Metasploit 4.13.0 (Update 2017012501)

Document created by tdoan Employee on Jan 24, 2017Last modified by tdoan Employee on Jan 26, 2017
Version 3Show Document
  • View in full screen mode

Bugs Fixed


  • PR #7584 - This fix resolves an injection into apps that have been protected by ProGuard. By default, the package name of the app was being reused as the payload, which means the .a class would likely be overwritten. To avoid these types of conflicts, randomly generated packages are used.
  • PR #7794 - This fix addresses an issue with the android send_sms command in the Meterpreter extension.
  • PR #7806 - This fix resolves an issue with UDP servers in Metasploit, which prevented them from binding as an IPv6-only socket when the server has an IPv4 address.
  • PR #7825 - Plugins are now unloaded before they are loaded, which prevents duplicate plugins from being loaded.
  • PR #7838 - This fix resolves a bug in the auto-targeting feature that was recently added. Auto-targeting relies on RHOSTS values to grab information from the database to fill in the required information. Browser Autopwn has no RHOSTS value, so when auto-targeting tries to pull information, it fails. This fix stops auto-targeting from trying to auto-target things that do not have RHOSTS values.
  • PR #7850 - This patch updates the auxiliary/scanner/http/ipboard_login module to provide more informative error messages when it fails to successfully connect to a target.
  • Pro: MS-1785 - Ubuntu 16.04 LTS is now supported.
  • Pro: MS-2312 - Running the pro_report command in the pro console resulted in an error. This patch fixes the pro_report command to allow users to generate reports from the pro console.
  • Pro: MS-2419 - The REST API v1 was not returning all of the campaigns on a Metasploit instance.  This fix removes a broken filter, so you will not see campaigns missing from an API request.


Features and Enhancements

  • PR #7763 - We have added the -sl 'silence' switch to multi_console_command script to allow it to run silently, which is useful in the context of automatic command invocation.
  • PR #7771 - We have added the history -u switch, which removes duplicate entries from the history output.
  • PR #7796 - This module replaces an ambiguously-licensed code snippet with original code and solves some other underlying problems like supporting relative paths, file shares, and Unicode filenames.
  • PR #7797 - A module that targets a remote code execution vulnerability in DiskBoss Enterprise v7.4.28 and v7.5.12 with server enabled running on Windows XP or 7 has been added.
  • PR #7803 - This patch adds a new post-auth RCE exploit module for the Cisco Firepower Management Center (versions 5.2.0 through 6.0.1). You can go to CVE-2016-6433 for vulnerability details.
  • PR #7812 - The Mettle payload now supports network pivoting with TCP and UDP sockets.
  • PR #7823 - Certain Meterpreter scripts have been removed if post-exploitation modules already exist for them. A check that resolves a script name to its corresponding module reference name has also been added.
  • PR #7829 - The workspace command now appears in a table with counts of hosts, services, vulns, creds, loots, and notes.
  • PR #7832 - The table output for `workspace` to `workspace -v` has been moved, which preserves the original output.
  • PR #7833 - Module documentation has been added for for tomcat_administration. The module's description in the metadata has also been updated.


Exploits Added


Offline Update


To download the offline file for this update, go to bin


Version Information


PRO 4.13.0 updates to 4.13.0-2017012501