Last updated at Fri, 28 Feb 2020 20:14:13 GMT
Android Binder Use-After-Free
@timwr added a a module that exploits CVE-2019-2215, which is a local privilege escalation vulnerability targeting Binder, the main Inter-Process Communication system in Android. If delivered via the web, only a paired renderer exploit is required, because it is accessible through the sandbox. Three malicious apps disguised as photography and file manager tools were found on the Google Play Store that exploit this vulnerability. There are a number of Android devices, including the Pixel 2 with Android 9 and 10, that are affected. Currently this module works on the Pixel 2 (and Pixel 2 XL) with the September 2019 Security patch level.
OpenNetAdmin 18.1.1 Remote Code Execution
Contributor Onur ER added a Metasploit module exploiting a remote code execution vulnerability in OpenNetAdmin 18.1.1. OpenNetAdmin is a tool for managing IP inventory. Each subnet, host, and IP can be tracked via an AJAX enabled web interface. OpenNetAdmin also provides a full CLI interface for convenience when scripting and performing bulk work. The exploit performs command injection by taking advantage of lacking input validation. Authentication is not required.
Overheard in the Metasploit office this week
Might as well, since you're there...
"Person A: I really appreciate your ‘when in Rome’ coding style changes. Person B: haha I try to blend in as much as I can"
When "self-commenting" code doesn't cut it...
"At least when you see some disclaimer comments you know that the person who wrote it knew that it was bad. When you don't see any comments at all, it’s natural to think that they legitimately thought it was a good idea."
So many blogs, so little time...
"My inability to understand Ruby dependencies has once again caused me to fall in a rabbit hole, and I'm tired of wasting time reading 12 blogs that tell me 12 ways to do this because each one is subtly smarter."
New modules (2)
Android Binder Use-After-Free Exploit by Jann Horn, Maddie Stone, grant-h, and timwr, which exploits CVE-2019-2215
OpenNetAdmin Ping Command Injection by Onur ER and mattpascoe
Enhancements and features
PR 13005 from adfoster-r7 adds
pry-byebugto offer a more fulfilling interactive debugging experience for Metasploit developers.
PR 12995 from cdelafuente-r7 adds support for SMBv2 to the pipe auditor auxiliary module.
PR 12978 from Adrian Vollmer adds options to support earlier additions to rex-powershell allowing for rc4 encoding on powershell payloads.
PR 12964 from adamgalway-r7 adds RPC endpoint that returns the total number of modules in the ready, running, & results states.
PR 12960 from dwelch-r7 adds support for job results to be deleted after a period of 5 minutes of being un-acked by a json rpc client.
PR 12916 from wvu-r7 adds support for colorized HttpTrace output, with an additional HttpTraceHeadersOnly option to only show HTTP headers when HttpTrace is enabled.
PR 12865 from b4rtik adds additional functionality and options to the reflective_dll_injection module to make it more flexible and useful with 3rd party DLLs.
PR 12002 from sempervictus adds a new ssh transport for payloads and a new ssh payload.
PR 12921 from 0x44434241 fixes the check method for
PR 12976 from adfoster-r7 adds additional logging to Metasploit's PostgreSQL protocol client when it encounters an unknown authentication type, rather than raising an exception later.
As always, you can update to the latest Metasploit Framework with
msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a
git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).