Fall is finally here! While the weather may be getting cooler, things are hot in Metasploit-land. We've had some fun modules land recently. In our expanding arsenal of code-execution-by-design attacks, Patrick Thomas brings us the nodejs_v8_debugger module, which exploits misconfigured debug services in Node.js applications. On the payloads side, Domain Fronting support for Meterpreter is just about complete and should be landing shortly. Improved support for Mainframe payloads is also in the tree, with bind and reverse TCP payloads in JCL thanks to bigendiansmalls.
The New Metasploit.com
Astute observers may have noticed that this week we launched some major new shiny: a refreshed Metasploit.com! Our sweet new website celebrates Metasploit Framework and highlights all the ways the community (hey, that's you!) helps make and keep us awesome. Check it out to see who's contributing, what's landing in Framework, and how you can get involved—whether that's contributing code or learning how to pop more shells. We’ve hidden a few “classic” Metasploit Project elements in the site for those who feel like taking the time to find them.
Metasploit 5 or Bust
We've been planning and preparing for what will be a busy 2018 for the Metasploit team here at Rapid7, so I thought I would take some time to update our readers on where we are today and where we're planning to go in the future.
Metasploit has been at version 4 for over 6 years, and it has improved substantially. We've added over a thousand new modules and doubled the number of payloads to almost 500. To keep up the pace, we are also working on some foundational changes that will keep Metasploit useful for newer workloads and module types, and for expanding integration with other tools. This is going to mean some big changes coming down the pipe!
To support this effort, we are going to be creating a Metasploit 4 stable branch in GitHub very soon, and making Metasploit master the Metasploit 5 development branch. If you are a bleeding-edge user, note that the master branch will soon become more exciting! If you are not, we will be working with distributions and packagers to start tracking the appropriate branches shortly.
Curious what we have planned for Metasploit 5? Stay tuned! In the meantime, check out a sneak preview of our new database subsystem 'goliath' in action.
Exploit modules (5 new)
- DenyAll Web Application Firewall Remote Code Execution by Mehmet Ince exploits CVE-2017-14706
- Supervisor XML-RPC Authenticated Remote Code Execution by Calum Hutton exploits CVE-2017-11610
- NodeJS Debugger Command Injection by Patrick Thomas
- Qmail SMTP Bash Environment Variable Injection (Shellshock) by Gabriel Follon (Metasploit module), Kyle George (Vulnerability discovery), and Mario Ledo (Metasploit module) exploits CVE-2014-6271
- Disk Pulse Enterprise GET Buffer Overflow by Chance Johnson and Nipun Jaswal & Anurag Srivastava
Auxiliary and post modules (2 new)
As always, you can update to the latest Metasploit Framework by simply updating to the latest version provided by BlackArch Linux, Kali Linux, Metasploit Pro, or by using the Nightly installer's msfupdate command. You can also get more details on changes since the last wrap-up from the GitHub project.