Initial exploit PR for BlueKeep

At our (final!) DerbyCon Town Hall today, the Metasploit team announced the release of an initial exploit module PR for CVE-2019-0708, aka BlueKeep. We received PoC exploit code from Metasploit contributor zerosum0x0 earlier this summer; since then, a group of longtime committers and community members have been working with the Framework development team to test, extend, and integrate the PoC code into Metasploit. There are a number of important notes on exploitation and detection that users should be aware of. See the full write-up on the initial exploit module PR for details.

Huge thanks to everyone who lent their hands and their brainpower to the collective development effort. In particular, thanks to @zerosum0x0, @ryHanson, @TheColonial, @rickoates, @zeroSteiner, and @TomSellers. We wish you all many shells.

We're looking forward to working with the community to improve the exploit's reliability, expand the target list, and add support for automatic targeting, for a start. Interested in joining the list of contributors and testers? Get started here!

Five fantastic Cisco exploits

Contributor pedrib added four new exploit modules targeting Cisco products. Two of the exploits are related to the UCS Director virtual appliance. Module linux/http/cisco_ucs_rce combines authentication bypass to administrator (CVE-2019-1937) and command injection using a password change form (CVE-2019-1936) to achieve remote code execution as root. Module linux/ssh/cisco_ucs_scpuser takes advantage of a common default password weakness. The appliance is shipped with user scpuser that has the password scpuser. This vulnerability (CVE-2019-1935) allows an attacker to gain access to the virtual appliance through ssh. Both modules have been tested on the Cisco UCS Director virtual machines 6.6.0 and 6.7.0.

The other two modules target the Cisco Data Center Network Manager (DCNM) web interface. Module multi/http/cisco_dcnm_upload_2019 enables an authenticated user to achieve RCE by exploiting the FileUploadServlet to place a WAR file into the Apache Tomcat webapps directory. This module also targets an authentication bypass vulnerability and an information disclosure vulnerability (CVE-2019-1622) to obtain the WAR file upload path. Module auxiliary/admin/cisco/cisco_dcnm_download exploits a servlet to download arbitrary files as root (CVE-2019-1621). These modules were tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1). Only version 11.0(1) requires authentication to exploit.

Contributor QKaiser added module linux/http/cve_2019_1663_cisco_rmi_rce.rb, which exploits a weakness in the web interface of Cisco's RV110W Wireless-N VPN Firewall, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router. The web interface does not properly validate user input. An unauthenticated attacker can send malicious HTTP requests to achieve arbitrary code execution as a high-privileged user.

Overheard in the Metasploit office this week

Common developer optimism...
"It turns out 15 minutes was not enough to finish it."

After reading some great press about us...
"It really is a love song to Metasploit, for sure."

On the high level of quality from Metasploit contributors...
"Those are two dope-ass modules"

New modules (8)

Enhancements and features

PR 12271 from RageLtMan improves the reliability of Linux x86 and x64 reverse TCP stagers by preventing premature reads of the final Meterpreter payload.

PR 12223 from acammack-r7 introduces a new procedure that transparently redirects users to new modules when deprecated ones are deleted.

Bugs fixed

PR 12273 from space-r7 corrects the handler type for linux/x64/pingback_bind_tcp

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

We recently announced the release of Metasploit 5. You can get it by cloning
the Metasploit Framework repo (master branch). To install fresh without using git,
you can use the open-source-only Nightly Installers or the binary installers
(which also include the commercial editions).