Last updated at Tue, 16 Jan 2024 01:49:54 GMT
Why can't I hold all these Pull Requests?
It has been a busy month here in Metasploit-land, with the holidays, the holiday community contributions, and our community CTF. It doesn't help that the last few months have seen our open pull request count keep climbing as well, reaching over 90 at times. Our fearless leader, busterb, decided to take on the challenge and landed over 20 PRs by himself in the last two weeks, with nearly 50 total in the release since the last write-up. I won't be able to give a shout-out to all the amazing stuff that landed and all the invaluable community members who contributed, so be sure to peruse the landed PRs.
WebSphere ALL THE THINGS
One of the things that stands out even in the middle of all this development is the IBM WebSphere work contributed by pkb1s. Thanks to them, we now have login and channel brute forcing and version enumeration. They have been tested with versions 7.5 through 9, so if you come across some of these in the wild be sure to give these a look! Also, big props to asoto-r7 for a thorough job testing against such a... fun... target.
New Modules
Exploit modules (8 new)
- Netgear Devices Unauthenticated Remote Command Execution by Daming Dominic Chen and Imran Dawoodjee, which exploits CVE-2016-1555
- php imap_open Remote Code Execution by Anton Lopanitsyn, Twoster, and h00die, which exploits CVE-2018-19518
- Apache Spark Unauthenticated Command Execution by Green-m and aRe00t
- Linux Nested User Namespace idmap Limit Local Privilege Escalation by Jann Horn and bcoles, which exploits CVE-2018-18955
- Unitrends Enterprise Backup bpserverd Privilege Escalation by Benny Husted, Cale Smith, Jared Arave, and h00die, which exploits CVE-2018-6329
- Xorg X11 Server SUID privilege escalation by Aaron Ringo, Brendan Coles, Narendra Shinde, and Raptor - 0xdea, which exploits CVE-2018-14665
- TeamCity Agent XML-RPC Command Execution by Dylan Pindur
- Mac OS X libxpc MITM Privilege Escalation by saelo, which exploits CVE-2018-4237
Auxiliary and post modules (7 new)
- WordPress WP GDPR Compliance Plugin Privilege Escalation by Mikey Veenstra (WordFence) and Thomas Labadie, which exploits CVE-2018-19207
- Microsoft IIS shortname vulnerability scanner by Ali Abbasnejad, MinatoTW, Soroush Dalili, and egre55
- IBM WebSphere MQ Channel Name Bruteforce by Petros Koutroumpis
- Identify Queue Manager Name and MQ Version by Petros Koutroumpis
- IBM WebSphere MQ Login Check by Petros Koutroumpis
- Eaton Xpert Meter SSH Private Key Exposure Scanner by BrianWGray, which exploits CVE-2018-16158
- Windows Gather PureVPN Client Credential Collector by Manuel Nader #AgoraSecurity
Improvements
- PR #11035 - This PR improves Cisco SSL VPN fingerprinting in the auxiliary/scanner/http/cisco_ssl_vpn module.
- PR #11032 - This updates the documentation for exploit/linux/local/af_packet_chocobo_root_priv_esc, noting that the exploit does not bypass SMAP.
- PR #11019 - This fixes nagios_xi_chained_rce_2_electric_boogaloo and ppr_flatten_rec to properly respect the WfsDelay option.
- PR #11017 - This fixes the userns_enabled? method for Linux kernel post module capability detection when the unprivileged_userns_clone or proc file entries are unavailable.
- PR #11015 - This fixes various issues related to Linux targets in the Xorg X11 Server SUID privilege escalation module.
- PR #11011 - This PR fixes incorrect capitalization used for a datastore option in the iis_shortname_scanner module.
- PR #11002 - This adds Python 3.7 support for external Python scanner modules, and raises the minimum Python 3 version to 3.5.3.
- PR #11001 - This improves error handling when certain payloads cannot be generated as position-independent shellcode, only executables.
- PR #10998 - When unregistering options for a module, aliases will now also be unregistered. Also, to avoid option name conflicts, the list of available options is checked before the list of aliases.
- PR #10997 - This removes the default command string for the php/exec payload, requiring the user to specify one instead. This prevents the user from accidentally overwriting the /etc/passwd file on the target if the exploit is sufficiently privileged.
- PR #10996 - Correctly check the code returned by the check method before attempting to dump memory for MS15-034.
- PR #10989 - This fixes an issue where saving and restoring datastore state leads to an incorrect message about the payload handler being disabled.
- PR #10984 - This prevents the ms15_034_ulonglongadd DoS module from failing if it does not receive a response from the target.
- PR #10981 - This modernizes the printjob_capture module and fixes up loot storage.
- PR #10977 - This updates the freesshd_authbypass module to work more reliably in the presence of antivirus by avoiding writes to disk.
- PR #10975 - This adds documentation for the following modules: auxiliary/server/capture/postgresql, auxiliary/server/capture/telnet, and auxiliary/server/capture/vnc.
- PR #10973 - This enables support for ISO 8601 style dates for disclosure dates in modules.
- PR #10972 - This improves session / module compatibility checking to have fewer false warnings about session incompatibility.
- PR #10971 - This fixes a formatting error when printing messages while running the check command from local exploit modules.
- PR #10949 - This adds the ForceExploit option to Linux local exploits to opt out of a check method's return value during the exploitation phase.
- PR #10872 - This adds a --pad-nops option for msfvenom to pad a payload up to -n nops bytes. This is useful when replacing shellcode in an exploit with a fixed-length payload.
- PR #10802 - The format (-f) option for msfvenom is no longer case-sensitive, allowing for formats like C and Python.
- PR #10727 - This fixes a nil dereference in the shim layer of external module loading, allowing external modules without notes to be loaded successfully.
- PR #10509 - This adds a source command for shell sessions that allows running a local shell script remotely in a single step.
- PR #10352 - This adds an additional vulnerability check to the jboss_vulnscan auxiliary module. Now the module will check for a deserialization RCE vulnerability referenced in CVE-2017-12149.
- PR #9915 - This improves reliability and compatibility of the influxdb_enum scanner module.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based off the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.