With the Northeast U.S. getting hit with back-to-back nor’easters this week, it’s probably a good idea to head back inside and wait it out until spring arrives. So toss another log on the fire, grab a hot drink, raise a toast to all the folks making Metasploit awesome, and catch up on the latest!
It Goes to 11
While amplification attacks are nothing new, the memcached amplification attack vector (referred to as “memcrashed”) which came to light last week is notable for its staggering 1:50000 amplification capability. Couple that with the many publicly-accessible vulnerable memcached instances out there, and we had the perfect recipe for the distributed denial-of-service attacks which followed, like the one targeting GitHub. Thanks to work by Marek Majkowski, xistence, and Jon Hart, Metasploit now has a new memcached_amp scanner module which can help identify your memcached instances vulnerable to amplification. Additionally, Jon Hart provided a second memcached scanning module for gathering version information of memcached instances over the same exposed UDP port that plays a role in the memcrashed amplification attacks. Hopefully we’ll see the number of vulnerable memcached instances out there continue to decline.
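To see where the amplification ratio comes from, here is an added example (not code from the Metasploit project or this post) that parses memcached's 8-byte UDP frame header, reassembles a multi-datagram reply, and reports the bytes-out-per-byte-in ratio for a request/response pair. The datagrams it works on are constructed inline, and the header layout (request id, sequence number, total datagrams, reserved) follows memcached's protocol.txt.

```ruby
# Added example: parse memcached UDP frames and measure the amplification of
# a stats request. All datagrams below are constructed, not captured traffic.

MEMCACHED_UDP_HEADER = 8 # bytes: request id, sequence, total datagrams, reserved

# Split one UDP datagram into header fields and payload.
# Returns nil when the datagram is too short to carry a memcached frame.
def parse_memcached_frame(datagram)
  return nil if datagram.bytesize < MEMCACHED_UDP_HEADER
  request_id, seq, total, reserved = datagram.unpack('n4')
  { request_id: request_id, seq: seq, total: total, reserved: reserved,
    payload: datagram.byteslice(MEMCACHED_UDP_HEADER..-1) }
end

# Reassemble the datagrams of one reply (same request id) in sequence order.
# Returns nil if any datagram is missing, so a truncated capture is never
# mistaken for a short, harmless reply.
def reassemble_response(datagrams)
  frames = datagrams.map { |d| parse_memcached_frame(d) }.compact
  return nil if frames.empty?
  _id, group = frames.group_by { |f| f[:request_id] }.max_by { |_, g| g.size }
  total = group.first[:total]
  return nil unless group.map { |f| f[:seq] }.sort == (0...total).to_a
  group.sort_by { |f| f[:seq] }.map { |f| f[:payload] }.join
end

# Bytes on the wire: request datagram size vs. the sum of all reply datagrams.
# Only counts a complete reply; an incomplete one yields nil.
def amplification_factor(request, response_datagrams)
  return nil if reassemble_response(response_datagrams).nil?
  response_datagrams.sum(&:bytesize).fdiv(request.bytesize)
end

# Build a datagram with the 8-byte header; used here only to construct samples.
def build_frame(request_id, seq, total, payload)
  [request_id, seq, total, 0].pack('n4') + payload
end

# Constructed sample: a 15-byte "stats" request and a three-datagram reply of
# 1008 bytes each, i.e. 3024 bytes back for 15 bytes sent.
SAMPLE_REQUEST = build_frame(1, 0, 1, "stats\r\n")
SAMPLE_RESPONSE = 3.times.map { |i| build_frame(1, i, 3, "STAT x #{i}\r\n" * 100) }
```

Real "stats" replies are far larger than this sample, which is why the ratio reported for exposed instances reaches the tens of thousands. The usual fix is to stop listening on UDP at all (memcached's -U 0) or to bind only to loopback (-l 127.0.0.1).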
Grinds My Netgears
If you like magic packets and root-level shell sessions, we’ve got a new module right up your alley. Targeting a number of vulnerable NETGEAR devices, the new netgear_telnetenable module from Paul Gebheim, insanid, and wvu will pop a shell prompt with root-level access on vulnerable targets. This is actually an older known “feature” of these devices, and with the proliferation of NETGEAR devices around, you might find this module useful!
School of Hard ‘Nox
OMG, OSGi! As it turns out, the OSGi framework console provided in vulnerable versions of Eclipse Equinox allows for remote code execution. And the new osgi_console_exec module from Quentin Kaiser will take you there! With fork in hand, you’ll be running your code in no time...
Exploit modules (2 new)
- NETGEAR TelnetEnable by wvu, Paul Gebheim, and insanid
- Eclipse Equinox OSGi Console Command Execution by Quentin Kaiser
Auxiliary and post modules (3 new)
- Memcached Stats Amplification Scanner by Jon Hart, Marek Majkowski, and xistence, which exploits CVE-2018-1000115
- Memcached UDP Version Scanner by Jon Hart
- Juniper Gather Device General Information by h00die
- smb_login scanner module fix to treat PASSWORD_MUST_CHANGE and PASSWORD_EXPIRED responses as SUCCESS
- updating macOS shells to Meterpreter sessions now supported via the session -u <session number> command
- enum_ms_product_keys post gather module update to support Windows 2008, Windows 7, and later
- PHP Meterpreter fix to ensure messages aren’t discarded unexpectedly
- RC4 encryption support for windows/x64/meterpreter/reverse_tcp payloads
- auto-generated SSL certificates fixed to avoid invalid characters
- Y2k38 Java SSL certificate generation fix to assure a “within range” expiration date
- several ntp scanner modules fixed to remedy a NoMethodError undefined method 'size' condition
- multi/handler improvement to not attempt to run if
- Docker build fix
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based off the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.