Payload payday

As we blogged about yesterday, a new form of payload that is compiled directly from C when generated was added by space-7. We hope this is only the first step in a journey of applying the myriad tools that obfuscate C programs to our core payloads, so be sure to check out all the nifty workings of the code! If that wasn't enough, we also got a pair of payloads written for Java's jjs Nashorn engine for JavaScript from bcoles. By the time you can drop a file, there are generally a number of ways to run something, but options are good, this is installed by default on many systems with Java 8+, and it gets shells ^.^

Burgling some Android hashes

Perennial contributors h00die, bcoles, and timwr teamed up to provide a post module for dumping hashes from compromised Android devices and another module for cracking them. This primarily targets phone PINs and pattern locks, which are often short and crack in minutes, even without specialized hardware. While these modules are flashy, it is worth remembering that PINs and patterns are easy to snoop out visually as well, so using a long (10+ character) password or PIN will help keep you secured from l33t hackers and normal shoulder surfers.

Singin' the BlueKeep Blues

We had a pair of PRs from our own wvu-r7 clarifying the documentation around our BlueKeep exploit module, exploit/windows/rdp/cve_2019_0708_bluekeep_rce. While the vulnerability is present across a wide number of releases and configurations, our module currently targets only two: Windows 7 SP1 x64 in the default configuration and Windows Server 2008 R2 x64 with a non-default registry configuration. You can read more of exploit notes in our blog post announcing its release. The module will crash a Windows XP box. The module will crash a Windows 7 x86 box. The module will crash a Windows 2008 R2 x64 box that does not have the correct, non-default registry configuration. It may not always be this way (PRs accepted!), but for now it is important to understand the limitations of this module to prevent unnecessarily crashing important targets.

New modules (4)

New payloads

  • PR #12544 - This PR adds reverse and bind payloads for the jjs tool installed with the JDK.
  • PR #12530 - This adds a new infrastructure for building shell payloads from C source code, and a set of new encrypted stagers and shell payloads that take advantage of the new build system. The shellcode is built at runtime with the mingw-w64 compiler toolchain, which is required in order to take advantage of these payload modules.

Enhancements and features

  • PR #12601 - This updates the ssh_creds module to avoid storing public-only SSH keys, since they cannot be used later.
  • PR #12583 - This adds web reporting methods to the Metasploit 5 data service, re-enabling reporting support for several web vuln modules with Metasploit 5.
  • PR #12581 - This adds a note to the BlueKeep exploit about Windows 7 SP1's default exploitability. The documentation has also been fixed to include the correctly supported targets.
  • PR #12575 - This improves the visibility of a particularly important exploitation caveat for Windows Server 2008 R2 while using the BlueKeep exploit. A Windows Registry key must be modified on vulnerable, standard configurations for exploitation to succeed. Otherwise, the target will crash.
  • PR #12567 - This adds a new banner to the Metasploit console as a tribute to the hacker community.
  • PR #12457 - This revises how workspace operations, particularly renames, are handled in Metasploit 5.

Bugs fixed

  • PR #12593 - This fixes the hash format in the credentials database for Samsung and non-Samsung Android hashes.
  • PR #12589 - This restricts the windows/local/persistence_service module to only execute on supported session types.
  • PR #12588 - This PR removes shell session compatibility from exploit/windows/local/persistence_image_exec_options that was broken due to faulty assumptions about write_file.
  • PR #12585 - This corrects the post/windows/gather/enum_hostfile module to use the post-exploitation API to work with Meterpreter and shell session types.
  • PR #12479 - This fixes an error when running the auxiliary/scanner/sap/sap_mgmt_con_brute_login module.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

We recently announced the release of Metasploit 5. You can get it by cloning
the Metasploit Framework repo (master branch). To install fresh without using git,
you can use the open-source-only Nightly Installers or the binary installers
(which also include the commercial editions).