Fall is in the air, October is on the way, and it is Friday the 13th. We have a lot of updates and features that landed this week, though none are particularly spooky, and unfortunately, none are json-related…1
We recently updated our digital signing keys, and some users may have seen warnings that their Metasploit packages were not signed. We’ve fixed this as of this week—apologies for any confusion. If you are still experiencing signing issues, you may need to re-download Metasploit installers that failed verification. It may take a few days for our partners to update the installers they host to pick up the new signature.
@sinn3r’s zipslip exploit works against multiple targets utilizing unsafe extraction code that fails to check for directory traversal attacks. Make sure that any time you accept unknown (and maybe even known) zip files, you check the directory list for anything containing the folder-up character sequence ‘..’.
Under the heading of “Free Space”, our own space-r7 dropped a new exploit module targeting LibreNMS Collectd service.
Rapid7’s @tychos_moose teamed up with community contributor, timwr, and through a fortunate misunderstanding created two different bypassuac modules targeting the Windows 10 Store cache reset binary, WSReset.exe. While verifying Tim’s module, it looked nothing like the PoC I found online. It turns out that WSReset.exe auto elevates and then runs both a dll file subject to hijacking and whatever exe is listed in a low-privileged registry key. The modules were based on work by ACTIVELabs and sailay1996. It turns out that not only does WSReset.exe have a dll hijacking vulnerability, it also has a registry hijacking vulnerability, too!
Evasion modules have been getting more attention lately, and a good bit of why is community member NickTyrer. They came through again and added a new evasion module that evadesSoftware Restriction Policies and Applocker by using the trusted binary Microsoft.Workflow.Compiler.exe
Everyone’s favorite exploit, BlueKeep, is still being community-developed as a pull request before we release it officially as part of framework. Feel free to grab it and play, and feel even more free to help us make it better!
1 If this joke missed you, see: https://en.wikipedia.org/wiki/Friday_the_13th_(franchise)
New modules (7)
- LibreNMS Collectd Command Injection by Eldar Marcussen and Shelby Pace, which exploits CVE-2019-10669
- Generic Zip Slip Traversal Vulnerability by sinn3r and Snyk
- October CMS Upload Protection Bypass Code Execution by Anti Räis, SecureLayer7.net, and Touhid M.Shaikh, which exploits CVE-2017-1000119
- Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe) by ACTIVELabs, sailay1996, and timwr
- Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe) and Registry by ACTIVELabs, bwatters-r7, and sailay1996
- OpenEMR 5.0.1 Patch 6 SQLi Dump by Will Porter, which exploits CVE-2018-17179
- Applocker Evasion - Microsoft Workflow Compiler by Matt Graeber and Nick Tyrer
Enhancements and features
We added a lot of features and enhancements this time around with the release of a big update to the metasploit-payloads package. AmAMong fixes and updates, timwr sent us a new payloads feature that allows a Meterpreter session to send keystrokes to the user workspace. Check it out: https://github.com/rapid7/metasploit-framework/pull/11984
Several bug-fixes went out with the payload update including fixes to better support python3, removing NDK from our android build process, improvements to the PHP cryptTLV negotiation, more accurate output for modern Windows server versions, and improvements to the java payloads ‘ls’ command to make it behave more naturally.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
We recently announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions).