Metasploit Wrap-Up: 8/7/20

Last updated at Thu, 25 Jan 2024 01:05:07 GMT

Metasploit 6 is in progress!!!

It's here (at least in baby form)! Yesterday we announced that Metasploit Framework 6.0 is under active development and is available now for testing. Initial features include end-to-end encryption of Meterpreter communications, SMBv3 client support, and a new polymorphic payload generation routine for Windows shellcode.

This isn’t a stable major release yet, so users should expect breaking changes and more features in the coming months. Of note: Metasploit 6 includes backwards-incompatible changes for payload communication, so users should not update to Metasploit 6 during active operations unless they are prepared to lose their sessions. We’ve asked Kali and other distros to keep shipping Metasploit 5 until 6 is ready for primetime release.

Everything is OSSM

We held our annual open-source security meetup virtually last night in lieu of an in-person gathering in Vegas. While we hope to meet folks IRL at hacker summer camp next year, we were lucky to host a great group on YouTube this time around. The full recording is here and features:

• A look at new Metasploit 6 features with OJ Reeves and Spencer McIntyre
• A primer on how to get started as a Metasploit contributor with longtime Meta-friend h00die
• An overview of Recog (“one of the most underrated open source security projects of all time”) and Rumble Network Discovery’s additions to the project, courtesy of HD Moore
• A summary of LibreSSL, six years later (!) from Brent Cook
• A guided demonstration on writing a login scanner for Metasploit with Spencer McIntyre
• An update on new AttackerKB features and futures with James Barnett

You can't contain me!

We have a brand new privileged Docker container escape from stealthcopter. This escape works by abusing the "notification on release" feature found in Linux cgroup. The exploit should work against any container started with the following flags: --cap-add=SYS_ADMIN, --privileged.

Documalis JPEG buffer overflow

Documalis Free PDF Editor version 5.7.2.26 and Documalis Free PDF Scanner version 5.7.2.122 do not appropriately validate the contents of JPEG images contained within a PDF and now thanks to metacom27 you can now exploit this vulnerability to trigger a buffer overflow on the stack and gain remote code execution as the user running the Documalis Free PDF Editor or Documalis Free PDF Scanner software.

New modules (4)

• Docker Privileged Container Escape by stealthcopter
• Documalis Free PDF Editor and Scanner JPEG Stack Buffer Overflow by metacom and metacom27
• CA Unified Infrastructure Management Nimsoft 7.80 - Remote Buffer Overflow by wetw0rk, which exploits CVE-2020-8012
• Linux Container Enumeration by stealthcopter

Enhancements and features

• PR #13903 from busterb allows allow importing vulnerabilities reported in an OpenVAS scan that do not have a CVE or BID assigned to them.

• PR #13832 from zeroSteiner adds the necessary infrastructure to load and process polymorphic assembly stubs from external data files and uses it to dynamically reorder the instructions for the Block API stub that powers all of the x86 and x64 native Windows payloads.

• PR #13831 from jmartin-r7 updates Metasploit's dependency on Rails from version 4.2.6 to 5.2. Lots of great work from jmartin-r7 and multiple teams on this one!

• PR #13812 from zeroSteiner further unifies PsExec support by adding an ARCH_CMD target to the exploit/windows/smb/psexec module and deprecating auxiliary/admin/smb/psexec_command.

• PR #13764 from zeroSteiner updates the SMB version scanning module that, in addition to host OS information, now reports information such as supported SMB versions, preferred dialect of SMB, SMB 3.1.1 encryption and compression capabilities, server's GUID value and how long the server has been online. This also deprecates the smb1 and smb2 modules.

• PR #13529 from OJ removes the Mimikatz Meterpreter extension in favor of the newer Kiwi extension. The Mimikatz extension name is currently an alias for Kiwi that will print a warning message for a period of time to allow users to smoothly transition to the new workflow. The post/windows/gather/credentials/sso module was also updated to use Kiwi instead of Mimikatz.

• PR #13476 from OJ changes the reflective DLL injection capabilities used by Metasploit for payloads and exploits to resolve functions by either ordinal or name. This allows the Framework to take advantage of recent payload updates that remove string names and instead resolve the necessary values by ordinal. The Framework changes are backwards compatible with Reflective DLLs that use the standard ReflectiveLoader name.

• PR #13432 from OJ adds TLV encryption support for the Python Meterpreter, allowing it to securely communicate with the framework.

• PR #13417 cdelafuente-r7 adds SMBv3 support for client operations. Modules that already used the new SMB client will now be capable of connecting to servers with all 3 SMB v3 dialects (3.0, 3.0.2, 3.1.1). In cases where an SMB 3.x dialect is negotiated, the default behavior will be to encrypt the communications to the server. Users can disable this by setting SMB::AlwaysEncrypt to false.

• PR #13400 from OJ changes the RSA key that is used to negotiate TLV encryption for Meterpreter to being transmitted in the binary DER format instead of the text-based PEM format. This makes the key smaller, easier to process and removes the static "BEGIN PUBLIC KEY" string.

• PR #13194 from h00die improves bloodhound module support, specifically:

  • Updates to sharphound v3
  • Adds the ability to write the exe to disk and run it, this was favored over ps1 due to permissions and policies.
  • Adds the option to EncryptZip, set to true by default. This adds some protection to the file, and the output is stored as a note
  • Adds NoSaveCache option to avoid writing a file to disk and leaving it there
  • Avoids using parameters if they are the default, which makes the command to run (and command passed on the wire) significantly shorter.

• PR #13191 by h00die makes changes to tools/dev/check_external_scripts.rb to include additional JohnTheRipper and sqlmap related files. This allows tools/dev/check_external_scripts.rb, to provide additional assurance that all JohnTheRipper and sqlmap related libraries and configuration files are kept up to date.

Bugs fixed

• PR #13939 by our own gwillcox-r7 fixes an extreme edge case bug where it is possible but unlikely a race condition occurs during a socket read, and the data sent to the postgres parser is of nil value. This verifies the data is not nil before attempting to parse the data.

• PR #13936 from gwillcox-r7 fixes a regression issue. The error message when a module is run with no selected payload has been updated from a generic error message to a more detailed error message.

• PR #13897 from gwillcox-r7 corrects the closing and removal of mountpoints in finesystem.rb. Previously, we failed to return the handle or to close the mountpoint properly.

• PR #13783 from zeroSteiner fixes a bug that came in with updates to recent cryptography changes; previously, we assumed all Java releases would be able to support 256-bit encryption, but some older environments cannot support that. Here, we add AES-128-CBC as an additional option for TLV encryption as a fallback if the remote Java version cannot negotiate 256-bit.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 5.0.101...6.0.0
• Full diff 5.0.101...6.0.0

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).