Ghost(script) in the shell

There has been a lot of buzz the last couple weeks about Google Project Zero's Tavis Ormandy's new Ghostscript -dSAFER bypass, now complete with a Metasploit module. With some valiant work by wvu and taviso himself, the latest way to break out of a PDF is now at your fingertips. If you pulled an advanced copy from the PR, make sure to use the refined version in the latest Metasploit release!

More payload documentation

Did you know that, like other modules, payloads can have full fledged module documentation? Thanks to agrawalarpit14, we now have documentation that explains options and demonstrates usage for another one: windows/shell/reverse_ord_tcp. To view it, run msfconsole -x 'use payloads/windows/shell/reverse_ord_tcp; info -d'.

SITREP: External modules

Earlier this week I posted an update on how our support for modules that run as separate executables is progressing. These modules can be written in Ruby, Python, or anything else that can speak JSON over stdin and stdout. If you are interested in writing a module in Python, be sure to check out jrobles-r7's guide after reading the blog post!

Remote data service usability

The Metasploit 5-only external data service got a big enhancement this week allowing the db_connect command to connect to both Postgres and HTTP data services, thanks to jbarnett-r7. The new db_connect functionality replaces the previous data_services command. This also introduces the db_save command to save a default data service that will be restored when starting msfconsole. This was used by mkienow-r7 to prompt users initializing a remote data service with msfdb to save the connection for automatic use on startup.

New modules

Exploit modules (1 new)

Auxiliary and post modules (2 new)

Improvements

  • DisableNops can now be set per target by a module, thanks to wvu. This helps when certain payload types or injection methods have a small, fixed space to work with.
  • OS X command shells now work with sessions -u to smoothly upgrade to our native OS X meterpreter, courtesy of timwr.
  • windows/shell/reverse_ord_tcp now has documentation by agrawalarpit14.
  • The post-exploitation API for Solaris has been expanded a bit to more closely match the capabilities we have for Linux by h00die.

Metasploit 5

  • jbarnett-r7 modified db_connect so it now works with remote data services, and added a new command: db_save.
  • msfdb now prompts to save connection information for automatic reuse, via mkienow-r7.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

To install fresh, check out the open-source-only Nightly Installers,or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based off the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.