Injecting the Time Machine

From contributor timwr comes a new module targeting Time Machine on macOS 10.14.3 and earlier. Specifically, the tmdiagnose binary for these vulnerable versions suffers from a command injection vulnerability that can be exploited via a specially crafted disk label. This new module uses an existing session for exploitation on the target, allowing the Framework user to run a payload as root.

What’s on TV?

If you are nearby to a vulnerable Supra Smart Cloud TV, the answer could be: “Whatever you feel like!” Contributor rootup and our own wvu have a new module which exploits a remote file inclusion vulnerability in the Supra’s openLiveURL function, allowing a local attacker to broadcast fake video without any authentication.

When the Tomcat’s away…

And from our own sinn3r comes a new exploit module targeting Apache Tomcat on Windows. Vulnerable versions of the application (including many of the 7.0 through 9.X releases) contain a CGIServlet component which, when the enableCmdLineArguments setting is set to ‘true’, allows a remote user to execute system commands, leading to remote code execution. While the default value of the enableCmdLineArguments setting is ‘false’ at installation time, the potential for RCE is a nice incentive to try this module out.

New modules (4)

Enhancements and features

  • PR #12023 from wvu-r7 modifies the search command to return the results of any previous search by default, returning nothing if there was no previous search.

Bugs fixed

  • PR #12045 from busterb fixes an issue where reverse_https handlers would report that they did not properly bind to a free port.
  • PR #12044 from mkienow-r7 fixes an SNMP::NoSuchInstance bug in the auxiliary/scanner/snmp/snmp_enum module.
  • PR #12036 from mkienow-r7 fixes a missing workspace bug in the OpenVAS importer.
  • PR #12029 from space-r7 fixes a crash in the creds command when a credential doesn't have a private object associated with it.
  • PR #12025 from wvu-r7 adds fixes to sshexec related to hanging on exec! and blocking close.
  • PR #12022 from jbarnett-r7 deregisters the PASSWORD_SPRAY option from LoginScanner modules, since it is not supported yet.
  • PR #12014 from wvu-r7 fixes a crash in modules that call the get_uri method from the HttpServer library before the service has started.
  • PR #12007 from wvu-r7 changes the behavior of the send_request_cgi and send_request_raw methods in the HttpClient library (technically the underlying code in Rex::Proto::Http::Client) to perform expected behavior when supplied with a zero-second timeout.
  • PR #11976 from timwr fixes the shell command on Android Meterpreter to explicitly use the correct path to the shell binary.
  • PR #11968 from busterb enables UDP support only where there are compatible payloads, removing some broken stager/stage combinations from the payload module list.
  • PR #11923 from CCob corrects a bug from an uninitialized value in the Linux x64 shellfindport payload.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

We recently announced the release of Metasploit 5. You can get it by cloning
the Metasploit Framework repo (master branch). To install fresh without using git,
you can use the open-source-only Nightly Installers or the binary installers
(which also include the commercial editions).