Metasploit 4.12.0 (Update 2016081001)

Document created by tdoan on Aug 10, 2016; last modified by tdoan on Oct 7, 2016

Bugs Fixed


  • PR #7100 - This fixes an issue where the Burp importer dropped vulnerability information when a finding had no reference, which left those findings out of exploitation coverage and out of reports.
  • PR #7104 - This is an ActiveRecord syntax fix for framework db credential iteration. It uses the new join syntax with the Metasploit database.
  • PR #7107 - This fixes a problem where the Host header field of an HTTP request did not match the destination when an IP-based redirection was followed.
  • PR #7118 - The x64 version of PrependMigrate appeared to have incorrect values set for structure size and offset when dealing with the STARTUPINFO structure and values, resulting in processes crashing when the code executes. This change fixes both offset and size so that they are correct, resulting in x64 payloads working correctly with PrependMigrate set to true.
  • PR #7121 - If a user previously used the 'save' feature on the psexec (and possibly other) modules, parameters that were marked as 'nil' on save were replaced with an empty string when the module was reloaded. This led to problems where the module would no longer work. For example, psexec would attempt to create an empty service name, which would cause the module to fail.
  • PR #7127 - This fixes a condition where users can specify a superfluous value (rhost) that while unused by scanner modules, is included in printed status updates. This fix sets the rhost value to nil temporarily, thus preventing the data from appearing in the status updates.
  • PR #7176 - The nbname_probe module is deprecated and will be removed on Sep 1st, 2016. Please use auxiliary/scanner/netbios/nbname instead.
  • Pro: MS-1697 - The 'Service' column on the Vulnerabilities page now shows the service name instead of the network protocol.
  • Pro: MS-1780 - We have fixed an issue that prevented social engineering web templates from being created. Web templates can now be added.
  • Pro: MS-1822 - We have fixed an issue that caused the SSH Key Tester MetaModule to fail when an invalid private key is used.
  • Pro: MS-1904 - We have fixed an issue that prevented updates from occurring when a proxy was configured in the Global Settings. Updates can be applied successfully through the web interface when a proxy is configured.
  • Pro: MS-1905 - We have fixed an issue that prevented licenses from being activated when a proxy was configured in the Global Settings. Licenses can now be added through the web interface when a proxy is configured.
  • Pro: MS-1914 - We have fixed an issue that caused the pro_exploit command to not work with the Pro console. You can now run pro commands through the console without any issues.
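The PrependMigrate fix above (PR #7118) comes down to STARTUPINFO having a different size and different field offsets on x64 than on x86. The following is an added example, not Metasploit code: a small layout calculator that derives both layouts from the Win32 STARTUPINFOA field list using natural alignment, so a migration stub can be checked against the correct `cb` value and offsets for its target architecture. The field list is the documented STARTUPINFOA definition; the alignment rule is the MSVC default (each scalar aligned to its own size, structure size rounded up to the largest field alignment).

```ruby
# Added example (not Metasploit's code): derive STARTUPINFO offsets/size for
# x86 and x64. A stub that hard-codes the x86 layout will set cb=68 and write
# handle fields at the wrong offsets on x64, which is the class of crash the
# PR #7118 note describes.
STARTUPINFO_FIELDS = [
  [:cb,              :dword],
  [:lpReserved,      :ptr],
  [:lpDesktop,       :ptr],
  [:lpTitle,         :ptr],
  [:dwX,             :dword],
  [:dwY,             :dword],
  [:dwXSize,         :dword],
  [:dwYSize,         :dword],
  [:dwXCountChars,   :dword],
  [:dwYCountChars,   :dword],
  [:dwFillAttribute, :dword],
  [:dwFlags,         :dword],
  [:wShowWindow,     :word],
  [:cbReserved2,     :word],
  [:lpReserved2,     :ptr],
  [:hStdInput,       :ptr],
  [:hStdOutput,      :ptr],
  [:hStdError,       :ptr],
].freeze

# Scalar width per architecture; pointers and HANDLEs are the only fields
# that change between x86 and x64.
def type_size(type, arch)
  case type
  when :word  then 2
  when :dword then 4
  when :ptr   then arch == :x64 ? 8 : 4
  else raise ArgumentError, "unknown type #{type}"
  end
end

# Natural alignment: pad each field to a multiple of its size, then round the
# total size up to the largest alignment seen.
def struct_layout(fields, arch)
  offsets = {}
  offset = 0
  max_align = 1
  fields.each do |name, type|
    size = type_size(type, arch)
    max_align = size if size > max_align
    offset += (size - offset % size) % size
    offsets[name] = offset
    offset += size
  end
  total = offset + (max_align - offset % max_align) % max_align
  { size: total, offsets: offsets }
end

def startupinfo_layout(arch)
  struct_layout(STARTUPINFO_FIELDS, arch)
end

# Fields whose offset differs between the two architectures; any of these
# written with an x86 offset lands in the wrong place on x64.
def mismatched_fields
  x86 = startupinfo_layout(:x86)[:offsets]
  x64 = startupinfo_layout(:x64)[:offsets]
  x86.keys.select { |k| x86[k] != x64[k] }
end

if __FILE__ == $PROGRAM_NAME
  %i[x86 x64].each do |arch|
    l = startupinfo_layout(arch)
    puts "#{arch}: sizeof(STARTUPINFO) = #{l[:size]}"
    l[:offsets].each { |n, o| puts "  +#{o.to_s.rjust(3)} #{n}" }
  end
  puts "offsets differing between x86 and x64: #{mismatched_fields.join(', ')}"
end
```

Running it prints 68 bytes for x86 and 104 bytes for x64; the pointer fields after `cb` and the three standard handles all move, so every field except `cb` itself needs an architecture-specific offset.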

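The PR #7121 item above describes a round-trip bug: an option that was unset (nil) when the module configuration was saved came back as an empty string on reload, and psexec then tried to create a service with an empty name. The following is an added example, not Metasploit's own datastore or config code: it models a key=value settings file with a naive writer/reader that reproduces the nil-to-"" conversion, a fixed pair that preserves "unset", and the check a module should make before using the value. The option names and file format are assumed for illustration.

```ruby
# Added example (not Metasploit code): nil vs "" across a save/reload cycle.
require 'tempfile'

# Constructed datastore: SERVICE_NAME is deliberately unset so the module
# generates a random name at runtime.
SAMPLE_OPTIONS = {
  'RHOST'        => '10.0.0.5',
  'SMBUser'      => 'admin',
  'SERVICE_NAME' => nil,
}.freeze

# Naive save: every key is written as key=value, so nil interpolates to "".
def save_naive(opts, path)
  File.open(path, 'w') do |f|
    opts.each { |k, v| f.puts "#{k}=#{v}" }
  end
end

# Fixed save: unset options are simply not written.
def save_fixed(opts, path)
  File.open(path, 'w') do |f|
    opts.each { |k, v| f.puts "#{k}=#{v}" unless v.nil? }
  end
end

# Naive load: whatever follows '=' is taken verbatim, including "".
def load_naive(path)
  File.readlines(path, chomp: true).each_with_object({}) do |line, h|
    k, v = line.split('=', 2)
    h[k] = v
  end
end

# Fixed load: an empty value means "not set", never a real value.
def load_fixed(path)
  load_naive(path).transform_values { |v| v.nil? || v.empty? ? nil : v }
end

# What a psexec-like module does with the option: nil => generate a name,
# "" => refuse rather than ask the target to create a nameless service.
def service_name_for(opts)
  name = opts['SERVICE_NAME']
  return "svc_#{rand(36**8).to_s(36)}" if name.nil?
  raise ArgumentError, 'SERVICE_NAME must not be empty' if name.empty?
  name
end

# Save with one routine and reload with another, returning the reloaded hash.
def roundtrip(opts, saver, loader)
  Tempfile.create('opts') do |f|
    method(saver).call(opts, f.path)
    method(loader).call(f.path)
  end
end

if __FILE__ == $PROGRAM_NAME
  naive = roundtrip(SAMPLE_OPTIONS, :save_naive, :load_naive)
  puts "naive reload: SERVICE_NAME=#{naive['SERVICE_NAME'].inspect}"
  begin
    service_name_for(naive)
  rescue ArgumentError => e
    puts "naive reload rejected: #{e.message}"
  end
  fixed = roundtrip(SAMPLE_OPTIONS, :save_fixed, :load_fixed)
  puts "fixed reload: SERVICE_NAME=#{fixed['SERVICE_NAME'].inspect}"
  puts "fixed reload service name: #{service_name_for(fixed)}"
end
```

Either half of the fix is enough on its own for this case (skipping nil on save, or normalising "" to nil on load), but a loader that also normalises protects against files written by older code or by hand.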

Features and Enhancements


  • PR #6625 - The persistence module's VBS file now encodes the payload with base64 instead of a text-based encoding. On operating systems whose text handling depends on Unicode, the text-based encoding could render the payload invalid.
  • PR #7106 - We have made multiple improvements to post/windows/capture/keylog_recorder, including module documentation, an option to pause recording on timeout, the ability to stop the job, better error handling, a fix for an explorer.exe migration issue, and better log output.
  • PR #7109 - The msfvenom command now prints the final payload size, including any extra size due to encoding, format, etc. This makes the output more intuitive to the user, especially when trying to determine the size tradeoffs for different payload formats.
  • PR #7113 - We have modified the check method for module drupalrestwsexec.rb. It uses the print command instead of echo to reduce false positives.
  • PR #7116 - We've added documentation for the MSSQL local auth bypass module.
  • PR #7125 - We've added a new '-t' command line option to Meterpreter's 'download' command, allowing you to automatically have the current date and time (in ISO 8601 format) appended to the filename of each file you are downloading from a target system running Meterpreter.
  • PR #7126 - This updates Mettle to 0.0.6, bringing in a whole slew of changes, such as complete stdapi/net support, machine_id support, multi-arch ps, memoized sysinfo, and powerpc64le and mips64 support.
  • PR #7128 - We have added a Windows post gather module that will retrieve the stored password hash for a target system running Avira Antivirus.
  • PR #7149 - We have added an uploads directory to the WordPress mixin, a utility useful for various types of WordPress modules.
  • PR #7151 - We have improved the Powershell script for CVE-2016-0099 to make it more reliable by checking CreateProcessWithLogonW. Submitted by b33f.
  • PR #7157 - We have updated the RC script for ms08067netapi.feature in order to avoid a race condition that would cause the test script to exit before the exploits finish.
  • PR #7165 - We have added documentation for several modules, including juniperbackdoor.md, brocadeenablelogin.md, werkzeugdebug_rce.md.
  • PR #7168 - We have improved the user experience of the 'ps' command within Meterpreter sessions by allowing shorter inputs to the -A flag.


Exploits Added


  • Centreon Web Useralias Command Execution by Nicolas CHATELAIN and h00die - Centreon is a free network monitoring software suite, and this module takes advantage of security holes in how Centreon's web portal logs database errors to execute arbitrary code on the remote host.
  • Polycom Command Shell Authorization Bypass by Paul Haas and h00die - The login component of the Polycom Command Shell on Polycom HDX video endpoints, running software versions 3.0.5 and earlier, is vulnerable to an authorization bypass when simultaneous connections are made to the service, allowing remote network attackers to gain access to a sandboxed telnet prompt without authentication.
  • Drupal RESTWS Module Remote PHP Code Execution by Devin Zuczek and Mehmet Ince
  • Internet Explorer 11 VBScript Engine Memory Corruption by Theori and William Webb exploits CVE-2016-0189 - This module exploits a vulnerability in Microsoft Internet Explorer, which was originally spotted in the wild.
  • SMB Delivery by Andrew Smith and Russel Van Tuyl - This module allows you to host a Metasploit payload from a fake SMB server, which can be used for code injection or other similar attacks.


Offline Update


To download the offline file for this update, go to http://updates.metasploit.com/packages/8df36704d0753b34c4b6f116f0d99e1e77f5daf5.bin.


Version Information


PRO 4.12.0 updates to 4.12.0-2016081001
