Skip navigation
All Places > Metasploit > Blog > 2016 > May
2016
egypt

Weekly Metasploit Wrapup

Posted by egypt Employee May 20, 2016

Check the computer, the mainframe computer

 

This week's update comes with our first ever exploit module for z/OS, the operating system used by mainframes, from our friend Bigendian Smalls who also built the payloads. The module in question is an example of authenticated code execution by design, which takes advantage of a design feature allowing users to submit jobs via uploading files to an FTP daemon.

 

So all we have to do is load it anywhere into the credit union mainframe, and it'll do the rest.

 

More movie hacking

 

Also this week, we have a module straight out of the movies. Long-time contributor nstarke brings us another fun RCE-by-design exploit, this time for a TP-Link surveillance camera. From a network perspective it's just another embedded Linux system, of course, but having root on one of these things means you can potentially steal surveillance video or even replace the feed with old benign images while you steal those diamonds from under the nose of that hapless security guard.

 

Operations center with video surveillance monitors

 

 

Documenting modules

 

Our friendly neighborhood exploit dev, sinn3r, recently put together a really handy system for writing module documentation in markdown. I haven't mentioned it in a Wrapup yet because I'm working on a bigger announcement, but for now it will suffice to say that markdown docs are super fun and easy to write, and that figuring out how a module is supposed to work has never been easier. From msfconsole, just type info -d and you'll get the full knowledge base for the given module.

 

We've already added supporting documentation for several modules, including the new mainframe exploit module mentioned above. If you've ever wanted to contribute, but don't feel like you want to write code, this is a great place to get started.

 

New Modules

 

Exploit modules (3 new)

 

New Modules

Auxiliary and post modules (2 new)

Get it

 

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.11.26...4.12.2

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee May 11, 2016

Resolve, v. transitive

 

Sometimes the biggest things that make working with a tool fun are the small things. One of those things is the recent addition of a resolve command for Meterpreter. It does what it sounds like: it resolves a hostname to an IP address on the victim system, taking advantage of the local DNS. Of course, that's not a huge thing, but it is pretty convenient.

 

Strut, v. intransitive

 

This update also comes with a fun exploit for Apache Struts, a web framework for webby things. It's a Model-View-Controller framework for Java web applications, somewhat similar to Rails in the ruby world. Bugs in frameworks like this can end up lasting a lot longer than in applications, as all the things that depend on it have to be updated too.

 

Magick, n.

 

Also in this update is a shiny new exploit module for the latest Branded Vulnerability(tm), ImageTragick. In this case though, it can actually get you shells. As the advisory explains, this is a command injection vulnerability in the way image metadata is passed to a conversion utility. It's tough to gauge how useful this will be since it depends a lot on how applications use ImageMagick, but the potential is pretty shiny. If you've found something that uses it in a vulnerable way, it sure would be keen if you'd let us know and even more awesome would be a module for it in a new Pull Request.

 

Committer, n.

 

In great open-source-land news, we've added a new committer! As Tod mentioned the last time this happened, new committers don't come along very often and when they do it's usually surprising to learn that they aren't already committers because they've been around for quite a while. Mubix has been a long-time friend of the Metasploit family, helping out with code review, module development, and lots of testing. He has also helped countless people learn about Metasploit features with his fabulous Metasploit Minute series with Hak5.

 

5907607001_b3954dfaa9_b.jpgThe open source community has always been integral to Metasploit. Adding new Committers increases the Bus Factor of the project. Non-Rapid7 Committers are super important for the vitality of the project and help cement the relationship between Rapid7 and the community.

 

Also, Mubix is a personal friend of mine and I think he's a hoopy frood who really knows where his towel is. I'm excited to see how he'll use his new-found powers.

 

In fact, he's already landed his first Pull Request, which brings me to...

 

Portfwd, n.

 

Some of the most fun you can have with Meterpreter is by sending your evil packets through it. One way to do that is the portfwd command, which allows you to do what it sounds like -- forward connections from one port to another. This works pretty similarly to portfwarding in SSH, except that previously, it was only possible to listen on the attack platform and forward connections to the victim's network. As of this update, you can go the other direction as well. By setting up a reverse forward, you can tell Meterpreter to listen on the victim system and have it forwarded back to the network where Metasploit is running. For the latest in fun stuff happening in Meterpreter land, I recommend checking out OJ's recent bloggery on the subject.

 

New Modules

 

Exploit modules (3 new)

 

Get it

 

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.11.23...4.11.26

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Filter Blog

By date: By tag: