egypt

Metasploit Wrapup

Blog Post created by egypt Employee on May 26, 2017

It has been an intense couple of weeks in infosec since the last Wrapup and we've got some cool things for you in the latest update.

 

Hacking like No Such Agency

I'll admit I was wrong. For several years, I've been saying we'll never see another bug like MS08-067, a full remote hole in a default Windows service. While I'm not yet convinced that MS17-010 will reach the same scale as MS08-067 did, EternalBlue has already done substantial damage to the internet. Rapid7 bloggers covered a bunch of the details last week.

EternalBlue: Metasploit Module for MS17-010

 

Since the last Wrapup, we've added an exploit for EternalBlue that targets x64 on the Windows 7 kernel (including 2008 R2). Updates are in the works to cover x86 and other kernels. There is also a scanner that can reliably determine exploitability of MS17-010, as well as previous infection with DOUBLEPULSAR, the primary payload used by the original leaked exploit.

 

While EternalBlue was making all the headlines, we also landed an exploit module for the IIS ScStoragePathFromUrl bug (CVE-2017-7269) for Windows 2003 from the same dump. This one requires the victim to have WebDAV enabled, which isn't default but is really common, especially on webservers of that era. Since 2003 is End of Support, Microsoft is not going to release a patch.

 

Dance the Samba

In the few days since we spun this release, we also got a shiny new exploit module for Samba, the Unixy SMB daemon that runs on every little file sharing device ever. Expect some more discussion about it in the next wrapup. In the mean time, you can read more about the effects of the bug.

 

WordPress PHPMailer

WordPress, which powers large swaths of the internet, embeds a thing called PHPMailer for sending email, mostly for stuff like password resets. Earlier this May, security researcher Dawid Golunski published a vulnerability in PHPMailer. The vulnerability is similar to CVE-2016-10033, discovered by the same researcher. Both of these bugs allow you to control arguments to sendmail(1).

 

Now, vulns in WordPress core are kind of a big deal, since as previously mentioned, WP is deployed everywhere. Unfortunately (or maybe fortunately depending on your perspective), there is a big caveat -- Apache since 2.2.32 and 2.4.24 changes a default setting, HttpProtocolOptions to disallow the darker corners of RFC2616, effectively mitigating this bug for most modern installations.

 

The intrepid @wvu set forth to turn this into a Metasploit module and came out the other side with some shells and interesting discoveries that he'll cover in a more detailed technical post coming soon to a Metasploit Blog near you.

 

Railgun

While Meterpreter is a very powerful and flexible tool for post exploitation on its own, sometimes you need the flexibility to go beyond the functionality that it provides directly. There may be a special API that needs to be called to extract a credential, or a certain system call that is required to trigger an exploit. For a long time, Windows Meterpreter users have enjoyed the use of the Railgun extension, which provides a way to do just that, similar to FFI (Foreign Function Interface) that is available in many scripting languages, but operating remotely. Thanks to an enormous effort by Metasploit contributor, zeroSteiner, Linux users can now also take advantage of Railgun, as it is now implemented as part of Python Meterpreter! This functionality opens the door to many new post-exploitation module possibilities, including the ability to steal cleartext passwords from gnome-keyring. See zeroSteiner’s blog and his more technical companion piece for more details.

 

Steal all the things

This week's update also continues the fine tradition of Stealing All the Things(tm). The aforementioned gnome-keyring dumper allows you to steal passwords from a logged-in user. In a similar vein, if you have a shell on a JBoss server, post/multi/gather/jboss_gather will give you all the passwords. The fun thing about both of these is that they work on the principle that you have permission to read these things -- there is no exploit here, and nothing to be patched.

 

On the other side of things, auxiliary/admin/scada/moxa_credentials_recovery does take advantage of a vulnerability to grab all the creds from a cute little SCADA device.

 

New Modules

Exploit modules (10 new)

 

Auxiliary and post modules (6 new)

 

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

 

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Outcomes