Ubiquitous Devices

Our Rapid7 Labs team pulled the thread on some recent buzz around exploitable Ubiquiti devices, which led to a new scanner module (auxiliary/scanner/ubiquiti/ubiquiti_discover.rb) from jhart-r7. This module uses a simple UDP protocol to identify potentially exploitable Ubiquiti devices on your network, and can return details like MAC and IP address, model info, and firmware version.

NVR RCE

Some NUUO NVRmini devices contain a vulnerable web application which can be exploited to gain remote code execution. And the new exploits/multi/http/nuuo_nvrmini_upgrade_rce module can help get you there. Thanks to community member berkdsnr for this contribution!

Cisco Configs

Certain small business routers from Cisco (like the RV320 and RV326 models) may contain firmware vulnerable to unauthenticated, remote retrieval of the configuration file. The new auxiliary/gather/cisco_rv320_config module from our own asoto-r7 can help you gather the configs from such vulnerable devices on your network. Be forewarned that firmware auto-update settings on potential target devices might have already moved them to a patched version of firmware.

New Modules

Exploit modules (2 new)

Auxiliary and post modules (3 new)

Improvements

  • New Linux x64 IPv6 bind and reverse payloads, from epi052 (PR 11039)
  • Enhanced usability of the msfdb script, from ebleiweiss-r7 (PR 11299)
  • Support for levels of debug output in Mettle, from bwatters-r7 (PR 11332)
  • 32-bit iPhone support for the webkit_trident exploit, from timwr (PR 10812)
  • Improved reliability of the macOS staged payloads, from timwr (PR 11165)
  • Updated file enumeration in Meterpreter to understand 64-bit file sizes, 32-bit UID/GID values, and 64-bit time, from timwr (PR 11193)
  • Bug fixes for the loot endpoint API, from jbarnett-r7 (PR 11270)
  • Fix to normalize newlines in CommandShell#run_single, from wvu-r7 (PR 11309)
  • SMB client fix, from MarianG (PR 11315)
  • Update to store Cisco config file hostname and OS info to the database, from h00die (PR 11322)
  • mbedtls fixed to get mips payloads working again, from jmartin-r7 (PR 11325)
  • Fixed support for ranges used with the sessions command, from yamitenshi (PR 11329)
  • Fixed HTTP/SMB mixin order to restore SSL option, from wvu-r7 (PR 11330)
  • Enhanced library support for evasion modules and added initial scaffolding for integrating with external tools, from zeroSteiner (PR 11333)
  • Added a run-time check if a file exists in a shell session before trying to read that file, from bcoles (PR 11342)
  • Added version check to Safari RCE exploit, from timwr (PR 11347
  • Added additional error handling to the windows/gather/enum_patches post exploitation module, from bcoles (PR 11348)
  • Support generation of ARMLE shared object payloads, from BoLaMN (PR 11350)
  • Added URL scheme and Base64.encode64 checks to msftidy, from bcoles (PR 11361)

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

We recently-announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions). PLEASE NOTE that the binary installers, and Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based off the Metasploit 4 branch for the time being. Migration is underway, so you can look forward to getting Metasploit 5 in the binary installers and in third-party software distributions soon.