What's Old is New (a.k.a. jQuery File Upload)
Recently, an eight-year-old vulnerability in the jQuery File Upload plugin (CVE-2018-9206, an unauthenticated arbitrary file upload) gained some public exposure. Researcher Larry Cashdollar reported the find (with a PoC), and @wvu put together a Metasploit module for Framework. While the plugin itself was patched recently, the consensus seems to be that many deployments are still running unpatched versions.
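The practical lesson behind that bug is that a file-upload handler which accepts any filename, and relies on the web server refusing to execute the upload directory, becomes an unauthenticated remote code execution primitive the moment that server-side assumption fails. The following is an added illustration written for this post, not code from the plugin or from the Metasploit module: it contrasts a permissive accept pattern with a hardened allowlist check that also strips path components and rejects double extensions. The function and constant names are this example's own.

```python
import posixpath
import re

# Weak setting (constructed for this example): a pattern that matches any name,
# so the only thing standing between the upload and code execution is the
# web server's handling of the upload directory.
PERMISSIVE_ACCEPT = re.compile(r".+")

# Hardened setting: an explicit allowlist of image extensions, anchored at end of name.
IMAGE_ONLY_ACCEPT = re.compile(r"\.(gif|jpe?g|png)$", re.IGNORECASE)

# Extensions that common web servers may hand to an interpreter; rejected even
# when they appear as an inner extension ("shell.php.png").
SCRIPT_EXTENSIONS = {
    "php", "php3", "php5", "php7", "phtml", "phar",
    "cgi", "pl", "py", "sh", "jsp", "asp", "aspx",
}


def accept_by_pattern(filename: str, pattern: re.Pattern) -> bool:
    """Decision made by a filename regex alone (what the plugin's accept
    pattern controls). With PERMISSIVE_ACCEPT every filename passes."""
    return pattern.search(filename) is not None


def hardened_accept(filename: str):
    """Return the sanitized basename if the upload is acceptable, else None.

    Checks, in order: strip any directory components (also Windows-style),
    reject empty/dot names and NUL bytes, require an allowlisted image
    extension, and reject any script extension anywhere in the name.
    """
    name = posixpath.basename(filename.replace("\\", "/"))
    if not name or name in (".", "..") or "\x00" in name:
        return None
    if not accept_by_pattern(name, IMAGE_ONLY_ACCEPT):
        return None
    # Everything after the first dot is treated as a chain of extensions.
    inner_extensions = name.lower().split(".")[1:]
    if any(ext in SCRIPT_EXTENSIONS for ext in inner_extensions):
        return None
    return name


if __name__ == "__main__":
    # Constructed sample filenames an attacker or a normal user might submit.
    for candidate in ("photo.jpg", "shell.php", "shell.php.png", "../../etc/x.PNG", "a.phtml"):
        print(f"{candidate!r:24} permissive={accept_by_pattern(candidate, PERMISSIVE_ACCEPT)!s:5} "
              f"hardened={hardened_accept(candidate)!r}")
```

The point of the second check is that the allowlist does not depend on deployment details such as an `.htaccess` file being honored; it is enforced in the upload handler itself, where it cannot be undone by a web-server configuration change.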
Gathering Data From iOS Devices
@space added two new post modules this week for exfiltrating images and text messages from compromised iOS devices. A working session on a compatible iOS device is all you need to try these modules out!
Golang Module Support Lands (MSF5)
Concurrent with this release, @busterb has added initial support for modules written in Go to Metasploit 5. At the moment, only the 'description' and 'run' Framework actions are supported (if you'd like to help add support for more actions, please consider contributing!). To check out this new functionality, pull the latest Framework from the master branch of the GitHub repo and you'll be good to Go!
Community CTF Registration Monday!
We announced the 2018 Metasploit community CTF this week. Registration opens Monday, and play starts Friday, November 30. Find flags, get points, win prizes. Double the teams this year, too!
Exploit modules (1 new)
- blueimp's jQuery (Arbitrary) File Upload by wvu, Claudio Viviani, and Larry W. Cashdollar, which exploits CVE-2018-9206
Auxiliary and post modules (2 new): the iOS image and text-message gathering post modules by @space described above.
Enhancements and features
- PR #10792 allows users to specify into which process they would like the payload injected when using the ms17_010_eternalblue module.
- PR #10919 updates auxiliary/server/capture/ftp with a new banner option so you can emulate a specific FTP server type.
- PR #10917 adds a Unix Cmd target to the multi/ssh/sshexec module to support cmd/unix payloads.
- PR #10888 updates the Net::SSH::CommandStream library to handle SSH session open failures and adds additional protection against such failures in the auxiliary/scanner/ssh/libssh_auth_bypass module.
- PR #10874 removes the unnecessary size restriction from the exploit/windows/local/payload_inject module. This has the notable advantage of enabling use of the newer and much larger stageless payloads.
- PR #10843 fixes permission errors when mounting the home directory into the Metasploit Docker image.
- PR #10834 adds a 64-bit payload that launches a messagebox with custom values.
- PR #10823 updates the post/system libraries for Linux, macOS and Solaris to store retrieved host system information in the database.
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub.
To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based off the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.