Since the last Wrapup, we've been continuing our long-running project of breaking up some of the old cobweb-encrusted parts of the framework codebase into smaller pieces that are easier to deal with. A few things, lib/sshkey and lib/bit-struct in particular, that for historical reasons were just slightly modified copies of a gem, have been pulled out entirely in favor of the upstream release. A bunch of other things have been pulled out into their own repositories, making the whole codebase a little tidier.
NBNS and BadTunnel
NBNS is the NetBIOS Name Service, which Windows uses to do fast local translations of hostnames to IP addresses. Like DNS, being able to lie about answers gives an attacker the ability to act as a Man-in-the-Middle. Unlike DNS, requests are sent by broadcast to the local subnet. That means that listening for these requests and spoofing replies gets you a MitM stance on whatever the victim was requesting, a longstanding hacker favorite. The downside is that you have to be on the same local network as the victim to see those requests and know how to reply. However, all of this happens over UDP, which routers don't mind forwarding on to different subnets. You just need to guess the transaction ID, a 16-bit number. As it turns out, 16-bit numbers aren't that big, and you can just spam packets until one matches. You still need to know the hostname, though. Enter WPAD.
One way to convince a client that you are their WPAD server is to respond to the NBNS lookup for a host with that name. Metasploit and other tools like Responder.py have been providing that handy service for years to great effect. But now you don't need to be on the same subnet. You can just spam replies for WPAD for a few seconds until you get lucky, and suddenly you are in the middle of all HTTP requests by claiming to be their proxy. And it gets better. If you can somehow convince someone to send any NetBIOS traffic your way, you can do the same across NAT, thanks to BadTunnel.
Have fun storming the castle.
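A way to spot the brute-force pattern described above on the wire, as an added example that is not part of the original post or of the Metasploit module: it decodes NBNS (UDP/137) responses per RFC 1002 and flags a source that answers the same name with many distinct transaction IDs in a short window, which is the trace that spraying guesses at a 16-bit ID leaves behind. The packets it runs over are constructed inline, and the thresholds (20 distinct IDs within 2 seconds) are assumptions to tune for your own network. Filtering UDP/137 at subnet and NAT boundaries removes the cross-subnet variant entirely.

```python
"""Detect NBNS brute-force response spoofing.

Added example (not Metasploit code). Decodes NetBIOS Name Service response
payloads per RFC 1002 and alerts when one source answers the same name with
many different transaction IDs in a short window. All traffic is constructed.
"""
import struct
from collections import defaultdict

NBNS_PORT = 137  # UDP port the packets would arrive on


def encode_nb_name(name, suffix=0x00):
    """First-level encode: 15-char space-padded name + suffix -> 32 chars 'A'..'P'."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    return bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))


def decode_nb_name(encoded):
    """Inverse of encode_nb_name; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("NetBIOS first-level name must be 32 characters")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def parse_nbns(payload):
    """Parse the 12-byte DNS-style header, the name, and (for replies) the addresses."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    if payload[12] != 0x20:  # single 32-char label
        raise ValueError("unexpected name label length")
    name, suffix = decode_nb_name(payload[13:45])  # byte 45 is the 0x00 terminator
    rec = {"txid": txid, "is_response": bool(flags & 0x8000),
           "name": name, "suffix": suffix, "addrs": []}
    if rec["is_response"] and an:
        # TYPE(2) CLASS(2) TTL(4) RDLENGTH(2) follow the name at offset 46
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", payload[46:56])
        rdata = payload[56:56 + rdlen]
        for off in range(0, len(rdata), 6):  # NB_FLAGS(2) + IPv4(4) per entry
            rec["addrs"].append(".".join(str(b) for b in rdata[off + 2:off + 6]))
    return rec


def build_response(txid, name, ip, ttl=300):
    """Build a positive name query response. Used only to construct test data."""
    header = struct.pack("!HHHHHH", txid, 0x8500, 0, 1, 0, 0)
    qname = b"\x20" + encode_nb_name(name) + b"\x00"
    rdata = struct.pack("!H", 0x0000) + bytes(int(o) for o in ip.split("."))
    rr = struct.pack("!HHIH", 0x0020, 0x0001, ttl, len(rdata)) + rdata
    return header + qname + rr


def find_spoof_bursts(packets, window=2.0, min_distinct_txids=20):
    """packets: iterable of (timestamp, src_ip, udp_payload). Returns alerts.

    A legitimate responder answers one query with one transaction ID; a
    brute-forcer emits many IDs for the same name from the same source.
    """
    seen = defaultdict(list)  # (src_ip, name) -> [(ts, txid)]
    for ts, src, payload in packets:
        try:
            rec = parse_nbns(payload)
        except (ValueError, struct.error, IndexError):
            continue  # not NBNS, or truncated
        if rec["is_response"]:
            seen[(src, rec["name"])].append((ts, rec["txid"]))
    alerts = []
    for (src, name), events in seen.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {txid for _, txid in events[start:end + 1]}
            if len(distinct) >= min_distinct_txids:
                alerts.append({"src": src, "name": name,
                               "distinct_txids": len(distinct),
                               "window_start": events[start][0]})
                break
    return alerts


def sample_packets():
    """Constructed traffic: one ordinary reply, then a flood of WPAD replies."""
    pkts = [(0.0, "192.0.2.10", build_response(0x1234, "FILESRV", "192.0.2.10"))]
    pkts += [(10.0 + i * 0.01, "198.51.100.7",
              build_response(0x4000 + i, "WPAD", "198.51.100.7")) for i in range(60)]
    return pkts


if __name__ == "__main__":
    for alert in find_spoof_bursts(sample_packets()):
        print("NBNS spoof burst:", alert)
```

The same decoder works on real captures if you feed it the UDP payloads from port 137 with their arrival timestamps; the thresholds should be set well above what a single honest name server on your network ever produces.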
Nagios is a nifty monitoring tool that has basically become the de facto standard. The same company also produces a proprietary commercial frontend called Nagios XI. That frontend has a SQL injection vuln that leads to an authentication bypass; the bypass gives you access to a command injection, and the command injection lets you run sudo without a password. Nothing but net.
Expect a more detailed write up on this one.
Exploit modules (6 new)
- Apache Continuum Arbitrary Command Execution by wvu, and David Shanahan
- Nagios XI Chained Remote Code Execution by wvu, and Francesco Oddo
- op5 v7.1.9 Configuration Command Execution by h00die, and hyp3rlinx
- Tiki-Wiki CMS Calendar Command Execution by Dany Ouellet, and h00die
- JSON Swagger CodeGen Parameter Injector by ethersnowman
- Regsvr32.exe (.sct) Application Whitelisting Bypass Server by Casey Smith, and Trenton Ivey
Auxiliary and post modules (5 new)
- NetBIOS Response Brute Force Spoof (Direct) by hdm, tombkeeper, and vvalien
- DarkComet Server Remote File Download Exploit by Jos Wetzels, and Shawn Denbow & Jesse Hertz
- ClamAV Remote Command Transmitter by wvu, Alejandro Hdeza, and bwatters-r7
- NetBIOS Response "BadTunnel" Brute Force Spoof (NAT Tunnel) by hdm, tombkeeper, and vvalien exploits CVE-2016-3236
- Windows Gather Microsoft Office Trusted Locations by vysec
As always, you can update to the latest Metasploit Framework with a simple msfupdate, and the full diff since the last blog post is available on GitHub: 4.12.7...4.12.11