Exploiting Windows tools
There are two new Windows modules this week, both brought to you by the Metasploit team.
The Windows Silent Process Exit Persistence module, from our own bwatters-r7, exploits a Windows tool that allows for debugging a specified process on exit. With escalated privileges, an attacker can configure the debug process and then use the module to upload a payload which will launch every time the specified binary exits.
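As an added defender-side example (not part of the wrapup or of the module), the PowerShell below audits the registry keys that this persistence mechanism relies on: the SilentProcessExit subkey per image and the GlobalFlag monitor bit (0x200) in the matching Image File Execution Options key, both documented Windows locations. The Suspicious heuristic is this example's own, not a Metasploit or Windows definition.

```powershell
# Added example: enumerate SilentProcessExit entries and report which ones are armed
# to launch a MonitorProcess when the named image exits. Run from an elevated prompt.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$spe  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit'
$FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200   # GlobalFlag bit that enables the monitor
$REPORT_LAUNCH_MONITOR           = 0x1     # ReportingMode bit: launch MonitorProcess

if (-not (Test-Path $spe)) {
    Write-Output 'No SilentProcessExit key present; nothing is configured.'
    return
}

Get-ChildItem $spe | ForEach-Object {
    $image   = $_.PSChildName                     # e.g. notepad.exe
    $entry   = Get-ItemProperty $_.PSPath
    $monitor = $entry.MonitorProcess              # command run when $image exits
    $mode    = $entry.ReportingMode

    # The monitor only fires if the per-image IFEO GlobalFlag has bit 0x200 set.
    $gflag = (Get-ItemProperty -Path (Join-Path $ifeo $image) -Name GlobalFlag `
                -ErrorAction SilentlyContinue).GlobalFlag
    $armed = (($gflag -band $FLG_MONITOR_SILENT_PROCESS_EXIT) -ne 0) -and
             (($mode  -band $REPORT_LAUNCH_MONITOR) -ne 0)
    $gflagText = if ($null -ne $gflag) { '0x{0:X}' -f $gflag } else { '(unset)' }

    [pscustomobject]@{
        Image          = $image
        MonitorProcess = $monitor
        ReportingMode  = $mode
        GlobalFlag     = $gflagText
        # Heuristic for this example: an armed monitor with a non-empty command.
        Suspicious     = $armed -and -not [string]::IsNullOrEmpty($monitor)
    }
} | Format-Table -AutoSize
```

Any row with Suspicious set to True deserves a look at the MonitorProcess command and at who last modified the key; legitimate debugging setups are rare on production hosts.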
The File Sharing Wizard - POST SEH Overflow module, contributed by our own dwelch-r7, exploits a vulnerability in the Windows File Sharing Wizard. An unauthenticated HTTP POST Structured Exception Handler (SEH) buffer overflow allows a remote attacker to obtain arbitrary code execution on vulnerable Windows targets.
Untitled Goose Banner
A contribution by 0xGilda addresses a glaring omission from msfconsole, which is its lack of Untitled Goose Game homages. A new goose banner has been added, which you can now see on startup. HONK!
```
                                                  ___          ____
                                              ,-""   `.      < HONK >
                                            ,'  _   e )`-._ /  ----
                                           /  ,' `-._<.===-'
                                          /  /
                                         /  ;
                             _          /   ;
                (`._    _.-"" ""--..__,'    |
                <_  `-""                     \
                 <`-                          :
                  (__   <__.                  ;
                    `-.   '-.__.      _.'    /
                       \      `-.__,-'    _,'
                        `._    ,    /__,-'
                           ""._\__,'< <____
                                | |  `----.`.
                                | |        \ `.
                                ; |___      \-``
                                \   --<
                                 `.`.<
                                   `-'

       =[ metasploit v5.0.54-dev-82c77a4ec8            ]
+ -- --=[ 1931 exploits - 1079 auxiliary - 332 post       ]
+ -- --=[ 556 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

msf5 >
```
New modules (2)
- File Sharing Wizard - POST SEH Overflow by Dean Welch and x00pwn, which exploits CVE-2019-16724
- Windows Silent Process Exit Persistence by Mithun Shanbhag and Brendan Watters
Enhancements and features
- PR #12398 by nsa adds documentation for the auxiliary/scanner/ssh/ssh_version module.
- PR #12368 by h00die adds documentation for the auxiliary/server/capture/smb module.
- PR #12396 by bwatters-r7 updates metasploit-payloads to version 1.3.78, which adds support for key event management in Java payloads.
- PR #12388 by zeroSteiner adds metadata to the SMB client library, which enables detection of required signatures for incoming connections to the target host.
Bugs fixed
- PR #12432 by busterb fixes a false negative bug in the BlueKeep scanner by checking the length of the result from an rdp_recv call in the RDP library.
- PR #12404 by bcoles fixes a bug with the shell session handler that resulted in unexpected deletion of directories when the path contained a space.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

We recently announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions).