4.18.0 (Aug 17, 2020)

Bugs Fixed

  • PR 13238 - Fixed a bug in the bind_named_pipe handler where Metasploit would unexpectedly quit due to a call to exit instead of Thread.exit. This fix ensures that only the threads associated with the bind listener are closed, rather than Metasploit itself.
  • PR 13783 - Fixed a bug related to recent cryptography changes, where Java Meterpreter payloads may not have access to 256-bit encryption. This fix allows Meterpreter running in older Java environments to use AES-128-CBC if 256-bit encryption is not available.
  • PR 13894 - We unlocked the bcrypt version, which had been previously locked due to compilation issues on ARM (see PR 12148). Unfortunately, newer releases of bcrypt still fail on BSD systems. The issue is known, and unlocking the version will pull in the correct fix whenever bcrypt lands one.
  • PR 13897 - Fixed a bug with the closing and removal of mountpoints in filesystem.rb. Previously, we failed to return the handle or to close the mountpoint properly.
  • PR 13936 - Fixed a user-reported regression, now providing a detailed error message when a module is run with no selected payload instead of a generic error message.
  • PR 13939 - Fixed a very extreme edge-case bug where it is possible (but unlikely) for a race condition to occur during a socket read, so that the data sent to the postgres parser is nil. This fix verifies the data is not nil before attempting to parse it.
  • PR 13949 - Fixed a bug within DBManager::Note's report_note() method that limited users to :insert update mode only. Users should now be able to correctly choose any of the :insert, :unique or :unique_data modes.
  • PR 13953 - Fixed an unexpected error when running DNS enumeration via auxiliary/gather/enum_dns, where a bad type check was causing an exception to be raised and a stack trace to be printed.
  • PR 13958 - Updated the auxiliary/admin/dns/dyn_dns_update module to properly identify that a record is missing when a valid DNS response is returned with no answers.
  • PR 13965 - Fixed a stack trace condition users would encounter when running the gather network modules with no database connected. Updated behavior is to print the output if no database is connected.
  • PR 13975 - Fixed the DNS enumeration library so that auxiliary/gather/enum_dns will not display a stack trace when it receives a connection reset message from a DNS server. Additional checks were also added to the DNS enumeration module to handle errors in the event that the library does not handle them correctly.

Enhancements and Features

  • Pro: MS-5959 - We updated Pro's HTTP gateway services.
  • PR 13191 - Updated tools/dev/check_external_scripts.rb to include JohnTheRipper, SQLMap UDF, and SharpHound.ps1 related files, providing assurance that those related libraries and configuration files are kept up to date.
  • PR 13194 - Improved and cleaned up the post/windows/gather/bloodhound module, including new EncryptZip and NoSaveCache module options. Also updated to SharpHound v3.
  • PR 13395 - Updated the TLV protocol used by Meterpreter to use numeric identifiers for commands instead of string values. This makes the traffic (and certain generated binaries) less conspicuous by removing strings that are obviously associated with Meterpreter such as stdapi_fs_file_copy, core_migrate and mimikatz_custom_command. NOTE: older payloads are incompatible with this change and users should take care to not upgrade to this version during active operations lest those incompatible sessions and payloads become unresponsive.
  • PR 13400 - Updated transmission of the RSA key used to negotiate TLV encryption for Meterpreter to use the binary DER format instead of the text-based PEM format. This makes the key smaller, easier to process, and removes the static "BEGIN PUBLIC KEY" string.
  • PR 13417 - Added SMB v3 support for client operations to the Metasploit Framework. Modules which already used the new SMB client will now be capable of connecting to servers with all three SMB v3 dialects (3.0, 3.0.2, 3.1.1). In cases where an SMB 3.x dialect is negotiated, the default behavior will be to encrypt the communications to the server (users can disable this by setting SMB::AlwaysEncrypt to false).
  • PR 13432 - Added TLV encryption support to the Python Meterpreter, allowing it to securely communicate with Metasploit Framework.
  • PR 13476 - Updated the Reflective DLL injection capabilities used by Metasploit for payloads and exploits to resolve functions by either ordinal or name. This allows the framework to take advantage of recent payload updates that remove string names and instead resolve the necessary values by ordinal. The framework change is backwards compatible with Reflective DLLs that use the standard ReflectiveLoader name.
  • PR 13529 - Removed the Mimikatz Meterpreter extension in favor of the newer Kiwi extension. The mimikatz extension name is currently an alias for Kiwi that will print a warning message for a period of time to allow users to smoothly transition to the new workflow. The post/windows/gather/credentials/sso module was also updated to use Kiwi instead of Mimikatz.
  • PR 13764 - Improved the auxiliary/scanner/smb/smb_version scanning module to report the following target information (in addition to the target OS, which it already reported): supported SMB versions, preferred SMB dialect, SMB 3.1.1 encryption and compression capabilities, the server's GUID value, and how long the server has been online. With this update, the auxiliary/scanner/smb/smb1 and auxiliary/scanner/smb/smb2 modules were deprecated in favor of auxiliary/scanner/smb/smb_version.
  • PR 13778 - Added conditions for module options, improving the user experience by omitting options from the help output which are not used/relevant for a particular module configuration.
  • PR 13812 - Improved PsExec support by adding an ARCH_CMD target to the exploit/windows/smb/psexec module and deprecating auxiliary/admin/smb/psexec_command.
  • PR 13831 - Updated Metasploit's dependency on Rails from version 4.2.6 to 5.2.
  • PR 13832 - Improved Metasploit-generated x86 and x64 native Windows payloads by adding polymorphic qualities without changing the size or requiring that the payloads be self modifying.
  • PR 13833 - Added initial 'wrapped tables' support to Metasploit, improving column text appearance. This functionality is currently hidden behind an opt-in feature flag, allowing it to be released and tested without breaking existing users' workflows. The steps for enabling this feature can be seen within the help features command.
  • PR 13903 - Updated the OpenVAS importer to allow importing vulnerabilities reported in an OpenVAS scan which do not have a CVE or BID assigned to them. Previously, OpenVAS-reported vulnerabilities lacking a reference were skipped by the importer logic.
  • PR 13957 - Updated the auxiliary/admin/dns/dyn_dns_update module to allow the remote port to be specified, enabling this module to target DNS servers which run on non-standard ports.
  • PR 13969 - Improved the scanner library code in Framework so that multi-threaded scanner operations won't block progress waiting on the slowest thread. Previously, the scanner library code would wait for all threads to complete before spawning more threads.
  • PR 13988 - Improved the Framework reload-changed-files logic to skip RSpec test files. Previously, commands like reload_lib -a would return an error attempting to load these test files.
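To illustrate the scheduling change described in the PR 13969 item above, here is an added Ruby example; it is not Metasploit's own scanner library code. It contrasts the old batch-and-join loop (start N threads, wait for all of them, start N more) with a fixed worker pool fed from a queue, where a thread that finishes early immediately takes the next host. The host list, the per-host delays and the scan_host stub are constructed for the demo and stand in for real per-host checks.

```ruby
require 'thread'

# Constructed sample input: host => simulated per-host scan time in seconds.
# Every group of four contains one slow host, so each batch of four has a straggler.
SAMPLE_HOSTS = (1..16).map do |i|
  ["192.0.2.#{i}", (i % 4 == 1) ? 0.2 : 0.02]
end.to_h

# Hypothetical stand-in for a real per-host check: just sleeps for the given time.
def scan_host(host, delay)
  sleep delay
  "#{host}: done"
end

# Old behaviour: start THREADS workers, join all of them, only then start more.
# Three of the four threads sit idle while the batch's slowest host finishes.
def run_in_batches(hosts, threads)
  results = {}
  lock = Mutex.new
  hosts.each_slice(threads) do |batch|
    workers = batch.map do |host, delay|
      Thread.new do
        r = scan_host(host, delay)
        lock.synchronize { results[host] = r }
      end
    end
    workers.each(&:join)
  end
  results
end

# New behaviour: a fixed pool of THREADS workers pulls hosts from a closed
# queue; a worker that finishes early immediately picks up the next host,
# so a single slow host never stalls the others.
def run_with_pool(hosts, threads)
  queue = Queue.new
  hosts.each { |host, delay| queue << [host, delay] }
  queue.close # pop returns nil once the queue is drained
  results = {}
  lock = Mutex.new
  workers = Array.new(threads) do
    Thread.new do
      while (job = queue.pop)
        host, delay = job
        r = scan_host(host, delay)
        lock.synchronize { results[host] = r }
      end
    end
  end
  workers.each(&:join)
  results
end

# Runs the block and returns [result, elapsed_seconds].
def timed
  start = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  result = yield
  [result, Process.clock_gettime(Process::CLOCK_MONOTONIC) - start]
end

if __FILE__ == $PROGRAM_NAME
  _, batch_time = timed { run_in_batches(SAMPLE_HOSTS, 4) }
  _, pool_time  = timed { run_with_pool(SAMPLE_HOSTS, 4) }
  printf("batch-and-join: %.2fs, worker pool: %.2fs\n", batch_time, pool_time)
end
```

With four threads, the batch version takes roughly four times the slow-host delay because every batch waits on its straggler, while the pool version finishes in about one slow-host delay; both produce the same result set, which is the property to check when changing a scanner's scheduling.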

New Modules

  • PR 13517 - New module exploits/windows/fileformat/documalis_pdf_editor_and_scanner exploits a stack based buffer overflow in Documalis Free PDF Editor and Documalis Free PDF Scanner when processing PDF files containing an embedded JPEG image. Successful exploitation will result in arbitrary code execution as the user running the affected software.
  • PR 13844 - New module post/linux/gather/enum_containers detects if there are any container platforms (runnable by the current user) on the target machine and lists all actively running containers. This module currently supports Docker, LXC and RKT, though more platforms may be added in the future.
  • PR 13860 - New modules post/networking/gather/enum_mikrotik and auxiliary/admin/networking/mikrotik_config allow for gathering and processing MikroTik device and configuration information, the former running on-device and the latter for offline config processing. The Framework library and tests were also updated for MikroTik support.
  • PR 13875 - New module exploits/windows/nimsoft/nimcontroller_bof achieves remote code execution by exploiting an unauthenticated, remotely-exploitable stack buffer overflow in CA Infrastructure Management monitoring agents prior to 9.20. The relevant vulnerabilities are CVE-2020-8010 and CVE-2020-8012.
  • PR 13904 - New module exploits/linux/local/docker_privileged_container_escape provides a Docker container escape which obtains root on the host machine from a privileged docker container by abusing the Linux cgroup "notification on release" feature.
  • PR 13959 - New login scanner module auxiliary/scanner/http/jupyter_login identifies if target Jupyter Lab/Notebook servers require authentication or not. For those targets which do require authentication, this module can also attempt to brute force the password.
  • PR 13970 - New module exploits/multi/http/vbulletin_widget_template_rce gains unauthenticated remote code execution on vulnerable vBulletin targets (identified as CVE-2020-7373). Upon receiving a specially-crafted HTTP request from this module, a vulnerable target will allow arbitrary PHP code execution within the context of the application server (a non-root account).
