We were happy to host the very first Metasploit framework open source hackathon this past week at Rapid7 Austin. Eight Metasploit hackers from outside of Rapid7 joined forces with the in-house team and worked on a lot of great projects, small and large.
@bcook started the hackathon working with @sempervictus on his amazing backlog of framework features, including REX library improvements, UDP sessions, TLS encrypted sessions, and support for running framework in Rubinius. We had a lot of good chats on how to move forward with bigger features, and our trees have begun to converge more.
@zerosteiner worked on server support for the Net-ssh library, and right after dropped Railgun support for OSX Meterpreter, and gave a talk on it at BSides Cleveland. On the module side, we got the long-awaited DNS injection module from @kingsabri rewritten and enhanced. @bcook worked a lot with @mubix, whose intense testing and feedback made the module really great. Mubix served a unique role at the hackathon of testing everyone's ideas and providing a critical eye on usability and reliability in engagements. @bcook also worked with @sure-fire testing public PoC code for CVE-2017-3881 on a variety of Cisco gear, and we were able to convert @artkond's great research into another module PR.
@bperry stopped by with his guitar, and worked on a plugin for the Arachni web scanner. In his words, "This complements the sqlmap plugin well, going from general web app scanning with arachni to full exploitation with sqlmap straight from Metasploit. It's something I've wanted in Metasploit for a while now." He also composed a song for the occasion.
@bcook worked on a long-awaited search function for the Metasploit RPC interface while @mubix added a nifty new plugin that publishes an RSS feed of shells as they come in. While testing various things, @mubix noticed that his database was taking a long time to delete a workspace. @darkbushido took a look and found that we could speed up deleting workspaces by several orders of magnitude by using a different method.
Joining the hackathon virtually, @oj completed his PR for an all-new crypto layer for Meterpreter transports, which provides application-layer encryption for sessions independent of the transport used. It also has the nice effect of reducing the size of Windows Meterpreter 5-fold!
@bwatters-r7, @hdm, @kernelsmith, @acammack-r7, and @izobashi also worked on a number of interesting projects, like a socks5 proxy, automated payload testing, selfhash support, and mimipenguins integration. We will be covering those as they make their way into the PR queue. In total, the hackathon was a great success and we look forward to having another one soon.
In the continual game of cat and mouse with Windows password storage, Rogdham has brought the mice back on top this week. SQUEEK! Previously, Windows stored hashes using RC4 hashing, but Windows 10 uses AES128. With this update, the hashdump module will work with the AES128 hashes, too.
No one likes seg faults while you're trying to be stealthy, so kudos to tkmru who added some error handling to our armle reverse_tcp payload. Previously, the payload would segfault if it could not call back. Now, if it fails to call back, it fails silently, because the best kind of failure is the kind no one notices!
Exploit modules (4 new)
- Netgear DGN2200 dnslookup.cgi Command Injection by SivertPL and thecarterb exploits CVE-2017-6334
- Symantec Messaging Gateway Remote Code Execution by Mehmet Ince exploits CVE-2017-6326
- Easy File Sharing HTTP Server 7.2 POST Buffer Overflow by Marco Rivoli and bl4ck h4ck3r
Auxiliary and post modules (1 new)
- Riverbed SteelHead VCX File Read by Gregory DRAPERI and h00die
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub: