Why can't I hold all these Pull Requests?
It has been a busy month here in Metasploit-land, with the holidays, the holiday community contributions, and our community CTF. It doesn't help that the last few months have seen our open pull request count keep climbing as well, reaching over 90 at times. Our fearless leader, busterb, decided to take on the challenge and landed over 20 PRs by himself in the last two weeks, with nearly 50 total in the release since the last write-up. I won't be able to give a shout-out to all the amazing stuff that landed and all the invaluable community members who contributed, so be sure to peruse the landed PRs.
WebSphere ALL THE THINGS
One of the things that stands out even in the middle of all this development is the IBM WebSphere work contributed by pkb1s. Thanks to them, we now have login and channel brute forcing and version enumeration. They have been tested with versions 7.5 through 9, so if you come across some of these in the wild be sure to give these a look! Also, big props to asoto-r7 for a thorough job testing against such a... fun... target.
Exploit modules (8 new)
- Netgear Devices Unauthenticated Remote Command Execution by Daming Dominic Chen and Imran Dawoodjee, which exploits CVE-2016-1555
- php imap_open Remote Code Execution by Anton Lopanitsyn, Twoster, and h00die, which exploits CVE-2018-19518
- Apache Spark Unauthenticated Command Execution by Green-m and aRe00t
- Linux Nested User Namespace idmap Limit Local Privilege Escalation by Jann Horn and bcoles, which exploits CVE-2018-18955
- Unitrends Enterprise Backup bpserverd Privilege Escalation by Benny Husted, Cale Smith, Jared Arave, and h00die, which exploits CVE-2018-6329
- Xorg X11 Server SUID privilege escalation by Aaron Ringo, Brendan Coles, Narendra Shinde, and Raptor - 0xdea, which exploits CVE-2018-14665
- TeamCity Agent XML-RPC Command Execution by Dylan Pindur
- Mac OS X libxpc MITM Privilege Escalation by saelo, which exploits CVE-2018-4237
Auxiliary and post modules (7 new)
- WordPress WP GDPR Compliance Plugin Privilege Escalation by Mikey Veenstra (WordFence) and Thomas Labadie, which exploits CVE-2018-19207
- Microsoft IIS shortname vulnerability scanner by Ali Abbasnejad, MinatoTW, Soroush Dalili, and egre55
- IBM WebSphere MQ Channel Name Bruteforce by Petros Koutroumpis
- Identify Queue Manager Name and MQ Version by Petros Koutroumpis
- IBM WebSphere MQ Login Check by Petros Koutroumpis
- Eaton Xpert Meter SSH Private Key Exposure Scanner by BrianWGray, which exploits CVE-2018-16158
- Windows Gather PureVPN Client Credential Collector by Manuel Nader #AgoraSecurity
- PR #11035 - This PR improves Cisco SSL VPN fingerprinting the
- PR #11032 - This updates the documentation for `exploit/linux/local/af_packet_chocobo_root_priv_esc`, noting that the exploit does not bypass SMAP.
- PR #11019 - This fixes `ppr_flatten_rec` to properly respect the `WfsDelay` option.
- PR #11017 - This fixes the `userns_enabled?` method for Linux kernel post module capability detection when the `unprivileged_userns_clone` or proc file entries are unavailable.
- PR #11015 - This fixes various issues related to Linux targets in the Xorg X11 Server SUID privilege escalation module.
- PR #11011 - This PR fixes incorrect capitalization used for a datastore option in the `iis_shortname_scanner` module.
- PR #11002 - This adds Python 3.7 support for external python scanner modules, and raises the minimum Python 3 version to 3.5.3.
- PR #11001 - This improves error handling when certain payloads cannot be generated as position-independent shellcode, only executables.
- PR #10998 - When unregistering options for a module, aliases will now also be unregistered. Also, to avoid option name conflicts, the list of available options is checked before the list of aliases.
- PR #10997 - This removes the default command string for the `php/exec` payload, requiring the user to specify one instead. This prevents the user from accidentally overwriting the `/etc/passwd` file on the target if the exploit is sufficiently privileged.
- PR #10996 - Correctly check the code returned by the `check` method before attempting to dump memory for MS15-034.
- PR #10989 - This fixes an issue where saving and restoring datastore state leads to an incorrect message about the payload handler being disabled.
- PR #10984 - This prevents the `ms15_034_ulonglongadd` DoS module from failing if it does not receive a response from the target.
- PR #10981 - This modernizes the `printjob_capture` module and fixes up loot storage.
- PR #10977 - This updates the `freesshd_authbypass` module to work more reliably in the presence of antivirus by avoiding writes to disk.
- PR #10975 - This adds documentation for the following modules: `auxiliary/server/capture/postgresql`, `auxiliary/server/capture/telnet`, and `auxiliary/server/capture/vnc`.
- PR #10973 - This enables support for ISO 8601 style dates for disclosure dates in modules.
- PR #10972 - This improves session / module compatibility checking to have fewer false warnings about session incompatibility.
- PR #10971 - This fixes a formatting error when printing messages while running the `check` command from local exploit modules.
- PR #10949 - This adds the `ForceExploit` option to Linux local exploits, allowing exploitation to proceed regardless of the `check` method's return value.
- PR #10872 - This adds a `--pad-nops` option for msfvenom to pad a payload up to `-n` nops bytes. This is useful when replacing shellcode in an exploit with a fixed-length payload.
- PR #10802 - The format (`-f`) option for `msfvenom` is no longer case-sensitive, allowing for formats like
- PR #10727 - This fixes a `nil` dereference in the shim layer of external module loading, allowing external modules without notes to be loaded successfully.
- PR #10509 - This adds a `source` command for shell sessions that allows running a local shell script remotely in a single step.
- PR #10352 - This adds an additional vulnerability check to the `jboss_vulnscan` auxiliary module. Now the module will check for a deserialization RCE vulnerability referenced in CVE-2017-12149.
- PR #9915 - This improves reliability and compatibility of the `influxdb_enum` scanner module.
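The `userns_enabled?` fix in PR #11017 is about a detection that has to degrade gracefully when the usual proc entries are missing. The script below is an added example written for this post, not Metasploit's code and not the `userns_enabled?` method itself: it reports whether unprivileged user namespaces (the capability the nested-userns privilege escalation listed above depends on) are enabled, first via the Debian/Ubuntu `unprivileged_userns_clone` toggle, then via the mainline `max_user_namespaces` limit, and answers "unknown" rather than guessing when neither exists. The proc-root parameter, the `userns_status` / `fake_proc` names and the constructed trees are assumptions of the example; pass `/proc` to inspect a live host.

```shell
#!/bin/sh
# Added example (not Metasploit code): is unprivileged user-namespace
# creation enabled on this kernel?  Prints enabled / disabled / unknown and
# returns 0 / 1 / 2 respectively.  $1 is the proc root (default /proc) so the
# logic can be exercised against a constructed tree.
userns_status() {
  proc_root="${1:-/proc}"

  # Debian/Ubuntu-patched kernels expose an explicit on/off sysctl.
  f="$proc_root/sys/kernel/unprivileged_userns_clone"
  if [ -r "$f" ]; then
    case "$(cat "$f")" in
      1) echo enabled;  return 0 ;;
      0) echo disabled; return 1 ;;
    esac
    # Any other content: fall through to the next probe.
  fi

  # Mainline kernels (4.9+, CONFIG_USER_NS) cap the number of user
  # namespaces instead; a limit of 0 disables creation entirely.
  f="$proc_root/sys/user/max_user_namespaces"
  if [ -r "$f" ]; then
    v="$(cat "$f")"
    case "$v" in
      ''|*[!0-9]*) echo unknown;  return 2 ;;   # unreadable / non-numeric
      0)           echo disabled; return 1 ;;
      *)           echo enabled;  return 0 ;;
    esac
  fi

  # Neither entry present: old kernel, no CONFIG_USER_NS, or a restricted
  # /proc (e.g. inside a container).  Do not guess.
  echo unknown
  return 2
}

# Build a constructed proc tree for demonstration.
# usage: fake_proc DIR [unprivileged_userns_clone value] [max_user_namespaces value]
fake_proc() {
  dir="$1"
  mkdir -p "$dir/sys/kernel" "$dir/sys/user"
  [ -n "$2" ] && printf '%s\n' "$2" > "$dir/sys/kernel/unprivileged_userns_clone"
  [ -n "$3" ] && printf '%s\n' "$3" > "$dir/sys/user/max_user_namespaces"
  return 0
}

# Demo against three constructed trees (cleaned up afterwards).
demo_root="$(mktemp -d)"
fake_proc "$demo_root/debian_off" 0 ""          # explicit toggle off
fake_proc "$demo_root/mainline"   "" 15000      # mainline default limit
fake_proc "$demo_root/bare"       "" ""         # no entries at all
for d in debian_off mainline bare; do
  printf '%-12s %s\n' "$d" "$(userns_status "$demo_root/$d")"
done
rm -rf "$demo_root"
```

Reading the sysctl files directly (rather than running `sysctl`) keeps the check usable on minimal images, and the explicit "unknown" result is the part that matters: a hardening audit that silently treats a missing file as "disabled" would report a host as safe precisely on the kernels where the probe has no data.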
As always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:
To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based off the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.