Exploiting Windows tools
There are two new Windows modules this week, both brought to you by the Metasploit team.
The Windows Silent Process Exit Persistence module, from our own bwatters-r7, exploits a Windows tool that allows for debugging a specified process on exit. With escalated privileges, an attacker can configure the debug process and then use the module to upload a payload which will launch every time the specified binary exits.
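The persistence described above depends on the silent-process-exit debugging feature, which is driven entirely by registry configuration, so a defender can audit a host for it directly. The following PowerShell script is an added example written for this post, not code from the Metasploit project or the module; the registry paths and value names it reads (the SilentProcessExit key with MonitorProcess and ReportingMode, and the Image File Execution Options GlobalFlag bit 0x200) are documented Windows behaviour, while the function name and the "Armed" classification are this example's own.

```powershell
# Added example (not Metasploit's code): audit a Windows host for silent-process-exit
# monitor processes, the mechanism the persistence module above relies on.
# Assumed (documented Windows) registry layout:
#   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\<image>
#     MonitorProcess (REG_SZ)    - command launched when <image> exits
#     ReportingMode  (REG_DWORD) - bit 0x1 = launch MonitorProcess
#   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image>
#     GlobalFlag     (REG_DWORD) - bit 0x200 = FLG_MONITOR_SILENT_PROCESS_EXIT
# Read-only; run from an elevated PowerShell session so HKLM is fully readable.

$spe  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit'
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200

function Get-SilentProcessExitMonitors {
    # Hypothetical helper name; returns one object per configured image.
    if (-not (Test-Path $spe)) { return @() }
    Get-ChildItem -Path $spe | ForEach-Object {
        $image = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath
        $flags = 0
        $ifeoKey = Join-Path $ifeo $image
        if (Test-Path $ifeoKey) {
            $g = (Get-ItemProperty -Path $ifeoKey -ErrorAction SilentlyContinue).GlobalFlag
            if ($null -ne $g) { $flags = [int]$g }
        }
        [pscustomobject]@{
            Image          = $image
            MonitorProcess = $props.MonitorProcess
            ReportingMode  = $props.ReportingMode
            # All three conditions must hold for Windows to launch MonitorProcess
            # on exit: the IFEO flag, a monitor command, and the launch bit.
            Armed          = (($flags -band $FLG_MONITOR_SILENT_PROCESS_EXIT) -ne 0) -and
                             ([bool]$props.MonitorProcess) -and
                             ((([int]$props.ReportingMode) -band 1) -ne 0)
        }
    }
}

$findings = Get-SilentProcessExitMonitors
if (-not $findings) {
    Write-Output 'No SilentProcessExit entries found.'
} else {
    # Any Armed entry whose MonitorProcess is not a debugger your own staff
    # configured (for example a crash-dump tool) deserves a closer look.
    $findings | Sort-Object Armed -Descending | Format-Table -AutoSize
}
```

An entry shows as Armed only when all three settings line up, which is exactly the state the module has to create; a MonitorProcess value that points at an unexpected binary, a user-writable directory, or a script interpreter is the thing to investigate, and the key itself can be removed once the monitored image and monitor command have been confirmed as unwanted.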
The File Sharing Wizard - POST SEH Overflow module, contributed by our own dwelch-r7, exploits a vulnerability in the Windows File Sharing Wizard. An unauthenticated HTTP POST Structured Exception Handler (SEH) buffer overflow allows a remote attacker to obtain arbitrary code execution on vulnerable Windows targets.
Untitled Goose Banner
[ASCII-art goose saying "HONK" (msfconsole banner image, not reproduced)]

       =[ metasploit v5.0.54-dev-82c77a4ec8 ]
+ -- --=[ 1931 exploits - 1079 auxiliary - 332 post ]
+ -- --=[ 556 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]

msf5 >
New modules (2)
- File Sharing Wizard - POST SEH Overflow by Dean Welch and x00pwn, which exploits CVE-2019-16724
- Windows Silent Process Exit Persistence by Mithun Shanbhag and Brendan Watters
Enhancements and features
- PR #12398 by nsa adds documentation for the
- PR #12368 by h00die adds documentation for the
- PR #12396 by bwatters-r7 updates metasploit-payloads to version 1.3.78, which adds support for key event management in Java payloads.
- PR #12388 by zeroSteiner adds metadata to the SMB client library, which enables detection of required signatures for incoming connections to the target host.
- PR #12432 by busterb fixes a false negative bug in the BlueKeep scanner by checking the length of the result from an rdp_recv call in the RDP library.
- PR #12404 by bcoles fixes a bug with the shell session handler that resulted in unexpected deletion of directories when the path contained a space.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
We recently announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions).