Last updated at Tue, 16 Jan 2024 01:49:54 GMT

Why can't I hold all these Pull Requests?

It has been a busy month here in Metasploit-land, with the holidays, the holiday community contributions, and our community CTF. It doesn't help that the last few months have seen our open pull request count keep climbing as well, reaching over 90 at times. Our fearless leader, busterb, decided to take on the challenge and landed over 20 PRs by himself in the last two weeks, with nearly 50 total in the release since the last write-up. I won't be able to give a shout-out to all the amazing stuff that landed and all the invaluable community members who contributed, so be sure to peruse the landed PRs.

WebSphere ALL THE THINGS

One of the things that stands out even in the middle of all this development is the IBM WebSphere work contributed by pkb1s. Thanks to them, we now have login and channel brute forcing and version enumeration. The modules have been tested against versions 7.5 through 9, so if you come across any of these in the wild be sure to give them a look! Also, big props to asoto-r7 for a thorough job testing against such a... fun... target.

New Modules

Exploit modules (8 new)

Auxiliary and post modules (7 new)

Improvements

  • PR #11035 - This PR improves Cisco SSL VPN fingerprinting in the auxiliary/scanner/http/cisco_ssl_vpn module.
  • PR #11032 - This updates the documentation for exploit/linux/local/af_packet_chocobo_root_priv_esc, noting that the exploit does not bypass SMAP.
  • PR #11019 - This fixes nagios_xi_chained_rce_2_electric_boogaloo and ppr_flatten_rec to properly respect the WfsDelay option.
  • PR #11017 - This fixes the userns_enabled? method used for Linux kernel capability detection in post modules when the unprivileged_userns_clone sysctl or the related /proc entries are unavailable.
  • PR #11015 - This fixes various issues related to Linux targets in the Xorg X11 Server SUID privilege escalation module.
  • PR #11011 - This PR fixes incorrect capitalization used for a datastore option in the iis_shortname_scanner module.
  • PR #11002 - This adds Python 3.7 support for external python scanner modules, and raises the minimum Python 3 version to 3.5.3.
  • PR #11001 - This improves error handling when certain payloads cannot be generated as position-independent shellcode, only executables.
  • PR #10998 - When unregistering options for a module, aliases will now also be unregistered. Also, to avoid option name conflicts, the list of available options is checked before the list of aliases.
  • PR #10997 - This removes the default command string for the php/exec payload, requiring the user to specify one instead. This prevents the user from accidentally overwriting the /etc/passwd file on the target if the exploit is sufficiently privileged.
  • PR #10996 - Correctly check the code returned by the check method before attempting to dump memory for MS15-034.
  • PR #10989 - This fixes an issue where saving and restoring datastore state leads to an incorrect message about the payload handler being disabled.
  • PR #10984 - This prevents the ms15_034_ulonglongadd DoS module from failing if it does not receive a response from the target.
  • PR #10981 - This modernizes the printjob_capture module and fixes up loot storage.
  • PR #10977 - This updates the freesshd_authbypass module to work more reliably in the presence of antivirus by avoiding writes to disk.
  • PR #10975 - This adds documentation for the following modules:
      • auxiliary/server/capture/postgresql
      • auxiliary/server/capture/telnet
      • auxiliary/server/capture/vnc
  • PR #10973 - This enables support for ISO 8601 style dates for disclosure dates in modules.
  • PR #10972 - This improves session / module compatibility checking to have fewer false warnings about session incompatibility.
  • PR #10971 - This fixes a formatting error when printing messages while running the check command from local exploit modules.
  • PR #10949 - This adds the ForceExploit option to Linux local exploits, allowing the user to proceed with exploitation regardless of what the check method returns.
  • PR #10872 - This adds a --pad-nops option for msfvenom that pads a payload with NOPs up to the total length given by -n. This is useful when replacing shellcode in an exploit that expects a fixed-length payload.
  • PR #10802 - The format (-f) option for msfvenom is no longer case-sensitive, allowing for formats like C and Python.
  • PR #10727 - This fixes a nil dereference in the shim layer of external module loading, allowing external modules without notes to be loaded successfully.
  • PR #10509 - This adds a source command for shell sessions that allows running a local shell script remotely in a single step.
  • PR #10352 - This adds an additional vulnerability check to the jboss_vulnscan auxiliary module. Now the module will check for a deserialization RCE vulnerability referenced in CVE-2017-12149.
  • PR #9915 - This improves reliability and compatibility of the influxdb_enum scanner module.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and the Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based on the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.