A2K19: MSF community hackathon update

Planes, trains and automobiles brought together the Metasploit team and a group of Metasploit committers under one roof. Problems were discussed, ideas were proposed, solutions were debated, code was written and PRs landed. The hackathon helped create an even stronger sense of camaraderie between the Metasploit team and committers.

Among things landed this week from the hackathon, busterb worked with Op3n4M3 and timwr to get Mettle’s iOS dylib support packaged. This made its debut with timwr’s exploit module for CVE-2018-4233 on iOS and should work on all 64-bit iOS 10 to 11.2 devices.
busterb also performed a tree-wide cleanup of the ‘expand_path’ API usage, switching to sys.config.getenv in order to get consistent results across all session types. timwr also fixed a race condition in the Java/Android cmd_exec and shell_command_token, increasing the reliability of Java exploit cleanup. Finally, wvu changed the default video ID and added Unix command shell support to the post/multi/manage/play_youtube module to facilitate hacking while listening to the never-ending Epic Sax Guy.

Look forward to a more detailed post on the Austin Metasploit Hackathon 2019 (A2K19) in the future!

Flexible shell deployments

b0yd of Securifera both discovered the vulnerability and contributed the IBM WebSphere Application Server Network Deployment RCE exploit module for CVE-2019-4279. The exploit/windows/ibm/ibm_was_dmgr_java_deserialization_rce module achieves arbitrary command execution and upload of an arbitrary file as SYSTEM due to a lack of proper authentication checks. The module serializes the Java objects that the IBM WebSphere server expects; because the WAS DMGR server and cells process this untrusted serialized data, the result is remote code execution. WebSphere Application Server ND versions 8.5 and 9.0 and WebSphere Virtual Enterprise version 7.0 are vulnerable. The WebSphere Application Server ND agent is installed on servers with the network deployment feature and is found listening on TCP port 11002, 11004 or 11006.
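The WAS DMGR issue above belongs to the Java deserialization bug class: a service reads an untrusted object stream and instantiates whatever classes the stream names. The added example below (written for this post, not WebSphere's or Metasploit's code) shows the standard JDK 9+ mitigation, an ObjectInputFilter that allows only the one message class the service expects (a hypothetical Ping type) and rejects every other class before its deserialization logic runs; the HashMap used as the rejected input is a constructed stand-in for any unexpected object.

```java
import java.io.*;
import java.util.HashMap;

public class DeserializationFilterDemo {
    // Hypothetical message type this service legitimately expects to receive.
    public static final class Ping implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Ping(String text) { this.text = text; }
    }

    // Allow list: only the expected class and the String it carries; "!*" rejects
    // everything else. The limits bound depth, reference count and stream size so a
    // crafted stream cannot exhaust resources before the class check fires.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "DeserializationFilterDemo$Ping;java.lang.String;!*;maxdepth=5;maxrefs=50;maxbytes=4096");

    // Read one object from untrusted bytes with the filter installed on the stream.
    static Object readUntrusted(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    // Helper to build sample streams for the demo.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // The expected message type passes the filter.
        Ping p = (Ping) readUntrusted(serialize(new Ping("hello")));
        System.out.println("accepted: " + p.text);

        // A constructed, unexpected class is refused with InvalidClassException
        // ("filter status: REJECTED") before any of its readObject code executes.
        try {
            readUntrusted(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A process-wide default filter can be set instead with the jdk.serialFilter system property, which is the practical option when the deserializing code is a vendor product you cannot patch.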

New modules (3)

Enhancements and features

  • PR 11938 from timwr provides a temporary bugfix for how we interpret quotes in meterpreter commands. Currently, Python on Windows handles quotation marks differently than exe or Java meterpreter handles them. This fix adapts the test to verify that they work, but not that they are treated equally.
  • a2k19 PR 11945 from busterb fixes a bug in the http payloads where we may have been overly-aggressive in disabling auto_cl.
  • a2k19 PR 11937 from busterb allows the Rex::Proto::Http::Packet Content-Length header to be optional.
  • a2k19 PR 11933 from wvu adds a default video ID and Unix command shell support to post/multi/manage/play_youtube.
  • PR 11924 from suzu991154 adds Windows 10 target support for adobe_flash_opaque_background_uaf.
  • a2k19 PR 11918 from busterb replaces calls to the expand_path methods wherever possible, reducing reliance on an API whose behaviour is inconsistent across session types.
  • a2k19 PR 11913 from busterb removes Ruby 2.3.8 from the Metasploit test matrix.
  • a2k19 PR 11912 from busterb moves the BigDecimal patch earlier in the boot process. This silences the msfvenom warning about the impending deprecation of BigDecimal.new.
  • a2k19 PR 11906 from h00die fixes the JTR tags on OSX hashes (since they are standard sha1 and sha512) and adjusts the regex for macOS 10.7 hashes to match properly.
  • PR 11862 from NoodleOfDeath adds wordlists for WordPress plugin/theme directories.
  • PR 11838 from timwr extends the stdapi user interface extension to add basic commands to send keyboard and mouse input to a meterpreter client.
  • PR 11823 from busterb adds improved error messaging for fatal conditions while generating payloads.

Bugs fixed

  • a2k19 PR 11911 from busterb fixes cmd_exec and shell_command_token in the Java and Android payloads.
  • PR 11892 from ssyy201506 fixes URI parsing to work properly with reverse_http/s payloads when IPv6 addresses are specified.
  • PR 11887 from brimstone fixes the multi/meterpreter_reverse_https payload handler.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

We recently announced the release of Metasploit 5. You can get it by cloning
the Metasploit Framework repo (master branch). To install fresh without using git,
you can use the open-source-only Nightly Installers or the binary installers
(which also include the commercial editions).