Hello Metasploit 4.12!
Hooray, it's finally here! Metasploit 4.12 has a ton of fixes, enhancements, and exploits. It also includes a major technology stack upgrade to Ruby on Rails 4.2. With all the goodies and upgrades in this release, it makes sense to bump the Metasploit version from 4.11 to 4.12.
To get Metasploit 4.12, you can download the installers or the offline update. This week, we're enabling everyone to manually update Metasploit. If you want to automatically update Metasploit, you'll have to wait until next week. We're staggering the release of our installers and updates to ensure that the transition to this major point release is as smooth as possible for everyone.
If you plan to download and apply the offline update, please wait at least 10 minutes for the update to finish. After 10 minutes, you'll need to refresh your browser to log in to Metasploit again.
Here are the links to the installers and offline update:
- Session upgrades failed over proxy pivot (PR-5191) - The LHOST format was invalid, which caused session upgrades over a proxy pivot to fail. This fixes the LHOST format by converting the local pipe to an IP address.
- Thread errors during thread suspension (PR-6864) - A thread error occurred when a thread was suspended. This fix improves thread suspension and resume resiliency so that thread errors do not occur.
- Staged Python TCP Meterpreter does not reconnect (Payload-98) - The Python reverse TCP Python payload failed to reconnect after restarting Metasploit. This fix modifies the packet length, so that the session now reconnects as expected.
- EOF error occurred when upgrading a Python reverse TCP SSL Meterpreter shell (PR-6897) - Upgrading the Python reverse TCP SSL Meterpreter shell resulted in the error "ssl.SSLEOFError: EOF occurred in violation of protocol". This fix updates the "send" function to "sendall", so that it continues to send data from string until either it sends all data or encounters an issue.
- Unsetting CMD caused exploits to fail the Symantec System Center Alert Management System Arbitrary Command Execution module to fail (PR-6889) - The exploit/windows/antivirus/ams_xfr exploit failed when CMD is empty. This fixes issue-6888; the module now runs without error when CMD is unset.
- Minor fixes to the SSH Public Key Acceptance Scanner (PR-6528) - This PR contains multiple fixes for issues with the SSH Public Key Acceptance Scanner module. It fixes the following issues: KEY_DIR and KEY_PATH did not expand if they had symbolic values in them (~/foo/bar.txt). Public keys that included commands the user can run did not work.
- Missing div tag caused error when running the Moodle exploit (PR-6882) - When running the Moodle exploit, the error "REXML::ParseException No close tag for /div" would occur. This fix patches the HTML parsing issue so that Moodle can run without issues.
- Check command failed when the RHOST was not specified (PR-6907) - The check command returned a stack trace error if the RHOST was not set. This fix adds some peer elements back to the datastore that prevented a nil element from being assigned to a required datastore option.
- Setting the cookie expiration did not work for BAP2 (PR-6912) - An exception occurred when the cookie variable is set for Browser Autopwn 2 and web exploits. This fix uses the correct expiration variable when the cookie is set.
- Bruteforce tasks stack traced when there were connection failures (MS-1475) - A stack trace displayed in the task log when bruteforce attempts were made against services that could not reached by the Metasploit server. This fix removes the stack trace from occurring when a connection cannot be made to a target port. Instead, the bruteforce task continues onto the next target.
- HTML tags are removed from e-mails (MS-314 / IS-6781) - Switching to the rich text view and preview caused HTML tags to be removed from plain text emails. This fix adds the HTML tags to emails and ensures that they are not removed when the view is changed.
- Typo in RPC API Guide (MS-1538) - The RPC API Guide contained a typo in the path for api examples. This fix corrects the path name.
- The 'Meterpreter Transport Change' modal displays in a fixed location (MS-716) - When the Post-Exploitation tab was open on the Session details page, the 'Meterpreter Transport Change' modal displayed at the bottom of the page and was not easily visible. This fixes the modal so that it consistently displays in a fixed location when the Post-Exploitation Modules tab is open.
Features and Enhancements
- Generate UDP/TCP egress traffic (PR-6296) - Find holes in firewall and egress filtering by generating TCP/UDP traffic with the Generate TCP/UDP Outbound Traffic On Multiple Ports post-exploitation module. Just specify the port range you want to use, and the module generates the traffic for you.
- Pull APIs from Bing and Yahoo subdomains (PR-6576) - Easily gather subdomains from Yahoo and Bing search results using the Search Engine Subdomains Collector auxiliary module.
- Generate Axis2 payloads with msfvenom (PR-6868) - Axis2 has been added as a supported payload type.
- Rebase R4 metasm payloads (PR-6905) - This enhancement rebases the reverse TCP and bind TCP stagers for Metasm.
- Capture keystrokes, screenshots, and webcam snapshots with Beholder (PR-6878) - The Beholder plugin automatically captures keystrokes, screenshots, and webcam snapshots from your active sessions. Run this plugin to collect data from your compromised targets every 30 seconds.
- Quickly scan for Jenkins servers (PR-6947) - The Jenkins Server Broadcast Enumeration module sends a UDP broadcast packet and waits for Jenkins servers to respond. This helps easily and quickly enumerate Jenkins servers on the network.
- Set up a development environment with Vagrant (PR-6556) - Use the vagrant recipe and chef-apply to set up a Metasploit development environment.
- New "Payloads opts" column in jobs output (PR-6919) - The "Payloads opts" column has been added to the jobs output so that URIPATH can be restored to its original function. This allows LURI to be used as a full URI in the "Payloads opts" column.
- Popen () vulnerability added to ImageMagick (PR-6922) - The ImageMagick exploit has been modified to include the popen () vulnerability. If ImageMagick supports popen(), a |-prefixed command will be used for the exploit.
- Get LDAP password from Symantec Brightmail (PR-6793) - This module pulls the AD account saved in Symantec Messaging Gateway and deciphers it using the disclosed Symantec PBE key. Authentication is required in order to successfully get the LDAP credentials. Read access is required. Version 10.6.0-7 and earlier are affected.
- Modified contributing requirements (PR-6958) - Back in March, we made it possible for contributors to easily add module documentation to the Framework. Now, we're kindly asking that contributors start providing documentation for new modules that they write. There's a lot of good stuff coming in from the community, and it can be overwhelming to try to investigate how a module works. Because of that, we want to provide a simple way for authors to write documentation for their module and a way for users to easily figure out how to set up and actually use the module.
- Escalate privileges on Allwinner 3.4 (PR-6890) - Exploit a debug backdoor privilege escalation vulnerability in Allwinner devices to obtain root.
- Find the type, firmware, and build number for PLCs (PR-6885) - Remotely access port 20547 to read out the CPU state, PLC type, firmware, and build number as well as start and stop the CPU.
- IPFire Bash Environment Variable Injection (Shellshock) - This module takes advantage of the shellshock vulnerability in IPFire's web interface which allows for remote command execution. Authentication is required.
- IPFire proxy.cgi RCE - This module exploits the RCE vulnerability in IPFire's web interface which allows for remote command execution. Authentication is required.
- TP-Link SC2020n Authenticated Telnet Injection - This module targets a command injection vulnerability in TP-Link sc2020 network video cameras. Successful exploitation results in root access on the device.
- Ubiquiti airOS Arbitrary File Upload - This module exploits an authentication file upload vulnerability in Ubiquiti airOS, which is an advanced operating system used for long haul antennas, to obtain a privileged BusyBox shell.
- FTP JCL Execution - Remember those JCL payloads we added a couple of months ago for z/OS? Here is the first exploit that you can use to deliver those JCL payloads. This module targets FTP servers on z/OS systems; it submits a JCL job via FTP to exploit the target. To use this exploit, you'll need to have valid credentials.
- Magento 2.0.6 Unserialize Remote Code Execution - This module exploits a PHP object injection vulnerability in Magento versions 2.0.6 and lower.
- Oracle ATS Arbitrary File Upload - This module targets a directory traversal vulnerability in Oracle Testing Suite version 126.96.36.199.0 and earlier. It bypasses authentication and directly accesses the file upload form to upload and execute a JSP shell. Successful exploitation results in a privileged shell on Windows systems.
- Dell SonicWALL Scrutinizer 11.01 methodDetail SQL Injection - This module exploits a vulnerability in Dell SonicWALL Scrutinizer 11.0.1. You can exploit the methodDetail parameter in exporters.php to write arbitrary files to the file system with a SQL Injection attack and gain remote code execution under the context of 'SYSTEM' for Windows or as 'Apache' for Linux.
- Apache Struts REST Plugin With Dynamic Method Invocation Remote Code Execution - This module exploits a remote command execution vulnerability in the REST Plugin on Apache Struts versions between 2.3.20 and 2.3.28.
- WordPress Ninja Forms Unauthenticated File Upload - This module exploits versions 2.9.36 to 2.9.42 of the Ninja Forms plugin, which contain an unauthenticated file upload vulnerability, to allow the upload of arbitrary PHP code that can be executed in the context of the web server.
- HP Data Protector Encrypted Communication Remote Command Execution - This module exploits a remote code execution vulnerability on Data Protector versions 9.06 and earlier. It is only successful on Data Protector agents that have been configured to only use encrypted control communications and against targets running Windows Vista or newer.
- Poison Ivy 2.1.x C2 Buffer Overflow - This module exploits a stack buffer overflow vulnerability in Poison Ivy versions 2.1.x.
To download the offline file for this update, go to http://downloads.metasploit.com/data/metasploit-4.12.0-2016061501-update.bin.
PRO 4.11.7 updates to 4.12.0-2016061501