We got to hit the build button three times this week. It's not something that we normally do, since the Metasploit release each week triggers automatically. But it's been such a week of surprise vulnerabilities and improvements that it made sense to get a few extra builds out the door. So, Metasploit this week jumps from 4.14.18 to 4.17.21. Look for it during your next Metasploit romp.

Exploit wrapup

While the excitement around libssh CVE-2018-10933 may be winding down, the Metasploit module did receive a few more refinements to its check methods. It is now able to more accurately pinpoint potentially vulnerable targets, but keep in mind that the number of viable targets in the wild is still relatively small.

A remote exploit for Cisco WebEx client software was added thanks to Ron Bowes of SkullSecurity and Jeff McJunkin from Counter Hack. After patching, be sure to check out their excellent blog on the subject.

Finally, a new Windows privilege escalation module for CVE-2018-8120 landed. It only targets Windows 7 and Windows 2008 (all architectures), but does allow running code in kernel mode, which gives full access to the host. Thanks to Anton Cherepanov, Dhiraj Mishra, bigric3, and unamer for the contribution.

Slow search is dead

Have you ever noticed that a fresh Metasploit installation may use CPU for minutes on end the first time it starts? Have you ever gotten coffee after receiving an infamous:

[!] Module database cache not built yet, using slow search

If so, you have fallen victim to one of the sore points in Metasploit's design; it tries to store and look up module information in a SQL database, and without it, it operates very slowly. However, in this release, we're happy to announce the problem is solved.

In the Metasploit master tree, we have been working on revamping how module metadata is searched and stored, along the way adding a lot of new ways to annotate things like module side effects, alternative names, and much more. This feature has since become very stable, so we ported it to the 4.x branch as well.

What does this mean? Search is now lightning fast, even without a database. Metasploit uses less memory. And you can now start seeing lots of new information about modules, like what their side effects are, in an upcoming security distribution near you.

Module side effects and other curious annotations

While modules have long supported 'ranks' for determining how reliable an exploit is, they do not always tell a user what the side effects of the module are, at least not in a formal way. It is also difficult to express exactly what to expect from a module with a single ranking. To solve this issue, we have added new metadata to modules:

| Tag | Description |
| --- | --- |
| CRASH_SAFE | Module should not crash the service |
| CRASH_SERVICE_RESTARTS | Module may crash the service |
| CRASH_SERVICE_DOWN | Module may crash the service |
| CRASH_OS_RESTARTS | Module may crash the OS |
| CRASH_OS_DOWN | Module may crash the OS |
| SERVICE_RESOURCE_LOSS | Module may cause a resource (such as a file or data in a database) to be unavailable for the service |
| OS_RESOURCE_LOSS | Module may cause a resource (such as a file) to be unavailable for the OS |
| ARTIFACTS_ON_DISK | Module leaves a payload or a dropper on the target machine |
| CONFIG_CHANGES | Module modifies some config file on the target machine |
| IOC_IN_LOGS | Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log) |
| ACCOUNT_LOCKOUTS | Module may cause account lockouts (likely due to brute-forcing) |
| SCREEN_EFFECTS | Module may show something on the screen (Example: a window pops up) |
| AUDIO_EFFECTS | Module may cause a noise (Examples: audio output from the speakers or hardware beeps) |
| PHYSICAL_EFFECTS | Module may produce physical effects (Examples: the device makes movement or flashes LEDs) |
| FIRST_ATTEMPT_FAIL | Module tends to fail to get a session at first attempt |
| REPEATABLE_SESSION | Module is expected to get a shell every time it fires |

These definitions are just the start, but there are lots of modules to annotate. Have a favorite module that you would like to see annotated? Why not give it a try and send us a PR? It's a fast and easy way to get your feet wet with the Metasploit project.
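
One way to put these tags to work when scoping an authorized test is to check each module's annotations against the rules of engagement before it is run, and to treat an unannotated module as unknown rather than safe. The Ruby sketch below is an added example, not code from Metasploit or from this post. It assumes the tags are modelled as plain strings grouped under Stability, SideEffects and Reliability keys, and the module names and policy are constructed for illustration.

```ruby
# Added example: gate modules against rules of engagement using the tags above.
# Tags are modelled as plain strings; module names and notes are constructed samples.
require 'set'

# Hypothetical policy for production hosts (an assumption, not from the post).
PROD_POLICY = {
  forbidden: Set['CRASH_SERVICE_DOWN', 'CRASH_OS_RESTARTS', 'CRASH_OS_DOWN',
                 'SERVICE_RESOURCE_LOSS', 'OS_RESOURCE_LOSS', 'ACCOUNT_LOCKOUTS'],
  # Allowed, but must be recorded for cleanup and for the defenders' report.
  report: Set['ARTIFACTS_ON_DISK', 'CONFIG_CHANGES', 'IOC_IN_LOGS']
}.freeze

# Returns [verdict, details] for one module's notes hash.
def triage(notes, policy = PROD_POLICY)
  notes ||= {}
  stability = Array(notes['Stability'])
  tags = stability + Array(notes['SideEffects']) + Array(notes['Reliability'])
  # An unannotated module makes no safety claim at all: never read that as "safe".
  return [:manual_review, ['no stability annotation']] if stability.empty?

  blocked = tags.select { |t| policy[:forbidden].include?(t) }
  return [:blocked, blocked] unless blocked.empty?

  [:allowed, tags.select { |t| policy[:report].include?(t) }]
end

# Constructed sample metadata (hypothetical module names).
SAMPLE_MODULES = {
  'exploit/example/safe_rce' => {
    'Stability' => ['CRASH_SAFE'],
    'SideEffects' => ['ARTIFACTS_ON_DISK', 'IOC_IN_LOGS'],
    'Reliability' => ['REPEATABLE_SESSION']
  },
  'exploit/example/kernel_lpe' => {
    'Stability' => ['CRASH_OS_DOWN'],
    'Reliability' => ['FIRST_ATTEMPT_FAIL']
  },
  'auxiliary/example/login_scanner' => {
    'Stability' => ['CRASH_SAFE'],
    'SideEffects' => ['ACCOUNT_LOCKOUTS']
  },
  'exploit/example/legacy' => nil # not annotated yet
}.freeze

# Triage every module and return { name => [verdict, details] }.
def triage_all(mods = SAMPLE_MODULES)
  mods.transform_values { |notes| triage(notes) }
end

triage_all.each { |name, (verdict, why)| puts format('%-34s %-14s %s', name, verdict, why.join(', ')) }
```

Tags in the report set do not block a run, but they list what has to be cleaned up and what the target's logs will show afterwards.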

New modules

Exploit modules (4 new)

Auxiliary and post modules (3 new)

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

To install fresh, check out the open-source-only Nightly Installers, or the binary installers, which also include the commercial editions. PLEASE NOTE that these installers, and Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based off the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.