Outside of macOS, not many people run (or run into) a BSD-flavored system very often. Even still, bcoles and space-r7 teamed up for a pair of BSD enhancements. The first, a privilege escalation, affects FreeBSD's runtime linker dealing with
LD_PRELOAD in FreeBSD 7.1, 7.2, and 8.0. The next enhancement adds BSD targets to our known-credential
ssh executor which now allows BSD-specific payloads. Not wanting macOS to be left out timwr ported CodeColorist's privilege escalation via the Feedback Assistant. So even if you run a BSD, be sure to protect your creds and patch your systems!
A payload for ants
It's not too often that a Linux exploit requires a very small binary payload, but when you need one it is the only thing that will do. Thanks to Ekzorcist and our own busterb we have now have a Linux bind payload that is just 44 bytes long! It saves size by offloading the networking code to
nc(1) on the target and allowing it to use a random port, which means that you will need to scan the target to find the port that now has your shell. It's only triggered when you need a bind payload for Linux that is smaller than the one we have been using (57 bytes), but when you need it, it will be there waiting for you.
New modules (4)
- FreeBSD rtld execl() Privilege Escalation by Kingcope, bcoles, and stealth, which exploits CVE-2009-4147
- Shopware createInstanceFromNamedArguments PHP Object Instantiation RCE by Karim Ouerghemmi and mr_me, which exploits CVE-2017-18357
- Mac OS X Feedback Assistant Race Condition by CodeColorist and timwr, which exploits CVE-2019-8565
- Onion Omega2 Login Brute-Force by Not So Attractive
Enhancements and features
- PR #11864 updates the jenkins_metaprogramming exploit module with an additional target that uses the
GroovyShell.parseentry point for command execution.
- PR #11861 updates
exploit/multi/misc/weblogic_deserialize_asyncresponseserviceto reference the correct CVE and consolidates on the
- PR #11833 adds a check to give a better error message when the exploit is thrown against a server that's not listening.
- PR #11805 adds BSD targets to
- PR #11374 -
linux/x86/shell_bind_tcp_random_portnow has a smaller version that uses the
nccommand on the target to reduce the amount of shellcode needed. The new payload will automatically be used when the old one is too large.
- PR #11871 fixes an issue where an error would display in msfconsole when establishing a Meterpreter HTTP/S session when using a local postgresql database, preventing interaction with the session.
- PR #11863 bumps Mettle's version to incorporate the changes made in rapid7/mettle#185 which fixed the environment variables for meterpreter when it starts. This should fix the bugs we are seeing in the get_env post/test module.
- PR #11868 fixes the disclosure date in
- PR #11860 adds normalization to the
pipe_auditormixin (used by the module) to prefix named pipe names with a backslash. Samba 3.x doesn't perform any normalization on the pipe name, thus requiring the backslash. Samba 4.x and Windows are unaffected.
- PR #11847 fixes a few bugs in
- PR #11843 updates the links generated from MSB references to security bulletins on docs.microsoft.com.
- PR #11842 changes
exploit/windows/browser/ms14_064_ole_code_executionin order to fix a regression in functionality.
- PR #11834 fixes a bug in the previous version of the module so that it once again works against Symantec System Center Alert Management System.
As always, you can update to the latest Metasploit Framework with
msfupdate and you can get more details on the changes since the last blog post from GitHub:
We recently announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions).