Ghost(script) in the shell
There has been a lot of buzz the last couple of weeks about Google Project Zero researcher Tavis Ormandy's new Ghostscript -dSAFER bypass, now complete with a Metasploit module. With some valiant work by wvu and taviso himself, the latest way to break out of a PDF is now at your fingertips. If you pulled an advance copy from the PR, make sure to use the refined version in the latest Metasploit release! Note that the -dSAFER bypass matters beyond PDF readers: anything that hands untrusted PostScript or PDF to Ghostscript, ImageMagick's delegate pipeline being the usual example, is exposed until Ghostscript itself is patched.
More payload documentation
Did you know that, like other modules, payloads can have full-fledged module documentation? Thanks to agrawalarpit14, we now have documentation that explains options and demonstrates usage for another one: windows/shell/reverse_ord_tcp. To view it, run msfconsole -x 'use payloads/windows/shell/reverse_ord_tcp; info -d'.
SITREP: External modules
Earlier this week I posted an update on how our support for modules that run as separate executables is progressing. These modules can be written in Ruby, Python, or anything else that can speak JSON over stdin and stdout. If you are interested in writing a module in Python, be sure to check out jrobles-r7's guide after reading the blog post!
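As an added example (not Metasploit's own library code, and not taken from jrobles-r7's guide), here is a minimal Python external module that speaks newline-delimited JSON-RPC over stdin and stdout. The method names describe and run, the message and report notifications, and the metadata field names are assumptions that follow the convention the framework uses for external modules; check the guide for the authoritative schema. The banner is a constructed stand-in for real network I/O so the example runs offline, and the target address is a documentation address.

```python
"""Minimal external-module loop: JSON-RPC 2.0 requests in on stdin, responses
out on stdout. Added example, not Metasploit's own code; message shapes and
metadata field names are assumed from the external-module convention."""
import json
import sys

# Metadata returned for a "describe" request (assumed field names).
METADATA = {
    "name": "Example banner check",
    "description": "Shows the describe/run request cycle of an external module.",
    "authors": ["example author"],
    "date": "2018-09-01",
    "references": [],
    "type": "single_scanner",
    "options": {
        "rhost": {"type": "address", "description": "Target address",
                  "required": True, "default": None},
        "rport": {"type": "port", "description": "Target port",
                  "required": True, "default": 80},
    },
}


def notification(method, params):
    """A JSON-RPC notification (no id): used for log lines and DB reports."""
    return {"jsonrpc": "2.0", "method": method, "params": params}


def validate_options(args):
    """Names of required options the framework did not send (or sent empty)."""
    return [name for name, spec in METADATA["options"].items()
            if spec["required"] and args.get(name) in (None, "")]


def fake_banner(rhost, rport):
    """Constructed stand-in for a real socket read; keeps the example offline."""
    return f"ExampleService/1.0 on {rhost}:{rport}"


def run_module(args):
    """Do the module's work; return (result, notifications to emit first)."""
    rhost, rport = args["rhost"], int(args["rport"])
    banner = fake_banner(rhost, rport)
    notes = [
        notification("message", {"level": "info",
                                 "message": f"{rhost}:{rport} banner: {banner}"}),
        notification("report", {"type": "service",
                                "data": {"host": rhost, "port": rport,
                                         "proto": "tcp", "info": banner}}),
    ]
    return {"message": "Module completed"}, notes


def handle_request(req):
    """Dispatch one request dict; return (response dict, list of notifications)."""
    rid, method = req.get("id"), req.get("method")
    if method == "describe":
        return {"jsonrpc": "2.0", "id": rid, "result": METADATA}, []
    if method == "run":
        args = req.get("params") or {}
        missing = validate_options(args)
        if missing:  # JSON-RPC "invalid params" instead of a traceback on stderr
            return {"jsonrpc": "2.0", "id": rid,
                    "error": {"code": -32602,
                              "message": "Missing required options: " + ", ".join(missing)}}, []
        result, notes = run_module(args)
        return {"jsonrpc": "2.0", "id": rid, "result": result}, notes
    return {"jsonrpc": "2.0", "id": rid,
            "error": {"code": -32601, "message": f"Method not found: {method}"}}, []


def serve(inp=sys.stdin, out=sys.stdout):
    """Read newline-delimited JSON requests; write notifications, then the response."""
    for line in inp:
        line = line.strip()
        if not line:
            continue
        try:
            req = json.loads(line)
        except json.JSONDecodeError as exc:
            out.write(json.dumps({"jsonrpc": "2.0", "id": None,
                                  "error": {"code": -32700,
                                            "message": f"Parse error: {exc}"}}) + "\n")
            out.flush()
            continue
        response, notes = handle_request(req)
        for note in notes:
            out.write(json.dumps(note) + "\n")
        out.write(json.dumps(response) + "\n")
        out.flush()


if __name__ == "__main__":
    serve()
```

Two points worth noting: a run request missing rhost gets a JSON-RPC invalid-params error rather than a Python traceback, which is the failure most people hit when first wiring a module in; and serve() writes nothing but JSON lines to stdout, because any stray print on that channel corrupts the framing the framework parses.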
Remote data service usability
The Metasploit 5-only external data service got a big enhancement this week: the db_connect command can now connect to both Postgres and HTTP data services, thanks to jbarnett-r7. The new db_connect functionality replaces the previous data_services command. This also introduces the db_save command, which saves a default data service that is restored when msfconsole starts. mkienow-r7 used this to have msfdb prompt users who initialize a remote data service to save the connection for automatic use on startup.
Exploit modules (1 new)
- Ghostscript Failed Restore Command Execution by wvu and Tavis Ormandy, which exploits CVE-2018-16509
Auxiliary and post modules (2 new)
- Dolibarr List Creds by Issam Rabhi, Kevin Locati, and Shelby Pace, which exploits CVE-2018-10094
- Phpmyadmin credentials stealer by Chaitanya Haritash (bofheaded) and Dhiraj Mishra
Enhancements and features
- DisableNops can now be set per target by a module, thanks to wvu. This helps when certain payload types or injection methods have a small, fixed space to work with.
- OS X command shells now work with sessions -u to smoothly upgrade to our native OS X Meterpreter, courtesy of timwr.
- windows/shell/reverse_ord_tcp now has documentation by agrawalarpit14.
- The post-exploitation API for Solaris has been expanded a bit to more closely match the capabilities we have for Linux, by h00die.
- jbarnett-r7 modified db_connect so it now works with remote data services, and added a new command: db_save.
- msfdb now prompts to save connection information for automatic reuse, via mkienow-r7.
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub.
To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and the Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based off the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.