Happy HaXmas, friends and foes (substitute your nouns of choice here). The Metasploit team kicked off 2019 with the release of MSF 5, marking our first major version release since 2011. Since that announcement, we’ve published six pieces of research, merged more than 180 modules, released a few sweet payload- and cracking-related features, and learned more than we thought we’d want to know about RDP. We’ve also been working on a secret project whose debut you can expect sometime in early 2020. If you have opinions on why not all vulnerabilities are equal (and can prove it), ask us for early access.
In no particular order, here’s a smattering of the year’s Metasploit Framework highlights. As ever, we’re grateful to and for the community that keeps us going strong. You can relive 2018’s best Metasploit moments here.
- A serial problem: Metasploit’s R+D team noticed an uptick in exploit module PRs targeting Java deserialization vulnerabilities in 2018 and early 2019. In March of this year, we published a research paper on exposure and practical exploitation of Java Serialized Objects (JSOs); we also added new library code to Framework to support generation of ysoserial-based objects for exploitation, research, and testing.
- Dear Diary, today we hacked the planet. We’ve been testing out a little research experiment this year: The Metasploit Development Diaries series chronicles the process of analyzing vulnerabilities and exploitable conditions in all their nascent forms (PoC, PRs, crashes, overpowered features) and turning them into stable, seasoned Metasploit modules. Over the course of the year, we’ve analyzed the vulns behind community contributions for enterprise software, open-source frameworks, researcher-discovered 0day, and Cisco’s RV130 router. More recently, Metasploit researcher William Vu wrote about open-source command and control of the Equation Group's DOUBLEPULSAR implant for SMB.
- Understanding Ubiquiti discovery service exposures: In January 2019, we noted community reports that Ubiquiti devices were being exploited to conduct DoS attacks. Metasploit and Rapid7 Labs teamed up to illustrate exposure (498,624 unique IPv4s with port 10001/UDP open) and release a Metasploit module for further discovery.
Have feedback about what you’d like to see from Metasploit’s research team in 2020? Let us know.
Feature releases and major enhancements
One ping only, please: In August, we introduced a new, non-interactive payload type that provides users with confirmation of remote execution on a target—and absolutely nothing else. Unlike typical interactive sessions, pingback payloads provide limited “pingback” functionality that verifies target exploitability without loading a shell.
Encrypted and authenticated C shells: In November, Metasploit researcher Shelby Pace added the first round of encrypted payloads to Framework. These new payloads are compiled on the fly from generated C code using the Mingw-w64 toolchain on the user’s system; they communicate over an encrypted connection using the ChaCha20 cipher and can generate a random authentication key every time the payload is used (even rejecting unauthenticated connections!).
Password cracking overhaul: Metasploit contributor and longtime friend h00die gave Framework users the gift of not one, but two epic password-cracking overhauls this year—first a facelift for John the Ripper modules and later a total transformation of our password-cracking integration, complete with added support for hashcat.
(De)serialization exploits: The serialized object exploitation guide we published in March focused on Java deserialization vulnerabilities and some of the exploit PRs we’d seen targeting them. Since then, Metasploit has added half a dozen more deserialization exploits outside the Java realm to encompass Ruby and PHP, among others.
Quintuple evasion: We introduced the evasion module type in October 2018 along with a research-backed framework for developers to build their own evasive modules. As expected, most evasion modules remained squirreled away in private Metasploit branches to maximize their utility in stealth operations. Contributor Nick Tyrer bucked that trend this summer with five evasion module PRs, each of which leverages a trusted Windows binary to bypass software restriction policies and execute user-supplied code under the radar.
Think globally, escalate locally: Last year’s wrap-up noted that Metasploit gained quite a bit in the way of local privilege escalations in 2018. This year followed that same pattern, as contributors added more than a dozen LPEs covering Windows 10, macOS, FreeBSD, AIX, Cisco Prime Infrastructure, Exim, and more.
VPN router and web VPN exploits: Web VPN vulnerabilities were a hot topic during Black Hat and DEF CON this year, thanks largely to two excellent talks by Orange Tsai and Meh Chang. Metasploit gained modules for Pulse Secure VPN (arbitrary file disclosure, which exploits CVE-2019-11510, and arbitrary command execution, which exploits CVE-2019-11539; credit to wvu, Alyssa Herrera, and Justin Wagner). The command execution module adds a post-auth remote root exploit against Pulse Secure VPN servers, bypassing the software's application whitelisting by using the env(1) command. Users can leverage access gained via the file disclosure module to authenticate the exploit without foreknowledge of credentials. We also incorporated a Fortinet SSL VPN bruteforce login scanner module from Max Michels that tests credentials on FortiGate servers, and a slew of additional targets for the Cisco VPN router exploits courtesy of Quentin Kaiser (Cisco RV130W management interface RCE, plus RV110W and RV215W, all of which exploit CVE-2019-1663).
Notable 2019 content
Into the wild blue yonder
The hottest modules of the year were, of course, the community-developed remote scanner and exploit modules for CVE-2019-0708, better known as BlueKeep. The pull request containing the former, courtesy of notable Metasploit contributor zerosum0x0 and JaGoTu, appeared a mere eight days after Microsoft’s May Patch Tuesday bulletin announced the vuln to the wider world. The initial exploit code was also a contribution from zerosum0x0 and Ryan Hanson; nearly a dozen researchers, committers, and team members collaborated on porting the exploit to Ruby, along with testing and integration. As a result of the exploit development process, we also added an improved general-purpose RDP protocol library and enhanced RDP fingerprinting capabilities, both of which we expect will benefit Metasploit developers in the near future. Read Brent Cook’s notes on BlueKeep exploitation and detection here.
Notable aux and post modules
Exploits tend to hog the limelight, but that doesn’t necessarily mean they should. Some of Metasploit’s most interesting and versatile modules fall into the auxiliary and post-exploitation categories, and 2019 was a particularly cool year for neat non-exploit content. A few of our favorites are below:
- Chrome Gather Cookies by mangopdf: This module uses Chrome's remote debugging protocol to read all cookies from the user's default Chrome profile. It launches a headless (hidden) Chrome instance with remote debugging enabled and opens an HTML file that makes requests to the remote debugging service; the HTML requests the cookies and logs the output to a file, which the module later retrieves.
- Windows Gather PSReadline History by Garvit Dewan: Everyone knows the best way to get to know someone is to read their shell history. Thanks to a convenient tweet by Nikhil Mittal, contributor Garvit Dewan added this nifty post module to gather PSReadline history. You might be surprised at what you'll find!
- APT Package Manager Persistence and Yum Package Manager Persistence by Aaron Ringo: Most Linux machines come pre-installed with package managers. Community member aringo turned that knowledge into two modules for setting up persistence via yum and apt, which give users with privileged access an easy method for getting back in using tools that have a high likelihood of being present.
- GTP Echo Scanner by Daniel Mende and Spencer McIntyre: A port of Daniel Mende's (released under the BSD license) gtp-scan.py utility allows Metasploit users to scan for GPRS servers by sending GTP-U v1 and v2 echo requests.
- IBM BigFix Relay Server Sites and Package Enum by Chris Bellows, HD Moore, Jacob Robles, and Ryan Hanson, which exploits CVE-2019-4061: Some IBM BigFix servers can be used for data exfiltration if they are not set to require authentication when used as an external relay. If you run one of these, check out HD’s blog and make hackers sad. If you find one on a pen test, we’ve got you covered.
Exploits for the exploit god
Ah, exploits: The meat to our (juicy) potatoes. The load-bearing walls for our happy hacker house. The backbone of our vertebrate existence. The cookies to our milk (although arguably, milk is like, more nourishing and protein-rich? Help, this metaphor is falling apart). Exploits are still Metasploit’s roots in many ways, and they’re still super fun to boot. Here are some of our favorites from 2019, though as always, we could extend this list to infinity.
- Jenkins ACL Bypass and Metaprogramming RCE by wvu and Orange Tsai, which exploits CVE-2019-1003002: This was a nice addition earlier in the year. Jenkins versions 2.137 and earlier allow users to bypass the access controls and reprogram Groovy documents to download and run JAR files … like, you know, Metasploit’s Java Meterpreter.
- PostgreSQL COPY FROM PROGRAM Command Execution by Jacob Wilkin, which exploits CVE-2019-9193: One of Rapid7’s pen testers let us know this module treated him nicely on a recent engagement; it exploits PostgreSQL >= 9.3, given there are known credentials and the pg_execute_server_program default role is enabled for the user.
- Windows Net-NTLMv2 Reflection DCOM/RPC (Juicy Potato) by FoxGloveSec, breenmachine, decoder, lupman, ohpe, and phra, which exploits CVE-2016-3225: A weaponized implementation of RottenPotatoNG that abuses Microsoft’s token handling to escalate privileges from a Windows service account to NT AUTHORITY\SYSTEM.
- LibreOffice Macro Code Execution by Alex Inführ and Shelby Pace, which exploits CVE-2018-16858: LibreOffice has its share of macro-based exploit opportunities, but they often get overshadowed by higher-profile targets (like Microsoft Office). Metasploit researcher Shelby Pace turned a community PoC into a stable exploit.
- Generic Zip Slip Traversal Vulnerability by sinn3r and Snyk: This targets a simple yet widespread vulnerability that has been seen affecting a variety of popular products (e.g., HP, Amazon, Apache, Cisco). The highlight here is that often archive extraction libraries have no mitigations against directory traversal attacks. If an application uses a vulnerable library, there is a risk of opening an archive that is maliciously modified; the result is that an embedded payload is written to an arbitrary location (such as a web root), which leads to remote code execution.
- RARLAB WinRAR ACE Format Input Validation Remote Code Execution by ide0x90, which exploits CVE-2018-20250: Exploits a path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path. WinRAR is pervasive and generally used with files that super shouldn’t be trusted (e.g., torrented movie files, cracked software, and so on).
- Webmin password_change.cgi Backdoor by wvu and AkkuS, which exploits CVE-2019-15107: The full context of this Webmin vuln lives here, but the TL;DR is that Webmin’s source code was maliciously modified with a backdoor; in version 1.890, anyone with knowledge of the backdoor could execute commands as root. Versions 1.900 to 1.920 also contained a backdoor using similar code, but it was not exploitable in a default Webmin install.
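The Zip Slip and WinRAR ACE entries above are the same bug in two formats: the extractor trusts the filename inside the archive and never checks that the write stays under the destination directory. As an added example (written here, not code from either module or from any extraction library), this is the confinement check an extractor should apply to every entry before opening a file for writing. The entry names are constructed; the check is lexical, so it never touches the filesystem.

```ruby
# Added example; not Metasploit or library code. Decides, for each archive
# entry name, whether writing it would stay inside the destination directory.
# Entry names below are constructed samples.

# Returns the absolute path the entry may be written to, or nil if the name
# would escape `dest`. Backslashes are normalised first because archives carry
# names written on Windows, and an extractor on either platform must treat
# "..\" exactly like "../" (the ACE filename-field case).
def confined_path(dest, entry_name)
  name = entry_name.tr("\\", "/")
  return nil if name.empty? || name.include?("\0")
  return nil if name.start_with?("/") || name.match?(/\A[A-Za-z]:/)  # absolute or drive-letter path
  parts = []
  name.split("/").each do |seg|
    next if seg.empty? || seg == "."
    if seg == ".."
      return nil if parts.empty?   # would climb above dest
      parts.pop
    else
      parts << seg
    end
  end
  return nil if parts.empty?       # nothing to write
  File.join(File.expand_path(dest), *parts)
end

# Splits an archive listing into entries that may be written and those that
# must be rejected. Real extractors must additionally refuse to write through a
# symlink that an earlier entry in the same archive created; that needs the
# filesystem and is out of scope here.
def triage_entries(dest, names)
  ok, bad = names.partition { |n| confined_path(dest, n) }
  { allowed: ok.map { |n| [n, confined_path(dest, n)] }, rejected: bad }
end

# Constructed listing mixing benign names with the traversal shapes the text
# describes (a relative climb to a web root, a backslash climb, absolute paths).
SAMPLE_ENTRIES = [
  "readme.txt",
  "docs/../docs/guide.pdf",          # ".." that stays inside: allowed
  "../../var/www/html/shell.jsp",    # classic Zip Slip
  "..\\..\\outside.txt",             # same climb with Windows separators
  "/tmp/absolute.txt",               # absolute path
  "C:\\Windows\\hosts.txt",          # drive-letter path
  "subdir/./nested/file.bin",
].freeze

if __FILE__ == $0
  r = triage_entries("/srv/extract", SAMPLE_ENTRIES)
  r[:allowed].each { |n, path| puts "write   #{n} -> #{path}" }
  r[:rejected].each { |n| puts "reject  #{n}" }
end
```

Walking the segments yourself, rather than resolving the joined path and comparing prefixes, sidesteps two common mistakes: a bare prefix test that lets "/srv/out" accept "/srv/outside/x", and path-expansion helpers that interpret a leading "~" as a home directory.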
A2K19 Global Hackathon (Austin, TX): We’ve never had a global committer hackathon in Metasploit’s hometown, so the local team had a blast this year with a half-dozen committers (and twice as many staff members and friends) who made the trek to Austin from across the country and the world. A number of hackathon participants wrote up their reports from the weekend here; you can also check out the a2k19 label on GitHub to see all the code that came out of our first Texas hack-party.
Open-Source Security Meetup (OSSM) @ DEF CON 27: As we have in previous years, we hosted a weekend-long series of open-source “office hours” in Las Vegas this summer, where we chatted to Metasploit users and developers about their MSF desires. This time around, we also had a couple afternoons of quiet time where we sat down with trusted committers to get a Ruby BlueKeep exploit working and stable enough to PR. Our thanks to everyone who visited us in Vegas, especially the first-timers.
DerbyCon Town Hall Finale: HackingDave and the DerbyCon team were gracious enough to invite us back to Louisville for the fifth and final Metasploit Town Hall in September. Offering ourselves up to a crowd of hackers and hecklers in Louisville has been one of our favorite annual traditions these past few years; this year saw fewer questions than usual, possibly because folks were eager to get out of the auditorium and play with the surprise reveal from the talk. We’ll probably be looking for a new con to host the town hall in future years now that Derby has sung its swan song. If you have an idea of a community-centric con that might be a good fit for Metasploit collaboration, let us know! In the meantime, thanks for all the shells.
One more thing: Yes, we’ll be hosting a CTF game, though it won’t quite make the cutoff for 2019. Look out for an announcement in the first few weeks of January for registration and details!
And finally ... we’re hiring!
Still with us? All this sounding pretty good? The Metasploit team is hiring software engineers to join our newest Framework core engineering team in Belfast, and exploit developers/senior researchers to jam with the U.S.-based crew anchored in Austin. If you’re local to Belfast and excited about building the next iteration of Metasploit Framework, apply here or reach out to Brent Cook. Have a body of exploit development work and opinions on which vulnerabilities are most useful to attackers (or overhyped, for that matter)? Reach out to me (remote options available for senior folks).
Happy HaXmas, friends!