Pearce Barry

Weekly Metasploit Wrapup

Blog Post created by Pearce Barry Employee on Feb 23, 2017

I gave at the office

The office can be a popular place when it comes to giving. From selling kids' cookies/candy to raising awareness for a charity, the opportunity to 'give at the office' is definitely a thing. And now, thanks to Office macros, Metasploit offers a new way to give (and receive!) at 'the Office'.

 

These days, using malicious macros in office productivity programs is still a common attack vector. Designed with a handful of word-processing programs in mind (including some open source), Metasploit can now generate documents which utilize macros to execute an injected payload. Once a target receives and opens one of these documents (with macros enabled), the payload is executed, and now you have a shell or Meterpreter session (or whatever your payload is). Who says it's better to give than to receive?

 

 

When the sequel is better than the original

In the vein of "creative ways to achieve code execution on a MS SQL server", here's a new one which doesn't write to disk and works on a number of MS SQL versions. By setting up a stored procedure (with some pre-built .NET assembly code Metasploit provides) on the target, one can then issue a query containing an encoded payload, which will be executed as native shellcode by the stored procedure (woo!). Valid credentials with a certain level of privilege are required to use this new module, then you're good to go.

 

Screen Shot 2017-02-23 at 11.11.01 AM.png

 

Logins, logins, everywhere...

We've had a couple of good login-related fixes recently, including a fix to properly honor USER_AS_PASS and USER_FILE options when running a login scanner. Also of note is a fix to the owa_login module to properly handle valid credentials when a user doesn't have a mailbox setup. And if you'd rather skip logins entirely, grab yourself a misfortune cookie and check out the new authentication bypass RomPager module.

 

New Modules

Exploit modules (4 new)

Auxiliary and post modules (1 new)

 

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Outcomes