BSD love

Outside of macOS, not many people run (or run into) a BSD-flavored system very often. Even still, bcoles and space-r7 teamed up for a pair of BSD enhancements. The first, a privilege escalation, affects FreeBSD's runtime linker dealing with LD_PRELOAD in FreeBSD 7.1, 7.2, and 8.0. The next enhancement adds BSD targets to our known-credential ssh executor which now allows BSD-specific payloads. Not wanting macOS to be left out timwr ported CodeColorist's privilege escalation via the Feedback Assistant. So even if you run a BSD, be sure to protect your creds and patch your systems!

A payload for ants

It's not too often that a Linux exploit requires a very small binary payload, but when you need one it is the only thing that will do. Thanks to Ekzorcist and our own busterb we have now have a Linux bind payload that is just 44 bytes long! It saves size by offloading the networking code to nc(1) on the target and allowing it to use a random port, which means that you will need to scan the target to find the port that now has your shell. It's only triggered when you need a bind payload for Linux that is smaller than the one we have been using (57 bytes), but when you need it, it will be there waiting for you.

New modules (4)

Enhancements and features

  • PR #11864 updates the jenkins_metaprogramming exploit module with an additional target that uses the GroovyShell.parse entry point for command execution.
  • PR #11861 updates exploit/multi/misc/weblogic_deserialize_asyncresponseservice to reference the correct CVE and consolidates on the TARGETURI option.
  • PR #11833 adds a check to give a better error message when the exploit is thrown against a server that's not listening.
  • PR #11805 adds BSD targets to exploit/multi/ssh/sshexec module.
  • PR #11374 - linux/x86/shell_bind_tcp_random_port now has a smaller version that uses the nc command on the target to reduce the amount of shellcode needed. The new payload will automatically be used when the old one is too large.

Bugs fixed

  • PR #11871 fixes an issue where an error would display in msfconsole when establishing a Meterpreter HTTP/S session when using a local postgresql database, preventing interaction with the session.
  • PR #11863 bumps Mettle's version to incorporate the changes made in rapid7/mettle#185 which fixed the environment variables for meterpreter when it starts. This should fix the bugs we are seeing in the get_env post/test module.
  • PR #11868 fixes the disclosure date in exploit/windows/iis/iis_webdav_upload_asp.
  • PR #11860 adds normalization to the pipe_auditor mixin (used by the module) to prefix named pipe names with a backslash. Samba 3.x doesn't perform any normalization on the pipe name, thus requiring the backslash. Samba 4.x and Windows are unaffected.
  • PR #11847 fixes a few bugs in post/multi/gather/jenkins_gather.
  • PR #11843 updates the links generated from MSB references to security bulletins on docs.microsoft.com.
  • PR #11842 changes Powershell::wrap_double_quotes to false in exploit/windows/browser/ms14_064_ole_code_execution in order to fix a regression in functionality.
  • PR #11834 fixes a bug in the previous version of the module so that it once again works against Symantec System Center Alert Management System.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

We recently announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions).