It has only been one week since the last wrapup, so it's not like much could have happened, right? Wrong!
Misery Loves Company
After last week's excitement with Metasploit's version of ETERNALBLUE (AKA the Wannacry vulnerability), this week SAMBA had its own "Hold My Beer" moment with the disclosure that an authenticated (or anonymous) client can upload a shared library to a SAMBA server, and that server will happily execute the library! The vulnerability is present in all versions of SAMBA since 2010 and was only patched a few days ago. That length of time, paired with the number, simplicity, and price points of the devices that run SAMBA, means that this vulnerability will be around for a very, very long time. The always-original internet appears to have dubbed this "Sambacry" whereas we here at Rapid7 have taken a more animated path in our references. In the scant week since the vulnerability was released, we've already landed and improved a module that takes advantage of the vulnerability, and it works on fifteen different computing architectures. Because SAMBA runs on so many different architectures, and we're supporting them, this really is the perfect opportunity to go out and play with the new and improved POSIX Meterpreter!
Make New Friends, But Keep the Old
Just because we had a shiny new exploit does not mean we forgot about our old friend from last week, ETERNALBLUE. This update sees several improvements to last week's module, including:
- An improved architecture verification when port 135 is blocked
- Ignoring and continuing if the target does not reply to an SMB request
- OS Verification
We've Got Your Back
Not too long ago, we added a module to migrate from one architecture to another on Windows hosts. Unfortunately, if you were running as an elevated user, the new session did not maintain those privileges. Now, if you try to migrate as SYSTEM, we'll stop you and make sure you really want to privdesc(?) yourself.
Speaking of Running Metasploit in Strange Places
zombieCraig has extended support for the hardware bridge in Metasploit, squashing bugs and adding two new commands: testerpresent and isotpsend. The first sends keepalive packets in the background to maintain the diagnostic connection, and the second allows communication with ISO-TP compatible modules. We've also added a module to dump credentials on ScadaBR systems.
Target your Target
For those who have enjoyed the recent Office Macro exploit, you can now embed it into custom docx templates for that personal touch.
Exploit modules (5 new)
- Samba is_known_pipename() Arbitrary Module Load by hdm, Brendan Coles, and steelo exploits CVE-2017-7494
- Octopus Deploy Authenticated Code Execution by James Otten
- VX Search Enterprise GET Buffer Overflow by Daniel Teixeira
Auxiliary and post modules (2 new)
- ScadaBR Credentials Dumper by Brendan Coles
- WordPress Traversal Directory DoS by CryptisStudents and Yorick Koster exploits CVE-2016-6897
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub: