Data service improvements
The Payload UUID and paranoid mode Meterpreter payload and listener features were first introduced and added to many HTTP and TCP Metasploit payloads in mid-2015. These features provided three major enhancements for Metasploit payload use. First, they allowed the user to uniquely identify a generated payload, which is important when running social engineering campaigns. Second, they allowed the user to drop session connections without a known UUID. Third, they created a secure communication link between the payload and listener.
In late 2018, the team revisited Payload UUIDs with a focus on supporting the feature through the data service, thus allowing teams to more easily work from a single payload UUID source. Between PR #10675 and PR #11532, Erin Bleiweiss and Matthew Kienow shifted Metasploit's payload UUID tracking mechanism from a local file, ~/.msf4/payloads.json, to the Metasploit data service, allowing users to store and track UUID payloads in a local or remote database.
The change also opens the door for third-party integrations that leverage the payload UUID data through MSF5's REST API. It is important to note that those currently using a payloads.json file for UUID tracking may need to remain on Metasploit 5.0.9 or earlier, stay on the Metasploit 4.x branch, or regenerate their payloads while connected to a data service in order to use the new mechanism. The instance hosting the listener should also be configured to connect to the same data service that was in use when the UUID payloads were generated.
As MSF5 becomes more widely used, the web service-related components are exercised further by our community, who diligently report their findings. Thanks to Ted R for noting an issue that led busterb to open PR #11533, which fixes a bug where the createcrackedcredential method incorrectly handled the result of a service lookup against the database. Also, thanks to Acidical for reporting an issue with msfdb, which led to Erin Bleiweiss opening #11525 to fix the msfdb reinit command: it deleted the web service SSL key and cert (.pem) files regardless of the user answering "no" when asked whether to delete existing data and configurations. Keep exploring the new features and reporting back if they don't operate as expected!
A number of users have reported issues using msfdb on Linux distributions that use the postgresql-common tools, and have discovered a workaround: add the PostgreSQL binaries to their PATH and add their user to the postgres group. A Wiki entry was created to document an initial investigation into the work needed to allow msfdb to use postgresql-common, in response to the open issue "Improve msfdb to work with pg_createcluster, pg_ctlcluster and other Debian-specific tools" (#11369). Anyone interested in working on the enhancement should first read the Wiki, since it explores the high-level steps necessary to enhance msfdb to use postgresql-common.
PSA-2019-02-22 to inform users that a REST resource endpoint is also vulnerable, even if it only accepts GET requests. The exploits/unix/webapp/drupal_restws_unserialize module, introduced in PR #11481 by Rotem Reiss and wvu, exploits a vulnerability in Drupal RESTful web services that can lead to arbitrary PHP code execution (CVE-2019-6340). Drupal versions 8.5.0 to 8.5.10 and 8.6.0 to 8.6.9 are vulnerable. It is important to note that Drupal caches GET responses, which can interfere with exploit success. If issues are encountered, clear the cache in a controlled test environment; otherwise, set another node ID.
Exploit modules (4 new)
- Android 'su' Privilege Escalation by timwr
- FreeBSD Intel SYSRET Privilege Escalation by John Baldwin, Rafal Wojtczuk, bcoles, and iZsh, which exploits CVE-2012-0217
- Imperva SecureSphere PWS Command Injection by rsp3ar
- Drupal RESTful Web Services unserialize() RCE by wvu, Charles Fol, Jasper Mattsson, and Rotem Reiss, which exploits CVE-2019-6340
- PR #11419 by Cale Black adds systemd user-level service persistence to the
- PR #11505 by bcoles deprecated the pml_driver_config Meterpreter script in favor of the
- PR #11521 by Clément Notin adds the handling of UnicastRef2 responses in RMI serialized responses, allowing modules to exploit a wider variety of targets.
- PR #11500 by Shelby Pace updates the Cisco ASA Directory Traversal module with a more permissive software detection regex to ensure targets aren't falsely reported as inaccessible.
- PR #11498 by acammack-r7 adds extended documentation for the jobs command to msfconsole.
- PR #11464 by Nicholas Starke adds firmware version checking to the check method in
- PR #11077 by Imran E. Dawoodjee adds a new module doc for exploit/windows/ftp/wing_ftp_admin_exec, as well as an improved check and support for PowerShell.
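The UnicastRef2 handling added in PR #11521 above concerns how a remote reference is laid out inside a serialized RMI response. The following is an added example, not Metasploit's own code: a small Ruby parser for the reference body of a serialized RemoteObject that accepts both the legacy UnicastRef layout and the UnicastRef2 layout (endpoint format byte, optional client socket factory). The byte layout is recalled from the JDK's RemoteObject, LiveRef, TCPEndpoint and ObjID write paths, and the sample references at the bottom are constructed rather than captured.

```ruby
require 'stringio'
# Parses the serialized form of a Java RMI remote reference as written into the
# block data of a RemoteObject: a UTF ref-class name, then the LiveRef body.
# "UnicastRef" carries host/port directly; "UnicastRef2" prefixes an endpoint
# format byte and may carry a client socket factory (CSF) before the ObjID.
class RmiRefParser
  FORMAT_HOST_PORT         = 0x00
  FORMAT_HOST_PORT_FACTORY = 0x01

  def initialize(data); @io = StringIO.new(data.b); end

  def parse
    ref = { ref_type: read_utf }
    case ref[:ref_type]
    when 'UnicastRef'
      ref[:host], ref[:port] = read_utf, read_int
    when 'UnicastRef2'
      format = read_byte
      ref[:host], ref[:port] = read_utf, read_int
      unless [FORMAT_HOST_PORT, FORMAT_HOST_PORT_FACTORY].include?(format)
        raise ArgumentError, "unknown endpoint format #{format}"
      end
      # A CSF is a full serialized object graph: report it and stop rather than
      # deserialize untrusted data.
      return ref.merge(csf: true) if format == FORMAT_HOST_PORT_FACTORY
    else
      raise ArgumentError, "unsupported ref type #{ref[:ref_type].inspect}"
    end
    # ObjID = objNum (long) + UID (unique int, time long, count short): 22 bytes.
    ref[:obj_num], ref[:uid_unique], ref[:uid_time], ref[:uid_count] =
      read_bytes(22).unpack('Q>NQ>n')
    ref[:result_stream] = read_byte == 1 # trailing isResultStream boolean
    ref
  end

  private
  def read_bytes(n)
    s = @io.read(n)
    raise ArgumentError, 'truncated reference' unless s && s.bytesize == n
    s
  end
  def read_byte;  read_bytes(1).unpack1('C'); end
  def read_short; read_bytes(2).unpack1('n'); end
  def read_int;   read_bytes(4).unpack1('N'); end
  def read_utf;   read_bytes(read_short).force_encoding('UTF-8'); end
end

# Constructed sample references (not captured traffic) in Java DataOutput layout.
def java_utf(s); [s.bytesize].pack('n') + s.b; end
OBJID = [7, 0x1234, 1_550_000_000_000, 1].pack('Q>NQ>n')
UNICAST_REF  = java_utf('UnicastRef') + java_utf('10.0.0.5') + [1099].pack('N') + OBJID + "\x00".b
UNICAST_REF2 = java_utf('UnicastRef2') + "\x00".b + java_utf('10.0.0.5') + [40001].pack('N') + OBJID + "\x01".b
```

`RmiRefParser.new(UNICAST_REF2).parse` yields the host, port and ObjID fields; a reference that announces a socket factory is reported as `csf: true` without walking the embedded object graph.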
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
We recently announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions).