Eternal Blue improvements
Prior to this release Metasploit offered two separate exploit modules for targeting MS17-010, dubbed Eternal Blue. The Ruby module previously only supported Windows 7, and a separate
ms17_010_eternalblue_win8 Python module would target Windows 8 and above.
Now Metasploit provides a single Ruby exploit module
exploits/windows/smb/ms17_010_eternalblue.rb which has the capability to target Windows 7, Windows 8.1, Windows 2012 R2, and Windows 10. This change removes the need for users to have Python and impacket installed on their host machine, and the automatic targeting functionality will now also make this module easier to run and exploit targets.
The Anti-Malware Scan Interface integrated into Windows poses a lot of challenges for offensive security testing. While bypasses exist and one such technique is integrated directly into Metasploit, the stub itself is identified as malicious. A chicken and egg problem exists due to the stub being incapable of being executed to bypass AMSI and permit the payload from executing. To address this, Metasploit now randomizes the AMSI bypass stub itself. The randomization both obfuscates literal string values that are known qualifiers for AMSI such as
amsiInitFailed as well as shuffles the placement of powershell expressions. With these improvements in place, Powershell payloads are now much more likely to be successfully executed. While the bypass stub is now prepended by default for all exploit modules, it can be explicitly disabled by setting
Powershell::prepend_protections_bypass to false.
VMware vCenter Server RCE
Our very own Will Vu has added a new exploit module targeting VMware vCenter Server CVE-2021-21985. This module exploits Java unsafe reflection and SSRF in the VMware vCenter Server Virtual SAN Health Check plugin's ProxygenController class to execute code as the vsphere-ui user. See the vendor advisory for affected and patched versions. This module has been tested against VMware vCenter Server 6.7 Update 3m (Linux appliance). For testing in your own lab environment, full details are in the module documentation.
New module content (4)
- VMware vCenter Server Virtual SAN Health Check Plugin RCE by wvu and Ricter Z, which exploits CVE-2021-21985 - A new exploit module for VMware vCenter Server CVE-2021-21985 which exploits Java unsafe reflection and SSRF in the VMware vCenter Server Virtual SAN Health Check plugin's ProxygenController class to execute code as the vsphere-ui user.
- Polkit D-Bus Authentication Bypass by Kevin Backhouse, Spencer McIntyre, and jheysel-r7, which exploits CVE-2021-3560 - A new module has been added which exploits CVE-2021-3560, an authentication bypass and local privilege elevation vulnerability in polkit, a toolkit for defining and handling authorizations which is installed by default on many Linux systems. Successful exploitation results in the creation of a new user with
rootpermissions, which can then be used to gain a shell as
root. Note that exploitation requires that users have a non-interactive session on some systems so users may need to gain a SSH session first before exploiting this vulnerability.
- ForgeRock / OpenAM Jato Java Deserialization by Michael Stepankin, Spencer McIntyre, bwatters-r7, and jheysel-r7, which exploits CVE-2021-35464 - A new module has been added which exploits CVE-2021-35464, a pre-authentication Java deserialization vulnerability
in OpenAM and ForgeRock AM. Succcessful exploitation allows for remote code execution as the user running the OpenAM service.
- Windows Process Memory Dump by smashery - This adds a new post module that dumps the memory of any process on the target. This module is able to perform a full or a standard dump. It also downloads the file into the local loot database and delete the temporary file on the target.
Enhancements and features
- #15217 from agalway-r7 - Removes the Python module
ms17_010_eternalblue_win8.pyand consolidates the functionality into
exploits/windows/smb/ms17_010_eternalblue.rb- which as a result can now target Windows 7, Windows 8.1, Windows 2012 R2, and Windows 10. This change now removes the need to have Python installed on the host machine, and the automatic targeting functionality will now make this module easier to run.
- #15254 from zeroSteiner - This updates the AMSI bypass used by modules executing Powershell code to be randomized making it more difficult to be detected using static signatures.
- #15362 from bwatters-r7 - Fixes a regression issue with
post/multi/manage/shell_to_meterpreter, and other interactions with command shell based sessions
- #15420 from adfoster-r7 - Fixes an regression issue were
auxiliary/scanner/ssh/eaton_xpert_backdoorfailed to load correctly
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a
git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).