Metasploit 4.12.0 (Update 2016092601)

Document created by tdoan (Employee) on Sep 28, 2016. Last modified by tdoan (Employee) on Oct 7, 2016.

Bugs Fixed


  • PR #7356 - Update windows/ssh/freesshd_authbypass to avoid interactive password prompting due to recent updates to the Net-SSH gem.
  • PR #7352 - This patch makes the exploit more reliable, specifically the stage 1 XSS/JS attack, and allows a longer timeout for Firefox.
  • PR #7351 - Some modules using NTLM were broken, unable to locate some NTLM aliases that had been removed from the framework code base. This patch reintroduces the missing aliases, allowing the affected modules to work as-expected.
  • PR #7349 - This fix addresses a bug in the scanner library code that did not set RHOST correctly when the check command was run against a scanner module. The bug did not affect typical use of scanner modules (running them with run or exploit), only the check command. Users can now successfully run check on all scanner modules.
  • PR #7342 - OSVDB references are now no longer linked from Metasploit Framework.
  • PR #7345 - This fix synchronizes Metasploit's list of interesting SAP URLs with the list from the fuzzdb project.
  • PR #7344 - This fix adds a warning to msfconsole telling the user they can't run msfconsole within msfconsole.
  • PR #7339 - A number of modules that used SSH were rendered non-functional due to recent library and API updates. This fix restores functionality to those modules.
  • PR #7335 - This fix is a change of e-mail address for the author of exploit/unix/local/netbsd_mail_local.
  • PR #7325 - This fix updates exploit/unix/webapp/skybluecanvas_exec for two new HTML form inputs that may cause the exploit to fail against vulnerable targets. It also improves the correctness of the check method.
  • PR #7317 - This fix addresses a typographical error in the description field for the exploit/unix/local/chkrootkit local exploit. Normally, "privesc" is an abbreviation for "privilege escalation." The module had this misspelled as "privsec," so we opted to expand the abbreviation to its full wording while fixing the error.
  • PR #7308 - This fix adds disclosure dates to auxiliary/admin/http/tomcat_utf8_traversal and auxiliary/admin/http/trendmicro_dlp_traversal.
  • PR #7305 - This fix addresses an environment variable check in post/windows/gather/credentials/steam.
  • PR #7304 - The Rails secret deserialization exploit was broken due to ERB changes that were introduced with Ruby 2.2.0. This fix adds support for Ruby >=2.2.0 by fleshing out the Marshalled objects to include a @lineno attribute.
  • PR #7301 - This fix allows the exploits/linux/smtp/exim4dovecotexec module to support NAT with the URIHOST option.
  • PR #7294 - This patch fixes the Metasploit openvas plugin to use the ID values openvas creates/uses instead of arbitrary ID values.
  • PR #7276 - This fix addresses a problem with the Meterpreter clipboard API, which lets an operator retrieve the contents of the target user's clipboard over a Meterpreter session.
  • PR #7255 - This patch fixes a problem in exploits/multi/http/glassfish_deployer. On Windows setups, the Glassfish module fails to upload the war file due to some missing fields in the HTTP POST request. However, this does not actually affect Linux setups even with the same Java version or GlassFish version.
  • PR #7252 - This fix converts exploit/multi/http/phoenix_exec from ARCH_CMD to ARCH_PHP, allowing the use of native PHP payloads instead of just command execution.
  • Pro: MS-1450: An issue with missing environment variables caused modules to fail. This patch checks for the environment variable before the module tries to use it.
  • Pro: MS-1451: This fix addresses the same environment variable check in post/windows/gather/credentials/steam (see PR #7305).


Features and Enhancements


  • PR #7086 - The Meterpreter 'download' command now has two new options. The first, '-c', continues a download of a file that was interrupted previously. The second, '-l', specifies the number of times Meterpreter will retry a failed download (due to a network interruption or other failure) before giving up. These options improve the resiliency of downloads and make retrieving large files more convenient.
  • PR #7346 - The Metasploit 'route' command is now more tolerant of incorrect parameters and the default behavior now displays the routing table rather than an error.
  • PR #7322 - This update adds module documentation for exploit/multi/http/drupal_drupageddon.
  • PR #7314 - This update adds module documentation for exploits/linux/ssh/exagridknownprivkey.
  • PR #7311 - This update adds module documentation for both post/linux/gather/checkvm and post/linux/gather/hashdump.
  • PR #7283 - msfvenom can now generate a JSP payload directly. The update also simplifies the logic behind JSP execution in WAR payloads, removing the manual work of building intermediate stagers that was previously required and allowing more flexibility with binary payloads.


Exploits Added


  • Android Stagefright MP4 tx3g Integer Overflow by NorthBit and jduck exploits CVE-2015-3864 - This module exploits an integer overflow vulnerability in the Stagefright library. The vulnerability can be abused in multiple ways, but this particular exploit is designed to work within an HTML5 compatible browser.
  • Kaltura Remote PHP Code Execution by Mehmet Ince and Security-Assessment.com - This module takes advantage of a vulnerability where Kaltura servers will execute commands included in a properly-formatted object. This module bundles an arbitrary payload with the associated extraction and execution commands necessary to affect arbitrary payload execution on a remote Kaltura server.
  • Docker Daemon Privilege Escalation by forzoni - This module adds a generic privilege escalation exploit for Docker. The prerequisite is that the compromised user is a member of the docker group on the target system.
  • Linux Kernel 4.6.3 Netfilter Privilege Escalation by h00die and vnik exploits CVE-2016-4997 - The new exploit/linux/local/netfilterprivesc module performs a privilege escalation on compromised Linux targets running affected 4.4.0 kernels. Please see the module documentation for details.
  • Metasploit Web UI Static secret_key_base Value by Justin Steven and joernchen of Phenoelit - This module exploits certain upgraded versions of Metasploit Community, Express, and Pro by forging a session cookie, allowing remote code execution. Upgraded installs of Metasploit Community, Express, and Pro 4.12.0-2016061501 through 4.12.0-2016083001 are vulnerable (full installs of these versions are not vulnerable, only the upgrades). Authentication is not required to exploit this vulnerability. See this blog post for more details: https://community.rapid7.com/community/metasploit/blog/2016/09/19/important-security-fixes-in-metasploit-4120-2016091401
  • Metasploit Web UI Diagnostic Console Command Execution by Justin Steven - A Web UI user account on Metasploit Community or Express, or an administrative user on Pro, can remotely enable a diagnostic console giving Web UI users access to msfconsole. This can be used to execute shell commands and create a remote session.
  • NetBSD mail.local Privilege Escalation by akat1 and h00die exploits CVE-2016-6253 - This module adds an exploit for CVE-2016-6253, a local privilege escalation vulnerability affecting NetBSD 6.0 through 7.0.1.
  • Cisco ASA Authentication Bypass (EXTRABACON) by Dylan Davis, Equation Group, Nate Caroe, Sean Dillon, Shadow Brokers, William Webb, and Zachary Harding exploits CVE-2016-6366 - This module implements the EXTRABACON exploit for Cisco ASA VPN appliances. The exploit works by disabling authentication remotely via a specially-crafted SNMP packet. This was originally part of the Equation Group disclosure made by Shadow Brokers. It supports a variety of firmware versions from 8.x to 9.x.


Offline Update

To download the offline file for this update, go to http://updates.metasploit.com/packages/a5ba45e5b79e41ce3d498069486b85246abbe0c8.bin.


Version Information


PRO 4.12.0 updates to 4.12.0-2016092601