Jan 13, 2020
4.16.2

Bugs Fixed

  • PR 12577 - This fixes the `exploit/linux/redis/redis_unauth_exec` module: if the module cannot bind to a NATed or load-balanced address, it now falls back to `0.0.0.0`. Additionally, the `check` method now reports when the Redis version cannot be determined.
  • PR 12614 - The `post/multi/gather/ssh_creds` module now checks if directories have execute permission (access to files) and if files have read permission. Fixes https://github.com/rapid7/metasploit-framework/issues/12609.
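The permission checks PR 12614 adds to `ssh_creds` are worth seeing in isolation: a directory without the search (execute) bit cannot have its entries opened even if it is readable, and a file without the read bit fails at `open` time. The walker below is an added example, not the module's own code; it runs locally with Ruby's `File` predicates (the module performs the equivalent tests on the remote host through the `Post::File` API), and the `demo_tree` layout is constructed here for illustration.

```ruby
require 'tmpdir'
require 'fileutils'

# File names worth collecting from a user's ~/.ssh (assumed list, not the module's).
SSH_FILES = %w[id_rsa id_dsa id_ecdsa id_ed25519 authorized_keys known_hosts config].freeze

# Walk +root+, descending only into directories that grant search (execute)
# permission and collecting only files that grant read permission.
# Returns [found, skipped], both sorted arrays of absolute paths.
def gather_ssh_files(root)
  found = []
  skipped = []
  walk = lambda do |dir|
    unless File.executable?(dir)   # no +x on a directory: its entries cannot be opened
      skipped << dir
      next
    end
    Dir.each_child(dir) do |name|
      path = File.join(dir, name)
      if File.directory?(path)
        walk.call(path)
      elsif SSH_FILES.include?(name) || name.end_with?('.pub')
        File.readable?(path) ? found << path : skipped << path
      end
    end
  end
  walk.call(root)
  [found.sort, skipped.sort]
end

# Constructed layout under +tmp+: one readable key, one key with mode 000, and a
# second .ssh directory whose search bit is cleared. Modes are restored in the
# ensure block so the temporary tree can be deleted afterwards.
def demo_tree(tmp)
  ssh = File.join(tmp, '.ssh')
  locked = File.join(tmp, 'old', '.ssh')
  FileUtils.mkdir_p([ssh, locked])
  File.write(File.join(ssh, 'id_rsa'), "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed)\n")
  File.write(File.join(ssh, 'id_ed25519'), "(constructed)\n")
  File.write(File.join(locked, 'id_rsa'), "(constructed)\n")
  File.chmod(0o000, File.join(ssh, 'id_ed25519'))  # unreadable for anyone but root
  File.chmod(0o600, locked)                         # readable, but not searchable
  gather_ssh_files(tmp)
ensure
  File.chmod(0o700, locked) if locked && File.exist?(locked)
  unreadable = ssh && File.join(ssh, 'id_ed25519')
  File.chmod(0o600, unreadable) if unreadable && File.exist?(unreadable)
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |tmp|
    found, skipped = demo_tree(tmp)
    puts "found:   #{found.inspect}"
    puts "skipped: #{skipped.inspect}"
  end
end
```

Note that both predicates use the effective uid, so a session running as root sees everything as accessible and the `skipped` list stays empty; the check only changes behaviour for the unprivileged sessions where the original bug report applied.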
  • PR 12666 - This fixes the `exploit/windows/local/bypassuac_silentcleanup` module to clean up the `%WINDIR%` environment variable before calling the PowerShell payload. Fixes https://github.com/rapid7/metasploit-framework/issues/12665.
  • PR 12668 - This adds the following improvements to Meterpreter:
    • fixed function hooking on 64-bit Windows to avoid truncating addresses larger than 32 bits
    • fixed a per-packet memory leak when using encrypted sessions
    • added HiDPI and multi-desktop support for screenshots with the espia extension
    • added Android builds to the default Makefile
    • fixed a bug unhooking user-land process hooks
  • PR 12673 - This corrects an error in the credentials RPC command to avoid a Nil object dereference. It also fixes some minor bugs in the autoroute and web_delivery modules.
  • PR 12686 - This fixes an issue with the xor_dynamic encoder to raise a more appropriate exception when there is a bad character issue while encoding a payload, allowing more valid payload options to succeed. Fixes https://github.com/rapid7/metasploit-framework/issues/12685.
  • PR 12699 - This fixes an issue for payloads that utilize UUIDs. The `format_uuid()` method was using the wrong variable name to parse the UUID. This also stores generated files used by the encrypted payloads in a temp location and deletes them by default.
  • PR 12703 - Added RHOST to SSH modules.
  • PR 12714 - Fixes https://github.com/rapid7/metasploit-framework/issues/12709 by adding a missing require statement.
  • PR 12727 - Fixes the `netfilter_priv_esc_ipv4` local privilege escalation module:
    • Update Arch from ARCH_X86 to both ARCH_X86 and ARCH_X64. The exploit supports x64 systems and x64 payloads.
    • Promote the `check != CheckCode::Appears` guard to the start of the `exploit` method.
    • Add a check to the `check` method to verify that unprivileged user namespaces are permitted.
    • Add a check to confirm that `WritableDir` is writable.
    • Add `to_s` to `read_file` calls, as `read_file` can return `nil`.
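The three behavioural changes in PR 12727 (guard promoted to the top of `exploit`, a user-namespace test in `check`, and `to_s` on every `read_file` result) compose into a small pre-flight sequence. The code below is an added, stand-alone model of that sequence, not the module's code: the `CheckCode` constants are stand-ins for `Msf::Exploit::CheckCode`, the two sysctl paths are my assumption of how "unprivileged user namespaces are permitted" can be tested, and the kernel-version test the module also performs is left out. `read_file` is modelled as a callable that returns `nil` for a missing path, exactly the case the `to_s` fix guards against.

```ruby
# Stand-ins for Msf::Exploit::CheckCode (assumption: only the three values used here).
module CheckCode
  APPEARS = :appears
  SAFE    = :safe
  UNKNOWN = :unknown
end

# read_file behaves like Msf::Post::File#read_file: nil when the path is missing
# or unreadable. Every result goes through to_s before a string method is called,
# so an absent sysctl file yields "" instead of a NoMethodError on nil.
def unprivileged_userns_permitted?(read_file)
  # Debian/Ubuntu knob (assumed path): "0" blocks unprivileged CLONE_NEWUSER.
  clone = read_file.call('/proc/sys/kernel/unprivileged_userns_clone').to_s.strip
  return false if clone == '0'
  # Mainline limit, kernel >= 4.9 (assumed path): "0" also disables user namespaces.
  max_ns = read_file.call('/proc/sys/user/max_user_namespaces').to_s.strip
  return false if max_ns == '0'
  # Neither knob says "disabled" (files absent or non-zero): treat as permitted.
  true
end

# Returns [code, message], mirroring what a module's check method reports.
def check(read_file:)
  unless unprivileged_userns_permitted?(read_file)
    return [CheckCode::SAFE, 'unprivileged user namespaces are disabled']
  end
  [CheckCode::APPEARS, 'unprivileged user namespaces are permitted']
end

# The guard runs first, before anything is written to the target; the
# WritableDir test follows, so a bad directory aborts before staging.
# +writable+ is a callable standing in for the module's directory test.
def exploit(read_file:, writable_dir:, writable:)
  code, msg = check(read_file: read_file)
  raise "aborting: #{msg}" unless code == CheckCode::APPEARS
  raise "aborting: #{writable_dir} is not writable" unless writable.call(writable_dir)
  :launched   # the real module would upload and run the payload here
end

# Constructed view of a target's /proc files: nil for anything not in the map.
def fake_reader(files)
  ->(path) { files[path] }
end

if $PROGRAM_NAME == __FILE__
  target = fake_reader('/proc/sys/kernel/unprivileged_userns_clone' => "1\n")
  puts check(read_file: target).inspect
  puts exploit(read_file: target, writable_dir: '/tmp', writable: ->(_d) { true }).inspect
end
```

The `fake_reader({})` case in the self-check is the one that used to crash: with no sysctl files at all, `read_file` returns `nil` and the original code would have called a string method on it.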
  • PR 12750 - This PR fixes a minor transposition error in the haKCers.txt banner
  • PR 12760 - This improves the Linux bpf_priv_esc module to more accurately target vulnerable kernel versions as well as warning the user that manual cleanup of the added cron job is necessary post-exploitation.
  • PR 12785 - Fix a login prompt parsing regex bug in `auxiliary/scanner/telnet/telnet_login` when parsing banners upon successful login.
  • PR 12799 - This fixes python web_delivery when SSL is enabled.

Enhancements and Features

  • Pro: MS-4897 - Updated Java 8 runtime version.
  • PR 12363 - The `auxiliary/gather/chrome_debugger` module takes advantage of misconfigured headless chrome sessions to either retrieve a specified file off the remote file system, or makes a web request from the remote machine.
  • PR 12433 - This adds a DoS module targeting a regex parsing weakness in the reverse_http and reverse_https payload handlers in Metasploit 5.0.27 and below.
  • PR 12446 - This change adds support for a PowerShell AMSI bypass, which enables the web_delivery module to bypass Windows Defender on Windows 10.
  • PR 12486 - This improves the `auxiliary/scanner/http/host_header_injection` module by adding new options to set the HTTP request method and POST data. It also adds the `X-Host` HTTP header to the request.
  • PR 12524 - This updates most Python code in Metasploit Framework to be compatible with Python 3.
  • PR 12640 - This adds a log message to Detected and Unknown check codes, an exception handler to catch Gem::Version parsing errors and updates the spec for the `exploit/http/wordpress/version.rb` exploit.
  • PR 12643 - This adds additional exploit modules examples for Linux privilege escalation and web application vulnerabilities.
  • PR 12647 - This adds back a check to `msftidy` that flags module files that have accidentally been marked executable.
  • PR 12662 - Update post/multi/gather/gpg_creds module to support gathering of GPG version 2.1+ keys.
  • PR 12675 - Update the Meterpreter kiwi extension to use Mimikatz 2.2.0-20191125.
  • PR 12679 - This removes `file_local_digestsha1`, `file_local_digestsha2`, `file_local_digestmd5` methods from the `Post::File` API. These methods do not appear to have ever been used since they were first added 10 years ago.
  • PR 12744 - Rename the exploit/linux/local/rds_priv_esc to exploit/linux/local/rds_rds_page_copy_user_priv_esc so other rds exploits can be added without name issues. It also updates rds_rds_page_copy_user_priv_esc to use newer Metasploit libraries.
  • PR 12754 - This adds the ForceExploit option to the exploit/bsd/finger/morris_fingerd_bof and exploit/unix/smtp/morris_sendmail_debug modules, enforcing an automatic check before exploitation unless ForceExploit is set.
  • PR 12779 - Add support for the PrependSetuid and PrependSetresuid payload options on the ARMLE architecture.
  • PR 12804 - Add support for macOS in the web_delivery module.

New Modules

  • PR 12364 - This adds an exploit module for vBulletin `v5.0.0` through `v5.5.4` that gains unauthenticated remote code execution by leveraging a flaw in the widget creation functionality. The module sends a POST request to `ajax/render/widget_php` with the code to execute in the `widgetConfig[code]` parameter.
  • PR 12391 - This module allows a user to inject arbitrary shellcode into the memory of an existing process on Windows.
  • PR 12651 - This adds an exploit module for an object deserialization vulnerability in OpenMRS versions prior to v2.24.0. The vulnerability is in the webservices.rest module used by OpenMRS; unauthenticated remote code execution is achieved by sending a malicious XML payload to a REST API endpoint. OpenMRS is an open-source platform that supplies users with a customizable medical record system.
  • PR 12693 - This module leverages two privilege escalation vulnerabilities, CVE-2019-1405 and CVE-2019-1322, to gain SYSTEM privileges on Windows 10 x64. The initial vulnerability gives a local user the ability to execute commands as a LOCAL SERVICE user via a logic error in the UPnP device host service. The user can then further elevate privileges via the Update Orchestrator Service, which allows LOCAL SERVICE users to execute arbitrary commands as SYSTEM.
  • PR 12701 - This adds a local privilege escalation module against a host which has the `reptile` Linux rootkit installed.
  • PR 12712 - This adds a local privilege escalation module exploiting a vulnerability in the OpenBSD `ld.so` dynamic loader (CVE-2019-19726).
  • PR 12725 - The `exploit/linux/local/bash_profile_persistence` module uploads a payload to the remote target and adds code to the shell configuration file (e.g. `~/.bashrc`) to trigger it. The payload will be executed each time a new shell session is created, which helps to maintain persistence on the exploited system.
  • PR 12788 - Add re-exploitation notes to `exploit/linux/local/rds_rds_page_copy_user_priv_esc` module documentation.

Offline Update

Metasploit Framework and Pro Installers