Metasploit 4.17.1 (May 14, 2020)

Bugs Fixed

  • PR 13358 - This ensures that we correctly handle out-of-order packets on pivoted sessions.
  • PR 13360 - The msfconsole will no longer output ActiveRecord warning messages on start up when using Ruby 2.7.x
  • PR 13363 - This fixes a deprecation error that was occurring when generating the HTTP and HTTPS Meterpreter shells using Ruby 2.7.x by replacing a URI.decode call with a CGI.unescape call.
  • PR 13406 - We updated the DNS enumeration to safely ignore unhandled resource records, and patched bugs in the internal implementation of Rex::Proto::DNS::Resolver.

Enhancements and Features

  • Pro: MS-3169 - Payload generation wizard now logs events in the database.
  • Pro: MS-5092 - We did an overhaul of the JavaScript in Metasploit Pro to modernize XSS protections, including fixes for CVE-2020-7354 and CVE-2020-7355 (XSSes in host ID and notes fields). Many thanks to Andrea Valenza (AvalZ) with the University of Genoa who reported this to Rapid7.
  • Pro: MS-5537 - The 2020 custom survey banner was removed. Thank you for your responses!
  • Pro: MS-5626 - A certificate installed on all Pro customer systems expired on May 14th, 2020. We updated the certificate and some related logic to provide a path forward. Pro customers should update to release 4.17.1-2020051401 (or later) as soon as possible.
  • PR 12234 - This adds an auxiliary module that attempts multiple techniques to fingerprint IP addresses that can be used for directly connecting to web servers that are supposed to be protected by cloud based solutions. This helps to identify a common class of misconfiguration vulnerabilities in these scenarios.
  • PR 13100 - This updates the OSX stager to add support for cases where the dyld macho might not be loaded into the expected location. It also adds MeterpreterDebugLevel support to the OSX stager to allow users to view debug output coming from the payload.
  • PR 13257 - This improves the .NET deserialization library by adding two new gadget chains, TypeConfuseDelegate and WindowsIdentity, and a new formatter, SoapFormatter, and updates the applicable modules to use them.
  • PR 13281 - This fixes an issue with Meterpreter's screenshot command on Windows. When the Meterpreter session is opened as a service the screenshot command will cause Explorer to crash due to restricted desktops. This checks that desktops are available to avoid that condition and prevents the user from accidentally triggering the crash.
  • PR 13313 - Adds a warning to msfconsole that changing the SSL option with set ssl true or set ssl false may also require changing the RPORT value.
  • PR 13315 - The GatherProof advanced option is now set to true by default for the auxiliary/scanner/ssh/ssh_login and auxiliary/scanner/ssh/ssh_login_pubkey modules in order to address the common case when scanning SSH servers.
  • PR 13316 - RemoteHttpDataService can now manage tags.
  • PR 13321 - This enhances the GatherProof advanced option in the SSH login scanners to better handle Windows and unknown platforms.
  • PR 13325 - This updates the behavior of Meterpreter's ls command to expand environment variables in the path argument on Windows systems.
  • PR 13330 - We updated the version of the Meterpreter payloads gem to 1.4.1. This pulls in the changes made in rapid7/metasploit-payloads#388 and rapid7/metasploit-payloads#389 to the Windows Meterpreter payloads, which reduce the complexity of extension building and loading and remove some fingerprint artifacts. The new versions of these Windows Meterpreter payloads should now be smaller.
  • PR 13340 - This fixes up the PKS link used by import-dev-keys.sh to use the Ubuntu PKS (public key server) rather than MIT's key server.
  • PR 13342 - Updates Msf::Post::Linux::Kernel.pax_installed? to use /proc/self/status rather than /sbin/paxctl, and adds checks for paxctld, paxtest, firejail, auditd to the post/linux/gather/enum_protections module.
  • PR 13364 - A new tool, tools/payloads/ysoserial/dot_net.rb was added. It is a command-line tool to generate ysoserial.net payloads for .NET deserialization attacks.
  • PR 13367 - Adds enhancements to ensure that developer provided error messages are properly surfaced to users, which should allow users to better debug why errors are occurring.
  • PR 13375 - This adds a fix to the encoder/x86/unicode_mixed and encoder/x86/unicode_upper encoders to ensure that the mandatory option BufferRegister is always set. This fixes #13372 that was preventing users from being able to Unicode encode payloads.
  • PR 13380 - This fixes a typo in the description of lib/msf/core/encoder/alphanum.rb, and applies RuboCop fixes to alphanum.rb, unicode_upper.rb and unicode_mixed.rb.
  • PR 13388 - This updates the sap_icm_urlscan module to use more up-to-date URLs from newer versions of SAP. Thanks to Joris van de Vis (@kloris) for providing many of the newer SICF URLs.
  • PR 13401 - This adds an auxiliary and exploit module to leverage a root key disclosure in SaltStack Salt and an unauthenticated RCE, CVE-2020-11651. A basic ZeroMQ library that future modules can use was added.
  • PR 13402 - This adds the service_exists?() method to the Post::Windows::Services mixin.
  • PR 13405 - This converts the SRVHOST option from type OptAddress to OptAddressLocal, allowing a user to specify a network interface for Metasploit servers to listen on.
  • PR 13416 - This adds a Reflectively Loaded Dynamic-link library (RDLL) Visual Studio project template that allows users to more easily create RDLLs for use in their exploits. It also adds documentation on where compiled RDLLs are meant to be placed and how to set up Rapid7's fork of Stephen Fewer's (@stephenfewer) ReflectiveDLLInjection project so that the RDLLs compile successfully.
  • PR 13422 - Updates the Linux Polkit pkexec helper PTRACE_TRACEME local root exploit module to prefer automatic targeting of useful Polkit helpers before falling back to a hard-coded list of helpers.
  • PR 13433 - This updates msf-json-rpc to work when run from any path.
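The check described for PR 13342 above, as an added example that is not Metasploit's own code: a PaX kernel is detected by the presence of a "PaX:" line in /proc/self/status rather than by running /sbin/paxctl, and the per-task flag letters on that line can be decoded further (grsecurity/PaX kernels print the five letters in PAGEEXEC, EMUTRAMP, MPROTECT, RANDMMAP, SEGMEXEC order, upper-case when enabled, or "-----" for a task without an address space). The PATH lookup for paxctl, paxctld, paxtest, firejail and auditd mirrors the extra binary checks enum_protections gained. The function names, the sample status excerpts and the PATH-based lookup are assumptions of this example.

```ruby
# Added example (not Metasploit's own code): detect a PaX kernel and decode the
# per-process PaX flags from /proc/self/status instead of calling /sbin/paxctl.
# Assumed file format: PaX kernels add a line "PaX:\tPeMRs" where an upper-case
# letter means that protection is enabled for the task.

PAX_FLAGS = {
  'P' => 'PAGEEXEC',  # non-executable pages
  'E' => 'EMUTRAMP',  # trampoline emulation
  'M' => 'MPROTECT',  # mprotect() restrictions
  'R' => 'RANDMMAP',  # mmap() base randomisation
  'S' => 'SEGMEXEC',  # segmentation-based NX
}.freeze

# Returns the raw flag string (e.g. "PeMRs"), or nil when the kernel is not PaX.
def pax_flag_string(status_text)
  line = status_text.each_line.find { |l| l.start_with?('PaX:') }
  return nil unless line
  line.split(':', 2).last.strip
end

# The presence test PR 13342 describes: no PaX line, no PaX kernel.
def pax_installed?(status_text)
  !pax_flag_string(status_text).nil?
end

# Decodes the flag string into { 'PAGEEXEC' => true, ... }. A "-----" line
# (kernel thread without an mm) decodes to all-false; a stock kernel gives {}.
def pax_protections(status_text)
  flags = pax_flag_string(status_text)
  return {} if flags.nil?
  PAX_FLAGS.each_with_object({}) do |(letter, name), h|
    h[name] = flags.include?(letter)  # upper-case letter => enabled
  end
end

# Looks for each protection tool on PATH rather than at a hard-coded /sbin path.
def installed_tools(path_env = ENV['PATH'], tools = %w[paxctl paxctld paxtest firejail auditd])
  dirs = path_env.to_s.split(File::PATH_SEPARATOR)
  tools.select { |t| dirs.any? { |d| File.executable?(File.join(d, t)) } }
end

# Constructed sample: /proc/self/status excerpt from a PaX kernel.
SAMPLE_PAX_STATUS = <<~STATUS
  Name:\tbash
  State:\tS (sleeping)
  PaX:\tPeMRs
  Pid:\t4242
STATUS

# Constructed sample: the same excerpt on a stock kernel (no PaX line).
SAMPLE_STOCK_STATUS = <<~STATUS
  Name:\tbash
  State:\tS (sleeping)
  Pid:\t4242
STATUS

if __FILE__ == $PROGRAM_NAME
  live = File.read('/proc/self/status') rescue SAMPLE_STOCK_STATUS
  puts "PaX installed on this host: #{pax_installed?(live)}"
  puts "Sample PaX protections: #{pax_protections(SAMPLE_PAX_STATUS)}"
  puts "Protection tools on PATH: #{installed_tools.inspect}"
end
```

Reading /proc/self/status works from any unprivileged session and leaves no process-execution trace, which is the practical reason to prefer it over shelling out to paxctl; the decoded flags additionally tell you whether MPROTECT or PAGEEXEC is actually enforced for the current task, which a bare "installed" answer does not.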

New Modules

  • PR 11359 - This adds an exploit targeting an unauthenticated RCE in vulnerable Apache Shiro instances where the rememberMe cookie is insecurely treated as a Java serialized object. This vulnerability is identified as CVE-2016-4437.
  • PR 13107 - This adds an exploit module for an unauthenticated RCE in the Kentico CMS platform versions 12.0.14 and earlier. An attacker can leverage a deserialization vulnerability in the Staging Service to execute arbitrary commands in the context of the target server process.
  • PR 13200 - A new exploit for CVE-2019-0808 was added. This targets versions of Windows 7 x86 SP0 and SP1. Successful exploitation will result in SYSTEM level privileges. Some minor screen effects may occur when exploiting this vulnerability, however these effects will go away when the session is closed.
  • PR 13260 - This adds a local exploit module for Docker Community Edition for Windows versions <= v2.1.0.0. When executing the login functionality for Docker, Docker attempts to execute docker-credential-wincred.exe in a directory readable/writeable to low-privileged users. Given this, prior to executing the login functionality the docker-credential-wincred.exe file can be overwritten with a malicious file, giving the potential for privilege escalation. This vulnerability is identified as CVE-2019-15752.
  • PR 13290 - A privilege escalation module leveraging CVE-2014-2630. The vulnerability exists in xglance-bin, which loads .so files from user-accessible locations.
  • PR 13300 - This adds a remote root exploit for IBM Data Risk Manager versions 2.0.3 and below. Version 2.0.6 might also be vulnerable. The exploit covers:
  • PR 13301 - This adds an arbitrary file download module for IBM Data Risk Manager versions 2.0.2 and 2.0.3. Version 2.0.6 might also be vulnerable. The exploit covers CVE-2020-4427 and CVE-2020-4429.
  • PR 13304 - This adds an SSH remote exploit with privilege escalation to root for IBM Data Risk Manager versions 2.0.3 and below. Version 2.0.6 might also be vulnerable. This exploits CVE-2020-4429.
  • PR 13322 - This adds an exploit for CVE-2020-0668, a privileged arbitrary file write. The written file is then loaded by the Service Orchestrator as NT AUTHORITY\SYSTEM, resulting in a privileged session.
  • PR 13327 - This adds an exploit module for an unauthenticated RCE in the Veeam ONE Agent due to the use of insecure methods of deserializing .NET objects received over the network. This also adds a brand new CMD stager which uses Powershell to download and execute a binary. This module exploits CVE-2020-10915 also known as ZDI-20-546.
  • PR 13353 - This adds in a module for CVE-2020-7351, an authenticated RCE in the endpoint_devicemap.php page of Trixbox CE devices running version 1.2.0 to 2.8.0.4 inclusive. Successful exploitation results in RCE as the asterisk user, however users can easily elevate their privileges to the root user by utilizing an outdated version of Nmap that comes installed by default on these devices.
  • PR 13370 - This adds an exploit module for the Druva inSync client for Windows which exposes a network service on TCP port 6064 on the local network interface. inSync versions 6.5.2 and prior do not validate user-supplied program paths in RPC type 5 messages, allowing execution of arbitrary commands as SYSTEM.
  • PR 13429 - This adds a module to exploit a Python code injection in the Netsweeper WebAdmin component's unixlogin.php script, for versions 6.4.4 and prior, to execute code as the root user.
