Moar Power
OJ Reeves added two new PowerShell transport functions to Metasploit payloads and made modifications to the PowerShell transport binding functionality. The aptly-named Add-TcpTransport function adds an active TCP transport to the current session and the Add-WebTransport function adds an HTTP/S transport to the current session. These functions are fully documented, allowing the user to leverage the Get-Help cmdlet to display usage information. The functions are simply abstractions that work on the built-in Meterpreter transport binding functionality and allow for more PowerShell fun.
Unauthenticated Journey
The Quest KACE Systems Management module by bcoles exploits an unauthenticated command injection vulnerability (CVE-2018-11138) in Quest KACE Systems Management Appliance 8.0 (build 8.0.318) and possibly previous versions. The software includes a /common/download_agent_installer.php script that can be accessed by unauthenticated users to download the agent software. This script requires both an organization ID and agent version parameter, and due to improper input sanitization it allows arbitrary command execution on the host system injected via the organization ID parameter.
Google Summer of Code
Our Google Summer of Code students are fully immersed in each of their projects and the PRs are starting to roll in. If you are curious what they are working on take a quick look at the currently open GSoC PRs. Eliott Teissonniere, one of our students, continues to make Mettle extension enhancements by adding Linux support to the microphone extension. The enhancement allows users to capture audio from the microphone on a remote Linux host, streaming the audio back to Metasploit via a Meterpreter channel.
New Modules
Exploit modules (1 new)
- Quest KACE Systems Management Command Injection by bcoles, Guido Leo, and Leandro Barragan, which exploits CVE-2018-11138
Auxiliary and post modules (4 new)
- HTTP SickRage Password Leak by Shelby Pace and Sven Fassbender, which exploits CVE-2018-9160
- Teradata ODBC SQL Query Module by Ted Raffle (actuated)
- Teradata ODBC Login Scanner Module by Ted Raffle (actuated)
- WebKitGTK+ WebKitFaviconDatabase DoS by Dhiraj Mishra, Hardik Mehta, Manuel Caballero, and Zubin Devnani, which exploits CVE-2018-11646
Improvements
- Customizable duration was added to golden tickets in post/windows/escalate/golden_ticket and Kiwi using mimikatz's /startoffset and /endin parameters, thanks to Hypnoze57.
- PowerShell-based exploits and payloads were fixed after Windows 10 version 1803 introduced an override on GetProcAddress which caused issues with GetMethod, thanks to Yoann Chevalier.
- Documentation was added for auxiliary/scanner/db2/discovery in response to h00die’s attempt to prioritize auxiliary Scanner documentation, thanks to Guilherme Leite.
- Payload generate command simplified, new ways to specify parameters: In the Metasploit 5 development branch, the payload generate command is now directly compatible with msfvenom, and takes the same parameters as well. In addition, parameters for any command can now be entered directly on the command-line! msf5> exploit THINGS=all !
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based off the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.