It’s a special day here in the U.S.. This morning, media folks were hovering over a specific rodent living in an eastern state to discover that we are in for six more weeks of winter, apparently.
¯\_(ツ)_/¯ Guess we’ll stay inside and work on Metasploit…
EternalSunshine of the Security Minded
If you’re still following along since the Shadow Broker’s leak last April, then we’ve got two new modules just for you. Courtesy of contributor zerosum0x0, both modules exploit MS17-010 vulnerabities via EternalRomance, EternalSynergy, and EternalChampion. You can use auxiliary/admin/smb/ms17_010_command.rb for command execution on a vulnerable Windows target, or if code execution is more your jam, check out exploits/windows/smb/ms17_010_psexec.rb. The exploit chain in both modules is considered more reliable than EternalBlue, requires the target have a named pipe and SMBv1 enabled, and it works against any version of Windows!
Did the Oracle Foretell this RCE…?
From the keystrokes of kkirsche comes a new module targeting certain versions of Oracle WebLogic Server. The vulnerability lies within the WLS WSAT component, where one can get unauthenticated remote code execution via an XML deserialization. Just make sure you target a vulnerable version, of course...
A Rising Tide Lifts All Privs
From the “I was only trying to help!” file comes a tale of two Linux utilities designed to provide developers with valuable info related to application crashes. Vulnerable versions of apport (Ubuntu) and ABRT (Fedora) each can be cajoled into running a specially crafted executable, leaving you with root privs. This new module from bcoles will even kick off a payload for you, too!
Exploit modules (5 new)
- Apport / ABRT chroot Privilege Escalation by Brendan Coles, Ricardo F. Teixeira, Stéphane Graber, and Tavis Ormandy, which exploits CVE-2015-1318
- Oracle WebLogic wls-wsat Component Deserialization RCE by Alexey Tyurin, Federico Dotta, Kevin Kirsche, and Luffin, which exploits CVE-2017-10271
- BMC Server Automation RSCD Agent NSH Remote Command Execution by Nicky Bloor (@NickstaDB) and Olga Yanushkevich, ERNW, which exploits CVE-2016-1543
- Dup Scout Enterprise v10.4.16 - Import Command Buffer Overflow by Daniel Teixeira, which exploits CVE-2017-7310
- MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution by Equation Group, Shadow Brokers, sleepya, and zerosum0x0, which exploits CVE-2017-0147
Auxiliary and post modules (2 new)
- MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution by Equation Group, Shadow Brokers, sleepya, and zerosum0x0, which exploits CVE-2017-0147
- Brother Debut http Denial Of Service by h00die and z00n, which exploits CVE-2017-16249
- ssl labs scanner update to work with newer API (and be more resilient to future API updates)
- setuid_nmap module update to work with shell sessions (no longer just Meterpreter sessions)
- php meterpreter fix to ensure ithe payload properly stages and loads stdapi
- Docker image update to support python modules
- Windows Meterpreter fix when using HTTP Proxy Authentication with reverse_http stagers
- payload test coverage increased
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
To install fresh, check out the open-source-only Nightly Installers,
or the binary installers which also include the commercial
editions. PLEASE NOTE that these installers, and Metasploit
Framework versions included in distros such as Kali, Parrot, etc.,
are based off the stable Metasploit 4 branch. If you'd like to try out
the newer things going into Metasploit 5, that work is
available in the master branch of the Metasploit Framework repo on GitHub.