Metasploit Wrap-Up: 12/19/19

It’s beginning to look a lot like HaXmas, everywhere you go! We have a great selection of gift-wrapped modules this holiday season, sure to have you entertained from one to eight nights, depending on your preference! On a personal note, we here at the Metasploit workshop would like to welcome our newest elf, Spencer McIntyre. Spencer has been a long-time contributor to the project, and we’re thrilled to have him on the team!

In the spirit of giving, space-r7 has provided you the opportunity to give the gift of an XML payload to a deserving Rest API endpoint on OpenMRS, an open-source medical record software system.

Phra got even more personal this year, allowing you to inject a gift of shellcode directly into the memory of a running process in Windows. Teamed with donut, you could spend the entire holiday season in the giving spirit!

If you are looking to feel this spirit on a more permanent basis, look no further than Michael Long’s Bash Profile Persistence Module.

If you are looking to level up this holiday season, try bundling a few CVE’s to stuff containers and elevate with the Comahawk escalation module for Windows, written by tychos_moose.

And finally, possibly the most giving of all, Kenneth LaCroix has channeled his inner Ruby-Nosed-Reindeer to guide us with documentation!

New modules

• Bash Profile Persistence by Michael Long
• OpenMRS Java Deserialization RCE by Nicolas Serra, Shelby Pace, and mpgn, which exploits CVE-2018-19276
• Microsoft UPnP Local Privilege Elevation Vulnerability by NCC Group, bwatters-r7, and hoangprod, which exploits CVE-2019-1405
• Windows Manage Memory Shellcode Injection Module by phra

Enhancements and features

• PR #12740, Remove method call side-effects by jmartin-r7
• PR #12677, Better error when JtR not adequate by pbarry-r7
• PR #12738, add support for Mdm::Module::Ref objects when linking refs to vulns by jmartin-r7
• PR #12702, has_check? for modules by adamgalway-r7
• PR #12517, replace CheckScanner mixin with CheckModule, which works with anything by wvu-r7
• PR #12727, netfilter_priv_esc_ipv4 improvements by bcoles
• PR #12486, Small changes to the host_header_injection aux module by mcantoni

Bugs fixed

• PR #12714, fix encrypted_shell warning by space-r7
• PR #12742, bsd/vax/shell_reverse_tcp style fix by wvu-r7
• PR #12737, further improvements to CheckModule mixin by wvu-r7
• PR #12711, return correct values for credential proxy methods by jmartin-r7

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 5.0.64...5.0.65
• Full diff 5.0.64...5.0.65

We recently announced the release of Metasploit 5. You can get it by cloning
the Metasploit Framework repo (master branch). To install fresh without using git,
you can use the open-source-only Nightly Installers or the binary installers
(which also include the commercial editions).