Just Let Me Grab My Popcorn First
This week, rmdavy contributed a pair of modules designed to fool Windows into authenticating to you so you can capture sweet, sweet NetNTLM hashes. BadODT targets LibreOffice/Apache OpenOffice by providing a link to an image on a network share, and the new Multi Dropper creates all sorts of files Windows itself loves to look in for SMB shares. Special thanks to asoto-r7 for getting these across the line and thinking up auxiliary/fileformat to hold them all.
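A defender-side check for the BadODT technique described above, added here as an example and not code from the module or the post: it unzips an .odt and flags any xlink:href that points at a UNC path or smb:// URL instead of a picture bundled in the archive. The element layout, the reference patterns and the in-memory fixture are assumptions for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Reference forms that make a client reach out to a file server instead of
# reading a bundled picture (assumed patterns, not taken from the module).
REMOTE_REF = re.compile(r"^(\\\\|//|smb://|file:////|file://[^/])", re.IGNORECASE)


def find_remote_refs(odt_bytes):
    """Return (part, element, href) for every off-document link in the ODT."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as z:
        for name in ("content.xml", "styles.xml"):
            if name not in z.namelist():
                continue
            root = ET.fromstring(z.read(name))
            for el in root.iter():
                href = el.get(XLINK_HREF)
                if href and REMOTE_REF.match(href):
                    hits.append((name, el.tag.split("}")[-1], href))
    return hits


def make_odt(image_href):
    """Build a minimal ODT in memory with one linked image (constructed fixture)."""
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<office:document-content '
        'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
        'xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" '
        'xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" '
        'xmlns:xlink="http://www.w3.org/1999/xlink">'
        '<office:body><office:text><text:p>'
        '<draw:frame><draw:image xlink:href="%s"/></draw:frame>'
        '</text:p></office:text></office:body></office:document-content>'
    ) % image_href
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        z.writestr("content.xml", content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: one UNC-linked image (flagged), one bundled image (clean).
    for href in (r"\\10.0.0.5\share\logo.png", "Pictures/logo.png"):
        print(href, "->", find_remote_refs(make_odt(href)))
```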
More Impacket Functionality
PSEXEC is fun, but sometimes adding WMI can spice things up. Thanks to zeroSteiner, our third Impacket-based module has now landed, this time porting over the functionality of the popular wmiexec.py. "But isn't Impacket Python?" you may ask, and yes, it still is. zeroSteiner's work is made possible by the work we have done over the last year to enable modules to run in external processes, dubbed Project Coldstone. More improvements are being landed regularly in this area, and you can expect more news around this in the next couple weeks. Until then, you can catch up on PRs, read the intro post from HaXmas, or check out my demo of some of the stuff I am working on.
Jailbreaks All Around
The WebKit use-after-free CVE-2016-4657 has been the gift that kept giving us access to our devices over the last two years, first as part of the Trident jailbreak for iOS 9.3 and then for the Nintendo Switch last year. Now, with timwr's help, you can use Trident to put Meterpreter on 64-bit iOS devices <= 9.3.4. Many thanks to timwr for the months of poking at both the exploit and payload side to get this working!
Exploit modules (2 new)
- WebKit not_number defineProperties UAF by qwertyoruiop, siguza, tihmstar, and timwr, which exploits CVE-2016-4657
- Windows UAC Protection Bypass (Via Slui File Handler Hijack) by bytecode-77 and gushmazuko
Auxiliary and post modules (4 new)
- Flexense HTTP Server Denial Of Service by Ege Balci, which exploits CVE-2018-8065
- Windows SMB Multi Dropper by Lnk Creation Code by Mubix and Richard Davy - secureyourit.co.uk
- LibreOffice 6.03 / Apache OpenOffice 4.1.5 Malicious ODT File Generator by Richard Davy - secureyourit.co.uk, which exploits CVE-2018-10583
- WMI Exec by beto and Spencer McIntyre
- The LHOST option now tab-completes with local addresses and interface names, thanks to wvu-r7
- The SOCKS5 module (from last week) supports the BIND command, via zeroSteiner
- msfvenom has had its help output clarified and organized, by g0tmi1k
- The resource command will now expand paths passed to it, added by mkienow-r7
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based off the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.