Windows Meterpreter payload improvements
Community contributor OJ has made improvements to Windows Meterpreter payloads, specifically reducing complexity around extension building and loading. This change also removes some fingerprint artifacts and, as a side effect, reduces the payload size.
Note that Windows Meterpreter sessions that are open prior to this bump will not be able to load new extensions after the bump if they connect with a new instance of msfconsole.
Improving support for tags on hosts
Our very own adamgalway-r7 has updated the remote dataservice to include support for tags on hosts. Not familiar with tags? It’s a simple way to label your targets with a more meaningful description which can be searched and filtered on later. Be sure to check out our full blog on Using Host Tagging in Metasploit for Penetration Testing.
New modules (2)
- Apache Shiro v1.2.4 Cookie RememberME Deserial RCE by L / l-codes, which exploits CVE-2016-4437
- Docker-Credential-Wincred.exe Privilege Escalation by Morgan Roman and bwatters-r7, which exploits CVE-2019-15752
Enhancements and features
- PR #13340 from todb-r7: This PR fixes up the PKS link used by import-dev-keys.sh to use the Ubuntu PKS (public key server) rather than MIT's PKS, since MIT has been having a lot of issues with their key server as of late.
- PR #13330 from busterb and OJ: This PR bumps the version of the Meterpreter payloads gem to 1.4.1, which pulls in the changes made in rapid7/metasploit-payloads#388 and rapid7/metasploit-payloads#389 to Windows Meterpreter payloads. These changes help to reduce the complexity of extension building and loading and remove some fingerprint artifacts. On top of this, the new versions of these Windows Meterpreter payloads should also now be smaller than they were before.
- PR #13316 from adamgalway-r7: Adds the ability for the RemoteHttpDataService to deal with tags.
- PR #13315 from h00die: This sets the GatherProof advanced option to true by default for the auxiliary/scanner/ssh/ssh_login_pubkey modules in order to address the common case when scanning SSH servers.
- PR #13281 from gwillcox-r7: This fixes an issue with Meterpreter's screenshot command on Windows. When the Meterpreter session is opened as a service, the screenshot command will cause Explorer to crash due to restricted desktops. This checks that desktops are available to avoid that condition and prevents the user from accidentally triggering the crash.
- PR #13100 from timwr: This PR updates the OSX stager to add support for cases where the dyld macho might not be loaded into the expected location. It also adds MeterpreterDebugLevel support to the OSX stager to allow users to view debug output coming from the payload.
- PR #13257 from zeroSteiner: This improves the .NET deserialization library by adding two new chains (TypeConfuseDelegate, WindowsIdentity) and a new formatter (SoapFormatter) and updating the applicable modules to use them.
- PR #13363 from adfoster-r7: This PR fixes up a deprecation error that was occurring when generating the HTTP and HTTPS Meterpreter shells using Ruby 2.7.x by replacing a URI.decode call with a CGI.unescape call.
- PR #13360 from dwelch-r7: The msfconsole will no longer output ActiveRecord warning messages on startup when using Ruby 2.7.x.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).