In the few days since we spun this release, we also got a shiny new exploit module for Samba, the Unixy SMB daemon that runs on every little file sharing device ever. Expect some more discussion about it in the next wrapup. In the mean time, you can read more about the effects of the bug. WordPress PHPMailer WordPress, which powers large swaths of the internet, embeds a thing called PHPMailer for sending email, mostly for stuff like password resets. Earlier this May, security researcher Dawid Golunski published a vulnerability in PHPMailer. The vulnerability is similar to CVE-2016-10033, discovered by the same researcher. Both of these bugs allow you to control arguments to sendmail(1). Now, vulns in WordPress core are kind of a big deal, since as previously mentioned, WP is deployed everywhere. Unfortunately (or maybe fortunately depending on your perspective), there is a big caveat -- Apache since 2.2.32 and 2.4.24 changes a default setting, HttpProtocolOptions to disallow the darker corners of RFC2616, effectively mitigating this bug for most modern installations. The intrepid @wvu set forth to turn this into a Metasploit module and came out the other side with some shells and interesting discoveries that he'll cover in a more detailed technical post coming soon to a Metasploit Blog near you. Railgun While Meterpreter is a very powerful and flexible tool for post exploitation on its own, sometimes you need the flexibility to go beyond the functionality that it provides directly. There may be a special API that needs to be called to extract a credential, or a certain system call that is required to trigger an exploit. For a long time, Windows Meterpreter users have enjoyed the use of the Railgun extension, which provides a way to do just that, similar to FFI (Foreign Function Interface) that is available in many scripting languages, but operating remotely. Thanks to an enormous effort by Metasploit contributor, zeroSteiner, Linux users can now also take advantage of Railgun, as it is now implemented as part of Python Meterpreter! This functionality opens the door to many new post-exploitation module possibilities, including the ability to steal cleartext passwords from gnome-keyring. See zeroSteiner's blog and his more technical companion piece for more details. Steal all the things This week's update also continues the fine tradition of Stealing All the Things(tm). The aforementioned gnome-keyring dumper allows you to steal passwords from a logged-in user. In a similar vein, if you have a shell on a JBoss server, post/multi/gather/jboss_gather will give you all the passwords. The fun thing about both of these is that they work on the principle that you have permission to read these things -- there is no exploit here, and nothing to be patched. On the other side of things, auxiliary/admin/scada/moxa_credentials_recovery does take advantage of a vulnerability to grab all the creds from a cute little SCADA device. New Modules Exploit modules (10 new) Crypttech CryptoLog Remote Code Execution by Mehmet Ince Quest Privilege Manager pmmasterd Buffer Overflow by m0t exploits CVE-2017-6553 BuilderEngine Arbitrary File Upload Vulnerability and execution by Marco Rivoli, and metanubix MediaWiki SyntaxHighlight extension option injection vulnerability by Yorick Koster exploits CVE-2017-0372 WordPress PHPMailer Host Header Command Injection by wvu, and Dawid Golunski exploits CVE-2016-10033 Dup Scout Enterprise GET Buffer Overflow by Daniel Teixeira, and vportal Serviio Media Server checkStreamUrl Command Execution by Brendan Coles, and Gjoko Krstic(LiquidWorm) Sync Breeze Enterprise GET Buffer Overflow by Daniel Teixeira Microsoft IIS WebDav ScStoragePathFromUrl Overflow by Chen Wu, Dominic Chell, Lincoln, Rich Whitcroft, Zhiniang Peng, firefart, and zcgonvh exploits CVE-2017-7269 MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption by Dylan Davis, Equation Group, Sean Dillon, and Shadow Brokers exploits CVE-2017-0148 Auxiliary and post modules (6 new) Moxa Device Credential Retrieval by K. Reid Wightman, and Patrick DeSantis exploits CVE-2016-9361 Intel AMT Digest Authentication Bypass Scanner by hdm exploits CVE-2017-5689 Module to Probe Different Data Points in a CAN Packet by Craig Smith Gnome-Keyring Dump by Spencer McIntyre Jboss Credential Collector by Koen Riepe (koen.riepe Multi Manage Network Route via Meterpreter Session by todb, and Josh Hale "sn0wfa11" Get it As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub: Pull Requsts 4.14.15...4.14.21 Full diff 4.14.15...4.14.21 To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Ghost...what??? hdm recently provided a new exploit module for a type confusion vulnerability that exists in Ghostscript versions 9.21 and earlier, allowing remote code execution on the target. And to "kick it up a notch", this exploit got itself a snazzy logo which also contains the exploit: (spoiler alert: it's called GhostButt) Forever and a day From mr_me comes a one-two punch in the form of two exploits which target an EOL'd Trend Micro appliance. Certain versions of the Threat Discovery Appliance contain both authentication bypass and command injection vulnerabilities, which can be used to gain access to the appliance and run whatevs, respectively. And because this product is no longer supported by Trend Micro, these vulns are expected to be "forever day". HTA RCE FTW If you're looking for remote code execution via an MS Office document vuln, nixawk's exploit module might fit the bill nicely. This new addition allows Framework users to easily craft a doc file containing an OLE object which references an HTML Application (HTA). When the target opens this document, the HTA is accessed over the network (Framework acting as the server, of course), and remote code execution is back on the menu. Feeling constrained? Mercurial SCM users with ssh access can now move about more freely thanks to a new exploit module from claudijd. By targeting weak repo validation in HG server's customizable hg-ssh script, users can use this module to break out of their restricted shell and execute arbitrary code. Give it a go and enjoy your new-found freedom...! But wait, there's more! Rounding out our tech updates, bcook-r7 has given us a polite push forward and "flipped the switch" so that the POSIX Meterpreter used by Framework is now providing Mettle as its payload. Not only does Mettle weigh-in at ~1/2 the size of the old POSIX Meterpreter, it also provides more functionality. Additionally, it's being actively worked on these days, unlike the old POSIX Meterpreter. Yes, plz! The Summer of Code is upon us! We are excited to welcome Tabish Imran, B.N. Chandrapal, and Taichi Kotake to the Metasploit community as 2017 Google Summer of Code students. We thank everyone who took the time to participate; it was a fierce competition, with over 30 applicants. Look forward to seeing the great projects these students create this summer! New Modules Exploit modules (6 new) WePresent WiPG-1000 Command Injection by Matthias Brun Mercurial Custom hg-ssh Wrapper Remote Code Exec by claudijd Trend Micro Threat Discovery Appliance admin_sys_time.cgi Remote Command Execution by Roberto Suggi Liverani and mr_me exploits CVE-2016-7547 Ghostscript Type Confusion Arbitrary Command Execution by hdm and Atlassian Security Team exploits CVE-2017-8291 Microsoft Office Word Malicious Hta Execution by sinn3r, DidierStevens, Haifei Li, Nixawk, ryHanson, vysec, and wdormann exploits CVE-2017-0199 Disk Sorter Enterprise GET Buffer Overflow by Daniel Teixeira Auxiliary and post modules (1 new) Upload and Execute by egyp7 Get it As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub: Pull Requsts 4.14.12...4.14.15 Full diff 4.14.12...4.14.15 To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Editor's Note: While this edition of the Metasploit Wrapup is a little late (my fault, sorry), we're super excited that it's our first ever Metasploit Wrapup to be authored by an non-Rapid7 contributor. We'd like to thank claudijd -long-time Metasploit contributor, Mozilla security wrangler, and overall nice guy - for writing this post. If other Metasploit contributors want to get involved with spreading the word, we want to hear from you!We should be back on track timing-wise with our Wrapup for this week on Friday.  Without any further delay, here's what's new in Metasploit versions 4.14.4 through 4.14.11. - JEHere's my number, text me maybe?Metasploit sessions can happen at any time. Fortunately, you can always be plugged in to what's going on with the new session notifier plugin, compliments of wchen. This plugin allows you to send SMS notifications for Metasploit sessions to a variety of carriers (AllTel, AT&T wireless, Boost Mobile, Cricket Wireless, Google Fi, T-Mobile, Version, and Virgin Mobile) so you'll never miss out on the pwnage.Text-editors and Programming LanguagesIf you've ever been cornered by a VIM user around the water cooler and been regaled to exhaustion about why you should also choose VIM, you probably hold your ability to choose in high regard. Recently, acammack extended Metasploit to provide initial support to include more choice in what programming language you can write Metasploit modules in. The idea here would be that instead of being forced to write all modules in Ruby, you could write one in Python, Go, LOLCODE, or whatever your heart desires.Improve Your Spider SenseMany of us have had that feeling before that something doesn't add up, you can think of it as your own "hacker spider-sense." This can sometimes happen when you tell yourself, "that seemed way too easy" or "these services don't quite make sense", only to find out later that you've owned a honeypot. To help fight against this, thecarterb recently added an auxillary module to Metasploit, which allows you to check Shodan's honeyscore to see if your target is or is not known to act like a honeypot with a score between 0.0-1.0 (0.0 being not a honeypot and 1.0 being a honeypot). Having this data can be useful both after exploitation (to realize your blunder) or even earlier in the process to avoid an obvious honeypot before you send a single byte in its direction.Waste Not, Want NotYou never know when a useful bit of information will be the key to another door. In that spirit, it's encouraged to loot as much as you can when you can. Recently, a number of useful modules have been added to help you loot as much as possible and improve your odds of success...Multi Gather IRSSI IRC Passwords - This post module allows you to steal an IRSSI user's configuration file if it contains useful IRC user/network passwords. This could be helpful if you'd like to mix in a little social engineering, by impersonating your target to get additional people working for you.Windows Gather DynaZIP Saved Password Extraction - This post module allows you to harvest clear text passwords from dynazip.log files. This can be pretty handy if you have have an encrypted zip file that you need opened in a hurry.Multiple Cambium Modules - If you find yourself testing Cambium ePMP 1000's, you're in luck, as multiple modules have been added to effectively juice all sorts of information from these devices. These modules allow you to pull a variety of configuration files and password hashes over HTTP and SNMP. This is helpful to identify a shared password or password scheme that's been re-used on other network infrastructure devices to expand your influence.New ModulesExploit Modules (5 new)Cambium ePMP 1000 Arbitrary Command Execution by Karn GaneshenGithub Enterprise Default Session Secret And Deserialization Vulnerability by iblue and sinn3rSolarWind LEM Default SSH Password Remote Code Execution by Mehmet InceDebian/Ubuntu ntfs-3g Local Privilege Escalation by jannh and h00dieNETGEAR WNR2000v5 (Un)authenticated hidden_lang_avi Stack Overflow by Pedro RibeiroAuxiliary and post modules (10 new)Cambium ePMP SNMP Enumeration by Karn GaneshenCambium ePMP 1000 Password Hash Extractor by Karn GaneshenCambium ePMP 1000 Dump Device Config by Karn GaneshenCambium ePMP 1000 Login Scanner by Karn GaneshenMulti Gather IRSSI IRC Password(s) by claudijdMoxa UDP Device Discovery by Patrick DeSantisShodan Honeyscore Client by thecarterbArchitecture Migrate by Koen RiepeWindows Gather DynaZIP Saved Password Extraction by Brendan ColesNETGEAR WNR2000v5 Administrator Password Recovery by Pedro RibeiroGet ItAs always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:Pull Requests 4.14.4...4.14.11Full Diff 4.14.4...4.14.11To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Faster, Meterpreter, KILL! KILL! You can now search for and kill processes by name in Meterpreter with the new pgrep and pkill commands. They both have flags similar to the older ps command, allowing you to filter by architecture (-a), user (-u), or to show only child processes of the current session's process (-c). We've also added a -x flag to find processes with an exact match instead of a regex, if you're into that. Fun with radiation Craig Smith has been killing it lately with all his hardware exploitation techniques. Check out his post from earlier this week for details of his latest work on integrating radio reconaissance with Metasploit via the HWBridge, including crafting and examining radio frequency packets, brute force via amplitude modulation, and more! Java web things This update includes modules for two fun Java things: Struts2 and WebSphere. Struts is a Java web application framework often deployed on Tomcat, but it can run on any of the various servlet containers out there. The bug is in an error handler. Basically, if the Content-Type header sent by the client is malformed, it will cause an exception and send a stack trace back to the client. As part of its rendering process, Struts will treat the value of the header as part of a template. Templates can contain Object-Graph Navigation Language (OGNL) expressions meaning we get full code execution as the user running the web process. The exploit for this drops a file and runs it so your shells can strut their stuff. WebSphere is an application server manager. It is particularly interesting because it is often used to deploy code to clusters of application servers, which means popping one box can potentially give you code execution on dozens more. You used to pwn me on my cell phone While MMS messages aren't as common of a phishing vector as email, they can potentially be highly successful late at night when you need those shells. Now you can send SMS and MMS messages with Metasploit, using any SMTP server including GMail or Yahoo servers. Pair this with a malicious attachment such as the one generated by android/fileformat/adobe_reader_pdf_js_interface, or a link to the Stagefright browser exploit (android/browser/stagefright_mp4_tx3g_64bit), and get that holla back. New Modules Exploit modules (6 new) dnaLIMS Admin Module Command Execution by flakey_biscuit, and h00die exploits CVE-CVE-2017-6526 Logsign Remote Command Injection by Mehmet Ince Netgear R7000 and R6400 cgi-bin Command Injection by Acew0rm, and thecarterb exploits CVE-CVE-2016-6277 Apache Struts Jakarta Multipart Parser OGNL Injection by egyp7, Chorder, Jeffrey Martin, Nike.Zheng, and Nixawk exploits CVE-CVE-2017-5638 IBM WebSphere RCE Java Deserialization Vulnerability by Liatsis Fotios exploits CVE-CVE-2015-7450 SysGauge SMTP Validation Buffer Overflow by Chris Higgins, and Peter Baris Auxiliary and post modules (10 new) MMS Client by sinn3r SMS Client by sinn3r QNAP NAS/NVR Administrator Hash Disclosure by wvu, Donald Knuth, and bashis Easy File Sharing FTP Server 3.6 Directory Traversal by Ahmed Elhady Mohamed exploits CVE-CVE-2017-6510 DnaLIMS Directory Traversal by flakey_biscuit, and h00die exploits CVE-CVE-2017-6527 Carlo Gavazzi Energy Meters - Login Brute Force, Extract Info and Dump Plant Database by Karn Ganeshen mDNS Spoofer by James Lee, Joe Testa, and Robin Francois Brute Force AM/OOK (ie: Garage Doors) by Craig Smith RF Transceiver Transmitter by Craig Smith Sends Beacons to Scan for Active ZigBee Networks by Craig Smith Get it As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub: Pull Requsts 4.14.1...4.14.4 Full diff 4.14.1...4.14.4 To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

The last couple of weeks in the infosec world have appeared busier, and buzzier, than most others.  It seems almost futile to pry everyone away from the current drama--that being the bombshell revelation that intelligence agencies collect intelligence--long enough to have them read our dev blog.  Regardless, we've been busy ourselves.  And if you're the least bit like me, you could probably use a quick respite from the cacophony.  Keeping up with all the noise is enough to make anyone feel like Ricky:This is Ricky.  Don't be like Ricky.Features and FixesThere are few things worse than getting a Meterpreter session on a host, only to find yourself unable to download large files that you might be interested in because your connection is spotty.  Unfortunately, download timeouts in such sessions have been a reality for as long as Meterpreter has been around.  Thankfully, a recent patch by Pearce Barry goes a long way to alleviate said issues by providing more fault tolerance to adverse network conditions.  I personally tested this on over 1GB of data across a network link with 20% packet loss, and while it felt like I was using CompuServe once again, it delivered the goods.Other issues addressed include a fix by mrjefftang for an issue in BrowserExploitServer.  Instead of delivering the obfuscated Javascript from JSObfu, raw Javascript was mistakenly being sent.  Good catch.  Also, a major rewrite of the reverse_shell_jcl payload was submitted by bigendiansmalls and merged.  Functionally, it behaves the same as the previous iteration; however, the actual code is much cleaner and easier to maintain.  So if you haven't tried your hand at IBM mainframe hacking, it's now even easier to jump right in.A Requiem for Meterpreter ScriptsWe obliterated what we believe to be the last vestige of Meterpreter scripts in framework.  In their time, an exploit module may have used migrate -f to automatically migrate the session to another process on the target.  This is now handled by 'post/windows/manage/priv_migrate', and has been for some time.  The old migrate -f argument set in InitialAutoRunScript was pointed at this new module; however, there's been a few hiccups over the last few weeks.  That's been corrected, and all should now be right with Windows process migration.  Note: This doesn't mean that your personal custom scripts will stop working. Scripts are still a handy way to bust out a prototype to get stuff done quickly without needing to care about the reliability requirements of a post module.In other assorted bugfix news, Brendan Watters resolved an issue that occurred when sorting tables from auxiliary modules when the results contained both IPv4 and IPv6 addresses.  We also updated Metasploit to use the latest Nexpose client libraries, so it's now able to validate that it's communicating with a trusted Nexpose instance via preconfigured SSL certificates.Docker!One final item in this release was the addition of a basic Dockerfile and Docker Compose configuration.  With support for Docker, you can now isolate your Metasploit instances, and it allows you to both quickly and easily setup new testing and development environments.  Plans are in the works to publish the container to hub.docker.com, and users will be able to deploy new installations of Metasploit Framework just as easily as they would other applications using Docker.New ModulesExploit modules (5 new)MVPower DVR Shell Unauthenticated Command Execution by Andrew Tierney (Pen Test Partners), Brendan Coles, and Paul Davies (UHF-Satcom)Trend Micro InterScan Messaging Security (Virtual Appliance) Remote Code Execution by Mehmet InceEktron 8.5, 8.7, 9.0 XSLT Transform Remote Code Execution by catatonicprime exploits CVE-CVE-2015-0923Auxiliary and post modules (2 new)Binom3 Web Management Login Scanner, Config and Password File Dump by Karn GaneshenKodi 17.0 Local File Inclusion Vulnerability by Eric Flokstra, and jvoisin exploits CVE-CVE-2017-5982Get itAs always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:Pull Requests 4.13.25...4.14.1Full diff 4.13.25...4.14.1To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.That's all for now.  Stay tuned, as we have several interesting projects in the works that should be debuting in the coming weeks.

I gave at the officeThe office can be a popular place when it comes to giving. From selling kids' cookies/candy to raising awareness for a charity, the opportunity to 'give at the office' is definitely a thing. And now, thanks to Office macros, Metasploit offers a new way to give (and receive!) at 'the Office'.These days, using malicious macros in office productivity programs is still a common attack vector. Designed with a handful of word-processing programs in mind (including some open source), Metasploit can now generate documents which utilize macros to execute an injected payload. Once a target receives and opens one of these documents (with macros enabled), the payload is executed, and now you have a shell or Meterpreter session (or whatever your payload is). Who says it's better to give than to receive?When the sequel is better than the originalIn the vein of "creative ways to achieve code execution on a MS SQL server", here's a new one which doesn't write to disk and works on a number of MS SQL versions. By setting up a stored procedure (with some pre-built .NET assembly code Metasploit provides) on the target, one can then issue a query containing an encoded payload, which will be executed as native shellcode by the stored procedure (woo!). Valid credentials with a certain level of privilege are required to use this new module, then you're good to go.Logins, logins, everywhere...We've had a couple of good login-related fixes recently, including a fix to properly honor USER_AS_PASS and USER_FILE options when running a login scanner. Also of note is a fix to the owa_login module to properly handle valid credentials when a user doesn't have a mailbox setup. And if you'd rather skip logins entirely, grab yourself a misfortune cookie and check out the new authentication bypass RomPager module.New ModulesExploit modules (4 new)AlienVault OSSIM/USM Remote Code Execution by Mehmet Ince and Peter LappMicrosoft Office Word Malicious Macro Execution by sinn3rPiwik Superuser Plugin Upload by FireFartMicrosoft SQL Server Clr Stored Procedure Payload Execution by Lee Christensen, Nathan Kirk, and OJ ReevesAuxiliary and post modules (1 new)Allegro Software RomPager 'Misfortune Cookie' (CVE-2014-9222) Authentication Bypass by Jan Trencansky, Jon Hart, and Lior Oppenheim exploits CVE-CVE-2014-9222Get itAs always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:Pull Requests 4.13.21...4.13.25Full diff 4.13.21...4.13.25To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Valentines day is just around the corner! What could be a nicer gift for your sweetie than a bundle of new Metasploit Framework updates? The community has been as busy as ever delivering a sweet crop of sexy exploits, bug fixes, and interesting new features. Everyone Deserves a Second Chance Meterpreter Scripts have been deprecated for years in favor of Post Exploitation modules, which are much more flexible and easy to debug. Unfortunately, the Internet still abounds with blogs and other advice still recommending their use, and it is clear the word still hasn't gotten out. In a previous Metasploit release, we attempted an experiment removing all of the scripts that already had Post Exploitation modules. Unfortunately, this caused even more confusion since it looked like Metasploit was broken. Now, Metasploit will kindly suggest that users explore the vast world of Post modules instead. For now, all of the built-in Meterpreter scripts you know and love are back for one last dance, but you should really look at dumping those guys. Remember, there are many more Post modules in the sea! Traverse your Way into my Life With this release, we have a number of directory traversal updates, both offensive and defensive. First off, we have added a module for exfiltrating arbitrary data from a Cisco Firepower management console. The default credentials are also documented, so if you run into one of these in the wild, there is a good chance you can make a special connection. And in the "it's not you, it's me" department, Justin Steven has been busy finding and fixing a number of directory traversal bugs in Metasploit's session handler, that can be exploited if you interact with a rogue Meterpreter session. Of course you should practice "safe sess(ions)", but if you can't, update your Metasploit Framework and get protected. You Stole my Creds, my Phone, my Car, and my Heart If you're looking for credentials to add to your little black book, Metasploit release also adds credential extraction modules for Advantech WebAccess, Metrocontrol Weblog, and Cisco Firepower Management Console. And once you have filled your cred list, you can now manipulate them in a more powerful way thanks to improvements in credential management. Android Meterpreter adds a number of new features sure to make keeping up with your bae even easier (that doesn't sound creepy at all does it!) Android Meterpreter now supports stageless HTTPS, which makes it easier to keep your payloads secure, fast, and reliable. If you have trouble with your Android sessions falling asleep after you connect, keep them going all night (and day) long with the new wakelock command. Metasploit makes its first foray into car hacking with a new hardware bridge session type, along with a number of new modules for administering and exploiting OBD-II / CANbus networks in modern vehicles. But, it's not limited to just these, you can add your own hardware devices by implementing the HWBridge specification. Don't let your car spoil your next date, hack back! There are many more improvements and modules to enjoy as well, and they are all available now. So why not update your console with someone special, and make everyday a very special Metasploit Valentines day. For full details, see the latest detailed Metasploit release notes: https://community.rapid7.com/docs/DOC-3575