Command-line tools in general are powerful, but come with a learning curve. When you've been using a tool for a long time, that curve becomes a status quo that embeds itself in your fingers. That isn't always a good thing because it tends to make you blind to how things can be better and it takes an effort of introspection to notice inefficiencies. Even then, you weigh those inefficiencies against the effort required to improve.
An example of that is msfconsole's route command, which gets a bit of a spruce up this week. Instead of showing help output when given no arguments, it now shows the current routing table. In addition, it now supports using a session id of "-1" to indicate the most recent session, just like you can do for the SESSION option in post modules.
Extra privilege escalation
In the last few years, privilege escalation has become more important in the Windows world, but it has always been a staple on Unix operating systems. This update brings two privilege escalation modules, one for the Linux kernel and one for NetBSD's /usr/libexec/mail.local, for your rooting pleasure.
Extra Meta Metasploitation
As I mentioned in the last wrapup, we've landed @justinsteven's modules for attacking Metasploit from Metasploit. The first, metasploit_static_secret_key_base, exploits the way Rails cookies are serialized and the fact that an update would step on the randomly generated secret key with a static one. Check out the full details if you're interested in how that works.
The second, metasploit_webui_console_command_execution, isn't a vulnerability as such. Rather, it takes advantage of the fact that admin users can run msfconsole in the browser, and therefore run commands on the server. This is the sort of thing that can't be patched without just removing the functionality altogether; it's literally a feature, not a bug. Authenticated administrators can do administrator things, as you might expect.
Extra Android Exploit
At Derbycon last week, long-time friend of the Metasploit family, @jduck, released his latest version of Stagefright, an exploit for Android's libstagefright. He demo'd exploiting a Nexus device, but lots of other stuff is vulnerable too. Due to the rampant fragmentation in the Android world, this year-old bug is probably going to be showing up on new phones sitting on store shelves for quite a while yet.
And last but not least, this week brings a module for exploiting EXTRABACON, the Cisco ASA vulnerability made public by the Shadow Brokers leak a few weeks ago. The bug is a buffer overflow in SNMP object id strings. The module does exactly what the Equation Group exploit does -- it disables authentication on the victim device and allows you to log in to ssh or telnet with no password. This module was a collaboration between lots of folks and improves on the coverage in the original exploit, even adding targets for some 9.x devices that the advisory says are not affected.
This democratization of exploits through open source continues to show that being open and transparent leads to better exploits, more public knowledge, and better patches.
Exploit modules (7 new)
- Android Stagefright MP4 tx3g Integer Overflow by NorthBit and jduck, exploits CVE-2015-3864
- Kaltura Remote PHP Code Execution by Mehmet Ince and Security-Assessment.com
- Docker Daemon Privilege Escalation by forzoni
- Linux Kernel 4.6.3 Netfilter Privilege Escalation by h00die and vnik, exploits CVE-2016-4997
- Metasploit Web UI Static secret_key_base Value by Justin Steven and joernchen of Phenoelit
- Metasploit Web UI Diagnostic Console Command Execution by Justin Steven
- NetBSD mail.local Privilege Escalation by akat1 and h00die, exploits CVE-2016-6253
Auxiliary and post modules (1 new)
- Cisco ASA Authentication Bypass (EXTRABACON) by Dylan Davis, Equation Group, Nate Caroe, Sean Dillon, Shadow Brokers, William Webb, and Zachary Harding, exploits CVE-2016-6366
As always, you can update to the latest Metasploit Framework with a simple msfupdate, and the full diff since the last blog post is available on GitHub: 4.12.25...4.12.28