Last updated at Wed, 17 Jan 2024 01:11:52 GMT
A more useful `use` command
From among the many musings of longtime contributor/team member Brent Cook, in a combined effort with the ever-present wvu, the `use` command has become so much more useful. PR 11724 takes new functionality from `search -u` one step further by automatically applying it when `use` is called with a unique partial module name. The user is always given a full list of possible module matches and metadata as well, to help ensure that the intended module was selected or to help refine the search term.
Practice what you preach
We love coordinated disclosure. We’re grateful to Luca Carettoni for disclosing a vulnerability, CVE-2019-5624, in Zip imports in Metasploit Framework and Metasploit Pro. We shipped a fix this release cycle; more information on Rapid7's disclosure practices is available here.
New modules (3)
- Cisco RV130W Routers Management Interface Remote Command Execution by Haoliang Lu, Quentin Kaiser, T. Shiomitsu, and Yu Zhang, which exploits CVE-2019-1663
- LibreOffice Macro Code Execution by Alex Inführ and Shelby Pace, which exploits CVE-2018-16858
- WordPress Google Maps Plugin SQL Injection by Thomas Chauchefoin (Synacktiv), which exploits CVE-2019-10692
Enhancements and features
- New Android appapi commands by Islam Nofl. Android Meterpreter now implements commands to manipulate applications on the target device.
- `use` intelligent search by wvu. Improvements to the `use` command take advantage of intelligent search.
- POSIX Meterpreter reflective loading by Adam Cammack. Adds two methods for executing files on Linux without filesystem artifacts.
- Reduce gem package size by Jeffrey Martin. Shrinks payload packaging by eliminating packaging tools in the gem builds.
- POSIX Meterpreter signed iOS libs by timwr. Artifacts now provide signed dylib packages for both iOS architectures.
- POSIX Meterpreter iOS clipboard by timwr. Support for the clipboard API on iOS.
Bugs fixed
- Mitigation of Zip directory traversal reported by Luca Carettoni and addressed by Sonny Gonzalez. This closes a possible attack on the import process in Metasploit where a user importing an untrusted ZIP file could lead to code execution.
- POSIX Meterpreter subshell by timwr. Improves execution of `shell` commands to only use subshell when required.
- POSIX Meterpreter stability by Brent Cook. Avoid a hanging bug with the `ls` command.
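The Zip directory traversal item above concerns archive entry names that resolve outside the directory an import extracts into. As an added example (not Metasploit's patch or code), this Ruby check validates each entry name against the extraction root before anything is written; `safe_destination`, `partition_entries`, the `/tmp/import` root and the sample names are assumptions constructed for illustration.

```ruby
# Added example: lexical destination check for ZIP entry names before extraction.
# safe_destination / partition_entries are hypothetical helpers, not Metasploit code.
class UnsafeEntryError < StandardError; end

# Return the absolute path an entry would be written to under root,
# or raise UnsafeEntryError if that path falls outside root.
def safe_destination(root, entry_name)
  raise UnsafeEntryError, 'empty entry name' if entry_name.nil? || entry_name.empty?
  raise UnsafeEntryError, 'NUL byte in entry name' if entry_name.include?("\0")

  # ZIP names use "/", but some archives carry "\" separators; treat both alike.
  name = entry_name.gsub('\\', '/')
  if name.start_with?('/') || name.match?(/\A[A-Za-z]:/)
    raise UnsafeEntryError, "absolute path: #{entry_name}"
  end

  root_abs = File.expand_path(root)
  # Join first so a leading "~" is not home-expanded, then collapse "." and "..".
  dest = File.expand_path(File.join(root_abs, name))

  # Compare against root plus a separator so a sibling such as
  # "/tmp/import_evil" cannot pass as being inside "/tmp/import".
  unless dest.start_with?(root_abs + File::SEPARATOR)
    raise UnsafeEntryError, "outside extraction root: #{entry_name}"
  end
  dest
end

# Split entry names into [accepted destinations, rejected names].
def partition_entries(root, names)
  accepted = []
  rejected = []
  names.each do |n|
    begin
      accepted << safe_destination(root, n)
    rescue UnsafeEntryError
      rejected << n
    end
  end
  [accepted, rejected]
end

# Constructed sample entry names (not from any real archive).
SAMPLE_NAMES = [
  'workspace.xml', 'loot/host1/notes.txt', '../../outside.txt',
  'loot/../../outside.txt', '/etc/placeholder', '..\\..\\outside.txt',
  '../import_evil/file.txt'
].freeze
```

The check is purely lexical: it does not inspect symlink entries or links already present under the extraction root, which need a separate check at write time.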
Get it
As always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:
We recently announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions).