Resolve, v. transitive
Sometimes the biggest things that make working with a tool fun are the small things. One of those things is the recent addition of a resolve command for Meterpreter. It does what it sounds like: it resolves a hostname to an IP address on the victim system, taking advantage of the local DNS. Of course, that’s not a huge thing, but it is pretty convenient.
Strut, v. intransitive
This update also comes with a fun exploit for Apache Struts, a web framework for webby things. It’s a Model-View-Controller framework for Java web applications, somewhat similar to Rails in the ruby world. Bugs in frameworks like this can end up lasting a lot longer than in applications, as all the things that depend on it have to be updated too.
Also in this update is a shiny new exploit module for the latest Branded Vulnerability(tm), ImageTragick. In this case though, it can actually get you shells. As the advisory explains, this is a command injection vulnerability in the way image metadata is passed to a conversion utility. It’s tough to gauge how useful this will be since it depends a lot on how applications use ImageMagick, but the potential is pretty shiny. If you’ve found something that uses it in a vulnerable way, it sure would be keen if you’d let us know and even more awesome would be a module for it in a new Pull Request.
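Since the bug lives in how ImageMagick hands metadata to its delegates and coders, the defender-side fix is to stop the affected coders from being reachable at all. Here is the kind of policy.xml entry set that does that, added here as an illustration rather than anything from the post or the Metasploit module; the coder names are the ones the public ImageTragick advisory lists, and the file location is assumed to be the usual ImageMagick configuration directory on your install.

```xml
<!-- Added hardening example: restrict the coders the ImageTragick advisory
     names so untrusted images cannot reach them.  Drop these entries into
     the <policymap> of your existing policy.xml (location assumed to be
     ImageMagick's configuration directory, e.g. /etc/ImageMagick-6/). -->
<policymap>
  <!-- Delegate and pseudo-coders that take commands or URLs from image content -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <!-- Indirect reads via "@filename" references inside image data -->
  <policy domain="path" rights="none" pattern="@*" />
</policymap>
```

After editing, `convert -list policy` shows the policy ImageMagick actually loaded, which is the quick way to confirm the entries took effect for the binary your application calls. The policy is a mitigation at the library boundary; applications that accept uploads should still validate the real file type (magic bytes, not the extension) before handing anything to ImageMagick.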
In great open-source-land news, we’ve added a new committer! As Tod mentioned the last time this happened, new committers don’t come along very often and when they do it’s usually surprising to learn that they aren’t already committers because they’ve been around for quite a while. Mubix has been a long-time friend of the Metasploit family, helping out with code review, module development, and lots of testing. He has also helped countless people learn about Metasploit features with his fabulous Metasploit Minute series with Hak5.
The open source community has always been integral to Metasploit. Adding new Committers increases the Bus Factor of the project. Non-Rapid7 Committers are super important for the vitality of the project and help cement the relationship between Rapid7 and the community.
Also, Mubix is a personal friend of mine and I think he’s a hoopy frood who really knows where his towel is. I’m excited to see how he’ll use his new-found powers.
In fact, he’s already landed his first Pull Request, which brings me to…
Some of the most fun you can have with Meterpreter is by sending your evil packets through it. One way to do that is the portfwd command, which allows you to do what it sounds like — forward connections from one port to another. This works pretty similarly to port forwarding in SSH, except that previously, it was only possible to listen on the attack platform and forward connections to the victim’s network. As of this update, you can go the other direction as well. By setting up a reverse forward, you can tell Meterpreter to listen on the victim system and have it forwarded back to the network where Metasploit is running. For the latest in fun stuff happening in Meterpreter land, I recommend checking out OJ’s recent bloggery on the subject.
Exploit modules (3 new)
- Ruby on Rails Development Web Console (v2) Code Execution by hdm
- Apache Struts Dynamic Method Invocation Remote Code Execution by Nixawk and rungobier, exploits CVE-2016-3081
- ImageMagick Delegate Arbitrary Command Execution by wvu, hdm, Nikolay Ermishkin, and stewie, exploits CVE-2016-3714
As always, you can update to the latest Metasploit Framework with a simple msfupdate, and the full diff since the last blog post is available on GitHub: 4.11.23…4.11.26
Source: Rapid7