BlueKeep is Here
The BlueKeep exploit module is now officially a part of Metasploit Framework. This module reached
merged status thanks to lots of collaboration between Rapid7 and the MSF community members. The module requires some manual configuration per target, and targets include both virtualized and non-virtualized versions of Windows 7 and Windows Server 2008. For a full overview of the exploit’s development and notes on use and detection, see Brent Cook’s write-up here. Please exploit responsibly.
Brocade Device Modules
If you’re looking to exploit some Brocade ICX devices, h00die has you covered. A post module and an auxiliary module have been contributed to Framework by one of our community members, h00die. The modules gather files and useful information about the target device and store the data in MSF’s database.
ABRT Privilege Escalation
bcoles added an exploit module that attempts to escalate privileges on Red Hat Enterprise Linux versions with Automatic Bug Reporting Tool (ABRT) configured as the system’s crash handler. The vulnerability lies in the fact that the software uses a temporary directory that gives write access to local users. This enables a symlink attack that can result in root privileges.
New modules (5)
- ABRT sosreport Privilege Escalation by bcoles and rebel, which exploits CVE-2015-5287
- CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free by Brent Cook, OJ Reeves, Ryan Hanson, and Sean Dillon, which exploits CVE-2019-0708
- Brocade Configuration Importer by h00die
- Brocade Gather Device General Information by h00die
- Mazda 2 Instrument Cluster Accelerometer Mover by Jay Turla
Enhancements and features
- PR 12349 by OJ adds HTTP header and proxy options to the Windows and Python stageless Meterpreter payloads.
- PR 12314 by cnotin adds support for using both the
file:syntax with the
RHOSTSoption and documents the usage of both syntaxes.
- PR 12295 by AstroZombieSG adds support for functions 2 and 4 in
- PR 12258 by gkweb76 updates
post/windows/gather/credentials/gpp.rbto return the Group Policy Object (GPO) name in its results.
- PR 12353 by wvu-r7 limits the output of the BlueKeep scanner to vulnerable hosts by default.
- PR 12354 by dwelch-r7 removes unnecessary
TARGEToptions from auxiliary and post modules.
As always, you can update to the latest Metasploit Framework with
msfupdate and you can get more details on the changes since the last blog post from GitHub:
We recently announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions).