Hey, who finked about Flink?
In this week's round of modules, contributor bcoles offered up two modules to leverage that Apache Flink install you found in some fun new ways. If you are just looking to filch a few files, auxiliary/scanner/http/apache_flink_jobmanager_traversal leverages CVE-2020-17519 to pilfer files from the filesystem on Flink versions 1.11.0 through 1.11.2. The second module, for a little extra fun, exploit/multi/http/apache_flink_jar_upload_exec utilizes the job functionality in Flink to run arbitrary Java code as the web server user. Turns out there is a Meterpreter for that!
RDP: a dream and a nightmare for the sysadmin near you.
Ever wonder if exposing a remote desktop in a web page was a good idea? I mean, it's just a web server, and the internet loves those. Turns out timing attacks can expose your usernames when someone chooses to pay close attention. A recently contributed module, auxiliary/scanner/http/rdp_web_login by Matthew Dunn, can even pay attention for you. Using the module you can now enumerate users by setting a few options.
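The timing side channel such a module relies on, as an added example that is not part of the original post and not the module's own code: a constructed Python simulation of a login handler that only does the expensive password work when the username exists, its constant-cost counterpart, and the scanner-side logic that compares each candidate's median response time against a baseline taken from a username known not to exist. The user database, salt, iteration count, threshold factor and function names are all assumptions made for the demo; it does not reproduce RD Web Client's actual implementation.

```python
import hashlib
import hmac
import statistics
import time

# Constructed demo data: a fixed salt and two accounts. Not real credentials.
_SALT = b"constructed-demo-salt"
_ITERATIONS = 20_000


def _password_hash(password: str) -> bytes:
    """Deliberately expensive: this is the work whose presence or absence leaks."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {
    "alice": _password_hash("correct horse battery staple"),
    "bob": _password_hash("hunter2"),
}

# Precomputed once so the hardened handler never branches on user existence.
_DUMMY_HASH = _password_hash("dummy-password-for-unknown-users")


def login_leaky(username: str, password: str) -> bool:
    """Vulnerable pattern: unknown users short-circuit before the hash,
    so a valid username takes measurably longer than an unknown one."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _password_hash(password))


def login_constant(username: str, password: str) -> bool:
    """Hardened pattern: always hash and compare (against a dummy hash when the
    user is unknown), so response time no longer depends on whether the username
    exists. Guessing the dummy password must still fail for an unknown user."""
    stored = USERS.get(username, _DUMMY_HASH)
    digest_ok = hmac.compare_digest(stored, _password_hash(password))
    return digest_ok and username in USERS


def median_response_time(login, username: str, samples: int = 5) -> float:
    """Scanner side: median wall-clock time of several failed logins
    (the median resists the occasional scheduling hiccup)."""
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        login(username, "definitely-the-wrong-password")
        timings.append(time.perf_counter() - start)
    return statistics.median(timings)


def enumerate_users(login, candidates, baseline_user="zz-no-such-user-zz", factor=3.0):
    """Flag candidates whose median response time exceeds `factor` times the
    baseline measured for a username assumed not to exist."""
    baseline = median_response_time(login, baseline_user)
    return [u for u in candidates if median_response_time(login, u) > factor * baseline]


if __name__ == "__main__":
    wordlist = ["alice", "bob", "carol"]
    print("leaky handler    ->", enumerate_users(login_leaky, wordlist))
    print("constant handler ->", enumerate_users(login_constant, wordlist))
```

Against the leaky handler the scanner recovers alice and bob from the wordlist because their failed logins cost a full PBKDF2 run while carol's returns after a dictionary lookup; against the constant-cost handler every candidate sits near the baseline and nothing is flagged. Real scanners do the same thing over the network, where the threshold has to be calibrated against latency jitter rather than a fixed factor.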
Have you heard of herpaderping?
For those that have, Metasploit now has a new toy for you. Christophe De La Fuente built on some great research by Johnny Shaw to bring this technique to Metasploit. Using the new evasion/windows/process_herpaderping module, you too can generate Windows PE files that hide the code behind the curtain, if you will, when executed on a target.
Join the community.
For anyone interested in working with Metasploit in this year's Google Summer of Code, you'll have to wait until March 9th to find out if we've been accepted as mentors. However, you can get a head start by checking out our current project shortlist. Said shortlist is still being worked on, and applicants can suggest their own project ideas, so get looking and see what jumps out at you!
New Modules (4)
- Apache Flink JobManager Traversal by 0rich1 - Ant Security FG Lab, Hoa Nguyen - Suncsr Team, and bcoles, which exploits CVE-2020-17519, adds an auxiliary module that leverages the directory traversal vulnerability within Apache Flink to recover files from the affected server. This vulnerability does not require authentication.
- Apache Flink JAR Upload Java Code Execution by Henry Chen, bcoles, and bigger.wing, adds an exploit module that leverages Apache Flink to upload and run an arbitrary JAR file.
- Microsoft RDP Web Client Login Enumeration by Matthew Dunn, adds a scanner module that leverages the timing behavior of the RDP web client authentication process to determine valid users.
- Process Herpaderping evasion technique by Christophe De La Fuente and Johnny Shaw, adds an evasion module that takes advantage of the Process Herpaderping evasion technique.
Enhancements and features
- #14617 from zeroSteiner: The core Meterpreter and console libraries have been updated to better handle cases where a given implementation of Meterpreter may not support a certain command. Instead of each version of Meterpreter trying to handle invalid commands, which previously led to errors, each implementation now checks whether it supports the command and returns an error message if it does not. Additionally, the output of the ? command inside the meterpreter prompt has been updated so as not to display commands that the current Meterpreter implementation does not support. Tests have also been updated accordingly to check that this functionality works as expected.
- #14670 from adfoster-r7: Word wrapping of Rex tables is now enabled by default for all Rex tables except those output by the search command. This feature can optionally be turned off by issuing the features set wrapped_tables false command.
- #14735 from adfoster-r7: All new modules are now required to pass RuboCop and msftidy.rb checks prior to being merged into the framework. These checks run automatically on PRs, rather than contributors having to run the tools manually to detect code quality issues in their contributions.
- #14740 from zeroSteiner: This makes a few improvements to the CVE-2021-3156 module and adds a couple of features that were left out of the first submission due to time constraints (e.g. cleanup and randomisation of the payload library).
Bugs fixed
- #14748 from cdelafuente-r7: A bug has been fixed in Auxiliary::AuthBrute that caused a crash when the DB_ALL_PASS option was set.
- #14789 from zeroSteiner: A bug has been fixed whereby Meterpreter sessions were incorrectly being validated, because TLV encryption for the session was negotiated before session verification took place. Meterpreter sessions are now considered valid once they successfully negotiate TLV encryption. This fix also removes the AutoVerifySession datastore option, since all valid Meterpreter instances negotiate TLV encryption automatically.
- #14802 from dwelch-r7: A bug within the Kiwi library has been fixed whereby commands passed to Kiwi via the kiwi_cmd command in Metasploit were not being properly enclosed in double quotes, which could lead to Kiwi treating a single space-separated command as two separate commands to execute.
- #14812 from dwelch-r7: Restores missing requires for SOCKS5 proxy support.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).