Metasploit Wrapup

2017-08-11T20:03:59
ID RAPID7COMMUNITY:4FC64923DC47E63250AA753E591FC7A7
Type rapid7community
Reporter Pearce Barry
Modified 2017-08-11T20:03:59

Description

<div class="jive-rendered-content"><h2>Slowloris: SMB edition</h2><p>Taking a page from the <a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fweb.archive.org%2Fweb%2F20090822001255%2Fhttp%3A%2F%2Fha.ckers.org%2Fslowloris%2F" rel="nofollow" target="_blank">Slowloris HTTP DoS attack</a>, the aptly named <a class="jive-link-blog-small" data-containerId="5165" data-containerType="37" data-objectId="7946" data-objectType="38" href="https://community.rapid7.com/community/infosec/blog/2017/08/03/smbloris-what-you-need-to-know">SMBLoris DoS attack</a> exploits a vuln contained in <em>many</em> Windows releases (back to Windows 2000) and also affects Samba (a popular open source SMB implementation). By opening many connections to a target's SMB port and sending a specific NBSS length header value over each one, an attacker can exhaust all available memory on the target, rendering the system unusable or crashing it outright. Systems with SMB disabled are vulnerable to this attack too. Word is that Microsoft currently has no plans to issue a fix. Following the SMBLoris reveal at DEF CON (hat tip to the researchers at RiskSense!), Metasploit Framework now contains an <a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fpull%2F8796" rel="nofollow" target="_blank">exploit module</a> for fulfilling your SMBLoris needs.</p><p style="min-height: 8pt; padding: 0px;"> </p><h2>The Adventure of LNK</h2><p>Think Windows shortcut files are a convenient way to reference a file from multiple places? How about as an attack vector to get remote code execution on a target? 
Affecting a <a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fcve.mitre.org%2Fcgi-bin%2Fcvename.cgi%3Fname%3DCVE-2017-8464" rel="nofollow" target="_blank">wide range of Windows releases</a>, a recently landed <a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fpull%2F8767" rel="nofollow" target="_blank">exploit module</a> might be just what you're looking for to give this vector a go. Microsoft did release a patch this past June, but we're gonna guess a lot of systems still haven't picked that up yet.</p><p style="min-height: 8pt; padding: 0px;"> </p><h2>Would you like RCE with your PDF (reader)?</h2><p>If so, <a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.gonitro.com%2Fpdf-reader" rel="nofollow" target="_blank">Nitro's PDF reader</a> might be your hookup. Many versions of both Pro and regular flavors of the reader are vulnerable, providing JavaScript APIs which allow writing a payload to disk and then executing it. Check out the <a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Ffileformat%2Fnitro_reader_jsapi" target="_blank">new exploit module</a> and enjoy some of that tasty RCE.</p><p style="min-height: 8pt; padding: 0px;"> </p><h2>Jenkins, tell me your secrets...</h2><p>If you periodically happen upon a target running Jenkins, we've got a <a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fpull%2F8627" rel="nofollow" target="_blank">new post module</a> you might find useful. 
jenkins_gather will locate where Jenkins is installed on a system and then proceed to look for creds, tokens, SSH keys, etc., decrypting what it finds and conveniently adding it to your loot. It's been tested on a number of <a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Fthesubtlety%2Fmetasploit-framework%2Fblob%2F7d033688ce2ca9221dcbed5b992798163cc12b56%2Fdocumentation%2Fmodules%2Fpost%2Fmulti%2Fgather%2Fjenkins_gather.md" rel="nofollow" target="_blank">versions and platforms</a> and is ready for you to give it a try.</p><p style="min-height: 8pt; padding: 0px;"> </p><h2>And more!</h2><p>We've also:</p><ul><li>enabled ed25519 support with net-ssh</li><li>added better error handling for the Eternal Blue exploit module when it encounters a system that has SMB1 disabled (thx, <span class="citation">@multiplex3r</span>!)</li></ul><p style="min-height: 8pt; padding: 0px;"> </p><h2>New Modules</h2><p><em>Exploit modules</em> <em>(2 new)</em></p><ul><li><a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Ffileformat%2Fcve_2017_8464_lnk_rce" target="_blank">LNK Code Execution Vulnerability</a> by Uncredited and Yorick Koster exploits CVE-2017-8464</li><li><a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Ffileformat%2Fnitro_reader_jsapi" target="_blank">Nitro Pro PDF Reader 11.0.3.173 Javascript API Remote Code Execution</a> by sinn3r, Brendan Coles, and mr_me exploits CVE-2017-7442</li></ul><p style="min-height: 8pt; padding: 0px;"> </p><p><em>Auxiliary and post modules</em> <em>(2 new)</em></p><ul><li><a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fdos%2Fsmb%2Fsmb_loris" 
target="_blank">SMBLoris NBSS Denial of Service</a> by thelightcosine</li><li><a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fpost%2Fmulti%2Fgather%2Fjenkins_gather" target="_blank">Jenkins Credential Collector</a> by thesubtlety</li></ul><p style="min-height: 8pt; padding: 0px;"> </p><h2>Get it</h2><p>As always, you can update to the latest Metasploit Framework with <code>msfupdate</code> and you can get more details on the changes since the last blog post from GitHub:</p><ul><li><a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fpulls%3Fq%3Dis%3Apr%2Bmerged%3A%25222017-07-28T09%3A59%3A11-07%3A00%2B..%2B2017-08-10T11%3A06%3A05-05%3A00%2522" rel="nofollow" target="_blank">Pull Requests 4.15.4...4.15.6</a></li><li><a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fcompare%2F4.15.4...4.15.6" rel="nofollow" target="_blank">Full diff 4.15.4...4.15.6</a></li></ul><p>To install fresh, check out the open-source-only <a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fwiki%2FNightly-Installers" rel="nofollow" target="_blank">Nightly Installers</a>, or the <a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Fmetasploit%2Fdownload.jsp" target="_blank">binary installers</a> which also include the commercial editions.</p></div>
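The SMBLoris section above gives the mechanism only in outline: each connection announces a message via the NBSS length header and then never delivers it, and many such connections add up. The Ruby below is an added example written for this wrapup, not code from the smb_loris module or from Metasploit. It decodes the 4-byte NBSS header as framed on TCP/445 (24-bit length) and on TCP/139 (17-bit length per RFC 1002), then counts, per source address, connections that advertised a large message but still have no body, which is the pattern a defender would hunt for in a packet capture or connection log. The thresholds, the function names and the sample connection records are constructed assumptions.

```ruby
# Added example for the SMBLoris section; not code from the smb_loris
# module or from Metasploit. Decodes NBSS session headers and reports
# sources holding many connections that promised a large message but
# never sent its body.

NBSS_SESSION_MESSAGE = 0x00   # NBSS message type that carries SMB

# Decode the 4-byte NBSS header that precedes every SMB message on TCP.
# On 445 (direct TCP) bytes 1..3 form a 24-bit big-endian length; on 139
# (NetBIOS session service, RFC 1002) byte 1 is a flags byte whose low
# bit extends the 16-bit length to 17 bits. Returns nil when fewer than
# four bytes have arrived so far.
def parse_nbss_header(bytes, port: 445)
  return nil if bytes.bytesize < 4
  type = bytes.getbyte(0)
  high = port == 139 ? (bytes.getbyte(1) & 0x01) : bytes.getbyte(1)
  length = (high << 16) | (bytes.getbyte(2) << 8) | bytes.getbyte(3)
  { type: type, length: length }
end

# Assumed alerting thresholds (constructed; tune them to the environment).
LARGE_ADVERTISED_LENGTH = 64 * 1024  # advertised length worth noting, in bytes
STALLED_CONNS_PER_SOURCE = 50        # stalled connections before a source is reported

# connections: one record per TCP connection, with :src, :port and :data
# (every byte the client has sent so far). Returns the sorted list of
# source addresses holding at least min_conns connections whose header
# promised at least min_length bytes while the body is still incomplete.
def suspicious_sources(connections, min_length: LARGE_ADVERTISED_LENGTH,
                       min_conns: STALLED_CONNS_PER_SOURCE)
  stalled = Hash.new(0)
  connections.each do |conn|
    hdr = parse_nbss_header(conn[:data], port: conn[:port])
    next unless hdr && hdr[:type] == NBSS_SESSION_MESSAGE
    body_seen = conn[:data].bytesize - 4
    stalled[conn[:src]] += 1 if hdr[:length] >= min_length && body_seen < hdr[:length]
  end
  stalled.select { |_, count| count >= min_conns }.keys.sort
end

# Constructed sample: one source holds 60 connections that each sent only
# a header promising 0x01ffff (131071) bytes; a second client sends one
# complete 69-byte message and must not be reported.
def sample_connections
  stalled_header = [0x00, 0x01, 0xff, 0xff].pack("C4")
  stalled = Array.new(60) { { src: "10.0.0.5", port: 445, data: stalled_header } }
  body = [0xff].pack("C") + "SMB" + ("\x00" * 65)        # 69 bytes, matches the header
  normal_msg = [0x00, 0x00, 0x00, 0x45].pack("C4") + body
  stalled + [{ src: "10.0.0.9", port: 445, data: normal_msg }]
end

if __FILE__ == $PROGRAM_NAME
  puts "sources to investigate: #{suspicious_sources(sample_connections).inspect}"
end
```

Feeding the first bytes of each SMB connection from a capture into `suspicious_sources` turns the "many connections, large advertised length, no body" signature into a per-source count; the count threshold matters more than the length threshold, since a single legitimate client can also send a large message slowly.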