Skip navigation
All Places > Metasploit > Blog > Authors Pearce Barry

Metasploit

2 Posts authored by: Pearce Barry Employee

Ghost...what???

hdm recently provided a new exploit module for a type confusion vulnerability that exists in Ghostscript versions 9.21 and earlier, allowing remote code execution on the target. And to "kick it up a notch", this exploit got itself a snazzy logo which also contains the exploit:

GhostButt

(spoiler alert: it's called GhostButt)

Forever and a day

From mr_me comes a one-two punch in the form of two exploits which target an EOL'd Trend Micro appliance. Certain versions of the Threat Discovery Appliance contain both authentication bypass and command injection vulnerabilities, which can be used to gain access to the appliance and run whatevs, respectively. And because this product is no longer supported by Trend Micro, these vulns are expected to be "forever day".

 

HTA RCE FTW

If you're looking for remote code execution via an MS Office document vuln, nixawk's exploit module might fit the bill nicely. This new addition allows Framework users to easily craft a doc file containing an OLE object which references an HTML Application (HTA). When the target opens this document, the HTA is accessed over the network (Framework acting as the server, of course), and remote code execution is back on the menu.

 

Feeling constrained?

Mercurial SCM users with ssh access can now move about more freely thanks to a new exploit module from claudijd. By targeting weak repo validation in HG server's customizable hg-ssh script, users can use this module to break out of their restricted shell and execute arbitrary code. Give it a go and enjoy your new-found freedom...!

 

But wait, there's more!

Rounding out our tech updates, bcook-r7 has given us a polite push forward and "flipped the switch" so that the POSIX Meterpreter used by Framework is now providing Mettle as its payload. Not only does Mettle weigh-in at ~1/2 the size of the old POSIX Meterpreter, it also provides more functionality. Additionally, it's being actively worked on these days, unlike the old POSIX Meterpreter. Yes, plz!

 

The Summer of Code is upon us!

We are excited to welcome Tabish Imran, B.N. Chandrapal, and Taichi Kotake to the Metasploit community as 2017 Google Summer of Code students. We thank everyone who took the time to participate; it was a fierce competition, with over 30 applicants. Look forward to seeing the great projects these students create this summer!

 

New Modules

Exploit modules (6 new)

 

Auxiliary and post modules (1 new)

 

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Pearce Barry

Weekly Metasploit Wrapup

Posted by Pearce Barry Employee Feb 23, 2017

I gave at the office

The office can be a popular place when it comes to giving. From selling kids' cookies/candy to raising awareness for a charity, the opportunity to 'give at the office' is definitely a thing. And now, thanks to Office macros, Metasploit offers a new way to give (and receive!) at 'the Office'.

 

These days, using malicious macros in office productivity programs is still a common attack vector. Designed with a handful of word-processing programs in mind (including some open source), Metasploit can now generate documents which utilize macros to execute an injected payload. Once a target receives and opens one of these documents (with macros enabled), the payload is executed, and now you have a shell or Meterpreter session (or whatever your payload is). Who says it's better to give than to receive?

 

 

When the sequel is better than the original

In the vein of "creative ways to achieve code execution on a MS SQL server", here's a new one which doesn't write to disk and works on a number of MS SQL versions. By setting up a stored procedure (with some pre-built .NET assembly code Metasploit provides) on the target, one can then issue a query containing an encoded payload, which will be executed as native shellcode by the stored procedure (woo!). Valid credentials with a certain level of privilege are required to use this new module, then you're good to go.

 

Screen Shot 2017-02-23 at 11.11.01 AM.png

 

Logins, logins, everywhere...

We've had a couple of good login-related fixes recently, including a fix to properly honor USER_AS_PASS and USER_FILE options when running a login scanner. Also of note is a fix to the owa_login module to properly handle valid credentials when a user doesn't have a mailbox setup. And if you'd rather skip logins entirely, grab yourself a misfortune cookie and check out the new authentication bypass RomPager module.

 

New Modules

Exploit modules (4 new)

Auxiliary and post modules (1 new)

 

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Filter Blog

By date: By tag: