A2K19: MSF community hackathon update
Planes, trains and automobiles brought together the Metasploit team and a group of Metasploit committers under one roof. Problems were discussed, ideas were proposed, solutions were debated, code was written and PRs landed. The hackathon helped create an even stronger sense of camaraderie between the Metasploit team and committers.
Among things landed this week from the hackathon, busterb worked with Op3n4M3 and timwr to get Mettle’s iOS dylib support packaged. This made its debut with timwr’s exploit module for CVE-2018-4233 on iOS and should work on all 64-bit iOS 10 to 11.2 devices.
busterb also performed a tree-wide cleanup of the ‘expand_path’ API usage, switching over to sys.config.getenv in order to get consistent results across all session types. timwr also fixed a race condition in the java/android shell_command_token, increasing reliability for Java exploit cleanup. Finally, wvu changed the default video ID and added Unix command shell support to the post/multi/manage/play_youtube module to facilitate hacking while listening to the never-ending Epic Sax Guy.
Look forward to a more detailed post on the Austin Metasploit Hackathon 2019 (A2K19) in the future!
Flexible shell deployments
b0yd of Securifera both discovered the vulnerability and contributed the IBM WebSphere Application Server Network Deployment RCE exploit module for CVE-2019-4279. The exploit/windows/ibm/ibm_was_dmgr_java_deserialization_rce module achieves arbitrary command execution and upload of an arbitrary file as SYSTEM due to a lack of proper authentication checks. The module serializes the Java objects expected by the IBM WebSphere server; the untrusted serialized data is then processed by the WAS DMGR Server and Cells, resulting in remote code execution. WebSphere Application Server ND versions 8.5 and 9.0 and WebSphere Virtual Enterprise version 7.0 are vulnerable. The WebSphere Application Server ND agent is installed on servers with the network deployment feature and is found listening on TCP port 11002, 11004 or 11006.
New modules (3)
- Safari Webkit Proxy Object Type Confusion by timwr, Ian Beer, niklasb, saelo, and siguza, which exploits CVE-2018-4233. This adds an exploit module for CVE-2018-4233 on iOS and should work on all 64-bit iOS 10 to 11.2 devices. The WebKit exploit looks up offsets dynamically thanks to work by JakeBlair420 and Siguza on the TotallyNotSpyware project.
- LibreNMS addhost Command Injection by Shelby Pace and mhaskar, which exploits CVE-2018-20434
- IBM Websphere Application Server Network Deployment Untrusted Data Deserialization Remote Code Execution by b0yd, which exploits CVE-2019-4279
Enhancements and features
- PR 11938 from timwr provides a temporary bugfix for how we interpret quotes in meterpreter commands. Currently, Python on Windows handles quotation marks differently than exe or Java meterpreter handles them. This fix adapts the test to verify that they work, but not that they are treated equally.
- PR 11945 from busterb fixes a bug in the http payloads where we may have been overly aggressive in disabling auto_cl.
- PR 11937 from busterb allows the Content-Length header to be optional.
- PR 11933 from wvu adds a default video ID and Unix command shell support to the post/multi/manage/play_youtube module.
- PR 11924 from suzu991154 adds Windows 10 target support for adobe_flash_opaque_background_uaf
- PR 11918 from busterb replaces the use of expand_path methods where possible, reducing the occurrences of expand_path, which is inconsistent.
- PR 11913 from busterb removes Ruby 2.3.8 from the Metasploit test matrix.
- PR 11912 from busterb moves the BigDecimal patch earlier in the boot process. This quiets msfvenom about the impending deprecation of
- PR 11906 from h00die fixes the JTR tags on OSX hashes (since they are standard sha1 and sha512) and adjusts the regex for macOS 10.7 hashes to match properly.
- PR 11862 from NoodleOfDeath adds wordlists for WordPress plugin/theme directories.
- PR 11838 from timwr extends the stdapi user interface extension to add basic commands to send keyboard and mouse input to a meterpreter client.
- PR 11823 from busterb adds improved error messaging for fatal conditions while generating payloads.
- PR 11911 from busterb fixes shell_command_token in the Java and Android payloads.
- PR 11892 from ssyy201506 fixes URI parsing to work properly with reverse_http/s payloads when IPv6 addresses are specified.
- PR 11887 from brimstone fixes the multi/meterpreter_reverse_https payload handler.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
We recently announced the release of Metasploit 5. You can get it by cloning
the Metasploit Framework repo (master branch). To install fresh without using git,
you can use the open-source-only Nightly Installers or the binary installers
(which also include the commercial editions).