Injecting the Time Machine
From contributor timwr comes a new module targeting Time Machine on macOS 10.14.3 and earlier. Specifically, the tmdiagnose binary for these vulnerable versions suffers from a command injection vulnerability that can be exploited via a specially crafted disk label. This new module uses an existing session for exploitation on the target, allowing the Framework user to run a payload as root.
What’s on TV?
If you are near a vulnerable Supra Smart Cloud TV, the answer could be: “Whatever you feel like!” Contributor rootup and our own wvu have a new module which exploits a remote file inclusion vulnerability in the Supra’s openLiveURL function, allowing a local attacker to broadcast fake video without any authentication.
When the Tomcat’s away…
And from our own sinn3r comes a new exploit module targeting Apache Tomcat on Windows. Vulnerable versions of the application (including many of the 7.0 through 9.X releases) contain a CGIServlet component which, when the enableCmdLineArguments setting is set to ‘true’, allows a remote user to execute system commands, leading to remote code execution. While the default value of the enableCmdLineArguments setting is ‘false’ at installation time, the potential for RCE is a nice incentive to try this module out.
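A defender-side check for the setting described above, as an added example that is not taken from the Metasploit module or the original post: it parses a Tomcat web.xml and reports, for each active CGIServlet declaration, whether enableCmdLineArguments is on. The servlet class name org.apache.catalina.servlets.CGIServlet is supplied here rather than quoted from the post, and the sample web.xml content is constructed.

```python
import xml.etree.ElementTree as ET

CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"

def _local(tag):
    # "{namespace}servlet" -> "servlet"; web.xml usually declares a default namespace
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def audit_web_xml(xml_text):
    """Return (servlet_name, state) for every active CGIServlet declaration.

    state is "enabled", "disabled" or "unset" (setting absent, default applies).
    Commented-out <servlet> blocks are dropped by the parser, so they never match.
    """
    findings = []
    for servlet in ET.fromstring(xml_text).iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != CGI_SERVLET_CLASS:
            continue
        state = "unset"
        for param in servlet:
            if (_local(param.tag) == "init-param"
                    and _child_text(param, "param-name") == "enableCmdLineArguments"):
                value = (_child_text(param, "param-value") or "").lower()
                state = "enabled" if value == "true" else "disabled"
        findings.append((_child_text(servlet, "servlet-name"), state))
    return findings

# Constructed sample: one active CGI servlet with the risky setting, one commented out.
SAMPLE_WEAK = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>enableCmdLineArguments</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
  <!-- <servlet><servlet-name>old-cgi</servlet-name>
       <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class></servlet> -->
</web-app>"""

# The same file with the setting at the safe value.
SAMPLE_FIXED = SAMPLE_WEAK.replace("<param-value>true<", "<param-value>false<")

if __name__ == "__main__":
    for label, doc in (("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED)):
        print(label, audit_web_xml(doc))
```

An "unset" result means the setting falls back to the installed version's default, so treat it as something to confirm against that version rather than as a pass.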
New modules (4)
- Mac OS X TimeMachine (tmdiagnose) Command Injection Privilege Escalation by CodeColorist and timwr, which exploits CVE-2019-8513
- Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability by sinn3r and Yakov Shafranovich, which exploits CVE-2019-0232
- Supra Smart Cloud TV Remote File Inclusion by wvu and Dhiraj Mishra, which exploits CVE-2019-12477
- Serv-U FTP Server prepareinstallation Privilege Escalation by Guy Levin and bcoles, which exploits CVE-2019-12181
Enhancements and features
- PR #12023 from wvu-r7 modifies the search command to return the results of any previous search by default, returning nothing if there was no previous search.
- PR #12045 from busterb fixes an issue where reverse_https handlers would report that they did not properly bind to a free port.
- PR #12044 from mkienow-r7 fixes an SNMP::NoSuchInstance bug in the auxiliary/scanner/snmp/snmp_enum module.
- PR #12036 from mkienow-r7 fixes a missing workspace bug in the OpenVAS importer.
- PR #12029 from space-r7 fixes a crash in the creds command when a credential doesn't have a private object associated with it.
- PR #12025 from wvu-r7 adds fixes to sshexec related to hanging on exec! and blocking close.
- PR #12022 from jbarnett-r7 deregisters the PASSWORD_SPRAY option from LoginScanner modules, since it is not supported yet.
- PR #12014 from wvu-r7 fixes a crash in modules that call the get_uri method from the HttpServer library before the service has started.
- PR #12007 from wvu-r7 changes the send_request_cgi and send_request_raw methods in the HttpClient library (technically the underlying code in Rex::Proto::Http::Client) to behave as expected when supplied with a zero-second timeout.
- PR #11976 from timwr fixes the shell command on Android Meterpreter to explicitly use the correct path to the shell binary.
- PR #11968 from busterb enables UDP support only where there are compatible payloads, removing some broken stager/stage combinations from the payload module list.
- PR #11923 from CCob corrects a bug from an uninitialized value in the Linux x64 shellfindport payload.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
We recently announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions).