Powershell? In my Meterpreter?
It's more likely than you think!
Hot on the heels of his fantastic Python extension, the legendary OJ Reeves has once again busted out an awesome new ability for post-exploitation, this time by putting a fully functional powershell inside your native Windows Meterpreter sessions. Unlike the Python extension, which uploads an embedded interpreter, the new powershell extension loads the .NET runtime from the victim system.
There's a lot of polish and more work to be done here, but the shell is quite functional and gives you access to all kinds of capabilities. The next big improvement here is the ability to import files so you can take advantage of existing PS scripts, which is already in testing and should be out with the next update if everything goes to plan.
Metasploit3 is dead, long live MetasploitModule
Metasploit modules all define a class to implement their functionality. In the original plan, that class's name contained Metasploit's major version number so it would be possible to tell if a module was compatible. The way it really happened is the number just sat there doing nothing since the major version changes very infrequently. The most recent time was just after the project was acquired by Rapid7 a little over six years ago. Before that, the last time the major version changed was when the project was rewritten from scratch in 2005, ported from Perl to Ruby. In the last six years, many things have changed considerably -- APIs have been updated, moved, or deleted; new protocols have been added; someone injected SNES shellcode into Super Mario World by hand -- the world is a different place now.
Basically the idea that the major version would describe whether something is compatible was never real. So we've decided to get rid of the confusing pointless number in modules' class names and just call them
MetasploitModule. Your existing custom modules will continue to work without modification, but with a warning that you should update the module's class name. You can make that update to all your custom modules with this one-liner:
find ~/.msf4/modules -name '*.rb' | xargs sed -i 's/class Metasploit/class MetasploitModule/'
If you're on OS X, your sed(1) is dumb and requires an argumen to
find ~/.msf4/modules -name '*.rb' | xargs sed -i '' 's/class Metasploit/class MetasploitModule/'
Up Up Down Down UDP Select Start
One of my favorite things about Metasploit is its socket abstractions. The ability to create sockets from a Meterpreter session and treat them as a regular Ruby socket is very powerful -- it's what powers port forwarding and routing. Recently it came to long-time contributor sempervictus' attention that UDP didn't behave quite the same way as TCP in this regard. Because UDP sockets created on a Meterpreter session didn't return a normal socket, they couldn't be passed to the low-level
select method. Now that UDP works just like TCP, it opens up some new ways we can use them for
Words, Words, Words
This update comes with several improvements to documentation. The first is a tool called
find_release_notes that allows you to find the release notes for a given pull request or module so you can quickly figure out the historical context of when a thing made it into the stable release. You can find it in the
Next, we've added some new templates for submitting GitHub Issues and Pull Requests which will hopefully standardize the process of contributing and make it a little easier for contributors. Knowing what is expected beforehand means less back-and-forth for new contributors, smoothing out and speeding up the whole Pull Request process.
And my favorite new documentation addition in this update is a way of documenting individual modules. A new directory,
documentation/modules/, matches the layout of the
modules/ and contains markdown files describing how the corresponding module can best be utilized. A handful of the most important modules already have documentation and more are on the way. The great thing about it is it's just markdown, so it's super easy to write, and incidentally writing simple walkthroughs of existing modules is a great place to get started contributing. To check it out, you can use the
info command's new
-d flag (for "documentation") to turn that markdown into a nice HTML page and view it in a browser. There are more details in the wiki article Generating Module Documentation.
Exploit modules (1 new)
- PHP Utility Belt Remote Code Execution by Jay Turla, and WICS
Auxiliary and post modules (5 new)
- Android Stock Browser Iframe DOS by Jean Pascal Pereira, and Jonathan Waggoner exploits CVE-2012-6301
- HTTP Client Information Gather by sinn3r
- EasyCafe Server Remote File Access by Brendan Coles, and R-73eN
- Apache Karaf Default Credentials Command Execution by Nicholas Starke
- Multi Manage Set Wallpaper by timwr
As always, you can update to the latest Metasploit Framework with a simple
msfupdate and the full diff since the last blog post is available on GitHub: 4.11.14...4.11.19