Bugs Fixed
- Pro: MS-2708 - CVE-2017-5244 (CWE-352: Cross-Site Request Forgery) has been patched. Metasploit Pro, Express, and Community editions allowed GET requests to the stop and stop_all (task) routes. This should not have been the case: these routes change the state of the service and should only have been reachable through POST requests. In addition, the origin of the requests was not verified until after processing. This could have allowed an attacker to stop one, or all, Metasploit tasks by getting an authenticated user to run JavaScript (e.g. via loading a malicious URL). Now the routes are only exposed to POST requests, which validate the presence of a secret token to prevent CSRF attacks (via Rails' protect_from_forgery). This vulnerability was kindly reported to Rapid7 by Mohamed A. Baset (Founder and Cyber Security Advisor at Seekurity.com SAS de C.V. Mexico; @SymbianSyMoh).
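The following is an added illustration of the fix described in MS-2708, not Metasploit's own code. It models the two route names from the advisory with a plain-Ruby stand-in for a Rails controller: the `TaskController` class, its `dispatch` method, the `:one`/`:all` markers and the constructed tokens are all hypothetical. The "before" dispatcher reproduces the reported weakness (GET accepted, no token check before the action runs); the "after" dispatcher enforces POST and verifies the authenticity token before any state changes, which is what `protect_from_forgery` does in a Rails application.

```ruby
require 'securerandom'

# Hypothetical stand-in for the Rails task controller discussed in MS-2708.
# The routes mirror the advisory; everything else is constructed for this example.
class TaskController
  STATE_CHANGING_ROUTES = %w[/tasks/stop /tasks/stop_all].freeze

  attr_reader :stopped

  def initialize(session_token)
    @session_token = session_token # token stored server-side for this session
    @stopped = []                  # record of which actions actually ran
  end

  # Before the fix: any verb reaches the action, and nothing is verified
  # before the state change. A cross-origin navigation or script-triggered
  # request by a logged-in user is therefore enough to stop tasks.
  def dispatch_before_fix(method:, path:, token: nil)
    return [404, 'not found'] unless STATE_CHANGING_ROUTES.include?(path)
    return [404, 'not found'] unless %w[GET POST].include?(method)
    perform(path)
    [200, 'ok']
  end

  # After the fix: only POST is routed, and the CSRF token is checked
  # *before* the action body runs. Equivalent Rails configuration, shown as
  # a comment because this script runs without Rails:
  #   config/routes.rb:    post 'tasks/stop',     to: 'tasks#stop'
  #                        post 'tasks/stop_all', to: 'tasks#stop_all'
  #   controller:          protect_from_forgery with: :exception
  def dispatch_after_fix(method:, path:, token: nil)
    return [404, 'not found'] unless STATE_CHANGING_ROUTES.include?(path)
    return [405, 'method not allowed'] unless method == 'POST'
    return [422, 'invalid authenticity token'] unless self.class.constant_time_equal?(@session_token, token)
    perform(path)
    [200, 'ok']
  end

  # Compare tokens without leaking their length or mismatch position
  # through timing; implemented by hand so it needs no recent OpenSSL.
  def self.constant_time_equal?(expected, given)
    return false if expected.nil? || given.nil?
    return false unless expected.bytesize == given.bytesize
    expected.bytes.zip(given.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  private

  def perform(path)
    @stopped << (path == '/tasks/stop' ? :one : :all)
  end
end

if __FILE__ == $0
  token = SecureRandom.hex(16) # constructed session token
  vulnerable = TaskController.new(token)
  p vulnerable.dispatch_before_fix(method: 'GET', path: '/tasks/stop_all') # 200: tasks stopped
  fixed = TaskController.new(token)
  p fixed.dispatch_after_fix(method: 'GET', path: '/tasks/stop_all')       # 405
  p fixed.dispatch_after_fix(method: 'POST', path: '/tasks/stop_all')      # 422
  p fixed.dispatch_after_fix(method: 'POST', path: '/tasks/stop_all', token: token) # 200
end
```

The order of the checks in `dispatch_after_fix` is the point: the verb restriction removes the simplest cross-site trigger (an image tag or a top-level navigation), and the token check runs before `perform`, so a forged POST from another origin, which cannot read the session's token, is rejected before any task is touched.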
- Pro: MS-2701 - This fix resolves an issue with portable file format generation in Windows installations of Metasploit Pro. These installations were generating corrupted and unusable macros. File generation now works as expected.
- Pro: MS-2666 - Audit trails from Metasploit Framework have been improved to provide better statuses in reports.
- PR 8487 - This fix resolves an unhandled error, Rex::ConnectionTimeout, in the exploit/windows/smb/ms17_010_eternalblue module. Now the suggestion to disable VerifyArch will be printed for all DCE/RPC errors that occur.
- PR 8493 - This fix resolves an issue with the stack trace that was causing the creds -R command to fail in msfconsole.
- PR 8504 - This fix corrects empty output from the auxiliary/scanner/ipmi/ipmi_dumphashes module. Now, the module prints found IPMI hashes by default, instead of requiring the VERBOSE option to be set.
- PR 8508 - This fix resolves a process migration issue that caused sessions to crash on machines with AMD CPUs. Now, Meterpreter can migrate processes between 32-bit and 64-bit AMD CPUs.
- PR 8532 - This fix resolves issues with modules breaking because metasploit_data_model was unable to store hosts without first knowing their IP address. Now, credential returns nil instead of raising an exception.
Enhancements and Features
- Pro: MS-2712 - An informative error message has been added to make it easier to know why we rejected a cert file and what you can do to resolve the issue.
- Pro: MS-2722 - The operation of several Pro modules has been corrected. Thanks to sempervictus for reporting the bug.
- PR 8340 - A payload retry option has been added, which enables the server to start its listener on its own time. This allows the payload execution and the server connection to the client to occur at different times, instead of requiring the server to always be in the listening state.
- PR 8482 - Documentation for the exploit/multi/http/processmaker_exec module has been added.
- PR 8485 - Documentation for the auxiliary/gather/snare_registry module has been added.
- PR 8488 - The exploits/windows/smb/ms17_010_eternalblue module has been improved by using more of the ruby_smb library. Also, the ability to make an authenticated SMB connection to the target before throwing the exploit has been added.
- PR 8495 - Support for all reverse http/https payloads with the multi/meterpreter/reverse_http(s) payload type has been enabled.
- PR 8503 - Error handling has been added to the Linux x86 reverse_tcp stager, which prevents a logged system error if it fails to connect to the listener host.
- PR 8512 - The ability to alter the block size for file downloads has been added. Increased control over the behavior of the download function improves support for slow or lagging networks. You can run the download command with the new -b flag to control the initial value of the download block size (in bytes). You can also run the download command with the new -a flag to enable adaptive mode, which halves the block size before retrying the download after a failure. The -a flag must be used in conjunction with the -1 flag, which sets the number of retry attempts.
- PR 8515 - The auxiliary/dos/rpc/rpcbomb module has been added to the framework. The module leaks memory on target systems running vulnerable software. See CVE-2017-8779 at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779.
- PR 8516 - Enhanced debugging output has been added to the NTDS dump mechanism.
- PR 8518 - Where appropriate, scanner modules have been updated to include more CVE references. You can use these references to correlate a module to a vulnerability, which provides a jumping off point for your approach to gaining further access.
- PR 8529 - Payload architecture has been added to the RPC session list. You can use this information to decide whether or not to migrate while interacting with RPC.
- PR 8533 - The ability to store a vulnerability attempts table when reporting a vulnerability has been restored. This improves auditing and reporting capabilities related to reported vulnerabilities.
New Exploits
- PR 8053 - The exploits/linux/http/dcos_marathon module has been added to the framework. This exploit abuses the features of the DC/OS Marathon UI when creating a docker container to inject a remote session that is triggered by a cron job.
- PR 8434 - The exploits/windows/local/bypassuac_fodhelper module has been added to the framework. This module leverages a low-privilege registry key and the behavior of the Microsoft auto-elevating binary, fodhelper.exe, to start an arbitrary elevated process. You can use this module to bypass Microsoft's User Account Control function on Windows 10.