Brendan Watters

Metasploit Wrapup

Blog post created by Brendan Watters (Rapid7 employee) on Jun 16, 2017

A fresh, new UAC bypass module for Windows 10!

Leveraging the behavior of fodhelper.exe, an auto-elevating Windows binary, and a registry key that a standard user is allowed to write to, you too can be admin! Unpatched as of last week, this bypass module works on Windows 10 only, but it works like a charm!

Reach out and allocate something

This release offers up a fresh denial/degradation-of-service exploit against hosts running a vulnerable version of rpcbind. Specifically, you can repeatedly make the remote host allocate up to four gigabytes of RAM per request, with predictably bad results. It becomes worse when you realize that rpcbind does not track these allocations, so the memory is never freed. As a bonus, the granularity of the module accommodates those who wish to be truly evil by allowing them to simply degrade a host's performance, rather than completely crashing it.

Hardware agnosticism

Thanks to our great community, this release contains a fix for a troublesome bug where a Meterpreter session would crash under a specific set of circumstances when running on an AMD CPU. The exact cause is yet to be determined, but it appears the AMD chip becomes confused about the memory it can access, and inserting an otherwise bogus move instruction causes the chip to recover or somehow right itself, allowing it to execute the originally offending instruction. If you are a bit of a hardware junkie, feel free to read more.

Improved reporting

There were multiple fixes to help in a less exciting, but still incredibly important, aspect of pen-testing: reporting. We fixed a bug in vulnerability reporting where Metasploit was not correctly tracking the vulnerabilities it had attempted to exploit, so reports were less accurate than they could be. Also, an update to our scanner modules adds more CVE references to each scan result, allowing better reporting and easier research into methods of attack.

Download now supports terrible networks

A new feature allows Metasploit users to control the block size when downloading files. In most cases, this is not important, but on a network that is slow or laggy, the ability to control block size will result in more reliable downloads. Included is an adaptive flag that halves the block size every time a block transfer fails. If you've never had to red team on a bad network, count yourself lucky; if you have, you'll love this new feature.
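To illustrate the halving behaviour described above, here is an added example written for this post (not Metasploit's own download code); FlakyChannel and its size threshold are constructed stand-ins for a lossy link that drops blocks above a certain size.

```ruby
# Constructed stand-in for a lossy link: any block larger than max_ok bytes
# is "lost" and raises, which is how the adaptive logic learns to back off.
class FlakyChannel
  attr_reader :failures

  def initialize(data, max_ok:)
    @data, @max_ok, @failures = data, max_ok, 0
  end

  # Read up to `size` bytes at `offset`; a block too large for the link fails.
  def read(offset, size)
    size = [size, @data.bytesize - offset].min
    if size > @max_ok
      @failures += 1
      raise IOError, "block of #{size} bytes lost in transit"
    end
    @data.byteslice(offset, size)
  end
end

# Download `total` bytes in blocks of `block_size`. When `adaptive` is true,
# each failed block halves the block size (never below `min_block`) and the
# same offset is retried; when false, the first failure aborts the download.
# Returns [data, final_block_size, attempts].
def adaptive_download(channel, total, block_size:, adaptive: true,
                      min_block: 64, max_attempts: 1000)
  out = +""
  offset = 0
  attempts = 0
  while offset < total
    attempts += 1
    raise IOError, "gave up after #{max_attempts} attempts" if attempts > max_attempts
    begin
      chunk = channel.read(offset, block_size)
      out << chunk
      offset += chunk.bytesize
    rescue IOError
      # Non-adaptive mode, or already at the floor: surface the failure.
      raise unless adaptive && block_size > min_block
      block_size = [block_size / 2, min_block].max
    end
  end
  [out, block_size, attempts]
end

# Constructed sample: a 10,000-byte file over a link that drops blocks over 1,500 bytes.
SAMPLE = "A" * 10_000
got, final_size, tries = adaptive_download(FlakyChannel.new(SAMPLE, max_ok: 1500),
                                           SAMPLE.bytesize, block_size: 8192)
puts "got #{got.bytesize} bytes, settled on #{final_size}-byte blocks after #{tries} reads"
```

With the sample above the transfer fails at 8192, 4096 and 2048 bytes, settles at 1024 and completes in 13 reads; the same link with the adaptive flag off aborts on the first block.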

It happens to the best of us

In addition to adding functionality and fixing user bugs, this release also includes a security fix reported by our community. The reported CSRF vulnerability is now patched; we send a hearty thank you to the reporter, @SymbianSyMoh!

New Modules

Exploit modules (2 new)

Auxiliary and post modules (1 new)

* RPC DoS targeting *nix rpcbind/libtirpc by Pearce Barry and guidovranken exploits CVE-2017-8779

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.