Android Binder Use-After-Free

Metasploit contributor @timwr added a module that exploits CVE-2019-2215, a local privilege escalation vulnerability targeting Binder, the main Inter-Process Communication system in Android. If delivered via the web, only a paired renderer exploit is required, because Binder is reachable from within the sandbox. Three malicious apps disguised as photography and file manager tools were found on the Google Play Store that exploit this vulnerability. A number of Android devices are affected, including the Pixel 2 with Android 9 and 10. Currently this module works on the Pixel 2 (and Pixel 2 XL) with the September 2019 Security patch level.

OpenNetAdmin 18.1.1 Remote Code Execution

Contributor Onur ER added a Metasploit module exploiting a remote code execution vulnerability in OpenNetAdmin 18.1.1. OpenNetAdmin is a tool for managing IP inventory. Each subnet, host, and IP can be tracked via an AJAX-enabled web interface. OpenNetAdmin also provides a full CLI for convenience when scripting and performing bulk work. The exploit performs command injection by taking advantage of missing input validation. Authentication is not required.

Overheard in the Metasploit office this week

Might as well, since you're there...

"Person A: I really appreciate your ‘when in Rome’ coding style changes. Person B: haha I try to blend in as much as I can"

When "self-commenting" code doesn't cut it...

"At least when you see some disclaimer comments you know that the person who wrote it knew that it was bad. When you don't see any comments at all, it’s natural to think that they legitimately thought it was a good idea."

So many blogs, so little time...

"My inability to understand Ruby dependencies has once again caused me to fall in a rabbit hole, and I'm tired of wasting time reading 12 blogs that tell me 12 ways to do this because each one is subtly smarter."

New modules (2)

Enhancements and features

  • PR 13005 from adfoster-r7 adds pry-byebug to offer a more fulfilling interactive debugging experience for Metasploit developers.

  • PR 12995 from cdelafuente-r7 adds support for SMBv2 to the pipe auditor auxiliary module.

  • PR 12978 from Adrian Vollmer adds options to support earlier additions to rex-powershell, allowing RC4 encoding of PowerShell payloads.

  • PR 12964 from adamgalway-r7 adds an RPC endpoint that returns the total number of modules in the ready, running, and results states.

  • PR 12960 from dwelch-r7 adds support for deleting job results after they have gone un-acked by a JSON-RPC client for 5 minutes.

  • PR 12916 from wvu-r7 adds support for colorized HttpTrace output, with an additional HttpTraceHeadersOnly option to only show HTTP headers when HttpTrace is enabled.

  • PR 12865 from b4rtik adds additional functionality and options to the reflective_dll_injection module to make it more flexible and useful with third-party DLLs.

  • PR 12002 from sempervictus adds a new ssh transport for payloads and a new ssh payload.

Bugs fixed

  • PR 12921 from 0x44434241 fixes the check method for windows/local/ms16_075_reflection_juicy.

  • PR 12976 from adfoster-r7 adds additional logging to Metasploit's PostgreSQL protocol client when it encounters an unknown authentication type, rather than raising an exception later.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).