Towards a more reliable BlueKeep exploit
In short, the exploit was developed in a lab without the Meltdown patch, which meant more frequent crashes in the wild against targets that have the patch installed — a high likelihood. You can read zerosum0x0's full analysis on his blog. We're just glad it wasn't the lizard people causing those crashes.
Gaining access to Pulse Secure VPN servers
Earlier this year, Orange Tsai and Meh Chang were on a rampage through VPN server software, having discovered more than a few vulnerabilities in popular VPN solutions, such as Palo Alto Networks, Fortinet's FortiGate, and Pulse Secure. They were even able to compromise Twitter via their bug bounty!
Starting with a contribution from Alyssa Herrera and Justin Wagner that exploits a file disclosure vulnerability in Pulse Secure's VPN server, we created a finished module that will download any credentials, hashes, and sessions from a server, allowing an attacker to authenticate to the VPN, potentially as an administrator. A manual mode is also supported to download arbitrary files.
This leads us to the next phase, which uses a valid administrator session from the file disclosure to authenticate a post-auth, remote root RCE against the server, bypassing the software's application whitelisting by using the
env(1) command — which is happily permitted. The module can pop a root shell or run an arbitrary command on a vulnerable target.
A major overhaul of password cracking integration
The ever-reliable h00die graced us with a complete and total overhaul of our password cracking integration, notably adding new support for hashcat. Check out the pull request. It's a doozy, and we can't do it enough justice in this wrap-up alone!
New modules (14)
- Xorg X11 Server Local Privilege Escalation by Narendra Shinde and Zack Flack, which exploits CVE-2018-14665
- Bludit Directory Traversal Image File Upload Vulnerability by sinn3r and christasa, which exploits CVE-2019-16113
- Pulse Secure VPN Arbitrary File Disclosure by wvu, Alyssa Herrera, Justin Wagner, Meh Chang, and Orange Tsai, which exploits CVE-2019-11510
- Pulse Secure VPN Arbitrary Command Execution by wvu, Meh Chang, and Orange Tsai, which exploits CVE-2019-11539
- CMS Made Simple Authenticated RCE via object injection by Daniele Scanu, which exploits CVE-2019-9055
- FreeSWITCH Event Socket Command Execution by bcoles
- FusionPBX Command exec.php Command Execution by bcoles
- FusionPBX Operator Panel exec.php Command Execution by Dustin Cobb and bcoles, which exploits CVE-2019-11409
- Password Cracker: AIX by hdm, h00die, and theLightCosine
- Password Cracker: Databases by hdm, h00die, and theLightCosine
- Password Cracker: Linux by hdm, h00die, and theLightCosine
- Password Cracker: OSX by h00die
- Password Cracker: Webapps by h00die
- Password Cracker: Windows by hdm, h00die, and theLightCosine
Enhancements and features
- PR #11695 by h00die is a complete transformation of the cracking system, adding support for additional applications and hash types to be utilized during reversing of stored credential details. JtR has been migrated and Hashcat has been added using this pattern.
- PR #12556 by bcoles bumps the maximum size for ASCII art banners to 65,535 bytes.
- PR #12543 by layderv fixes several modules to use
myworkspace.id, the former of which will check if the database is connected first, whereas the latter will crash if not connected.
- PR #12570 by timwr changes the
Msf::Post::Linux::Compilemixin to use the correct
As always, you can update to the latest Metasploit Framework with
msfupdate and you can get more details on the changes since the last blog post from GitHub:
We recently announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions).