Last updated at Wed, 17 Jan 2024 01:33:25 GMT
BSD love
Outside of macOS, not many people run (or run into) a BSD-flavored system very often. Even so, bcoles and space-r7 teamed up for a pair of BSD enhancements. The first, a privilege escalation, affects FreeBSD's runtime linker dealing with `LD_PRELOAD` in FreeBSD 7.1, 7.2, and 8.0. The next enhancement adds BSD targets to our known-credential ssh executor, which now allows BSD-specific payloads. Not wanting macOS to be left out, timwr ported CodeColorist's privilege escalation via the Feedback Assistant. So even if you run a BSD, be sure to protect your creds and patch your systems!
A payload for ants
It's not too often that a Linux exploit requires a very small binary payload, but when you need one it is the only thing that will do. Thanks to Ekzorcist and our own busterb we now have a Linux bind payload that is just 44 bytes long! It saves size by offloading the networking code to nc(1) on the target and allowing it to use a random port, which means that you will need to scan the target to find the port that now has your shell. It's only triggered when you need a bind payload for Linux that is smaller than the one we have been using (57 bytes), but when you need it, it will be there waiting for you.
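From the defender's side, the artefact of the payload described above is an nc-family process holding a listening TCP socket on an unusual high port. The following is an added detection example, not Metasploit code: it parses Linux `ss -ltnp` style output (the sample lines are constructed) and flags listeners owned by nc, netcat or ncat.

```python
"""Flag listening TCP sockets owned by nc-family processes.

Added example, not part of the Metasploit wrapup. Input is the line format of
`ss -ltnp` on Linux; SAMPLE_SS_OUTPUT is constructed for illustration.
"""
import re
from dataclasses import dataclass

SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      1      0.0.0.0:41327      0.0.0.0:*     users:(("nc",pid=4471,fd=3))
LISTEN 0      511    127.0.0.1:5432     0.0.0.0:*     users:(("postgres",pid=901,fd=5))
LISTEN 0      10     *:8080             *:*           users:(("ncat",pid=5012,fd=4))
"""

# Process names that commonly back an nc-based listener (assumed list).
NC_NAMES = {"nc", "netcat", "ncat", "nc.traditional", "nc.openbsd"}

# State, Recv-Q, Send-Q, local addr:port, peer, then the first process entry.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)'
)


@dataclass(frozen=True)
class Finding:
    process: str
    pid: int
    port: int
    addr: str


def find_nc_listeners(ss_output: str, min_port: int = 1024) -> list:
    """Return Findings for LISTEN sockets owned by nc-family processes.

    Ports below min_port are ignored so that a deliberately configured nc
    service on a well-known port does not drown out random high ports.
    """
    findings = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or non-LISTEN socket
        addr, port, proc, pid = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if proc in NC_NAMES and port >= min_port:
            findings.append(Finding(proc, pid, port, addr))
    return findings


if __name__ == "__main__":
    for f in find_nc_listeners(SAMPLE_SS_OUTPUT):
        print(f"suspicious listener: {f.process} pid={f.pid} on {f.addr}:{f.port}")
```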
New modules (4)
- FreeBSD rtld execl() Privilege Escalation by Kingcope, bcoles, and stealth, which exploits CVE-2009-4147
- Shopware createInstanceFromNamedArguments PHP Object Instantiation RCE by Karim Ouerghemmi and mr_me, which exploits CVE-2017-18357
- Mac OS X Feedback Assistant Race Condition by CodeColorist and timwr, which exploits CVE-2019-8565
- Onion Omega2 Login Brute-Force by Not So Attractive
Enhancements and features
- PR #11864 updates the jenkins_metaprogramming exploit module with an additional target that uses the `GroovyShell.parse` entry point for command execution.
- PR #11861 updates `exploit/multi/misc/weblogic_deserialize_asyncresponseservice` to reference the correct CVE and consolidates on the `TARGETURI` option.
- PR #11833 adds a check to give a better error message when the exploit is thrown against a server that's not listening.
- PR #11805 adds BSD targets to the `exploit/multi/ssh/sshexec` module.
- PR #11374 - `linux/x86/shell_bind_tcp_random_port` now has a smaller version that uses the `nc` command on the target to reduce the amount of shellcode needed. The new payload will automatically be used when the old one is too large.
Bugs fixed
- PR #11871 fixes an issue where an error would display in msfconsole when establishing a Meterpreter HTTP/S session when using a local postgresql database, preventing interaction with the session.
- PR #11863 bumps Mettle's version to incorporate the changes made in rapid7/mettle#185, which fixed the environment variables for meterpreter when it starts. This should fix the bugs we are seeing in the get_env post/test module.
- PR #11868 fixes the disclosure date in `exploit/windows/iis/iis_webdav_upload_asp`.
- PR #11860 adds normalization to the `pipe_auditor` mixin (used by the module) to prefix named pipe names with a backslash. Samba 3.x doesn't perform any normalization on the pipe name, thus requiring the backslash. Samba 4.x and Windows are unaffected.
- PR #11847 fixes a few bugs in `post/multi/gather/jenkins_gather`.
- PR #11843 updates the links generated from MSB references to security bulletins on docs.microsoft.com.
- PR #11842 changes `Powershell::wrap_double_quotes` to `false` in `exploit/windows/browser/ms14_064_ole_code_execution` in order to fix a regression in functionality.
- PR #11834 fixes a bug in the previous version of the module so that it once again works against Symantec System Center Alert Management System.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
We recently announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions).