We got to hit the build button three times this week. It's not something that we normally do, since the Metasploit release each week triggers automatically. But it's been such a week of surprise vulnerabilities and improvements that it made sense to get a few extra builds out the door. So, Metasploit this week jumps from 4.14.18 to 4.17.21. Look for it during your next Metasploit romp.
While the excitement around libssh CVE-2018-10933 may be winding down, the Metasploit module did receive a few more refinements to its check methods. It is now able to more accurately pinpoint potentially vulnerable targets, but keep in mind that the number of viable targets in the wild is still relatively small.
A remote exploit for Cisco WebEx client software was added thanks to Ron Bowes of SkullSecurity and Jeff McJunkin from Counter Hack. After patching, be sure to check out their excellent blog on the subject.
Finally, a new Windows privilege escalation module for CVE-2018-8120 landed. It only targets Windows 7 and Windows 2008 (all architectures), but does allow running code in kernel mode, which gives full access to the host. Thanks to Anton Cherepanov, Dhiraj Mishra, bigric3, and unamer for the contribution.
Slow search is dead
Have you ever noticed that a fresh Metasploit installation may use CPU for minutes on end the first time it starts? Have you ever gotten coffee after receiving an infamous:
[!] Module database cache not built yet, using slow search
If so, you have fallen victim to one of the sore points in Metasploit's design; it tries to store and look up module information in a SQL database, and without it, it operates very slowly. However, in this release, we're happy to announce the problem is solved.
In the Metasploit master tree, we have been working on revamping how module metadata is searched and stored, along the way adding a lot of new ways to annotate things like module side effects, alternative names, and much more. This feature has since become very stable, so we ported it to the 4.x branch as well.
What does this mean? Search is now lightning fast, even without a database. Metasploit uses less memory. And you can now start seeing lots of new information about modules, like what their side effects are, in an upcoming security distribution near you.
Module side effects and other curious annotations
While modules have long supported 'ranks' for determining how reliable an exploit is, they do not always tell a user what the side effects of the module are, at least not in a formal way. It is also difficult to express exactly what to expect from a module with a single ranking. To solve this issue, we have added new metadata annotations to modules:

| Annotation | Meaning |
|---|---|
| CRASH_SAFE | Module should not crash the service |
| CRASH_SERVICE_RESTARTS | Module may crash the service |
| CRASH_SERVICE_DOWN | Module may crash the service |
| CRASH_OS_RESTARTS | Module may crash the OS |
| CRASH_OS_DOWN | Module may crash the OS |
| SERVICE_RESOURCE_LOSS | Module may cause a resource (such as a file or data in a database) to be unavailable for the service |
| OS_RESOURCE_LOSS | Module may cause a resource (such as a file) to be unavailable for the OS |
| ARTIFACTS_ON_DISK | Module leaves a payload or a dropper on the target machine |
| CONFIG_CHANGES | Module modifies some config file on the target machine |
| IOC_IN_LOGS | Module leaves signs of a compromise in a log file (example: SQL injection data found in an HTTP log) |
| ACCOUNT_LOCKOUTS | Module may cause account lockouts (likely due to brute-forcing) |
| SCREEN_EFFECTS | Module may show something on the screen (example: a window pops up) |
| AUDIO_EFFECTS | Module may cause a noise (examples: audio output from the speakers or hardware beeps) |
| PHYSICAL_EFFECTS | Module may produce physical effects (examples: the device moves or flashes LEDs) |
| FIRST_ATTEMPT_FAIL | The module tends to fail to get a session on the first attempt |
| REPEATABLE_SESSION | The module is expected to get a shell every time it fires |
These definitions are just the start, but there are lots of modules to annotate. Have a favorite module that you would like to see annotated? Why not give it a try and send us a PR? It's a fast and easy way to get your feet wet with the Metasploit project.
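As an added example (not Metasploit's own code), here is a small linter for the annotations above, useful when reviewing a PR that adds them to a module. It assumes the three-way grouping into Stability, SideEffects and Reliability that Metasploit's module documentation uses for its 'Notes' hash, and it treats the constant names as plain strings so the script runs without the framework loaded; the sample Notes block at the bottom is constructed.

```ruby
# Allowed values per category. The grouping is assumed from Metasploit's
# module documentation; the names are those in the table above.
STABILITY = %w[CRASH_SAFE CRASH_SERVICE_RESTARTS CRASH_SERVICE_DOWN
               CRASH_OS_RESTARTS CRASH_OS_DOWN SERVICE_RESOURCE_LOSS
               OS_RESOURCE_LOSS].freeze
SIDE_EFFECTS = %w[ARTIFACTS_ON_DISK CONFIG_CHANGES IOC_IN_LOGS ACCOUNT_LOCKOUTS
                  SCREEN_EFFECTS AUDIO_EFFECTS PHYSICAL_EFFECTS].freeze
RELIABILITY = %w[FIRST_ATTEMPT_FAIL REPEATABLE_SESSION].freeze

ALLOWED = {
  'Stability'   => STABILITY,
  'SideEffects' => SIDE_EFFECTS,
  'Reliability' => RELIABILITY
}.freeze

# Returns the list of problems found in a module's Notes hash (empty if clean).
def lint_notes(notes)
  problems = []
  # Every category should be present so reviewers are not left guessing.
  ALLOWED.each_key do |key|
    problems << "missing '#{key}'" unless notes.key?(key)
  end
  notes.each do |key, values|
    unless ALLOWED.key?(key)
      problems << "unknown key '#{key}'"
      next
    end
    Array(values).each do |v|
      problems << "#{v} is not a valid #{key} value" unless ALLOWED[key].include?(v.to_s)
    end
  end
  # CRASH_SAFE contradicts any other CRASH_* claim in the same module.
  stab = Array(notes['Stability']).map(&:to_s)
  if stab.include?('CRASH_SAFE') && stab.any? { |v| v.start_with?('CRASH_') && v != 'CRASH_SAFE' }
    problems << 'CRASH_SAFE combined with another CRASH_* value'
  end
  problems
end

# Constructed sample: the Notes block of a hypothetical kernel-mode exploit.
SAMPLE_NOTES = {
  'Stability'   => %w[CRASH_OS_RESTARTS],
  'SideEffects' => %w[ARTIFACTS_ON_DISK IOC_IN_LOGS],
  'Reliability' => %w[REPEATABLE_SESSION]
}.freeze

issues = lint_notes(SAMPLE_NOTES)
puts(issues.empty? ? 'Notes OK' : issues.join("\n"))
```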
Exploit modules (4 new)
- QNX qconn Command Execution by Brendan Coles, David Odell, and Mor!p3r
- Windows SetImeInfoEx Win32k NULL Pointer Dereference by Anton Cherepanov, Dhiraj Mishra, bigric3, and unamer, which exploits CVE-2018-8120
- WebEx Local Service Permissions Exploit by Jeff McJunkin, which exploits CVE-2018-15442
- WebExec Authenticated User Code Execution by Ron, which exploits CVE-2018-15442
Auxiliary and post modules (3 new)
- WebEx Remote Command Execution Utility by Ron Bowes, which exploits CVE-2018-15442
- libssh Authentication Bypass Scanner by wvu and Peter Winter-Smith, which exploits CVE-2018-10933
- Windows unmarshal post exploitation by Matthias Kaiser, Nicolas Joly, Pratik Shah, and Sanjay Gondaliya, which exploits CVE-2018-0824
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
To install fresh, check out the open-source-only Nightly Installers, or the binary installers, which also include the commercial editions. PLEASE NOTE that these installers, and Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based off the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.