• 4.17.1 Product Update 2020-03-02
    • Bugs Fixed

      • Pro: MS-5127 - Service and uninstall operations are better restricted to intended paths. Thanks to sailay (valen) for highlighting this to Rapid7.
      • Pro: MS-4912 - Social engineering phishing campaigns with many targets will no longer cause the application to freeze or crash.
      • PR 12921 - This fixes #12968 where the Windows OS and build were not being parsed correctly due to changes in the client.sys.config lib. There was a bug in the regex check code for ms16_075_reflection_juicy.
      • PR 12945 - This PR switches the PowerShell payload to an asynchronous read, preventing some issues where we returned before we had a message.
      • PR 12966 - This updates the warning message when setting DisablePayloadHandler to more accurately reflect the scenario that is occurring.
      • PR 12970 - This PR reverts to the previous PowerShell reverse shell payload to avoid an issue on Windows 7.
      • PR 13012 - This fixes the error handling for when a plugin fails to load. It now alerts the user to the failure reason.

    • Enhancements and Features

      • PR 12002 - This PR adds a new ssh transport for payloads and a new ssh payload.
      • PR 12865 - This adds additional functionality and options to the reflective_dll_injection module to make it more flexible and useful with third-party DLLs. The added functionality allows module-specified arguments to be passed to the DLL's entry point, output to be read from the targeted process, and, finally, the targeted process to optionally be killed when done.
      • PR 12907 - Updates the unix_users.txt file to include all default users identified on a fresh Ubuntu Server 18.04 with LAMP installed, as enumerated through the Apache userdir module.
      • PR 12916 - Adds support for colorized HttpTrace output, with an additional HttpTraceHeadersOnly option to only show HTTP headers when HttpTrace is enabled.
      • PR 12951 - The module template is updated to reflect the standardization of module documentation. This builds on:
        • #12831
        • #12878
      • PR 12952 - This adds additional dependencies for pry to give enhanced debugging capabilities to developers.
      • PR 12955 - This lets the user opt out of running the check method completely.
      • PR 12964 - Adds an RPC endpoint that returns the total number of modules in the ready, running, and results states.
      • PR 12976 - This adds additional logging to Metasploit's PostgreSQL protocol client when it encounters an unknown authentication type, rather than raising an exception later.
      • PR 12978 - This PR adds options to support earlier additions to rex-powershell, allowing for RC4 encoding of PowerShell payloads.
      • PR 12995 - Adds support for SMBv2 to the pipe auditor auxiliary module.
      • PR 12998 - Allows users to say either type:aux or type:auxiliary when searching for auxiliary modules.
      • PR 13005 - This adds the pry-byebug gem to offer a more fulfilling interactive debugging experience for Metasploit developers.
      • PR 13006 - This adds the AutoCheck mixin to the OpenSMTPD CVE-2020-7247 exploit, exploit/unix/smtp/opensmtpd_mail_from_rce, and slightly improves the check method's precision.
      • PR 13015 - This PR updates login scanners to work with usernames stored in the database and sets the last_attempted_at value in scanner/smb/smb_login.

    • New Modules

      • PR 12465 - This adds a demonstration exploit module for the Android Binder UAF bug (CVE-2019-2215) which allows for root privilege escalation from an unprivileged application, in this case a Meterpreter shell. This module targets the Pixel 2 and 2 XL running the September 2019 security patch revision.
      • PR 12704 - This module allows you to exploit a command injection vulnerability in OpenNetAdmin 18.1.1, a network management application for managing IP subnets, and remotely execute commands. You don't need to authenticate to exploit this vulnerability.
      • PR 12862 - This module exploits an arbitrary file write vulnerability in Apache James 2.3.2, which exists due to a lack of input validation when creating a user. By creating a user with a directory traversal payload as the username, commands can be written to a specific directory/file, giving remote code execution.
      • PR 12959 - This adds an exploit module for various vulnerabilities in EyesOfNetwork v5.3. First, an admin account is created either by generating an access token via a hardcoded API key or by obtaining it via a SQL injection vulnerability. After logging in as the newly created user, a command injection vulnerability is exploited to gain code execution with root privileges.

    • Offline Update

      • https://updates.metasploit.com/packages/3b97f9d982670e3cd522a235a59a7d49179b0be9.bin

    • Metasploit Framework and Pro Installers

      • https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version