Metasploit Wrap-Up

Powershell Express Delivery

The web_delivery module is often used to deliver a payload during post exploitation by quickly firing up a local web server. Since it does not write anything on target’s disk, payloads are less likely to be caught by anti-virus protections. However, since Microsoft added Antimalware Scan Interface (AMSI) protection to defend from attacks performed by scripting languages, it started to get harder to successfully execute Powershell payloads with web_delivery. Fortunately for us, community contributor phra added support for a Powershell AMSI bypass to web_delivery module. Note that this bypass has been added to the rex-powershell library by the same community member earlier this year (here and here).

Everybody loves Pre-Auth RCE

Community contributor mekhalleh added an exploit module that gains unauthenticated remote code execution in vBulletin v5.0.0 through v5.5.4. This zero-day vulnerability was recently disclosed and takes advantage of a flaw in vBulletin widget creation functionality. Arbitrary commands can be executed by sending an HTTP POST request with specially crafted parameters. Two POST data parameters need to be set: routestring=ajax/render/widget_php and widgetConfig[code]=<your command>.

Abusing headless Chrome

Since Chrome 59, it is possible to run in headless mode and take advantage of all modern web platform features from command line without actually launching the browser UI. It is particularly useful for debugging, but it can lead to some security issues when not configured correctly. Community contributor nstarke added an auxiliary module that primarily aims to retrieve arbitrary files off the remote target by abusing misconfigured headless Chrome sessions. This module is also able to make web requests from the remote machine and send back the content.

What’s Up, Doc?

Community contributor kenlacroix (Kenneth LaCroix) added documentation for five more modules this week. Adding missing documentation is always great, especially for people that are new to Metasploit. This is something we wanted to call out this week, so, thank you!

New modules (3)

• vBulletin widgetConfig RCE by mekhalleh (RAMELLA Sébastien), which exploits CVE-2019-16759, anonymously disclosed on Full Disclosure mailing list
• Chrome Debugger Arbitrary File Read / Arbitrary Web Request by evilpacket (Adam Baldwin) and nstarke (Nicholas Starke)
• BSD Dump Password Hashes by bcoles

Enhancements and features

• PR #12679 by bcoles removes file_local_digestsha1, file_local_digestsha2 and file_local_digestmd5 methods from the Post::File API
• PR #12675 by busterb updates Kiwi extension with latest Mimikatz
• PR #12668 by busterb adds several improvements to Meterpreter (see this Releases Notes for details)
• PR #12663 by jmartin-r7 updates methods for reporting data to the DB
• PR #12662 by HenryHoggard updates post/multi/gather/gpg_creds module to support gathering of GPG version 2.1+ keys
• PR #12561 by busterb adds several memory utilization improvements
• PR #12446 by phra adds support for a powershell AMSI bypass which enables the web_delivery module to bypass Windows defender on Windows 10

Bugs fixed

• PR #12699 by busterb fixes an issue for payloads that utilize UUIDS
• PR #12695 by adamgalway-r7 fixes incorrect check status for auxiliary modules returned by search
• PR #12686 by phra fixes an issue with msfvenom exiting before trying all encoders (reported by phra in #12685)
• PR #12673 by FenixH fixes an issue in the credentials RPC command to avoid a Nil object dereference and some minor bugs in the autoroute and web_delivery modules (reported by FenixH in #12460)
• PR #12672 by cdelafuente-r7 fixes an issue in the OptString validation method
• PR #12666 by cnotin cleans up the %WINDIR% environment variable before calling the PowerShell payload in exploit/windows/local/bypassuac_silentcleanup module (reported by cnotin in #12665)
• PR #12614 by MangyCoyote fixes an issue in post/multi/gather/ssh_creds module when reading files (reported by MangyCoyote in #12609)
• PR #12577 by Green-m fixes an issue with linux/redis/redis_unauth_exec module when the module cannot bind to a NATed or load-balanced address

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 5.0.63…5.0.64
• Full diff 5.0.63…5.0.64

We recently announced the release of Metasploit 5. You can get it by cloning
the Metasploit Framework repo (master branch). To install fresh without using git,
you can use the open-source-only Nightly Installers or the binary installers
(which also include the commercial editions).