- PR-7680 - This fix addresses a bug in the Login Scanner modules when you are running them without credentials. A warning message will now be printed and the module will gracefully exit.
- PR-7695 - This fix resolves a bug in the Nessus plugin in which a scan invoked by the user via nessus_db_scan_workspace would display an error.
- PR-7844 - This patch adds the protocol to the show options and info displays when they include RPORT.
- PR-7845 - This patch ensures that an exploit will target the correct architecture based on the given payload's architecture. However, you can still provide your own payload code with specified architecture.
- PR-7858 - An infinite loop condition in shell_command_token has been fixed.
- PR-7887 - Due to the wide variety of documentation and search-engine results still recommending using Meterpreter scripts, it is clear that the word has not yet gotten out that they have been deprecated for some time. It is also clear that translating a Meterpreter script invocation automatically to use a post module is difficult when scripts take advanced options. This change replaces the automatic behavior with a warning to the user.
- PR-7888 - This patch provides a clearer error message when users attempt to run a post module on an invalid or non-existent session.
- PR-7889 - This fix addresses an issue that causes magic auto targeting to only be added to remote exploits with a remote host and an auto-targeting option available.
- PR-7894 - The credential validation of an empty CredentialCollection object has been refactored.
- PR-7895 - The module exploits/windows/browser/firefox_uaf_smil now uses BrowserExploitServer instead of HttpServer.
- PR-7904 - This patch fixes affected PHP payloads that did not have the <?php tags in the proper place.
- PR-7930 - This fix resolves CVE-2017-5228 and prevents directory traversal upon the download of files via a Meterpreter session. Thanks to Justin Steven.
- PR-7931 - This fix resolves CVE-2017-5231 and prevents directory traversal upon the recursive globbed download of files via a Meterpreter session. Thanks to Justin Steven.
- PR-7932 - This fix resolves CVE-2017-5229 and prevents directory traversal upon the download of files on the clipboard via a Meterpreter session. Thanks to Justin Steven and OJ Reeves.
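The three directory traversal fixes above (PR-7930, PR-7931 and PR-7932) share one defensive idea: a file name supplied by the remote side of a Meterpreter session must never be allowed to place a downloaded file outside the local destination directory, whether the download is a single file, a recursive glob, or clipboard content. The Ruby below is an added illustration of that containment check; it is not the framework's own code, and the function names safe_local_path and rejected_names, the backslash normalization and the sample names are assumptions chosen for this example.

```ruby
# Added illustration (not Metasploit's own code): contain a remote-supplied
# file name within a local destination directory before writing to it.
#
# A hostile or compromised session could return names such as
# "../../.ssh/authorized_keys" during a download; joining them blindly to the
# destination would write outside it. Resolving the joined path and then
# checking that it still lies under the destination closes that hole.

def safe_local_path(dest_dir, remote_name)
  base = File.expand_path(dest_dir)
  # Normalize Windows-style separators so "..\\..\\x" is treated like "../../x".
  # (Assumption for this example; real session code may handle this elsewhere.)
  normalized = remote_name.tr('\\', '/')
  candidate = File.expand_path(File.join(base, normalized))
  # Accept only paths strictly inside the base directory; the trailing
  # separator stops "/tmp/loot2" from passing for a base of "/tmp/loot".
  return nil unless candidate.start_with?(base + File::SEPARATOR)
  candidate
end

# Apply the check to a list of names, as a recursive (globbed) download would,
# and return the names that were rejected so the operator can see them.
def rejected_names(dest_dir, remote_names)
  remote_names.reject { |name| safe_local_path(dest_dir, name) }
end

if __FILE__ == $0
  # Constructed sample of names a session might return.
  samples = ['report.txt', 'logs/app.log', '../../.ssh/authorized_keys',
             '..\\..\\evil.dll', '/etc/passwd']
  samples.each do |name|
    puts "#{name.inspect} => #{safe_local_path('/tmp/loot', name).inspect}"
  end
end
```

Note that an absolute remote name such as /etc/passwd is not rejected but re-rooted under the destination directory, which keeps the write contained; rejecting it outright is an equally valid policy.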
Features and Enhancements
- PR-7787 - The wakelock command has been added to Android Meterpreter, allowing a user to keep the screen/CPU on when the device is idle. This is useful for interacting with a session even when the device would otherwise be asleep.
- PR-7790 - Meteocontrol WEB'Log Data Loggers are affected by an authentication bypass vulnerability. The module exploits this vulnerability to remotely extract the Administrator password for the device management portal.
- PR-7795 - A REST API is now available for hardware devices, which can support it either directly on the device or via a relay on a computer the device is attached to. This provides a method to integrate hardware devices into Metasploit. To learn more, go to http://opengarages.org/hwbridge/.
- PR-7804 - Two major changes to the creds command have been made. The first change allows you to configure all fields, so any credential type that can be represented by the data model can be set in a credential. The second change modifies credential fields so that they are represented by named arguments rather than by their position in the command line. This change makes command invocations self-documenting and makes it easier to add other attribute types later.
- PR-7805 - An exploit for CVE-2016-6435 has been added. It exploits a directory traversal vulnerability in the Cisco Firepower Management Console. Authentication is required, allowing any file accessible by the www user to be exfiltrated.
- PR-7820 - An exploit module that targets a command injection vulnerability in TrueOnline Billion 5200W-T has been added.
- PR-7821 - An exploit module that targets a command injection vulnerability in TrueOnline ZyXEL P660HN has been added.
- PR-7822 - An exploit module that targets a command injection vulnerability in TrueOnline ZyXEL P660HN v2 has been added.
- PR-7827 - A login scanner module has been added for the Cisco Firepower Management console via HTTPS. The credentials are also used for SSH, which could allow remote code execution.
- PR-7846 - CSV and vCard support has been added to the dump_contacts command in Android Meterpreter.
- PR-7848 - An exploit has been added for Disk Savvy Enterprise 9.1.14 and 9.3.14, a Windows-based disk space analyzer with a web interface that has a stack-based buffer overflow.
- PR-7847 - Improvements have been made to the reliability of Android Meterpreter when it is injected into more applications.
- PR-7852 - The firefox_smil_uaf module exploits a vulnerability found in Mozilla Firefox. It exploits an out-of-bounds indexing/use-after-free condition in nsSMILTimeContainer::NotifyTimeChange(), which allows arbitrary code execution in the context of the user.
- PR-7856 - The Meterpreter protocol inspection code has been updated to properly decode new field values.
- PR-7862 - Initial compatibility with Ruby 2.4 for metasploit-framework has been added. Metasploit will be fully Ruby 2.4 compatible once upstream dependencies are updated. See #7819.
- PR-7868 - Support has been added for parsing command line arguments with a stageless Mettle payload. You can redirect a payload to different targets and enable debugging without regenerating it or modifying the binary.
- PR-7869 - Improvements to error handling in the phpmyadmin_preg_replace module have been made, which allow it to handle an unexpected HTTP reply from the target without generating a backtrace.
- PR-7870 - The metasploit-payloads gem has been updated to 1.2.11.
- PR-7874 - A login scanner module has been added for Advantech WebAccess.
- PR-7876 - A credential gatherer has been added for Advantech WebAccess, which works by exploiting three vulnerabilities in the system to gather the plaintext password of every user (even admins) of the system.
- PR-7871 - An exploit has been added for a vulnerability in Cisco WebEx Extension 1.0.1. The browser extension allows any website to execute arbitrary code against anybody using the product.
- PR-7892 - The creds command has been improved to allow you to create logins.
- PR-7906 - The Microsoft Word malicious macro document generator creates a macro-enabled Microsoft Office Word document. It does not target a specific CVE or vulnerability; it focuses more on feature abuse in Office.
- PR-7920 - Functionality for Android stateless Meterpreter over HTTPS has been added.
- TrueOnline / Billion 5200W-T Router Unauthenticated Command Injection by Pedro Ribeiro
- TrueOnline / ZyXEL P660HN-T v1 Router Unauthenticated Command Injection by Pedro Ribeiro
- TrueOnline / ZyXEL P660HN-T v2 Router Authenticated Command Injection by Pedro Ribeiro
- Cisco WebEx Chrome Extension RCE (CVE-2017-3823) by Tavis Ormandy and William Webb exploits CVE-2017-3823
- Firefox nsSMILTimeContainer::NotifyTimeChange() RCE by Anonymous Gaijin and William Webb exploits CVE-2016-9079
- Microsoft Office Word Malicious Macro Execution by sinn3r
- DiskSavvy Enterprise GET Buffer Overflow by Gabor Seljan and vportal
To download the offline file for this update, go to http://updates.metasploit.com/packages/ce10bf8bb08032845569fe60d84c900b754bd9e9.bin
PRO 4.13.0 updates to 4.13.0-2017020701