What time is it?
If you want to run some scheduled task, either with schtasks or cron, you have to decide when to run that task. In both cases, the schedule is based on what time it is according to the victim system, so when you make that decision, it's super helpful to know what the victim thinks the current time is.
As of #7435, Meterpreter has a
localtime command that gives you that information and then it's peanut butter jelly time.
Windows uses UTF-16le to store hostnames (and pretty much everything else). For ASCII characters, you can convert to that format simply by inserting NULL bytes in between each ASCII byte. When you run into a hostname that uses characters for which there is no direct ASCII equivalent, conversion is a lot more complex. As of this weeek, that complexity works correctly for hostnames in Metasploit. This affects several things that use the SMB protocol, including
smb_version, and the places where hostnames are displayed in msfconsole.
----- BENIGN CERTAIN -----
Along with Extra Bacon, the fun SNMP RCE bug for Cisco devices we mentioned here a couple months ago, the same dump included an information disclosure vulnerability in Cisco devices as well. The result is similar to what you get with Heartbleed - random memory contents that can sometimes contain credentials.
Android Application Packages (APK files) are very similar to JAR files. They're basically a zip archive with a certain directory structure. Android requries that APKs must be cryptographically signed before the system will allow you to install them. Earlier this year, we added the ability to use an existing APK as a template for your payload, but of course that makes the signature invalid. To fix it up, we re-sign with a new certificate.
As of this week, that certificate will match all of the metadata from the original template's signature which makes the installed app a bit less conscpicuous.
Local File Inclusion
In the world of PHP, Local File Includes or LFIs are a common vulnerability due to the nature of the language and how its
require directives work. That class of vulnerability is a lot less common in other langauges, so it was a bit surprising when the details of CVE-2016-0752 came out. What was previously believed to be merely a local file read vulnerability in Ruby on Rails when the bug was first made public back in February, can actually be turned into a local file include vulnerability. This works because the file that Rails is reading is actually used as template that can contain. (Note that's ERB, not ERB.)
This wrapup covers a few weeks, so the new module count is quite a bit higher than usual.
Exploit modules (9 new)
- Hak5 WiFi Pineapple Preconfiguration Command Injection by catatonicprime
- Hak5 WiFi Pineapple Preconfiguration Command Injection by catatonicprime exploits CVE-2015-4624
- Linux Kernel 3.13.1 Recvmmsg Privilege Escalation by h00die, and rebel exploits CVE-2014-0038
- OpenNMS Java Object Unserialization Remote Code Execution by Ben Turner
- Ruby on Rails Dynamic Render File Upload Remote Code Execution by John Poulin (forced-request), and mr_me exploits CVE-2016-0752
- Allwinner 3.4 Legacy Kernel Local Privilege Escalation by KotCzarny, and h00die
- Panda Security PSEvents Privilege Escalation by Security-Assessment.com, and h00die
- Powershell Payload Execution by Matt "hostess" Andreko, and RageLtMan
- HTA Web Server by Spencer McIntyre
Auxiliary and post modules (6 new)
- ZoomEye Search by Nixawk
- Cisco IKE Information Disclosure by Nixawk exploits CVE-2016-6415
- Siemens Profinet Scanner by Tijl Deneut
- Regsvr32.exe (.sct) Command Delivery Server by Casey Smith, Trenton Ivey, and mubix
- Windows Manage Persistent EXE Payload Installer by Merlyn drforbin Cousins
- Powershell .NET Compiler by RageLtMan
As always, you can update to the latest Metasploit Framework with a simple
msfupdate and the full diff since the last blog post is available on GitHub: 4.12.30...4.12.38