Metasploit 4.12.0 (Update 2016120701)

Document created by tdoan Employee on Dec 7, 2016Last modified by tdoan Employee on Dec 8, 2016
Version 3Show Document
  • View in full screen mode

Highlights

 

Resource scripts can be used to automate repetitive tasks in Metasploit. They contain a set of commands that are automatically and sequentially executed when you run the script in Metasploit. Historically, Metasploit users have only been able to run resource scripts from msfconsole. However, this release includes the ability to run resource scripts directly from Metasploit Pro. So now, you can do anything you can do almost anything you'd do in the Metasploit Framework in Metasploit Pro. To check out resource scripts in Metasploit Pro, open a project and go to Modules > Resource Scripts.

 

rcscripts.jpg

To learn more about resource scripts, please read Importing and Running Resource Scripts with Metasploit Pro.

 

Bugs Fixed

 

  • PR #7527 - This fix addresses a bug in stagers when receiving a callback from a reversewinhttp and reversewinhttps payloads that implement a LURI value. Previously, these stagers failed to establish a session.
  • PR #7536 - This fixes an issue in the arp_poisoning module where, when the local source IP option is not specified by the user (LOCALSIP), the module fails with an exception. It now properly obtains the local source IP from the configured interface.
  • PR #7537 - This fix addresses a bug in auxiliary/admin/scada/phoenix_command where the action port (datastore option RPORT) was being checked against 0 and not nil. When the option is unset, the action port is autodetected.
  • PR #7553 - This fix resolves an issue with APK payload injection failing on non-English based installs.
  • PR #7554 - A recent regression was introduced that prevents users from upgrading an existing PowerShell session to a Meterpreter session. This patch fixes this behavior, allowing users to upgrade existing PowerShell sessions to Meterpreter sessions.
  • PR #7556 - This fix addresses an issue where certain hosts may cause psexeccommand to stop due to a STATUSBADNETWORKNAME failure during cleanup. The updated behavior allows the module to continue.
  • PR #7561 - This fix ensures the module returns the correct status code Metasploit::Model::Login::Status::SUCCESSFUL for a valid login.
  • PR #7562 - This fix addresses the column alignment in Metasploit's text tables with Unicode characters. Notably, it allows the output of the 'show options' command to appear aligned when the options include Unicode text.
  • PR #7570 - This fix addresses an issue where output from asynchronous jobs causes issues with the console prompt.
  • PR #7576 - This fix addresses an error in the auxiliary/scanner/ftp/titanftpxcrctraversal module where it failed to use the rhost value for targeting purposes.
  • PR #7577 - Fixes an issue with the auxiliary/gather/ieuxssinjection module that would cause the URIPORT option to not be handled correctly.
  • PR #7579 - The netfilterprivesc module was renamed to netfilterprivesc_ipv4.
  • PR #7586 - This fix addresses a missing variable error while running auxiliary/scanner/http/brute_dirs.
  • PR #7588 - This fix addresses an incorrect disclosure date in exploit/linux/misc/opennms_java_serialize.
  • PR #7590 - This fix addresses a mixin order issue in auxiliary/scanner/http/buffalo_login where both RHOST and RHOSTS were available options. Now only RHOSTS is available.
  • PR #7591 - This fix resolves an issue that causes payload injection to fail to properly identify Warbird License Verification in an executable template.
  • PR #7599 - When running commands that create connections, you can unexpectedly encounter the following error: "Exploit failed: RuntimeError TCP connect-back payloads cannot be used with Proxies" (even when no proxies are configured). This patch ensures this error only appears when a proxy is configured.
  • PR #7606 - When you bruteforce credentials using the auxiliary/scanner/http/owalogin module, you can experience an unexpected halt in operation if the connection to the OWA server encounters an error. This fix allows the owalogin module to continue testing credentials in the face of connection issues.
  • PR #7609 - The cisconacmanager_traversal module now uses SSL by default.
  • PR #7611 - The auxiliary/scanner/http/ciscoironportenum module would abruptly quit on the first brute-force attempt. This fix proceeds as-expected on a good connection.
  • PR #7612 - If you generate payloads with msfconsole, you may intermittently encounter an "undefined method `length' for nil:NilClass" error. This fix gives msfconsole an extra moment to load, which prevents this error.
  • PR #7627 - This fix resolves a typo in payloads/linux/armle/mettle.
  • PR #7630 - This fix addresses an issue with auxiliary/scanner/http/concrete5memberlist that causes usernames to be parsed incorrectly.
  • PR #7633 - This fix resolves a bug in dell_idrac. The module stops trying the same user after a valid credential is found.
  • PR #7635 - This fix addresses an issue with payload UUIDs not being parsed correctly causing intermittent failures in the payload handler.
  • PR #7641 - This fix changes the check_conn? method in auxiliary/scanner/http/cisco_ssl_vpn to return the correct status in order to proceed with scanning.
  • PR #7644 - This fix removes a duplicate report_cred method in exploit/unix/webapp/vbulletin_vote_sqli_exec.
  • PR #7646 - This fixes auxiliary/scanner/http/dolibarr_login to properly use get_cookies, allowing the module to fetch the session ID from the cookie. Previously, the module was calling the method without res.
  • Pro: MS-2204 - Elements on the Task Chain modal are now aligned properly.
  • Pro: MS-2267: An issue caused TCP sessions to not complete SSL handshakes, which prevented other clients from doing the SSL handshakes.  This fix resolves this issue so that social engineering campaigns can run as expected.
  • Pro: MS-2283 - Updates were made to support the revision to framework session platform values.

 

Features and Enhancements

  • PR #7636 - The sleep command has been added to Android Meterpreter.
  • PR #7261 - A winpmem meterpreter extension has been added to dump a victim's RAM.
  • PR #7328 - Samba 3.0.0 through 3.0.25rc3 are vulneable to mulitple heap overflows. This module targets a heap overflow in the LsarLookupSids RPC call (CVE-2007-2446), causing an overflow in the function lsaiotrans_name() . This updates the module to target MIPS routers running a vulnerable OpenWRT firmware, and adds a new MIPS nop generator module.
  • PR #7427 - Two new options, USER_ID and API_TOKEN, have been addded to exploit/linux/http/nagios_xi_chained_rce, which allow the user to override certain exploit requirements for special setups.
  • PR #7456 - A new Android Meterpreter command hide_app_icon has been added, which removes the Meterpreter application icon from the Android app launcher after Meterpreter is installed.
  • PR #7505 - The ciscoasaextrabacon module has been improved in a few ways. Support for some ASA versions that failed previously due to lack of MIB support has been added. The module now uses an auxiliary module 'action' specifier rather than a custom data store option for specifying what action the module should take. It also allows specifying a particular ASA version to target, for when auto-targeting does not work and to aid in future module development.
  • PR #7506 - A post-exploitation module has been added that will extract credential and other valuable AWS information from a machine with AWS console/CLI installed and configured with credentials. You can use these credentials to access all of an AWS user's resources.
  • PR #7507 - Changes that aim to facilitate moving towards the creation of a universal handler have been made to the framework. Much better tracking of a session's arch and platform was required, along with better identification of those properties as well. This resulted in changes around platform and arch strings, and the deprecating ARCHX8664 with ARCH_X64 for consistency. Metasploit previously used a mixture of both strings, the former of which was often mismatched with the /x86/ regex, which had the unintended side-effect of matching for 32-bit and 64-bit payloads.
  • PR #7530 - The auxiliary/admin/atg/atg_client scanner now parses the unknown command response and provides the valid options. It altogether transforms a mysterious output into something the user can make sense of and fix his/her configuration accordingly.
  • PR #7531 - Previously, this exploit tried two different exploit paths and favored one. This change splits the methods apart allowing mutually exclusive targeting and adds a few other minor changes to increase the payload options and ensure better error messages.
  • PR #7546 - This updates framework to pull the latest gems and ActiveRecord schema.
  • PR #7565 - Aliases have been added to print_error and vprint_error to print_bad and vprint_bad. This makes the opposite of print_good more intuitive.
  • PR #7574 - Enhancements to the auxiliary/scanner/http/open_proxy module were made to improve things like using the HttpClient header, supporting more ports, using only GET and CONNECT methods, etc.
  • PR #7594 - The resiliency of auxiliary/scanner/http/blindsqlquery has been improved for unexpected responses from the target server.
  • PR #7597 - This module allows you to collect archived chat messages from OS X.
  • PR #7636 - The sleep command has been added to Android Meterpreter.

 

Exploits Added

  • Dlink DIR Routers Unauthenticated HNAP Login Stack Buffer Overflow by Pedro Ribeiro exploits CVE-2016-6563 - An exploit for the vulnerability described by CVE-2016-6563, which is present on numerous D-Link products, has been added.
  • PowerShellEmpire Arbitrary File Upload (Skywalker) by Erik Daguerre and Spencer McIntyre - This module exploits a vulnerability in PowerShellEmpire. By recovering the staging key, the module is able to communicate using a malicious agent, and triggers a download task that leverages a traversal vulnerability in order to write to an arbitrary location, which results in remote code execution.
  • Trend Micro Smart Protection Server Exec Remote Code Injection by Quentin Kaiser - This module exploits a vulnerability CVE-2016-6267 found in TrendMicro Smart Protection Server where untrusted inputs are fed to ServWebExec system command, leading to command injection. Shell access obtained is within 'webserv' service user context. Please note that authentication is required to exploit this vulnerability. Unpatched versions 2.5, 2.6, and 3.0 are vulnerable.
  • Linux BPF Local Privilege Escalation by h00die and jannh exploits CVE-2016-4557 - This new exploit module targets a BPF vulnerability in certain Linux kernel versions (CVE-2016-4557), resulting in privilege escalation.
  • WordPress Ninja Forms Unauthenticated File Upload by James Golovich and Rob Carr exploits CVE-2016-1209 - The wpninjaformsunauthenticatedfile_upload module now supports multiple platforms, so it has moved from the 'unix' namespace to 'multi'. Users should discontinue using the 'unix' version in favor of the 'multi' version.
  • Office OLE Multiple DLL Side Loading Vulnerabilities by Yorick Koster exploits CVE-2016-3235 - An exploit module for multiple DLL hijack vulnerabilities in Office/Windows has been added. This module contains an embedded PPTX.
  • PDF Shaper Buffer Overflow by metacom and metacom27 - The Buffer Overflow Exploit for PDF Shaper v3.5 by metacom has been added.
  • WinaXe 7.7 FTP Client Remote Buffer Overflow by Chris Higgins and hyp3rlix - This module exploits a buffer overflow vulnerability in WinaXe 7.7 FTP client. When the client makes a connection to the exploit server, a buffer overflow condition could trigger by responding a long string in the ready message, and gain arbitrary code execution under the context of the user.
  • Disk Pulse Enterprise Login Buffer Overflow by Chris Higgins and Tulpa Security - An exploit module for a stack based buffer overflow vulnerability in Disk Pulse Enterprise 9.0.34 which grants SYSTEM privileges to the user has been added to the framework.
  • Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key) by Matt Graeber, Matt Nelson, and OJ Reeves - This is a local exploit module that allows you to bypass UAC via the Event Viewer. It works against a variety of Windows versions, from Windows 7 to Windows 10.
  • Authenticated WMI Exec via Powershell by RageLtMan - This module allows the attacker to execute a payload against another machine via the compromised one by using Powershell/WMI. Execution is performed in memory via psh-net, which means this module can also be used to deliver a payload with extra stealth on the compromised machine.

 

Offline Update

 

To download the offline file for this update, go to http://updates.metasploit.com/packages/6c0faf8675a6e202ea5bbddfd1784f09250db9f2. bin.

 

Version Information

 

PRO 4.12.0 updates to 4.12.0-2016120701

Attachments

    Outcomes