Introducing Metasploit Development Diaries

We are happy to introduce a new quarterly series, the Metasploit Development Diaries. The dev diaries walk users and developers through some example exploits and give detailed analysis of how the exploits operate and how Metasploit evaluates vulnerabilities for inclusion in Framework. The first in the dev diaries series features technical analysis by sinn3r and includes modules from community members and fellow researchers Mehmet Ince, Green-m, and Alex Gonzalez.

You can check out the dev diaries here. If you’re in the mood for even more research, we published a practical exploitation guide to Java Serialized Objects (JSOs) last week. As part of that research, Aaron Soto added native support to Metasploit for building Java deserialization payloads with ysoserial.

RCE Everywhere!

The CMS Made Simple Showtime2 File Upload module contributed by fabiocogno allows an authenticated user with the Use Showtime2 privilege to gain code execution through the application’s failure to validate the extension for watermarked files. This module works on various versions including 3.6.0-3.6.2.
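The weakness described above is a watermarked copy that inherits whatever file extension the client supplied. As an added illustration (not code from the module, from fabiocogno, or from CMS Made Simple), the Python below contrasts that weak pattern with a hardened check; the allowlist, the magic-byte table and the sample bytes are constructed assumptions, not taken from the application.

```python
import os
import secrets

# Constructed allowlist: the only types a watermarking feature needs to
# accept, each paired with the leading bytes that real files of that type carry.
ALLOWED = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}

# Constructed sample payloads for the demonstration below.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_TEXT = b"<?php echo 'not an image'; ?>"


def vulnerable_output_name(upload_name: str) -> str:
    """Weak pattern: the watermarked copy keeps the client-chosen basename
    and extension, so a non-image name lands on disk unchanged."""
    base, ext = os.path.splitext(os.path.basename(upload_name))
    return f"{base}_watermarked{ext}"


def hardened_output_name(upload_name: str, data: bytes) -> str:
    """Allowlist the extension, confirm the bytes match the declared image
    type, and pick a server-controlled name so nothing from the client's
    filename survives into the stored path."""
    ext = os.path.splitext(upload_name)[1].lower()
    if ext not in ALLOWED:
        raise ValueError(f"extension not allowed: {ext!r}")
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match the declared image type")
    return f"{secrets.token_hex(8)}_watermarked{ext}"


def is_safe_stored_name(name: str) -> bool:
    """Check a stored name: random hex prefix plus an allowlisted extension."""
    prefix, _, rest = name.partition("_watermarked")
    return len(prefix) == 16 and all(c in "0123456789abcdef" for c in prefix) \
        and rest in ALLOWED


if __name__ == "__main__":
    print(vulnerable_output_name("report.php"))          # keeps .php
    print(hardened_output_name("logo.PNG", SAMPLE_PNG))  # random name, .png
    try:
        hardened_output_name("report.php", SAMPLE_TEXT)
    except ValueError as exc:
        print("rejected:", exc)
```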

acamro added a module that exploits a Java deserialization vulnerability in Oracle’s Weblogic Server through the server’s T3 interface. This works for versions 10.3.6.0 and 12.1.3.0.

New Modules (2)

Enhancements and features

  • PR 11628 by rwincey added support for newer Outlook versions to the windows/gather/credentials/outlook post module. This module can now gather credentials from Outlook 2013, 2016, and Office 365.
  • PR 11622 by h00die introduced more hash-identifying capabilities that also put hashes in JtR format.
  • PR 11619 by bcoles added further error handling to modules/exploits/linux/http/panos_readsessionvars.
  • PR 11616 by brimstone fixed an issue with Meterpreter’s paranoid mode.
  • PR 11615 by h00die added functionality that exports credentials in the JtR format by specifying the JtR extension for a file when using creds -o.
  • PR 11605 by Green-m made enhancements to msfconsole’s load command by adding tab completion for plugins regardless of whether they are already loaded. This PR also added a new switch to the load command that displays loaded plugins.
  • PR 11603 by Green-m added better error-handling when attempting to load the aggregator plugin in framework.
  • PR 11570 by h00die added a new advanced option, DeleteTempFiles, that prevents the deletion of temporary files in case a file will be needed elsewhere.

Bugs fixed

  • PR 11631 by mkienow-r7 fixed an issue with the generation of payloads with PayloadUUIDTracking enabled. These payloads would be assigned non-existent workspaces at msfconsole startup.
  • PR 11614 by bwatters-r7 updated payloads to bring in fixes for both the Java meterpreter and the php meterpreter.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub.

We recently announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers, or the binary installers (which also include the commercial editions).