Faster, Meterpreter, KILL! KILL!
You can now search for and kill processes by name in Meterpreter with the new pkill commands. They both have flags similar to the older ps command, allowing you to filter by architecture (-a), user (-u), or to show only child processes of the current session's process (-c). We've also added a -x flag to find processes with an exact match instead of a regex, if you're into that.
Fun with radiation
Craig Smith has been killing it lately with all his hardware exploitation techniques. Check out his post from earlier this week for details of his latest work on integrating radio reconnaissance with Metasploit via the HWBridge, including crafting and examining radio frequency packets, brute force via amplitude modulation, and more!
Java web things
This update includes modules for two fun Java things: Struts2 and WebSphere.
Struts is a Java web application framework often deployed on Tomcat, but it can run on any of the various servlet containers out there. The bug is in an error handler. Basically, if the Content-Type header sent by the client is malformed, it will cause an exception and send a stack trace back to the client. As part of its rendering process, Struts will treat the value of the header as part of a template. Templates can contain Object-Graph Navigation Language (OGNL) expressions, meaning we get full code execution as the user running the web process. The exploit for this drops a file and runs it so your shells can strut their stuff.
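On the defensive side, the Content-Type behaviour described above can be checked for in captured request heads. The following is an added example, not code from Metasploit or from this post; the function names, result labels, and sample requests are constructed for illustration.

```python
import re

# OGNL expressions are written %{...} or ${...}; "{" is not legal in a media type.
OGNL_MARKER = re.compile(r"[%$]\{")
# Simplified media-type shape: type/subtype plus optional ;name=value parameters.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
MEDIA_TYPE = re.compile(
    rf'^{TOKEN}/{TOKEN}(?:\s*;\s*{TOKEN}=(?:{TOKEN}|"[^"\\]*"))*\s*$'
)

def content_type_values(raw_head):
    """Return every Content-Type value in a raw request head (names are case-insensitive)."""
    values = []
    for line in raw_head.split("\r\n")[1:]:      # skip the request line
        if not line:                             # blank line ends the headers
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-type":
            values.append(value.strip())
    return values

def classify(raw_head):
    """Label a request head 'ognl-marker', 'malformed' or 'ok' by its Content-Type."""
    values = content_type_values(raw_head)
    if any(OGNL_MARKER.search(v) for v in values):
        return "ognl-marker"                     # expression delimiters in the header: alert
    if len(values) > 1 or any(not MEDIA_TYPE.match(v) for v in values):
        return "malformed"                       # the kind of value that hits the error path
    return "ok"

# Constructed sample request heads; the "probe" value is an inert placeholder.
SAMPLES = {
    "upload": "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
              "Content-Type: multipart/form-data; boundary=----abc123\r\n\r\n",
    "json":   "POST /api HTTP/1.1\r\nHost: app.example\r\n"
              'content-type: application/json; charset="utf-8"\r\n\r\n',
    "probe":  "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
              "Content-Type: %{#placeholder}.multipart/form-data\r\n\r\n",
    "broken": "POST /x HTTP/1.1\r\nHost: app.example\r\n"
              "Content-Type: text/plain;;\r\n\r\n",
}

if __name__ == "__main__":
    for label, head in SAMPLES.items():
        print(f"{label:7} -> {classify(head)}")
```

Requests labelled `malformed` are worth reviewing alongside server logs for stack traces returned to clients, since that is the error path the post describes.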
WebSphere is an application server manager. It is particularly interesting because it is often used to deploy code to clusters of application servers, which means popping one box can potentially give you code execution on dozens more.
You used to pwn me on my cell phone
While MMS messages aren't as common a phishing vector as email, they can potentially be highly successful late at night when you need those shells. Now you can send SMS and MMS messages with Metasploit, using any SMTP server including Gmail or Yahoo servers. Pair this with a malicious attachment such as the one generated by android/fileformat/adobe_reader_pdf_js_interface, or a link to the Stagefright browser exploit (android/browser/stagefright_mp4_tx3g_64bit), and get that holla back.
Exploit modules (6 new)
- dnaLIMS Admin Module Command Execution by flakey_biscuit and h00die exploits CVE-2017-6526
- Logsign Remote Command Injection by Mehmet Ince
- Netgear R7000 and R6400 cgi-bin Command Injection by Acew0rm and thecarterb exploits CVE-2016-6277
- Apache Struts Jakarta Multipart Parser OGNL Injection by egyp7, Chorder, Jeffrey Martin, Nike.Zheng, and Nixawk exploits CVE-2017-5638
- IBM WebSphere RCE Java Deserialization Vulnerability by Liatsis Fotios exploits CVE-2015-7450
- SysGauge SMTP Validation Buffer Overflow by Chris Higgins and Peter Baris
Auxiliary and post modules (10 new)
- MMS Client by sinn3r
- SMS Client by sinn3r
- QNAP NAS/NVR Administrator Hash Disclosure by wvu, Donald Knuth, and bashis
- Easy File Sharing FTP Server 3.6 Directory Traversal by Ahmed Elhady Mohamed exploits CVE-2017-6510
- DnaLIMS Directory Traversal by flakey_biscuit and h00die exploits CVE-2017-6527
- Carlo Gavazzi Energy Meters - Login Brute Force, Extract Info and Dump Plant Database by Karn Ganeshen
- mDNS Spoofer by James Lee, Joe Testa, and Robin Francois
- Brute Force AM/OOK (ie: Garage Doors) by Craig Smith
- RF Transceiver Transmitter by Craig Smith
- Sends Beacons to Scan for Active ZigBee Networks by Craig Smith
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub: