Metasploit Wrap-Up
Powershell Express Delivery
The web_delivery module is often used to deliver a payload during post exploitation by quickly firing up a local web server. Since it does not write anything on target’s disk, payloads are less likely to be caught by anti-virus protections. However, since Microsoft added Antimalware Scan Interface (AMSI) protection to defend from attacks performed by scripting languages, it started to get harder to successfully execute Powershell payloads with web_delivery. Fortunately for us, community contributor phra added support for a Powershell AMSI bypass to web_delivery module. Note that this bypass has been added to the rex-powershell library by the same community member earlier this year (here and here).
Everybody loves Pre-Auth RCE
Community contributor mekhalleh added an exploit module that gains unauthenticated remote code execution in vBulletin v5.0.0 through v5.5.4. This zero-day vulnerability was recently disclosed and takes advantage of a flaw in vBulletin widget creation functionality. Arbitrary commands can be executed by sending an HTTP POST request with specially crafted parameters. Two POST data parameters need to be set: routestring=ajax/render/widget_php
and widgetConfig[code]=<your command>
.
Abusing headless Chrome
Since Chrome 59, it is possible to run in headless mode and take advantage of all modern web platform features from command line without actually launching the browser UI. It is particularly useful for debugging, but it can lead to some security issues when not configured correctly. Community contributor nstarke added an auxiliary module that primarily aims to retrieve arbitrary files off the remote target by abusing misconfigured headless Chrome sessions. This module is also able to make web requests from the remote machine and send back the content.
What’s Up, Doc?
Community contributor kenlacroix (Kenneth LaCroix) added documentation for five more modules this week. Adding missing documentation is always great, especially for people that are new to Metasploit. This is something we wanted to call out this week, so, thank you!
New modules (3)
- vBulletin widgetConfig RCE by mekhalleh (RAMELLA Sébastien), which exploits CVE-2019-16759, anonymously disclosed on Full Disclosure mailing list
- Chrome Debugger Arbitrary File Read / Arbitrary Web Request by evilpacket (Adam Baldwin) and nstarke (Nicholas Starke)
- BSD Dump Password Hashes by bcoles
Enhancements and features
- PR #12679 by bcoles removes
file_local_digestsha1
,file_local_digestsha2
andfile_local_digestmd5
methods from the Post::File API - PR #12675 by busterb updates Kiwi extension with latest Mimikatz
- PR #12668 by busterb adds several improvements to Meterpreter (see this Releases Notes for details)
- PR #12663 by jmartin-r7 updates methods for reporting data to the DB
- PR #12662 by HenryHoggard updates
post/multi/gather/gpg_creds
module to support gathering of GPG version 2.1+ keys - PR #12561 by busterb adds several memory utilization improvements
- PR #12446 by phra adds support for a powershell AMSI bypass which enables the web_delivery module to bypass Windows defender on Windows 10
Bugs fixed
- PR #12699 by busterb fixes an issue for payloads that utilize UUIDS
- PR #12695 by adamgalway-r7 fixes incorrect check status for auxiliary modules returned by search
- PR #12686 by phra fixes an issue with
msfvenom
exiting before trying all encoders (reported by phra in #12685) - PR #12673 by FenixH fixes an issue in the credentials RPC command to avoid a Nil object dereference and some minor bugs in the autoroute and web_delivery modules (reported by FenixH in #12460)
- PR #12672 by cdelafuente-r7 fixes an issue in the
OptString
validation method - PR #12666 by cnotin cleans up the
%WINDIR%
environment variable before calling the PowerShell payload inexploit/windows/local/bypassuac_silentcleanup
module (reported by cnotin in #12665) - PR #12614 by MangyCoyote fixes an issue in
post/multi/gather/ssh_creds
module when reading files (reported by MangyCoyote in #12609) - PR #12577 by Green-m fixes an issue with
linux/redis/redis_unauth_exec
module when the module cannot bind to a NATed or load-balanced address
Get it
As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:
- Pull Requests 5.0.63…5.0.64
- Full diff 5.0.63…5.0.64
We recently announced the release of Metasploit 5. You can get it by cloning
the Metasploit Framework repo (master branch). To install fresh without using git,
you can use the open-source-only Nightly Installers or the binary installers
(which also include the commercial editions).