Python extension for Windows Meterpreter
Meterpreter offers some pretty powerful post-exploitation capabilities, from filesystem manipulation to direct Windows API calls with railgun, and everything in between.
One thing that's been missing for a long time is on-victim scripting. With this update comes an experimental Python extension to remedy that. It's still in its infancy, so expect some kinks to be worked out over the next few weeks, but it is functional. OJ's excellent Pull Request offers some insights into how it works and where it's going.
This update also includes a few PHP code execution exploits, including one for the very popular vBulletin, a cheeky one for a cute backdoor used by Chinese attackers according to the great analysis by FireEye, and one for Up.Time.
Up.Time, the tale of a bad patch
In late 2013, we published an exploit module by Denis Andzakovic targeting Up.Time, an IT infrastructure monitoring tool. As part of the initial advisory, the researcher quoted the vendor as saying
As a policy to protect our customers, we do not discuss any vulnerabilities with outside companies.
Which apparently includes the person reporting the vulnerability.
And indeed, there doesn't seem to be any public discussion of this vuln (or any others, for that matter) from the vendor, not even a mention of when a patch was available. It turns out that, whenever that patch came out, it didn't actually fix the vulnerability, and thanks to contributors Ewerson Guimaraes and Gjoko Krstic, we now have an exploit that targets the latest Up.Time versions 7.4 and 7.5.
- China Chopper Caidao PHP Backdoor Code Execution by Nixawk
- ManageEngine ServiceDesk Plus Arbitrary File Upload by Pedro Ribeiro exploits ZDI-15-396
- Th3 MMA mma.php Backdoor Arbitrary File Upload by Jay Turla
- Nibbleblog File Upload Vulnerability by Roberto Soares Espreto and Unknown
- Idera Up.Time Monitoring Station 7.0 post2file.php Arbitrary File Upload by Denis Andzakovic exploits OSVDB-100423
- Idera Up.Time Monitoring Station 7.4 post2file.php Arbitrary File Upload by Denis Andzakovic, Ewerson Guimaraes(Crash), and Gjoko Krstic(LiquidWorm)
- vBulletin 5.1.2 Unserialize Code Execution by Julien (jvoisin) Voisin, Netanel Rubin, and cutz exploits CVE-2015-7808
- Zpanel Remote Unauthenticated RCE by Balazs Makany, Jose Antonio Perez, brad wolfe, brent morris, dawn isabel, and james fitts exploits OSVDB-102595
- Safari User-Assisted Applescript Exec Attack by joev exploits CVE-2015-7007
- Mac OS X 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation by rebel and shandelman116 exploits CVE-2015-5889
- Wordpress Ajax Load More PHP Upload Vulnerability by Roberto Soares Espreto and Unknown
- X11 Keyboard Command Injection by xistence
- Watermark Master Buffer Overflow (SEH) by Andrew Smith and metacom exploits CVE-2013-6935
- HP SiteScope DNS Tool Command Injection by Charles Riggs, Juan Vazquez, and Kirk Hayes
Auxiliary and post modules
- Joomla Real Estate Manager Component Error-Based SQL Injection by Nixawk and Omer Ramic
- Joomla com_contenthistory Error-Based SQL Injection by Asaf Orpani, Nixawk, and bperry exploits CVE-2015-7297
- BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure by Brad Wolfe, James Fitts, and Jay Turla exploits CVE-2015-7602
- PCMan FTP Server 2.0.7 Directory Traversal Information Disclosure by Brad Wolfe, James Fitts, and Jay Turla exploits CVE-2015-7601
- ElasticSearch Snapshot API Directory Traversal by Benjamin Smith, Jose A. Guasch, and Pedro Andujar exploits CVE-2015-5531
- HTTP Host Header Injection Detection by Jay Turla and Medz Barao
- ManageEngine ServiceDesk Plus Path Traversal by xistence
As always, all the changes since the last wrapup can be had with a simple msfupdate, and the full diff is available on github: 4.11.5-2015110801...4.11.5-2015111801