- Exploit vulnerable versions of Apache Struts to execute arbitrary code
- Exploit image uploaders that leverage ImageMagick to upload malicious SVG/MVG files
- Use the new 'resolve' command to perform DNS lookups
- Create a reverse port forward within a remote Meterpreter session to send connections back to a local port
- Fixed style issues with JCL payloads (PR-6810) - This fix changes JCL payloads so that they use a static size and updates the payload cached size to tool to work with the MetasploitModule class names. It also includes a fix for PR-6809, which modifies how the LPORT hex conversions are done.
- Large files could not be imported on Windows (PR-6824 / MS-255) - Importing files that were larger than 250MB caused a memory allocation error on Windows systems. Improvements to the importer now make it possible to import large files on Windows systems.
- Fixed non-standard local redirect behavior (PR-6821) - When an HTTP server returns a relative path that begins with a dot, an invalid GET request path format is used, and the redirect fails. This fixes issue #6806 and issue #6820.
- Unexpected syntax in PHP caused Meterpreter to die (PR-6826 / PR-96) - A syntax error in older versions of PHP, such as 5.3.6-13, caused Meterpreter to die as soon as it opened a session. This fixes the syntax error and bumps metasploit-payloads to 1.1.8.
- Fixed content length for Rex HTTP client (PR-6827) - Some modules, such as winrm_login, failed because the Rex HTTP client did not follow RFC-7230. This fix adds the missing content-length header in HTTP to resolve this issue. This fixes issue #6398.
- Documentation was not generated if a module was not loaded (PR-6843) - The 'info -d' command previously only worked if a module was loaded. Now, this command works outside the context of a module. Running 'info -d <module path>' now generates documentation as expected.
- Hashdump modules did not handle Unicode correctly (PR-6850) - Recent Unicode fixes for Meterpreter broke registry class reads, which caused hashdump modules to fail. This fix reverts the dynamic buffer method back to a static buffer method. It also bumps the metasploit-payloads gem to 1.1.10.
- AWS SES rejected email from Metasploit (PR-6854 / MS-1476) - The email header contained duplicate date and subject headers, which caused email servers, like AWS SES, to reject the emails. This fix removes the duplicate headers so that emails can be sent successfully.
- Running the task chain twice caused it to fail (MS-303) - Attempting to run a task chain when it is already running causes it to fail. This fix disables the 'Run' buttons when a task chain run is in progress.
- Automatic tags weren't being applied (MS-965) - During discovery scans and imports in Metasploit Pro, tags were not being automatically applied to hosts. This fix modifies how hosts are stored so that new hosts are tagged correctly when they are added to a project.
- The Phishing Wizard only created a project (MS-1416) - The Phishing Wizard enables you to create a project and progress to the campaign configuration page in a single workflow. An issue caused the Phishing Wizard to not display the campaign configuration form after it created the project. This fix resolves the issue, and the Phishing Wizard works as expected.
- Auto Exploit could fail with an 'Invalid DOMAIN' error (MS-1477) - Fixing auto exploitation web vulns to only pass params that have values this fixing a validation error on DOMAIN.
Features and Enhancements
- UTF-8 registry support (PR-85) - Windows Meterpreter now uses the wide character versions of the registry API functions and UTF-8 for the comm channel.
- Reverse port forwarding with Meterpreter (PR-6753) - Add the -R flag to the 'portfwd' command to perform a reverse port forward, which enables you to pivot out to a local port. When you use reverse port forwarding, Meterpreter opens up a port and listens for connections. When it receives a connection, it creates a new channel, and data can move back and forth through that channel.
- Resolve command for Meterpreter (PR-6802) - The 'resolve' command enables you to perform DNS lookups with Meterpreter. To resolve host names on the target, you can run the 'resolve' command followed by the host name. For example, in the Meterpreter prompt, you can type something like 'resolve rapid7.com' to view the host resolutions for rapid7.
- Windows and Java payloads for Apache Struts (PR-6835) - The Apache Struts module now supports universal Windows and Java payloads.
- Improve module portability on Linux, OS X, and BSDs (PR-6849) - BSDs and OS X uses a system call, mknod, that doesn't have the ability to create FIFOs. The system call, mknod ,has been replaced with mkfifo, which creates a more portable solution that allows FIFO-based shells to work on Linux, OS X, and BSDs.
- Apache Struts Dynamic Method Invocation Remote Code Execution - This module allows you to remotely execute arbitrary code on Apache Struts versions between 2.3.20 and 2.3.28 (except 18.104.22.168 and 22.214.171.124).
- Apache Struts Dynamic Method Invocation Remote Code Execution - This module exploits a remote command execution vulnerability in Apache Struts version between 2.3.20 and 2.3.28 (except 126.96.36.199 and 188.8.131.52).
- HP Data Protector 6.10/6.11/6.20 Install Service - This module allows you to exploit HP Data Protector, a backup and recovery system, to remotely upload files to the file share. Versions 6.10, 6.10, and 6.20 are vulnerable. Authentication is not required to exploit this vulnerability.
- Ruby on Rails Development Web Console (v2) Code Execution - This module allows you to inject code into Ruby on Rails applications if the webconsole gem is enabled.
- ImageMagick Delegate Arbitrary Command Execution - This module allows you to exploit image uploaders that leverage ImageMagick on Unix systems. To use this module, you can upload malicious a MVG/SVG/MIFF file that executes shell commands.
To download the offline file for this update, go to http://updates.metasploit.com/packages/c5b26d071181a7714774c066f34c6a204f788854. bin.
PRO 4.11.7 updates to 4.11.7-2016050601