Last updated at Wed, 17 Jan 2024 01:05:16 GMT
Introducing Metasploit Development Diaries
We are happy to introduce a new quarterly series, the Metasploit Development Diaries. The dev diaries walk users and developers through some example exploits and give detailed analysis of how the exploits operate and how Metasploit evaluates vulnerabilities for inclusion in Framework. The first in the dev diaries series features technical analysis by sinn3r and includes modules from community members and fellow researchers Mehmet Ince, Green-m, and Alex Gonzalez.
You can check out the dev diaries here. If you’re in the mood for even more research, we published a practical exploitation guide to Java Serialized Objects (JSOs) last week. As part of that research, Aaron Soto added native support to Metasploit for building Java deserialization payloads with ysoserial.
RCE Everywhere!
The CMS Made Simple Showtime2 File Upload module contributed by fabiocogno allows an authenticated user with the Use Showtime2 privilege to gain code execution through the application’s failure to validate the extension for watermarked files. This module works on various versions including 3.6.0-3.6.2.
acamro added a module that exploits a Java deserialization vulnerability in Oracle’s Weblogic Server through the server’s T3 interface. This works for versions 10.3.6.0 and 12.1.3.0.
New Modules (2)
- CMS Made Simple (CMSMS) Showtime2 File Upload RCE by Daniele Scanu and Fabio Cogno, which exploits CVE-2019-9692
- Oracle Weblogic Server Deserialization RCE - Raw Object by Aaron Soto, Andres Rodriguez, and Stephen Breen, which exploits CVE-2015-4852
Enhancements and features
- PR 11628 by rwincey added support for newer Outlook versions to the
windows/gather/credentials/outlookpost module. This module can now gather credentials from Outlook 2013, 2016, and Office 365. - PR 11622 by h00die introduced more hash-identifying capabilities that also puts hashes in JtR format.
- PR 11619 by bcoles added further error handling to
modules/exploits/linux/http/panos_readsessionvars. - PR 11616 by brimstone fixed an issue with Meterpreter’s paranoid mode.
- PR 11615 by h00die added functionality that exports credentials in the JtR format by specifying the JtR extension for a file when using
creds -o. - PR 11605 by Green-m made enhancements to msfconsole’s
loadcommand by adding tab completion for plugins regardless of being loaded or not. This PR also added a new switch to theloadcommand that displays loaded plugins. - PR 11603 by Green-m added better error-handling when attempting to load the
aggregatorplugin in framework. - PR 11570 by h00die added a new advanced option,
DeleteTempFilesthat prevents the deletion of temporary files in case the file will be needed elsewhere.
Bugs fixed
- PR 11631 by mkienow-r7 fixed an issue with the generation of payloads with
PayloadUUIDTrackingenabled. These payloads would be assigned non-existent workspaces atmsfconsolestartup. - PR 11614 by bwatters-r7 updated payloads to bring in fixes for both the Java meterpreter and the php meterpreter.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from GitHub:
We recently-announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers, or the binary installers (which also include the commercial editions).
