Google Summer of Code

Metasploit participated in Google's Summer of Code (GSoC) again this year, mentoring two students through their respective projects. Both projects are nearing completion, with parts having already been merged into Metasploit. One project focused on user and module developer experience by allowing module options to be hidden under conditions where they aren't relevant. This, for example, allows HTTP server options to be hidden when the module is not configured to start an HTTP server. The second project brings enhanced SQL injection capabilities to the framework, allowing module authors to use the library to more easily write modules that exploit a few common types of SQLi flaws. Thanks to everyone involved - both red0xff and mariabelenTC for participating in this year's GSoC, as well as jmartin-r7 and smcintyre-r7 for their mentorship.

Search improvements

The search command has been improved by adfoster-r7 to require all text search terms to be matched. For example, with the command search postgresql login, only modules matching both postgresql and login will be returned. The previous search functionality would return all results which contained either postgresql or login.

After running a module search, it is now also possible to use info <search_index> to view the module's information, thanks to cgranleese-r7. This change aligns the info command with the use command, which also supports the use <search_index> syntax.
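To make the new matching rule concrete, here is an added example (not Metasploit's own code) that implements the old any-term behaviour beside the new all-terms behaviour over a small constructed set of module metadata, and resolves a result index the way info <search_index> and use <search_index> do. The module names and descriptions are made up for the demo.

```ruby
# Added example, not Metasploit's own implementation: free-text module search
# that requires every term to match, beside the older any-term behaviour,
# plus index-based lookup as used by `info <search_index>`.

# Constructed sample module metadata for the demo (not real module listings).
MODULES = [
  { fullname: 'auxiliary/scanner/postgres/postgres_login', description: 'PostgreSQL Login Utility' },
  { fullname: 'auxiliary/scanner/mysql/mysql_login',       description: 'MySQL Login Utility' },
  { fullname: 'auxiliary/admin/postgres/postgres_sql',     description: 'PostgreSQL Server Generic Query' },
  { fullname: 'exploit/multi/misc/java_rmi_server',        description: 'Java RMI Server Insecure Default Configuration' },
].freeze

# Searchable text for one module: full name plus description, lower-cased
# so that matching is case-insensitive.
def searchable_text(mod)
  "#{mod[:fullname]} #{mod[:description]}".downcase
end

# Old behaviour: a module is returned when ANY term appears in its text.
def search_any(terms, modules = MODULES)
  terms = terms.map(&:downcase)
  modules.select { |m| terms.any? { |t| searchable_text(m).include?(t) } }
end

# New behaviour: a module is returned only when ALL terms appear.
def search_all(terms, modules = MODULES)
  terms = terms.map(&:downcase)
  modules.select { |m| terms.all? { |t| searchable_text(m).include?(t) } }
end

# `info <search_index>` / `use <search_index>`: map the 0-based index shown
# in the last result table back to the module; nil for an index that is
# out of range, so a stale index cannot silently pick the wrong module.
def module_at_index(results, index)
  return nil unless index.is_a?(Integer) && index >= 0 && index < results.size
  results[index]
end

if __FILE__ == $PROGRAM_NAME
  results = search_all(%w[postgresql login])
  results.each_with_index { |m, i| puts "#{i}  #{m[:fullname]}" }
  puts "any-term match count: #{search_any(%w[postgresql login]).size}"
end
```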

Reflective PE Payloads

Metasploit now provides a new reflective PE file loader as a payload stage thanks to the work of EgeBalci. This enables the user to specify an arbitrary EXE or DLL and have it injected into the target process and executed as the payload stage without recompiling it for compatibility using something like ReflectiveDLLInjection.

New modules (1)

  • Peplink Balance routers SQLi by Redouane NIBOUCHA and X41 D-Sec GmbH, which exploits CVE-2017-8835. This PR adds a new gather module that uses SQL injection against Peplink devices with firmware before 7.0.1 to hijack a logged-in user's account and extract configuration details, including the device license key. This module utilizes the extended mixin support for SQLite provided through the GSoC student contribution.

Bugs Fixed

  • PR #14061 from dwelch-r7 Fixes a performance regression in msfvenom. Reduces msfvenom loading time by loading only the relevant module sets for the command being performed.
  • PR #14050 from mhagan-r7 Fixes an issue with db_import when attempting to import zip files exported by Metasploit Pro.

Enhancements and features

  • PR #14083 from 247arjun This update alters the behavior of the enum_patches.rb module so that it not only reports what patches are installed on a Windows system, but also when they were installed, which can be useful information for pentesters who want to gather information on an organization's patch history.
  • PR #14075 from ggkitsas Adds support for generating ZIP files for the zip_slip exploit.
  • PR #14072 from Reelix This improves the Python method for shell interaction by updating the PTY shim to be Python 3 compatible. This also fixes the technique in environments where the python3 binary is available and in the PATH but the python binary is not.
  • PR #14068 from zeroSteiner This updates the auxiliary/scanner/smb/smb_enum_gpp module to use RubySMB instead of the old Rex client, adding support for SMB versions 1-3.
  • PR #14065 from dwelch-r7 We now lazily load the faker module, as it is not needed at bootup and is only used in a few limited scenarios. By lazily loading this module, Metasploit now boots up slightly faster than it did before this change was implemented.
  • PR #14064 from cgranleese-r7 This fixes a bug when HTML module documentation is generated from module content where OSVDB links were broken and some CVE links were missing.
  • PR #14062 from todb-r7 This adds a SECURITY.md file to the Metasploit Framework so users that have security issues know how they can be reported to the project maintainers. This file will be rendered through the GitHub interface as it follows the standard naming convention.
  • PR #14053 from cgranleese-r7 After running a module search, it is now possible to use info <search_index> to view the module's information.
  • PR #14040 from wvu-r7 Updates the exploit/multi/misc/java_rmi_server module to provide a check command. This check command is now implemented by auxiliary/scanner/misc/java_rmi_server.
  • PR #14021 from adfoster-r7 Updates the search functionality for modules to require all text search terms to be matched. Now, when running search postgresql login, only modules matching both postgresql and login will be returned.
  • PR #13919 from mariabelenTC This allows auxiliary modules that expose actions to have those invoked as commands when the user has changed context into the module through the "use" command within msfconsole.
  • PR #13980 from EgeBalci This adds a new Reflective PE file loader as a payload stage. This enables the user to specify an arbitrary EXE or DLL and have it injected into the target process and executed as the payload stage without recompiling it for compatibility using something like ReflectiveDLLInjection.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).