Windows Privilege Escalation
In the long long ago, Windows users pretty much universally had local Administrator accounts. While that's still true in less mature environments, I think we have done a pretty good job as an industry of convincing folks to reduce users' privileges. Back in those days, privilege escalation exploits weren't all that useful because every exploit, executable, and Word macro already gave you the highest privileges. Today that's less true.
Even worse for the enterprising hacker, modern browser exploitation frequently gives you the lowest possible privileges, even without the ability to read or write files outside of certain directories or interact with processes other than your own, due to sandboxing. One major advantage of kernel vulnerabilities is the fact that they skip right out of those sandboxes straight to
Two Windows vulnerabilities, one patched in February and the second in March, get exploits this week for your privilege escalating pleasure.
Test Our Mettle
Over the years there have been several iterations of Meterpreter for a POSIX environment, with limited success. As of this week, we're shipping a new contender for the throne of unix payloads: Mettle. It's a ground-up implementation of the Meterpreter protocol and feature set for multiple architectures and POSIX platforms. One of the barriers to such a payload has been the fact that it requires packaging up a static libc and any libraries it will need on target. This is in contrast to Windows, where the extreme adherence to backwards compatibility through the ages means that things like socket functions in ws2_32.dll can be relied upon pretty universally, which just isn't remotely true of all the various unices. Android's Bionic libc was the most recent attempt, but several issues have made it clear we needed something else. Mettle uses musl, a small, highly portable, optimized libc. While we're currently only testing Linux, musl's portability will give us the ability to expand to other things like Solaris and BSD in the future.
The old implementation will continue to live side-by-side with the new one for a while, but once Mettle has the main required features, the Bionic-based POSIX Meterpreter will be allowed to retire to a beach somewhere to drink margaritas and complain about kids these days.
Exploit modules (5 new)
- Riverbed SteelCentral NetProfiler/NetExpress Remote Code Execution by Francesco Oddo
- Ruby on Rails ActionPack Inline ERB Code Execution by RageLtMan exploits CVE-2016-2098
- Tiki Wiki Unauthenticated File Upload Vulnerability by Mehmet Ince
- MS16-016 mrxdav.sys WebDav Local Privilege Escalation by Tamas Koczka and William Webb exploits CVE-2016-0051
- MS16-032 Secondary Logon Handle Privilege Escalation by James Forshaw, b33f, and khr0x40sh exploits CVE-2016-0099
Auxiliary and post modules (3 new)
- WebNMS Framework Server Credential Disclosure by Pedro Ribeiro
- WebNMS Framework Server Arbitrary Text File Download by Pedro Ribeiro
- Linux DoS Xen 4.2.0 2012-5525 by Aleksandar Milenkoski and Christoph Sendner exploits CVE-2012-5525
As always, you can update to the latest Metasploit Framework with a simple msfupdate, and the full diff since the last blog post is available on GitHub: 4.12.11...4.12.14