Metasploit Wrap-Up

Word and Javascript are a rare duo.

Thanks to thesunRider. you too can experience the wonder of this mystical duo. The sole new metasploit module this release adds a file format attack to generate a very special document. By utilizing Javascript embedded in a Word document to trigger a chain of events that slip through various Windows facilities, a session as the user who opened the document can be yours.

Do you like spiders?

It has been 3 years since SMB2 support was added to smb share enumeration and over a year ago SMB3 support was added, yet the spiders are not done spinning their webs. Thanks to sjanusz-r7 the spiders have evolved to take advantage of these new skills and the webs can span new doorways. Updates to scanner/smb/smb_enumshares improve enumeration support for the latest Windows targets that deploy with SMB3 only by default.

New module content (1)

• Microsoft Office Word Malicious MSHTML RCE by klezVirus, lockedbyte, mekhalleh (RAMELLA Sébastien), and thesunRider, which exploits CVE-2021-40444 - This adds an exploit for CVE-2021-40444 which is a vulnerability that affects Microsoft Word. Successful exploitation results in code execution in the context of the user running Microsoft Word.

Enhancements and features

• #15854 from sjanusz-r7 - This updates the SpiderProfiles option as part of the scanner/smb/smb_enumshares module to now work against newer SMB3 targets, such as windows 10, Windows Server 2016, and above.
• #15888 from sjanusz-r7 - This adds anonymised database statistics to msfconsole’s debug command, which is used to help developers track down database issues as part of user generated error reports.
• #15929 from bcoles - This adds nine new Windows 2003 SP2 targets that the exploit/windows/smb/ms08_067_netapi module can exploit.

Bugs fixed

• #15808 from timwr - This fixes a compatibility issue with Powershell read_file on Windows Server 2012 by using the old style Powershell syntax (New-Object).
• #15937 from adfoster-r7 - This removes usage of SortedSet to improve support for Ruby 3.
• #15939 from zeroSteiner - This fixes a bug where the Meterpreter dir/ls function would show the creation date instead of the modified date for the directory contents.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.17…6.1.19
• Full diff 6.1.17…6.1.19

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).