This week, we saw another slew of updates to Metepreter to make your post-exploit experience all the more pleasant, and are pushing forward with some core release changes to hopefully make installing Metasploit a more sane, Ruby-like experience. Here's the rundown of what you'll see with this update, and what you can expect Real Soon Now.
The long promised/threatened Android Metepreter is now shipping, thanks largely to the heroic efforts from mihi, Anwar, and Tim, as well as testing support from the usual Metasploit suspects. It's been in the dev tree for a little while now, and was captured in the screenshot pictured at right. The Android Metepreter is _far_more pleasant to use than the (rather hobbled) Linux shell I used to have to use to control compromised Android devices, so I'm pretty ecstatic about this.
Metasploit community committer Spencer McIntyre banged out an updated Python Meterpreter compatable with Python 3.3 and 3.4, which greatly expands the usability of Python as a post-exploit environment. You can read about all the details in the now-closed PR #3411. As you may or may not know, Python is part of the Linux Standard Base, and is quite common to find on production systems, so this is a huge move forward.
Finally, everyone's favorite Meterpreter, the Windows Meterpreter, got a refresh in order to protect against the recent spate of OpenSSL vulnerabilities. Incidentally, Meterpreter for Windows also recently picked up new functionality in the form of the Kiwi extension, which is quite thrilling (see PR #3121 for details) as well as some new sandbox escape funcitonality useful for more recent Internet Explorer exploits (see Meterpreter PR #84). In other news, we are just about to start shipping Meterpreter binaries as a Ruby gem; this will make development life about a million times easier for Meterpreter developers, since it won't require a whole lot of inter-pull request coordination to ensure that the Meterpreter binaries are compiled against a particular commit -- instead, all developers will need to do is increment the version of the meterperter_bins in Metasploit's Gemfile. You should see that switchover land early next week, and hit the weekly update the week after that.
Aside from the Meterpreter work, we have one new auxiliary module this week -- it's a nice one, though, since it's a handy demonstration of the recent OpenSSL memory corruption bug. It's only a DoS today, but there is active investigation into how to tease this into a proper RCE exploit. Race ya!
Auxiliary and post modules
- OpenSSL DTLS Fragment Buffer Overflow DoS by Jon Hart and Juri Aedla exploits ZDI-14-173
In addition to this, we do also have a new hidden TCP bind module from community contrbutor Borja Merino, that's pretty nifty. It's hidden in the sense that you supply the IP address you expect to connect to the shell from, and if a connection comes in from any other IP address, the bind shell will reply with a RST packet, acting like a closed port. These kinds of networking tricks to obfuscate listening shells just warm my heart, so thanks Borja!
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows, either the totally free Metasploit Community Edition, or the 14-day free trial of Metasploit Pro. If you're the sort to track bleeding-edge development code, then these modules are but an msfupdate command away. For readers who are already using Metasploit Community or Metasploit Pro, you'll be able to install the new hotness today via the Administration : Software Updates button.