- PR #6954 - This fix corrects the payload size for the windows local payload injection exploit, allowing it to use more complex payloads, including proxy callbacks which obfuscate the IP address of the attacker.
- PR #7030 - The msfconsole's show options command can sometime reflect the incorrect 'Current Setting' value for an option variable. Specifically, this occurs when a boolean option variable has a default value of 'true', in that show options will always say the 'Current Setting' is 'true' even when the user has changed the value of the option variable to 'false'. It should be noted that this is only a cosmetic issue, as the usual set/get operations against option variables work as expected.
- PR #7037 - This patch fixes a stack trace in
db_export -f xmldue to deprecated Active Record methods. The
find/allqueries have been replaced with
order. After applying this patch, users will be able to use
db_export -f xmlagain.
- PR #7043 -This fixes a bug in the LURI (Local URI) parameter for reverse HTTP / HTTPS stagers, where setting the parameter to a single slash ('/') would automatically turn it into two slashes '//', leading to failed connections and other problems.
- PR #7044 - In BrowserAutoPwn2, the mixin forgets to pass the SRVPORT datastore option to the exploits, so they always use the default 8080. As a result, if a different SRVPORT is set, BAP2 would be serving the target machine with bad exploit links.
- PR #7045 -This fixes the behavior that the channel is immediately closed when starting a shell in a Meterpreter session on Windows. The problem is that a Meterpreter process checks the LastError value even though the named pipe was read successfully. The Meterpreter process should check the LastError value only when the named pipe read fails.
- PR #7046 - This fixes a problem while exporting notes from msfconsole due to a missing rhost field. When a fileformat exploit generates the malicious file, a note is created to keep track of where the file is, but no rhost information is given. This becomes a problem since the notes command is always expecting a rhost, and not having one will result a backtrace.
Features and Enhancements
- PR #6959 - This adds shell code for staging Linux Bind TCP payloads on ARM big-endian platforms, which are found in devices using Intel XScale and IXP network processors or Marvell ARMADA embedded processors.
- PR #7040 - This improves handling of a condition where a remote process exits before an interactive channel is closed by Metasploit, causing an occasional error in the Meterpreter channel handling code as it tries to close a channel that has already closed.
- PR #7055 - This adds additional verification that the netgearsoappassword_extractor module works on more devices, and adds module documentation with sample output.
- PR #7059 - This restores an earlier default pattern length for the pattern_offset tool back to 8192 bytes, which makes existing course materials work again.
- PR #7066 -This reenables support for the HttpUnknownRequestResponse parameter in HTTP/HTTPS reverse stagers. This parameter allows a user to configure a stager to handle unknown requests as though it was a legitimate web server, increasing stealthiness.
- Nagios XI Chained Remote Code Execution by Francesco Oddo and wvu - This module exploits an SQL injection, auth bypass, file upload, command injection, and privilege escalation in Nagios XI <= 5.2.7 to pop a root shell.
To download the offline file for this update, go to http://updates.metasploit.com/packages/b6cc69a0778fe2e4627d4d343af9cb744e6a4e28. bin.
PRO 4.12.0 updates to 4.12.0-2016070501