Google Summer of Code
Metasploit participated in Google's Summer of Code (GSoC) again this year, mentoring two students through their respective projects. Both projects are nearing completion with parts having already been merged into Metasploit. One project focused on user and module developer experience by allowing module options to be hidden under conditions where they aren't relevant. This, for example, allows HTTP server options to be hidden when the module is not configured to start an HTTP server. The second project brings enhanced SQL injection capabilities to the framework, allowing module authors to leverage the library to more easily create modules to leverage a few common types of SQLi flaws. Thanks to everyone involved - both red0xff and mariabelenTC for participating in this year's GSoC, as well as jmartin-r7 and smcintyre-r7 for their mentorship.
The search command has been improved by adfoster-r7 to require all text search terms to be matched. For example, with the command
search postgresql login - only modules matching both
login will be returned. The previous search functionality would return all results which contained either
After running a module search, it is now also possible to use
info <search_index> to view the module's information, thanks to cgranleese-r7. This change aligns the
info command with the
use command, which also supports the
use <search_index> syntax.
Reflective PE Payloads
Metasploit now provides a new reflective PE file loader as a payload stage thanks to the work of EgeBalci. This enables the user to specify an arbitrary EXE or DLL and have it injected into the target process and executed as the payload stage without recompiling it for compatibility using something like ReflectiveDLLInjection.
New modules (1)
- Peplink Balance routers SQLi by Redouane NIBOUCHA and X41 D-Sec GmbH, which exploits CVE-2017-8835. This PR adds a new gather module taking advantage of CVE-2017-8835 using sql injection against Peplink devices with firmware before 7.0.1 to hijack a logged in user's account and extract configuration details including the device license key. This module utilizes extended mixin support for SQLite provided through GSoC student contribution.
- PR #14061 from dwelch-r7 Fixes performance regression in msfvenom. Reduces msfvenom loading time by loading only the relevant module sets for the command being performed.
- PR #14050 from mhagan-r7 Fixes an issue with
db_importwhen attempting to import zip files exported by Metasploit Pro.
Enhancements and features
- PR #14083 from 247arjun This update alters the behavior of the
enum_patches.rbmodule so that it not only reports what patches are installed on a Windows system, but also when they were installed, which can be useful information for pentesters who want to gather information on an organization's patch history.
- PR #14075 from ggkitsas Add support for generating ZIP files for the zip_slip exploit.
- PR #14072 from Reelix This improves the Python method for shell interaction by updating the PTY shim to be Python 3 compatible. This also fixes the technique in environments where the
python3binary is available and in the PATH but the
pythonbinary is not.
- PR #14068 from zeroSteiner This updates the auxiliary/scanner/smb/smb_enum_gpp module to use RubySMB instead of the old Rex client allowing support for SMB version 1-3.
- PR #14065 from dwelch-r7 We now lazily load the faker module as it is not needed at bootup and is only used in a few limited scenarios. By lazily loading this module, Metasploit now will boot up slight faster than it would before this change was implemented.
- PR #14064 from cgranleese-r7 This fixes a bug when HTML module documentation is generated from module content where OSVDB links were broken and some CVE links were missing.
- PR #14062 from todb-r7 This adds a
SECURITY.mdfile to the Metasploit Framework so users that have security issues know how they can be reported to the project maintainers. This file will be rendered through the GitHub interface as it follows the standard naming convention.
- PR #14053 from cgranleese-r7 After running a module search, it is now possible to use
info <search_index>to view the module's information
- PR #14040 from wvu-r7 Updates the
exploit/multi/misc/java_rmi_servermodule to provide a
checkcommand. This check command is now implemented by
- PR #14021 from adfoster-r7 Updates the search functionality for modules to require all text search terms to be matched. Now when searching for
search postgresql login- only modules matching both
loginwill be returned.
- PR #13919 from mariabelenTC This allows auxiliary modules that expose actions to have those invoked as commands when the user has changed context into the module through the "use" command within msfconsole.
- PR #13980 from EgeBalci This adds a new Reflective PE file loader as a payload stage. This enables the user to specify an arbitrary EXE or DLL and have it injected into the target process and executed as the payload stage without recompiling it for compatibility using something like ReflectiveDLLInjection.
As always, you can update to the latest Metasploit Framework with
msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a
git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).