Happy Summer Solstice, the longest day of the year. We've had a lot of Metasploit activity leading up to Summer. Here’s some more cool stuff to balance out the maximum sun today.

BlueKeep upkeep

Security researcher @TomSellers gave the BlueKeep (CVE-2019-0708) scanner module a lot of tender loving care recently. Among the improvements:

  • Added TLS support to cover servers that require it
  • Documented a large portion of the binary blobs, paving the way for easier future improvements
  • Reorganized the module to allow extraction of code to a possible RDP library in the future
  • Added options for username, hostname, domain name, and IP address, which allows testers to blend in with their target environment better by reducing the module fingerprinting risk.

The updated module was tested against Windows XP SP3, Server 2008 SP2, Server 2016, and Server 2019. It does handle the case of Server 2008 being configured only for RDP Security.

Cisco Prime Infrastructure exploit modules

Security researcher @sinn3r added two new modules exploiting Cisco Prime Infrastructure device management software. Gain RCE with his Health Monitor TarArchive module, which takes advantage of missing directory traversal checks (CVE-2019-1829) while unpacking a tar file. A remote user can upload a JSP payload to Apache Tomcat's web apps directory to allow code execution with root-level privileges. The module is based on Steven Seeley's (@mr_me) research. Authentication is not required.

The Cisco Prime Infrastructure Runrshell Privilege Escalation module exploits a vulnerability in the runshell executable. It is possible to inject commands into the argument list to execute arbitrary code as the root user. The vulnerability was originally discovered by Pedro Ribeiro. The approach has been chained in an exploit targeting CVE-2018-15379 and leveraged in @mr_me's Health Monitor TarArchive PoC.

Overheard in the Metasploit office this week

In reference to a module improvement...

"It pretends to be a default web server and pleads ignorance."

Oftentimes a different perspective is helpful.

"I put on my detective hat. I found the diff."

What fun looks like on the Metasploit team.

"Would be fun to get Mettle running on one of these old Kodak cameras, but figuring out how to get it anywhere is the bigger problem."

New modules (4)

Enhancements and features

  • PR 11966 from OJ changes the HTTP payload callback listener to behave like a default web server when the UUID is missing.
  • PR 11965 from OJ adds a secure command to renegotiate TLV encryption when it's not already in place.
  • PR 11944 from sempervictus adds a new RC4 encrypted bind_tcp stager for Windows x64.
  • PR 11932 from TomSellers adds TLS support and documented packets to the BlueKeep (CVE-2019-0708) scanner module.

Bugs fixed

  • PR 11958 from bcoles fixes the abrt_raceabrt_priv_esc module's yum package version check.
  • PR 11904 from timwr fixes the meterpreter screenshot command, allowing it to upload the DLL only on Windows systems.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

We recently announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions).