I gave at the office
The office can be a popular place when it comes to giving. From selling kids' cookies/candy to raising awareness for a charity, the opportunity to 'give at the office' is definitely a thing. And now, thanks to Office macros, Metasploit offers a new way to give (and receive!) at 'the Office'.
These days, using malicious macros in office productivity programs is still a common attack vector. Designed with a handful of word-processing programs in mind (including some open source), Metasploit can now generate documents which utilize macros to execute an injected payload. Once a target receives and opens one of these documents (with macros enabled), the payload is executed, and now you have a shell or Meterpreter session (or whatever your payload is). Who says it's better to give than to receive?
When the sequel is better than the original
In the vein of "creative ways to achieve code execution on a MS SQL server", here's a new one which doesn't write to disk and works on a number of MS SQL versions. By setting up a stored procedure (with some pre-built .NET assembly code Metasploit provides) on the target, one can then issue a query containing an encoded payload, which will be executed as native shellcode by the stored procedure (woo!). Valid credentials with a certain level of privilege are required to use this new module, then you're good to go.
Logins, logins, everywhere...
We've had a couple of good login-related fixes recently, including a fix to properly honor USER_AS_PASS and USER_FILE options when running a login scanner. Also of note is a fix to the owa_login module to properly handle valid credentials when a user doesn't have a mailbox setup. And if you'd rather skip logins entirely, grab yourself a misfortune cookie and check out the new authentication bypass RomPager module.
Exploit modules (4 new)
- AlienVault OSSIM/USM Remote Code Execution by Mehmet Ince and Peter Lapp
- Microsoft Office Word Malicious Macro Execution by sinn3r
- Piwik Superuser Plugin Upload by FireFart
- Microsoft SQL Server Clr Stored Procedure Payload Execution by Lee Christensen, Nathan Kirk, and OJ Reeves
Auxiliary and post modules (1 new)
- Allegro Software RomPager 'Misfortune Cookie' (CVE-2014-9222) Authentication Bypass by Jan Trencansky, Jon Hart, and Lior Oppenheim exploits CVE-CVE-2014-9222
As always, you can update to the latest Metasploit Framework with
msfupdate and you can get more details on the changes since the last blog post from GitHub: