In this week's round of modules, contributor bcoles offered up two modules to leverage that Apache Flink install you found in some fun new ways. If you are just looking to filch a few files, auxiliary/scanner/http/apache_flink_jobmanager_traversal leverages CVE-2020-17519 to pilfer the filesystem on Flink versions 1.11.0 thru 1.11.2. The second module, for a litte extra fun, exploit/multi/http/apache_flink_jar_upload_exec utilizes the job functionality in Flink to run arbitrary java code as the web server user, turns out there is a meterpreter for that!

RDP: a dream and a nightmare for the sysAdmin near you.

Ever wonder if exposing a remote desktop in a web page was a good idea? I mean, it's just a web server, the internet loves those. Turns out timing attacks can expose your usernames when someone chooses to pay close attention. A recently contributed module auxiliary/scanner/http/rdp_web_login contributed by Matthew Dunn can even pay attention for you. Using the module you can now enumerate users by setting a few options.

Have you heard of herpaderping?

For those that have, Metasploit now has a new toy for you. Christophe De La Fuente built on some great research by Johnny Shaw, to bring this technique to Metasploit. Using the new evasion/windows/process_herpaderping module, you too can generate Windows PE files that hide the code behind the curtain, if you will, when executed on a target.

Join the community.

For anyone interested in working with Metasploit in this year's Google Summer of Code, you'll have to wait until March 9th to find out if we've been accepted as mentors. However, you can get a head start by checking out our current project shortlist. Said shortlist is still being worked on, and applicants can suggest their own project ideas, so get looking and see what jumps out at you!

New Modules (4)

Enhancements and features

  • #14784 from bcoles This fixes a bug in the ScadaBR credential dumping module that prevented it from processing response data.

  • #14617 from zeroSteiner The core Meterpreter and console libraries have been updated to better handle cases where a given implementation of Meterpreter may not support a certain command. Now instead of each version of Meterpreter trying to handle invalid commands, which previously lead to errors, they will instead check if they support that command and then will throw an error message if they do not support that command. Additionally, the output from running the help or ? command inside the meterpreter prompt has been updated so as to not display a command that a given Meterpreter implementation does not support. Tests have also been updated accordingly to support checking this functionality works as expected.

  • #14670 from adfoster-r7 Word wrapping of Rex tables is now enabled by default for all Rex tables except for those output by the creds and search commands. This feature can optionally be turned off by issuing the features set wrapped_tables false command.

  • #14735 from adfoster-r7 Updates have been made to require all new modules to now pass RuboCop and msftidy.rb checks prior to being merged into the framework. These checks will now be run automatically on PRs to detect issues rather than users having to run these tools manually to detect code quality issues within their contributions.

  • #14740 from zeroSteiner This makes a few improvements to the CVE-2021-3156 and adds a couple of features that were left out of the first submission due to time constraints (e.g cleanup and randomisation of the payload library).

Bugs Fixed

  • #14748 from cdelafuente-r7 A bug has been fixed in the Auxiliary::AuthBrute that caused a crash when the DB_ALL_USERS or DB_ALL_PASS options were set. This has now been addressed.
  • #14789 from zeroSteiner A bug has been fixed whereby Meterpreter sessions were incorrectly being validated due to the fact that TLV encryption for the session would take place before session verification. The fix now considers Meterpreter sessions valid if they successfully negotiate TLV encryption. This fix also removes the AutoVerifySession datastore option since all valid Meterpreter instances should negotiate TLV encryption automatically.
  • #14802 from dwelch-r7 A bug within the Kiwi library has been fixed whereby commands passed to Kiwi via the kiwi_cmd command in Metasploit where not being properly enclosed in double quotes, which could lead to Kiwi thinking the user had passed it two separate commands to execute rather than one space separated command.
  • #14812 from dwelch-r7 Restores missing requires for sock5 proxy support.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).