Data service improvements

The Payload UUID and paranoid mode Meterpreter payload and listener features were first introduced and added to many HTTP and TCP Metasploit payloads in mid-2015. These features provided three major enhancements for Metasploit payload use. First, they allowed the user to uniquely identify a generated payload, which is important when running social engineering campaigns. Second, they allowed the user to drop session connections without a known UUID. Third, they created a secure communication link between the payload and listener.

In late 2018, the team revisited Payload UUIDs with a focus on supporting the feature through the data service, thus allowing teams to more easily work from a single payload UUID source. Between PR #10675 and PR #11532, Erin Bleiweiss and Matthew Kienow shifted Metasploit's payload UUID tracking mechanism from a local file, ~/.msf4/payloads.json, to the Metasploit data service, allowing users to store and track UUID payloads in a local or remote database.

The change also opens the door for third-party integrations leveraging the payload UUID data through MSF5’s REST API. It is important to note that those currently using a payloads.json file for UUID tracking may need to remain on Metasploit 5.0.9 or earlier, the Metasploit 4.x branch, or regenerate their payloads while connected to a data service in order to use the new mechanism. The instance hosting the listener should also be configured to connect to the same data service used when the UUID payloads were generated.

As MSF5 becomes more widely used, the web service-related components are exercised further by our community, who diligently report their findings. Thanks to Ted R for noting an issue, which led to busterb opening PR #11533 to fix a bug where the create_cracked_credential method would incorrectly handle the result of a service lookup against the database. Also, thanks to Acidical for reporting an issue with msfdb, which led to Erin Bleiweiss opening PR #11525 to fix the msfdb reinit command, which deleted the web service SSL key and cert (.pem) files even when the user answered “no” to deleting existing data and configurations. Keep exploring the new features and reporting back if they don’t operate as expected!

A number of users have reported issues using msfdb on Linux distributions that use the postgresql-common tools, and have discovered a workaround: adding the PostgreSQL binaries to their PATH and adding their user to the postgres group. A Wiki entry was created to document an initial investigation into the work needed to allow msfdb to use postgresql-common, in response to the open issue “Improve msfdb to work with pg_createcluster, pg_ctlcluster and other Debian-specific tools” (#11369). Anyone interested in working on the enhancement should first read the Wiki, since it explores the high-level steps necessary to enhance msfdb to use postgresql-common.

GET Drupal

Drupal updated SA-CORE-2019-003 with PSA-2019-02-22 to inform users that a REST resource endpoint is also vulnerable, even if it only accepts GET requests. The exploits/unix/webapp/drupal_restws_unserialize module introduced in PR #11481 by Rotem Reiss and wvu exploits a vulnerability in Drupal RESTful web services that can cause arbitrary PHP code execution (CVE-2019-6340). Drupal versions 8.5.0 to 8.5.10 and 8.6.0 to 8.6.9 are vulnerable. It is important to note that Drupal caches GET responses and this can interfere with exploit success. If issues are encountered, clear the cache in a controlled test environment; otherwise, set another node ID.

New modules

Exploit modules (4 new)

Improvements

  • PR #11419 by Cale Black adds systemd user-level service persistence to the exploit/linux/local/service_persistence module.
  • PR #11505 by bcoles deprecated the pml_driver_config Meterpreter script in favor of the exploit/windows/local/service_permissions module.
  • PR #11521 by Clément Notin adds the handling of UnicastRef2 responses in RMI serialized responses, allowing modules to exploit a wider variety of targets.
  • PR #11500 by Shelby Pace updates the Cisco ASA Directory Traversal module with a more permissive software detection regex to ensure targets aren't falsely reported as inaccessible.
  • PR #11498 by acammack-r7 adds extended documentation for the jobs command to msfconsole.
  • PR #11464 by Nicholas Starke adds firmware version checking to the check method in exploit/linux/upnp/belkin_wemo_upnp_exec.
  • PR #11077 by Imran E. Dawoodjee adds a new module doc for exploit/windows/ftp/wing_ftp_admin_exec, as well as an improved check and support for PowerShell.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

We recently announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions).