Metasploit 4.12.0 (Update 2016062701)

Document created by tdoan on Jun 23, 2016. Last modified on Oct 7, 2016.

Highlights

 

  • The Windows Gather Microsoft Office Trusted Locations module: Enumerate trusted Microsoft Office locations on the target host.
  • ClamAV remote code execution: Take advantage of a misconfiguration in ClamAV, an open source antivirus engine, to send commands that shut down the service and report its version.
  • The Swagger CodeGen Parameter Injector: Generate a Swagger JSON file with embedded Metasploit payloads to introduce arbitrary code to the client.

 

Bugs Fixed

 

  • Chrome enum post module failed when extensions were not found (PR-6997) - The post/windows/gather/enum_chrome module returned a stack trace when the browser had no extensions installed. This fix adds better error handling for that case.
  • The Payload Generator fails (MS-1678) - When building bind TCP payloads, the Payload Generator would fail because the RHOST option was not being set. This fix adds the RHOST option to the strong parameters.

 

Features and Enhancements

 

  • Download files from DarkComet (PR-6955) - Download arbitrary files from the DarkComet C2 server by exploiting a known vulnerability in versions 3.2+.
  • Enumerate trusted locations for all Office applications (PR-6966) - This post-exploitation module gathers and enumerates the trusted Microsoft Office locations on a target host.
  • Improve the speed of NOP generation (PR-6970) - A new method called make_fast_nops has been added to create large chunks of NOPs more quickly than the make_nops method. The make_fast_nops method is faster, but produces less random and less evasive chunks of NOPs.
  • Add missing rank check to msftidy (PR-6976) - A check for rank has been added to msftidy. When you run msftidy and a rank has not been specified for a module, a message informs you to explicitly add a rank value.
  • Exploit predictable transaction IDs in NetBIOS lookups (PR-6994) - Two modules have been added to exploit NetBIOS lookups. They can be used to change the addresses that the target machine resolves to. The first module continuously spams NetBIOS responses to a target for a given hostname, which causes the target to cache a malicious address for that name. The second module listens for a NetBIOS name request and then continuously spams NetBIOS responses to the target for the requested hostname, which causes the target to cache a malicious address for that hostname.
  • Create ZIP files more easily for modules (PR-6999) - An API call has been added to make it more convenient and easier to generate a ZIP file. This eliminates the need to learn how to make a direct REX call.
  • REX code clean up (PR-7005) - Portions of the REX code have been replaced with gems to clean up the code base and enable each atomic part to be individually maintained and tested.

 

Exploits Added

 

  • Apache Continuum Arbitrary Command Execution - Apache Continuum is an enterprise-ready continuous integration server for popular build tools and source control management systems. This exploit performs a simple command injection through a POST parameter. Successful exploitation spawns a shell.
  • op5 v7.1.9 Configuration Command Execution - op5 is open source network monitoring software. This module exploits the configuration page in version 7.1.9 and below, which allows a system command to be tested. This vulnerability can be exploited to run arbitrary code as an unprivileged user.
  • Tiki-Wiki CMS Calendar Command Execution - Tiki-Wiki CMS's calendar module contains a remote code execution vulnerability in the viewmode GET parameter. Even if the parameter is enabled, the default permissions do not allow anonymous users access. Successful exploitation of this vulnerability results in a session as the Apache user.
  • JSON Swagger CodeGen Parameter Injector - The Swagger API can be used to build clients for RPC APIs. The Swagger CodeGen parameter injector module generates a Swagger JSON file with embedded Metasploit payloads and enables you to introduce arbitrary code for the language that the client is written in. Currently, this module supports 4 languages for delivery: NodeJS, PHP, Ruby, and Java.
  • ClamAV Remote Code Execution - This module takes advantage of a possible misconfiguration in the ClamAV service on release 0.99.2, which allows you to send commands to the service. If the service is tied to a socket, the ClamAV service listens for commands on all addresses. This module connects to the ClamAV service port and sends the proper commands for VERSION and SHUTDOWN.
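The ClamAV item above depends on clamd having its TCP command channel bound to every address. As an added example (not part of these release notes or of the Metasploit code base), the following Ruby script audits a clamd.conf for that exposure and shows the weak configuration beside a hardened one; TCPSocket, TCPAddr, LocalSocket and Example are real clamd.conf directives, and the two sample configurations are constructed for the example.

```ruby
# Added example, not from the release notes or Metasploit: audit a clamd.conf for the
# exposure the ClamAV module relies on, a TCPSocket bound to every address. TCPSocket,
# TCPAddr, LocalSocket and Example are real clamd.conf directives; samples are constructed.
WILDCARD_ADDRS = %w[0.0.0.0 ::].freeze

# clamd.conf holds "Directive value" per line, '#' lines are comments, and a directive
# may repeat (newer clamd accepts several TCPAddr lines), so each key maps to a list.
def parse_clamd_conf(text)
  directives = Hash.new { |h, k| h[k] = [] }
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    directives[key] << (value || '')
  end
  directives
end

# Returns findings as strings; an empty list means no network-exposure issue was found.
def audit_clamd_conf(text)
  conf = parse_clamd_conf(text)
  findings = []
  findings << 'Example directive present: clamd refuses to start until it is removed' if conf.key?('Example')
  return findings unless conf.key?('TCPSocket') # LocalSocket only: no TCP command channel
  port = conf['TCPSocket'].first
  addrs = conf['TCPAddr']
  findings << "TCPSocket #{port} with no TCPAddr: clamd listens on all addresses" if addrs.empty?
  addrs.each do |a|
    next unless WILDCARD_ADDRS.include?(a)
    findings << "TCPAddr #{a}: wildcard bind exposes VERSION/SHUTDOWN on every interface"
  end
  findings
end

WEAK_CONF = <<~CONF
  # constructed sample: TCP listener with the bind address left at the default
  LogFile /var/log/clamav/clamd.log
  TCPSocket 3310
CONF

HARDENED_CONF = <<~CONF
  # constructed sample: local socket for scanners, TCP restricted to loopback
  LogFile /var/log/clamav/clamd.log
  LocalSocket /var/run/clamav/clamd.ctl
  TCPSocket 3310
  TCPAddr 127.0.0.1
CONF
if __FILE__ == $PROGRAM_NAME
  puts "weak: #{audit_clamd_conf(WEAK_CONF).inspect}", "hardened: #{audit_clamd_conf(HARDENED_CONF).inspect}"
end
```

Running the script against the weak sample reports the missing TCPAddr; the hardened sample produces no findings.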

 

Offline Update

 

To download the offline file for this update, go to http://updates.metasploit.com/packages/15b656041b6b42ce255867b7286db0de6c46b726.bin.

 

Version Information

 

PRO 4.12.0 updates to 4.12.0-2016062701
