The Vegas and vacation season is behind us, so it's time to release our first post-4.4.0 update. Here we go!
A few factors conspired to make this update more module-heavy than usual. We released Metasploit 4.4 in mid-July. Historically, a dot version release of Metasploit means that we spend a little post-release time closing out bugs, performing some internal housekeeping that we'd been putting off, and other boring software engineering tasks. Right after this exercise, it was Vegas season for the security crowd, and a pretty huge chunk of Metasploit was out there for BlackHat, DefCon, and BSides. Related to DefCon season, we had an unusually high volume of module submissions in the last two weeks.
So, we end up with a union of module backlog and a bumper crop of exploits and auxiliary modules. This update brings new exploits for, in no particular order, Symantec Web Gateway, Zenoss, the Linux Kernel, CuteFlow, WebPageTest, Nmap, EGallery, Cisco Linksys WVC200, Microsoft Internet Explorer, Photodex ProShow Producer, Dell SonicWALL Scrutinizer, Simple Web Server, Windows Task Scheduler, Microsoft Office SharePoint Server, and Novell ZENworks.
Community contributor Patrik Karlsson (aka, @nevdull77) has been on fire lately with his Authentication Capture modules -- this update has modules for impersonating MySQL and SIP servers to go along with his DB2, Microsoft SQL, and VNC server auth capture modules.
The basic idea with these is that you, as a penetration tester, trick your victim into providing authentication credentials to your fake server (which is really a Metasploit instance). This can be done in a variety of ways. If you're local to the victim, you can pretty trivially poison DNS or DHCP to get your victim to the wrong place. If you're remote, it might be just a matter of social engineering, or domain squatting, or something along those lines.
Of course, this isn't the only use of these modules. Having a responsive authentication service at your fingertips is a super-handy research tool if you're interested in experimenting with how different clients behave, or if you're looking into training up a protocol analyzer or something like that. They're really pretty versatile, so thanks tons, nevdull, for your work on these!
Lone Star Ruby Conf
Almost totally unrelated to Metasploit updates, I'm seizing this blog post to point at my upcoming talk at Lone Star Ruby Conf 6 here in Austin at the end of the week. It's entitled "Offensive Ruby," and I'll be speaking on Friday morning. The abstract is linked from the LSRC page -- the shorter of the short stories is, I'll be talking about how the security community has adopted Ruby for its own, and give demos. I intend to deliver a whirlwind tour of PacketFu, Ronin, Ruby BlackBag, Arachni, Metasm, and... well, I guess I'll talk about Metasploit, too. (:
It's a developer conference, not a security conference, so my whole goal there is to remind the dev community that we exist, and not everyone who uses Ruby is using it to build out web apps and RSS readers. LSRC is notable in that it's not RailsConf, so that barrier shouldn't be too hard to breach -- there are lots of people there using Ruby for weird and wonderful applications. Should be fun, so if you happen to be there, track me down to say "hi."
Here are the new modules -- for details and usage, follow the links to our Exploit Database.
- Microsoft SQL Server Generic Query from File by j0hn__f
- SAP Management Console GetProcessList by Bruno Morisson and Chris John Riley
- Authentication Capture: MySQL by Patrik Karlsson
- Authentication Capture: SIP by Patrik Karlsson
- Symantec Web Gateway 220.127.116.11 pbcontrol.php Command Injection by sinn3r and muts exploits CVE-2012-2953
- Zenoss 3 showDaemonXMLConfig Command Execution by Brendan Coles exploits OSVDB-84408
- Linux Kernel Sendpage Local Privilege Escalation by egyp7, Julien Tinnes, Tavis Ormandy, rcvalle, and spender exploits CVE-2009-2692
- CuteFlow v2.11.2 Arbitrary File Upload Vulnerability by Brendan Coles exploits OSVDB-84829
- WebPageTest Arbitrary PHP File Upload by sinn3r and dun exploits OSVDB-83822
- Setuid Nmap Exploit by egyp7 exploits a misconfiguration in Nmap
- EGallery PHP File Upload Vulnerability by juan vazquez and Sammy FORGIT exploits OSVDB-83891
- Cisco Linksys PlayerPT ActiveX Control Buffer Overflow by juan vazquez and rgod exploits OSVDB-80297
- Cisco Linksys PlayerPT ActiveX Control SetSource sURL argument Buffer Overflow by juan vazquez and Carsten Eiram exploits CVE-2012-0284
- Microsoft Internet Explorer Fixed Table Col Span Heap Overflow by sinn3r, juan vazquez, Alexandre Pelletier, binjo, and mr_me exploits MS12-037
- Photodex ProShow Producer 5.0.3256 load File Handling Buffer Overflow by juan vazquez, Julien Ahrens, and mr.pr0n exploits OSVDB-83745
- Dell SonicWALL Scrutinizer 9 SQL Injection by sinn3r, Devon Kearns, and muts exploits CVE-2012-2962
- Simple Web Server Connection Header Buffer Overflow by juan vazquez and mr.pr0n exploits OSVDB-84310
- PsExec via Current User Token by egyp7 and jabra exploits CVE-1999-0504
- Windows Escalate Task Scheduler XML Privilege Escalation by jduck exploits MS10-092
- Microsoft Office SharePoint Server 2007 Remote Code Execution by juan vazquez, James Burton, and Oleksandr Mirosh exploits MS10-104
- Novell ZENworks Configuration Management Preboot Service 0x21 Buffer Overflow by juan vazquez and Stephen Fewer exploits ZDI-10-090
- Novell ZENworks Configuration Management Preboot Service 0x4c Buffer Overflow by juan vazquez and Luigi Auriemma exploits CVE-2011-3176
- Novell ZENworks Configuration Management Preboot Service 0x06 Buffer Overflow by juan vazquez and Stephen Fewer exploits ZDI-10-090
- Novell ZENworks Configuration Management Preboot Service 0x6c Buffer Overflow by juan vazquez and Luigi Auriemma exploits CVE-2011-3175
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For additional details on what's changed and what's current, please see the most excellent release notes.