Meterpreter on Axis
Everyone loves shells, but Meterpreter sessions are always better. Thanks to William Vu, the axis_srv_parhand_rce module is now capable of giving you a Meterpreter session instead of a regular shell with netcat.
DLL Injection for POP/MOV SS
Another awesome improvement is Brendan Watters' work on the POP/MOV SS exploit against Windows (CVE-2018-8897), also known exploits/windows/local/mov_ss.rb. The updated module now allows you to exploit the system in two ways: EXE, and reflective DLL injection.
The first approach is rather simple, the module uploads the actual exploit onto the target system, and then use it to execute another payload. Reflective DLL is much more stealthy about this. Instead of that, the exploit is crafted as a DLL, which is injected into a remote process. This is also a common technique used by Metasploit local exploits, and Meterpreter's metsrv.dll.
If you are curious about how to use Reflective DLL injection, make sure to checkout Brendan's documentation about it here.
If you're in the mood for some web application vulnerabilities, WordPress is always a fun target because there are a lot of third-party plugins to audit and exploit. And here's another one for you: Responsive Thumbnail Slider, or wp_responsive_thumbnail_slider_upload, which allows you to upload a PHP payload through the management page and gain remote code execution.
Another module for WordPress is wp_arbitrary_file_deletion, which exploits the WordPress core to allow anybody to delete files as an author; by default the module aims for the wp-config.php file. Naughty.
Hacker Summer Camp Events
If you're going to be in Las Vegas next week, you can find Metasploit trading T-shirts for shells at BSides LV, chatting with the open source developers at OSSM, and selling sweet limited edition Metasploit 0xf anniversary tour shirts to benefit the EFF in the vendor hall at DEF CON. Join us for one or all three of these!
- Responsive Thumbnail Slider Plugin Arbitrary File Upload by Arash Khazaei and Shelby Pace
- SonicWall XML-RPC Remote Code Execution by Michael Flanders and kernelsmith
- Micro Focus Secure Messaging Gateway by Mehmet Ince
- vTiger CRM Arbitrary File Upload by Touhid M Shaikh, Benjamin Daniel Mussler
- Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation by Andrey Konovalov, h00die, and Brendan Coles
- WordPress File Deletion by Slavco Mihajloski, Karim El Ouerghemmi, and Aloïs Thévenot
- Android Subscriber Information Extraction by Auxilus
- PR #10413 - This PR just bumps Rex-Powershell to 1.7.9.
- PR #10409 - This adds Meterpreter support for Axis Camera remote code execution module linux/http/axissrvparhand_rce.
- PR #10406 - This fixes service name, protocol, and port normalization for notes generated by some HTTP and SMB modules.
- PR #10405 - Dropped files are now cleaned up for exploit/multi/http/cmsms_upload_rename_rce
- PR #10403 - This fixes the auxiliary/scanner/http/joomla_pages module to display IP and port when scanning a range of hosts.
- PR #10397 - SMBv2 support has been added to the module exploit/windows/smb/psexec_psh.
- PR #10387 - This PR improves the mov_ss exploit with DLL injection (using ReflectiveLoader)
- PR #10384 - This fixes post/multi/manage/upload_exec to support absolute paths in the options LPATH and RPATH.
- PR #10330 - This adds SMBv2 support by way of the rubysmb library to bindnamed_pipe Meterpreter payloads.
As always, you can update to the latest Metasploit Framework with
msfupdate and you can get more details on the changes since the last blog post from GitHub:
To install fresh, check out the open-source-only Nightly Installers,or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based off the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.