After last week's seriously serious write-up, this week we will return to our
norml normal, lighthearted (and Metasploit-hearted) wrap-ups, though we remain fans of terrible 80s movies.
Drupalgeddon 2: Webdev Boogaloo
After last month's Drupal exploit came to light, nearly a dozen developers have been hard at work to add a module targeting CVE-2018-7600. You can read more about that exploit and Metasploit's (and Rapid7 Labs') work on it here.
Keep your streets safe and update your firmware
Some Asus routers run a helpful server called infosvr that assists in configuring and discovering neighborhood routers, and since it configures the router for you, it runs as root. Unfortunately on some earlier versions of the firmware, it also has an unauthenticated command execution vulnerability (CVE-2014-9583). bcoles provided us with a module that takes advantage of that exploit to allow command execution. If you would like to know more, please see jduck's write up here.
Follow your [Metasploit] heart (or your target)
Used correctly, bmerinofe's Windows Probe Request takes an interesting method of bridging online and meatspace by beaconing an SSID on a victim machine, allowing the physical location of a target in close range.
The Goliath team has been busy adding support for the final few commands to function with the remote data service, and at this point in time
creds is the last remaining command. Last Friday we landed #9859, which added remote data service support for the workspace command. Workspaces are very helpful in isolating engagement data not only for an individual, but, increasingly, for when one or more individuals are sharing the same remote data store. This is all the more reason to configure a remote data service today and share it with a friend! Simple validation was also added when registering and setting a data service to prevent an invalid remote data service instance from making
msfconsole enter an unusable state (#9926).
We were busy fixing up our own community center, including improving on our Drupal exploit. Other additions from contributors: bcoles showed some love to other module developers by adding new post-exploitation methods that check Linux targets for security settings; rstenvi added a base64 encoder for Ruby, improved output for ETERNALBLUE exploit failures (especially when AV is involved), added non-powershell psexec improvements, and ensured we can all do nothing better by improving our NOPS (modules can finally now set the default NOP generator for a specific scenario).
Exploit modules (3 new)
- lastore-daemon D-Bus Privilege Escalation by Brendan Coles and King's Way
- ASUS infosvr Auth Bypass Command Execution by Brendan Coles, Friedrich Postelstorfer, and jduck, which exploits CVE-2014-9583
- Drupal Drupalgeddon 2 Forms API Property Injection by wvu, FireFart, Jasper Mattsson, Nixawk, and a2u, which exploits CVE-2018-7600
Auxiliary and post modules (2 new)
- GitStack Unauthenticated REST API Requests by Jacob Robles and Kacper Szurek, which exploits CVE-2018-5955
- Windows Send Probe Request Packets by bmerinofe
As always, you can update to the latest Metasploit Framework with
msfupdate and you can get more details on the changes since the last blog post from GitHub:
To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and Metasploit Framework versions included in Linux pen testing distros such as Kali and Parrot, are based off the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework Github repo.