Last updated at Fri, 26 Jan 2018 20:34:18 GMT
In last week’s wrap-up post, we raised awareness of the new Metasploit 5 work we’re ramping up on. This week, please GoAhead and enjoy some new Metasploit goodies!
Get Up, GoAhead
Based on research from danielhodson, hdm and h00die put together a new module which targets GoAhead web server versions vulnerable to creative use of CGI and the dynamic linker. Exploiting this vulnerability results in remote code execution on the target; juicy details can be found in Daniel’s writeup here.
I Verse, U-verse
In our newest Python module addition, one can scan for vulnerable AT&T U-verse routers (specifically, Arris NVG589 and NVG599 models running vulnerable firmware) that expose an unauthenticated proxy, allowing connections from WAN to LAN by MAC address. Aptly named “SharknAT&To”, Adam’s new module also supports easy integration with single request/response scanners (like many used in Rapid7’s Project Sonar).
Nothing to See Here
For users of the POSIX Meterpreter, Brent recently added the ability to “blend into” the process list via a new payload generation option: PayloadProcessCommandLine. This allows your Meterpreter payload to appear as whatever innocuous process name you prefer on your Linux and macOS targets! You can watch a video of Brent demoing this new feature (from our Metasploit Demo meeting) here.
Exploit modules (3 new)
- GoAhead Web Server LD_PRELOAD Arbitrary Module Load by hdm, Daniel Hodson, and h00die, which exploits CVE-2017-17562
- Kaltura Remote PHP Code Execution over Cookie by Mehmet Ince and Robin Verton, which exploits CVE-2017-14143
- Sync Breeze Enterprise 9.5.16 - Import Command Buffer Overflow by Daniel Teixeira, which exploits CVE-2017-7310
Auxiliary and post modules (3 new)
- Open WAN-to-LAN proxy on AT&T routers by Joseph Hutchins, Jon Hart, and Adam Cammack
- Native DNS Server (Example) by RageLtMan
- Native DNS Spoofer (Example) by RageLtMan
- checkvm module update for improved detection on Windows 10 targets
- owa_login module update for properly storing discovered creds when the target is provided as a hostname
- java_jmx_server module update to work in more environments
- colorado_ftp_traversal module update for large file transfers
- new PayloadProcessCommandLine payload generation option for POSIX Meterpreter
- ensure cmd_exec works the same for Meterpreter and shell sessions
- native DNS implementation for Msf Namespace, part of a larger deliverable we briefly discussed in our recent Metasploit Demo Meeting
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based off the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.