- PR-7253 - This fix resolves an issue where the x64 XOR encoder would not work properly. This could cause stage encoding on a 64-bit meterpreter session to fail.
- PR-7360 - This fix resolves an issue where modules that included a passive service (such as HTTP), but acted in an active manner (server-side exploits), would be launched in the background as opposed to the foreground as expected.
- PR-7362 - This fix changes the APK injection code so that it also injects the Android service and BOOT_COMPLETED broadcast receiver. This means that a backdoored APK only needs to be run once; when the phone reboots, it will reconnect automatically. The change also moves the payload classes into the original app's package namespace (as opposed to just com.metasploit.stage), which defeats most Android antivirus (for the time being).
- PR-7372 - This fix resolves a couple of candidates for the Useless Use of cat Award. Why cat | grep when you can just grep?
- PR-7374 - This patch fixes a bug where enabling the SSL option for exploit/multi/script/web_delivery's PSH target would generate invalid PowerShell syntax. Now the generated PowerShell syntax is correct when SSL is enabled.
- PR-7377 - This fix replaces a particular cmd_exec anti-pattern in a few modules with the correct read_file call.
- PR-7378 - This fix adds zipalign as a final step in the APK injection process exposed via msfvenom.
- PR-7392 - This fix resolves an issue in Browser Autopwn 2 where modules don't specify a stance.
- PR-7398 - This fix resolves an issue that causes a segfault when trying to use the elf-so payload with LD_PRELOAD.
- PR-7399 - This fix resolves an issue with a missing require, 'msf/core/handler/reverse_tcp', in the Android Meterpreter reverse TCP payload, which caused an error when you tried to start up msfconsole.
- PR-7405 - This fix resolves an error in auxiliary/fuzzers/ntp/ntp_protocol_fuzzer where unset options would cause the module to crash. The default nil values have been removed.
- PR-7407 - This fixes an error in auxiliary/dos/tcp/synflood where not setting NUM crashes the module. The default is now 0 (transparent to the user), which means run an unlimited number of times.
- PR-7432 - This fixes incorrect reports of successful administrator credential logins when the sonicwall_scrutinizer_methoddetail_sql module is run against a non-exploitable HTTP service.
- PR-7433 - More verbosity and clarity has been added to the HTTP PUT/DELETE scanner output in the form of IP addresses.
- PR-7446 - The Capcom driver local privilege escalation module now includes support for Windows 10.
- PR-7469 - This fix resolves issues with improper generation of certain PHP payloads.
- PR-7470 - This patch fixes a recent breakage when attempting to upgrade a session (sessions -u). The breakage was related to some missed file references when we moved cmdstagers out of MSF into a new rex-exploitation gem.
- Pro: MS-315 - This fix allows any SSL key provided to Metasploit Pro to be used for creating SSL/TLS connections. A restriction has been added; a store for trusted certs without keys could be added in the future, which would require adjustments to the validation requirements or a separate class.
- Pro: MS-1609 - The struts_default_action_mapper exploit did not wait a sufficient time for the preconditions to complete in order for the exploit to succeed. The exploit has been enhanced to be more tolerant of slower network conditions.
- Pro: MS-2039 - This fix resolves an issue that caused modules that use the packet capture mixin to result in an application error.
- Pro: MS-2064 - Improvements have been made to the Reports page to ensure that you are properly alerted when you are trying to view a report that is no longer available.
- Pro: MS-2073 - XML files that contain a large number of services are now imported into Metasploit at a faster rate. Improvements have been made to the import function so that 19,000 services can now be imported in 6 minutes, instead of 5.5 hours.
- Pro: MS-2175 - This fix resolves incorrect reports of successful administrator credential logins when the sonicwall_scrutinizer_methoddetail_sql module is run against a non-exploitable HTTP service.
Features and Enhancements
- PR-7093 - This adds a new command to the Nessus plugin that allows the user to specify a single workspace inside Metasploit to have Nessus scan against, instead of all hosts in every workspace.
- PR-7292 - The new stageless payloads for android reverse_tcp and reverse_http enable deployment of all android meterpreter capabilities to a compromised device in a single upload.
- PR-7296 - A new auxiliary module, auxiliary/scanner/scada/profinet_siemens, can scan for and detect Profinet SCADA devices.
- PR-7334 - Colorado FTP server has a bug in that a properly-authenticated user can perform an upward directory traversal (../..); by performing that upward directory traversal, it is possible to obtain the config/credential file, which contains the users and passwords in plaintext. This module performs the upward directory traversal and pulls the config/cred file.
- PR-7340 - This adds documentation for the auxiliary/server/socks4a module.
- PR-7350 - The msfconsole prompt and Meterpreter session prompts now share a common 'sess' command for quickly switching between session IDs directly.
- PR-7355 - The former post module post/multi/escalate/allwinner_backdoor is now a local exploit module, matching the normal way privilege escalation is done in Metasploit.
- PR-7361 - Using post/osx/capture/screen to take a screen capture could trigger the "shutter" sound effect on the target system. This fix ensures screen capture actions do not make any sounds on the target system.
- PR-7363 - This module achieves local privilege escalation on a Windows target by exploiting a "feature" provided by the CAPCOM.SYS driver for Windows x64. The "feature" is the driver allows for user-land functions to be executed in the context of the kernel. Currently this module has only been tested with Windows 7, but should work on earlier Windows versions or any other version that doesn't have SMAP support.
- PR-7364 - The Metasploit Framework is now on metasploit-payloads 1.1.15.
- PR-7376 - The MySQL Writable Directory Enumeration module by AverageSecurityguy uses credentials to log into a MySQL server and takes a list of directories to see if it can write to them.
- PR-7385 - This post module uses an existing session on an AWS EC2 instance to gather the metadata about the instance. Metadata can include: SSH public keys, IPs, networks, user names, MACs, custom user data and numerous other things that could be useful in EC2 post-exploitation scenarios. Any EC2 instance with curl is an applicable target. More information about AWS's EC2 instance metadata is available at http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html.
- PR-7387 - The checksum command has been added to Meterpreter, which allows you to check the integrity of remote files using either MD5 or SHA-1.
- PR-7395 - The error messages for the wp_ninja_forms_unauthenticated_file_upload module have been improved to provide more meaningful context.
- PR-7396 - This PR includes two improvements. First, the capcom exploit has been updated so that it no longer checks for the capcom.sys file in a fixed location on disk. Second, a list of active drivers can now be enumerated on the machine that Meterpreter is running on.
- PR-7401 - An option has been added to sysinfo to refresh its cached information. The user command will always refresh.
- PR-7411 - This is a new, simple module for hosting an HTML Application (HTA) which delivers a payload via Powershell. Using this module requires convincing a user to navigate to the page and accept the two prompts by IE before the payload is executed.
- PR-7408 - Wordlists have been added from the Mirai botnet.
- PR-7414 - cmd_bash has been removed from the supported payload types for exploit/unix/local/netbsd_mail_local.
- PR-7418 - This new module provides privilege escalation via the recvmmsg system call on vulnerable Linux kernels (CVE-2014-0038). Ubuntu 13.04 and 13.10 are currently supported, with the option to later add support for other Linux variants running vulnerable kernels.
- PR-7422 - This patch fixes an issue with the MSF nessus plugin that causes an error when importing a Nessus scan using the nessus_db_import command. You can now import Nessus scans via the nessus_db_import command without any issues.
- PR-7423 - A localtime command for Meterpreter has been added, which allows the user of a session to get the local system time of the machine that the session is running on.
- PR-7451 - Changes have been made so that a new signing certificate is created, using the dname value copied from the original APK certificate, during the APK injection process.
- PR-7481 - This adds backwards compatibility for older Android payloads when connecting to the latest version of Metasploit Framework. It also fixes an import performance problem with recog when there are many services on a host, decreasing import time in one case (several thousand services) from 5 hours to less than 10 minutes.
- PR-7460 - The ZoomEye Search module has been added and enables you to look up resources on zoomeye.org.
- Pro: MS-2170 - The smb_version scan now supports targets with Unicode hostnames.
- Hak5 WiFi Pineapple Login/CSRF Check Bypass by catatonicprime - The 'pineapple_bypass_cmdinject' exploit attacks a weak check for pre-authorized CSS files, which allows the attacker to bypass authentication. The exploit then relies on an anti-CSRF vulnerability (CVE-2015-4624) to obtain command injection.
- Hak5 WiFi Pineapple Preconfiguration Command Injection by catatonicprime exploits CVE-2015-4624 - The 'pineapple_preconfig_cmdinject' module exploits the pre-configuration state of a freshly imaged WiFi Pineapple to execute commands remotely. It works for devices in both the pre and post-password set state.
- Linux Kernel 3.13.1 Recvmmsg Privilege Escalation by h00die and rebel exploits CVE-2014-0038 - This new module provides privilege escalation via the recvmmsg system call on vulnerable Linux kernels (CVE-2014-0038). Ubuntu 13.04 and 13.10 are currently supported, with the option to later add support for other Linux variants running vulnerable kernels.
- OpenNMS Java Object Unserialization Remote Code Execution by Ben Turner - An exploit for a Java object deserialization vulnerability in OpenNMS has been added. Full technical details are available at http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
- Ruby on Rails Dynamic Render File Upload Remote Code Execution by John Poulin (forced-request) and mr_me exploits CVE-2016-0752 - This module exploits a remote code execution vulnerability in Ruby on Rails, specifically in the explicit render method when leveraging user parameters.
- Windows Capcom.sys Kernel Execution Exploit (x64 only) by OJ Reeves and TheWack0lian - This PR includes two improvements. First, the capcom exploit has been updated so that it no longer checks for the capcom.sys file in a fixed location on disk. Second, a list of active drivers can now be enumerated on the machine that Meterpreter is running on.
- Powershell Payload Execution by Matt "hostess" Andreko and RageLtMan - This module allows you to compile powershell commands using the .NET framework.
- HTA Web Server by Spencer McIntyre - This is a new, simple module for hosting an HTML Application (HTA) which delivers a payload via Powershell. Using this module requires convincing a user to navigate to the page and accept the two prompts by IE before the payload is executed.
- Panda Security PSEvents Privilege Escalation by Security-Assessment.com and h00die - This new module provides privilege escalation via a Panda Antivirus vulnerability, allowing a standard Windows user to become system.
To download the offline file for this update, go to http://updates.metasploit.com/packages/a8358990cebe444b6189c90957968cbf28e0785e.bin.
PRO 4.12.0 updates to 4.12.0-2016102501