Meterpreter ADSI support
We ended up skipping last week's update since upwards of 90% of Rapid7 folks were Shanghaied up to Boston, in the dead of winter, with only expense-reportable booze to keep us warm at night. So, with much fanfare comes this week's update, featuring the all new ADSI interface for Meterpreter, via OJ TheColonial Reeves' Extended API.
Lucky for us, and you, Carlos DarkOperator Perez was not ensconced in Boston, but in (what I can only assume is) sunny Puerto Rico. Between (again, as I imagine his lifestyle to be) frosty tropical cocktails on the beach, he wrote up a delightful overview on how to use OJ's new ADSI hotness, descriptively titled, Enumeration using the Meterpreter ADSI Extended API Commands. It's a thorough HOWTO, so if you're interested in that sort of thing (and seriously, who isn't?), I encourage you to check it out.
Thanks heaps, OJ and Carlos! Great work!
MSFTidy Your Modules
For quite a while now, we've been gently reminding, tearfully pleading, and angrily demanding that all Metasploit modules take a quick pass through msftidy.rb, aka MSFTidy, aka our style checker for modules. Some of the checks are more cosmetic, such as ensuring that you're using soft tabs rather than hard tabs. Some make sure you're not setting up for threading bugs by modifying the datastore at runtime. Some protect against vulnerabilities in other libraries (notably, Nokogiri's terrible habit of shipping vulnerable libxml2 binaries). We've had a handy method to run MSFTidy as a pre-commit hook for a while now -- see this pull request from about a year ago. But alas, I cannot force people out on the Internet to run my delightful pre-commit checks, and it's clear to me now that few actually do.
So, starting this week, our good buddy Travis-CI will do our dirty work for us by running msftidy.rb on any new Pull Request. It looks like PR #2948 was the first to fall victim to our new automated style fascism enforcement -- sorry @juushya! All the checks are worth validating, if only to save the sanity of future exploit developers. MSFTidy ensures that modules have some kind of predictable layout that's familiar to anyone who takes the time to learn the format. We've been hewing closer and closer to the Ruby style guide, and it's for a reason -- the less time future exploit devs have to spend on figuring out what the heck you're trying to express in your code, the more time they have to fix your bugs and extend your modules with new features. Of course, Metasploit is ultimately community driven, so if you have some strongly held and defensible belief that something in msftidy shouldn't be checked (the line length limits are contentious), then feel free to express your opinion in the form of a Pull Request. We're happy to discuss basically everything about Metasploit development here in the People's Republic.
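As an added illustration (not msftidy.rb's own code, and not from the Metasploit project), here is a simplified Ruby checker for three of the kinds of checks described above: hard tabs, runtime datastore modification, and loading Nokogiri. The regular expressions, messages, function names and sample module are assumptions made for this example.

```ruby
# Simplified illustration of msftidy-style checks; NOT msftidy.rb itself.
# Patterns and messages are assumptions made for this example.
CHECKS = [
  [/^ *\t/, 'hard tab in indentation, use soft tabs (spaces)'],
  [/\bdatastore\[[^\]]+\]\s*=(?![=~])/, 'datastore modified at runtime'],
  [/^\s*require\s+['"]nokogiri['"]/, 'requires Nokogiri']
].freeze

# Returns an array of [line_number, message] pairs for a module's source text.
def tidy_check(source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    next if line.strip.start_with?('#') # ignore comment-only lines
    CHECKS.each do |pattern, message|
      findings << [lineno, message] if line =~ pattern
    end
  end
  findings
end

# Exit status a pre-commit hook or CI job could use: non-zero rejects the change.
def hook_status(source)
  tidy_check(source).empty? ? 0 : 1
end

# Constructed sample source (not a real Metasploit module).
SAMPLE_MODULE = [
  "require 'msf/core'",
  "require 'nokogiri'",
  "class Metasploit3 < Msf::Auxiliary",
  "  def run",
  "\tprint_status('indented with a hard tab')",
  "    datastore['RPORT'] = 8080",
  "    return if datastore['RHOST'] == '127.0.0.1'", # a read, not a write
  "  end",
  "end"
].join("\n")

tidy_check(SAMPLE_MODULE).each do |lineno, message|
  puts "line #{lineno}: #{message}"
end
```

The comparison on line 7 of the sample is deliberately not flagged, since only assignments to the datastore are treated as runtime modification here.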
We've seven new modules this week -- Juan has been busy with Apache Struts and Apache Tomcat, which are always nice targets to go after since they're pretty popular webapp server components. In addition, we have one module which just struck me funny: @Xistence's ManageEngine Support Center directory traversal module. This is a ticketing system, basically, where users can attach files to their bug reports (like you'd expect). Problem is, they can "attach" local files on the ManageEngine machine as well -- and on Windows, Support Center runs as SYSTEM by default. So, yeah. Any local file on the entire system, just there for the attaching. Oops.
If you run ManageEngine's software in your environment, then you really ought to consider patching.
- Apache Struts Developer Mode OGNL Execution by juan vazquez, Alvaro, Andreas Nusser, and Johannes Dahse exploits CVE-2012-0394
- Apache Tomcat Manager Application Upload Authenticated Code Execution by rangercha exploits ZDI-10-214
- Simple E-Document Arbitrary File Upload by Brendan Coles and vinicius777
- SkyBlueCanvas CMS Remote Code Execution by Scott Parish and xistence exploits CVE-2014-1683
Auxiliary and post modules
- Drupal OpenID External Entity Injection by juan vazquez and Reginaldo Silva exploits CVE-2012-4554
- ManageEngine Support Center Plus Directory Traversal by xistence exploits OSVDB-102656
- Windows Gather SmarterMail Password Extraction by sinn3r, Brendan Coles, and Joe Giron
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.