Towards a more reliable BlueKeep exploit

zerosum0x0 recently improved the reliability of our BlueKeep exploit after a little soul searching and a helpful cue from Worawit Wang.

In short, the exploit was developed in a lab without the Meltdown patch, which meant more frequent crashes in the wild against targets that have the patch installed, which is highly likely. You can read zerosum0x0's full analysis on his blog. We're just glad it wasn't the lizard people causing those crashes.

Gaining access to Pulse Secure VPN servers

Earlier this year, Orange Tsai and Meh Chang were on a rampage through VPN server software, having discovered more than a few vulnerabilities in popular VPN solutions, such as Palo Alto Networks, Fortinet's FortiGate, and Pulse Secure. They were even able to compromise Twitter via their bug bounty!

Starting with a contribution from Alyssa Herrera and Justin Wagner that exploits a file disclosure vulnerability in Pulse Secure's VPN server, we created a finished module that will download any credentials, hashes, and sessions from a server, allowing an attacker to authenticate to the VPN, potentially as an administrator. A manual mode is also supported to download arbitrary files.

This leads us to the next phase, which uses a valid administrator session from the file disclosure to authenticate a post-auth, remote root RCE against the server, bypassing the software's application whitelisting by using the env(1) command — which is happily permitted. The module can pop a root shell or run an arbitrary command on a vulnerable target.

A major overhaul of password cracking integration

The ever-reliable h00die graced us with a complete and total overhaul of our password cracking integration, notably adding new support for hashcat. Check out the pull request. It's a doozy, and we can't do it enough justice in this wrap-up alone!

New modules (14)

Enhancements and features

  • PR #11695 by h00die is a complete transformation of the cracking system, adding support for additional applications and hash types to use when reversing stored credential details. JtR has been migrated and hashcat has been added using this pattern.
  • PR #12556 by bcoles bumps the maximum size for ASCII art banners to 65,535 bytes.

Bugs fixed

  • PR #12543 by layderv fixes several modules to use myworkspace_id instead of myworkspace.id, the former of which will check if the database is connected first, whereas the latter will crash if not connected.
  • PR #12570 by timwr changes the Msf::Post::Linux::Compile mixin to use the correct Failure class.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub.

We recently announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions).