Metasploit 4.12.0 (Update 2016111001)

Document created by tdoan (Employee) on Nov 9, 2016. Last modified by Brent Cook on Nov 10, 2016.

Bugs Fixed
  • PR #7485 - The last remaining Perl file in framework has been removed.
  • PR #7488 - This fix resolves an issue with calling prove_amplification with a zero-length key (indicating that no UDP payload was sent); this call would fail with a divide by zero error.
  • PR #7490 - A change made to improve XML import performance broke host fingerprinting; the broken code was never shipped in a release. As a result, imported hosts would not get the correct OS name, purpose, and other fingerprinting information. The importer now correctly fingerprints hosts.
  • PR #7493 - This fixes a problem in Meterpreter that would cause an exploit to not establish a session. It also disables the DEBUG mode.
  • PR #7497 - An information leak exists in the Kerberos authentication process: an authentication failure for a valid user differs from a failure for an invalid user. This module abuses that information leak to determine whether a username is a valid user on the domain. It reads a file containing a list of "guesses", attempts to authenticate with each one, prints the status of the username to the screen, and stores it in the creds table if it is valid.
  • PR #7508 - This patch fixes broken behavior of the shell_to_meterpreter post module when a payload other than the default (reverse TCP Meterpreter) is specified. Users should now be able to choose a different payload by setting PAYLOAD_OVERRIDE to the name of their desired payload.
  • PR #7511 - This patch allows jenkins_script_console to be used against newer versions of Jenkins.
  • PR #7512 - This patch fixes a broken check method in the exploit/linux/http/seagate_nas_php_exec_noauth module. Users should now be able to select that module and run check successfully to see whether their Seagate NAS device is vulnerable.
  • PR #7522 - This fixes a bug in the PowerShell payload where it pegged a CPU core on the remote host after termination through a standard Ctrl-C.
  • PR #7523 - This fixes a bug that arose when much of the PowerShell functionality was offloaded to a separate gem. The code here was never updated to call the gem, and instead continued to try to create the payload from the old templates, which no longer existed. This fix removes references to the old templates and replaces them with the relevant objects in the PowerShell gem.
  • PR #7529 - This fixes a nil bug in exploit/multi/http/tomcat_mgr_deploy where the saved password was being converted to lowercase unconditionally. Additionally, there was no reason to downcase the password.
  • Pro: MS-2154 - An issue that caused Social Engineering campaigns to not send some email attachments correctly has been fixed.
  • Pro: MS-2155 - Edits to a persistent listener are now saved as expected.
  • Pro: MS-2182 - If you installed Metasploit Pro in a file system other than the rootfs, backups would incorrectly reference the rootfs when checking available space to store the backup. This fix ensures the actual file system where Pro is installed is always referenced. Additionally, if there's not enough file system space available to store the backup, you will see an informative message instead of a generic exception dialog.
  • Pro: MS-2221 - TLS support for the SMTP server implementation has been updated to interoperate with modern server configurations, including the latest versions of Postfix and Microsoft Exchange.
  • Pro: MS-2242 - An issue with the index prevented large SSH keys from being added to the database. This fix resolves the index issue so that SSH keys can be added as expected.
Features and Enhancements
  • PR #6711 - Drforbin's new EXE persistence module for creating persistent sessions on a compromised machine has been added.
  • PR #6969 - The Regsvr32 Command Delivery Server, which allows for remotely set commands to be retrieved from a server and executed, has been added to the framework.
  • PR #7439 - Ghostscript support has been added to the ImageMagick fileformat exploit module. The MIFF file target option has been removed, and a PS file target option is now available.
  • PR #7459 - The fingerprinting of imported hosts is now delayed until the end of an import, instead of fingerprinting them after every service is saved. The result is a drastic reduction in the time taken to import hosts with many services.
  • PR #7462 - Support for Unicode domain names, such as Cyrillic ones, has been added to the output of framework scripts and modules.
  • PR #7480 - A deprecation warning for udp_probe in favor of udp_sweep has been added.
  • PR #7484 - This module retrieves credentials from a Telpho10 ISDN+VOIP system.
  • PR #7489 - A module has been added that detects and researches UDP amplification vulnerabilities. It should only be used for broad classes of UDP amplification vulnerabilities (e.g., empty or single-byte UDP datagrams) or for specific UDP amplification vulnerabilities that are already known to exist in specific protocols.
  • PR #7498 - This adds auxiliary/admin/http/joomla_registration_privesc, a module that will create an admin user in Joomla versions 3.4.4 through 3.6.3. By default, e-mail activation is required, so the attacker must supply a valid e-mail address to continue exploitation.
  • PR #7499 - A check method has been added to exploit/linux/local/pkexec.
  • PR #7521 - The framework can now communicate over more modern cryptographic channels.
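The amplification measurement behind PR #7489, together with the zero-length-probe case that PR #7488 fixed, as an added illustration. This is not the code of Metasploit's own DRDoS mixin; the function names, the result layout and the sample payloads are assumptions constructed for the example.

```ruby
# Added example (not Metasploit's DRDoS mixin): compute the packet and
# bandwidth amplification a UDP responder exhibits for each probe sent to it.
# A zero-length probe means no UDP payload was sent; dividing the response
# bytes by its length would raise ZeroDivisionError (the PR #7488 bug), so
# that case is reported with packet amplification only.
#
# responses: array of response payloads (strings) received for one probe.
def amplification_for(probe, responses)
  probe_len   = probe.bytesize
  packets_out = responses.length
  bytes_out   = responses.sum(&:bytesize)

  if probe_len.zero?
    # Any reply to an empty datagram is amplification by definition, but a
    # byte ratio cannot be formed; leave bandwidth_ratio nil. (Assumption.)
    return { probe: probe, packets: packets_out, packet_ratio: packets_out.to_f,
             bandwidth_ratio: nil, amplified: !responses.empty? }
  end

  packet_ratio    = packets_out.to_f          # one probe packet went out
  bandwidth_ratio = bytes_out.to_f / probe_len
  { probe: probe, packets: packets_out, packet_ratio: packet_ratio,
    bandwidth_ratio: bandwidth_ratio,
    amplified: packet_ratio > 1 || bandwidth_ratio > 1 }
end

# response_map: { probe_payload => [response_payload, ...] } for one target.
def prove_amplification(response_map)
  response_map.map { |probe, responses| amplification_for(probe, responses) }
end

# Constructed sample (fabricated payloads, not real protocol captures): an
# empty datagram, a single-byte probe that got no reply, and an 8-byte
# request answered with three packets.
SAMPLE_MAP = {
  ""       => ["A" * 40],
  "\x00"   => [],
  "X" * 8  => ["B" * 200, "B" * 200, "B" * 48],
}.freeze

if __FILE__ == $PROGRAM_NAME
  prove_amplification(SAMPLE_MAP).each do |r|
    printf("probe=%d bytes packets=%d pkt_ratio=%.1f bw_ratio=%s amplified=%s\n",
           r[:probe].bytesize, r[:packets], r[:packet_ratio],
           r[:bandwidth_ratio].nil? ? "n/a" : format("%.1f", r[:bandwidth_ratio]),
           r[:amplified])
  end
end
```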
Exploits Added
  • Overlayfs Privilege Escalation by h00die and rebel exploits CVE-2015-8660 - Exploits for CVE-2015-1328 and CVE-2015-8660, which are local privilege escalation vulnerabilities on Linux via the same overlayfs vector, have been added to the framework.
  • Bassmaster Batch Arbitrary JavaScript Injection Remote Code Execution by Jarda Kotesovec and mr_me exploits CVE-2014-7205 - A module has been added for the bassmaster batch arbitrary JavaScript injection remote code execution vulnerability. This module exploits an unauthenticated code injection vulnerability in the bassmaster nodejs plugin for hapi. The vulnerability is within the batch endpoint and allows an attacker to dynamically execute JavaScript code on the server side via eval.
Offline Update

To download the offline file for this update, go to http://updates.metasploit.com/packages/5374f363131de61247f4a30252c3ed0b92d16aab.bin.
Version Information
PRO 4.12.0 updates to 4.12.0-2016111001