Last updated at Fri, 23 Feb 2024 21:39:12 GMT

New Fetch Payload

It has been almost a year since Metasploit released the new fetch payloads and since then, 43 of the 79 exploit modules have had support for fetch payloads. The original payloads supported transferring the second stage over HTTP, HTTPS and FTP. This week, Metasploit has expanded that protocol support to include SMB, allowing payloads to be run using rundll32 which has the added benefit of capturing the NetNTLM hashes of the requestor.

This also streamlines the workflow the user would have previously used by first starting the exploit/windows/smb/smb_delivery module, and then copying the command into another exploit. Now the user can simply select one of the SMB-enabled fetch payloads and Metasploit will manage the service and generate the command.

As an added benefit, since #18680 merged into Metasploit, multiple SMB services can be run simultaneously. This means that multiple SMB-enabled fetch payloads can have their own independent handlers running at the same time.

New module content (2)

Base64 Command Encoder

Author: Spencer McIntyre
Type: Encoder
Pull request: #18807 contributed by zeroSteiner

Description: This adds a new encoder module that leverages base64 encoding to escape bad characters in ARCH_CMD payloads for the Linux and UNIX platforms.

SMB Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager

Authors: Spencer McIntyre, bwatters-r7, and sf stephen_fewer@harmonysecurity.com
Type: Payload (Adapter)
Pull request: #18664 contributed by zeroSteiner

Description: This adds an SMB fetch-payload service and a new payload to use it. The payload invokes rundll32 but handles everything for the user automatically.

This adapter adds the following payloads:

  • cmd/windows/smb/x64/custom/bind_ipv6_tcp
  • cmd/windows/smb/x64/custom/bind_ipv6_tcp_uuid
  • cmd/windows/smb/x64/custom/bind_named_pipe
  • cmd/windows/smb/x64/custom/bind_tcp
  • cmd/windows/smb/x64/custom/bind_tcp_rc4
  • cmd/windows/smb/x64/custom/bind_tcp_uuid
  • cmd/windows/smb/x64/custom/reverse_http
  • cmd/windows/smb/x64/custom/reverse_https
  • cmd/windows/smb/x64/custom/reverse_named_pipe
  • cmd/windows/smb/x64/custom/reverse_tcp
  • cmd/windows/smb/x64/custom/reverse_tcp_rc4
  • cmd/windows/smb/x64/custom/reverse_tcp_uuid
  • cmd/windows/smb/x64/custom/reverse_winhttp
  • cmd/windows/smb/x64/custom/reverse_winhttps
  • cmd/windows/smb/x64/encrypted_shell/reverse_tcp
  • cmd/windows/smb/x64/encrypted_shell_reverse_tcp
  • cmd/windows/smb/x64/exec
  • cmd/windows/smb/x64/loadlibrary
  • cmd/windows/smb/x64/messagebox
  • cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp
  • cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp_uuid
  • cmd/windows/smb/x64/meterpreter/bind_named_pipe
  • cmd/windows/smb/x64/meterpreter/bind_tcp
  • cmd/windows/smb/x64/meterpreter/bind_tcp_rc4
  • cmd/windows/smb/x64/meterpreter/bind_tcp_uuid
  • cmd/windows/smb/x64/meterpreter/reverse_http
  • cmd/windows/smb/x64/meterpreter/reverse_https
  • cmd/windows/smb/x64/meterpreter/reverse_named_pipe
  • cmd/windows/smb/x64/meterpreter/reverse_tcp
  • cmd/windows/smb/x64/meterpreter/reverse_tcp_rc4
  • cmd/windows/smb/x64/meterpreter/reverse_tcp_uuid
  • cmd/windows/smb/x64/meterpreter/reverse_winhttp
  • cmd/windows/smb/x64/meterpreter/reverse_winhttps
  • cmd/windows/smb/x64/meterpreter_bind_named_pipe
  • cmd/windows/smb/x64/meterpreter_bind_tcp
  • cmd/windows/smb/x64/meterpreter_reverse_http
  • cmd/windows/smb/x64/meterpreter_reverse_https
  • cmd/windows/smb/x64/meterpreter_reverse_ipv6_tcp
  • cmd/windows/smb/x64/meterpreter_reverse_tcp
  • cmd/windows/smb/x64/peinject/bind_ipv6_tcp
  • cmd/windows/smb/x64/peinject/bind_ipv6_tcp_uuid
  • cmd/windows/smb/x64/peinject/bind_named_pipe
  • cmd/windows/smb/x64/peinject/bind_tcp
  • cmd/windows/smb/x64/peinject/bind_tcp_rc4
  • cmd/windows/smb/x64/peinject/bind_tcp_uuid
  • cmd/windows/smb/x64/peinject/reverse_named_pipe
  • cmd/windows/smb/x64/peinject/reverse_tcp
  • cmd/windows/smb/x64/peinject/reverse_tcp_rc4
  • cmd/windows/smb/x64/peinject/reverse_tcp_uuid
  • cmd/windows/smb/x64/pingback_reverse_tcp
  • cmd/windows/smb/x64/powershell_bind_tcp
  • cmd/windows/smb/x64/powershell_reverse_tcp
  • cmd/windows/smb/x64/powershell_reverse_tcp_ssl
  • cmd/windows/smb/x64/shell/bind_ipv6_tcp
  • cmd/windows/smb/x64/shell/bind_ipv6_tcp_uuid
  • cmd/windows/smb/x64/shell/bind_named_pipe
  • cmd/windows/smb/x64/shell/bind_tcp
  • cmd/windows/smb/x64/shell/bind_tcp_rc4
  • cmd/windows/smb/x64/shell/bind_tcp_uuid
  • cmd/windows/smb/x64/shell/reverse_tcp
  • cmd/windows/smb/x64/shell/reverse_tcp_rc4
  • cmd/windows/smb/x64/shell/reverse_tcp_uuid
  • cmd/windows/smb/x64/shell_bind_tcp
  • cmd/windows/smb/x64/shell_reverse_tcp
  • cmd/windows/smb/x64/vncinject/bind_ipv6_tcp
  • cmd/windows/smb/x64/vncinject/bind_ipv6_tcp_uuid
  • cmd/windows/smb/x64/vncinject/bind_named_pipe
  • cmd/windows/smb/x64/vncinject/bind_tcp
  • cmd/windows/smb/x64/vncinject/bind_tcp_rc4
  • cmd/windows/smb/x64/vncinject/bind_tcp_uuid
  • cmd/windows/smb/x64/vncinject/reverse_http
  • cmd/windows/smb/x64/vncinject/reverse_https
  • cmd/windows/smb/x64/vncinject/reverse_tcp
  • cmd/windows/smb/x64/vncinject/reverse_tcp_rc4
  • cmd/windows/smb/x64/vncinject/reverse_tcp_uuid
  • cmd/windows/smb/x64/vncinject/reverse_winhttp
  • cmd/windows/smb/x64/vncinject/reverse_winhttps

Enhancements and features (7)

  • #18706 from sjanusz-r7 - Updates multiple PostgreSQL modules to now work with PostgreSQL sessions. This functionality is behind a feature flag which can be enabled with features set postgres_session_type true.
  • #18747 from zgoldman-r7 - Updates the auxiliary/scanner/mssql/mssql_login module with a new CreateSession option which controls the opening of an interactive MSSQL session. This functionality is currently behind a feature flag which can be enabled with features set mssql_session_type true.
  • #18759 from cgranleese-r7 - Updates the multiple MySQL modules to work with a provided MySQL session instead of opening a new connection. This functionality is behind a feature flag which can be enabled with features set mysql_session_type true.
  • #18763 from zgoldman-r7 - Updates multiple MSSQL modules to now work with the new MSSQL session type that is enabled with features set mssql_session_type true.
  • #18806 from cgranleese-r7 - Improves unknown command handling by suggesting similar valid commands.
  • #18809 from zeroSteiner - Makes multiple improvements to the dns command - a new command which mimics the functionality of /etc/resolv.conf and /etc/hosts. This functionality is currently behind a feature flag which can be enabled with features set dns_feature true in msfconsole.
  • #18825 from cgranleese-r7 - Improves the error messages when the current session is not compatible with a post module.

Bugs fixed (13)

  • #18616 from adfoster-r7 - This fixes an issue with the AARCH64 SO ELF template that was causing SIGBUS exceptions to be raised.
  • #18774 from adfoster-r7 - Updates the following modules to now work with newer versions of sqlcmd:
    post/windows/gather/credentials/mssql_local_hashdump and post/windows/manage/mssql_local_auth_bypass.
  • #18786 from lihe07 - This fixes an option name collision between the exploit/linux/local/service_persistence when the payload is set to cmd/unix/reverse_netcat. The option to set the writable path is now BACKDOOR_PATH.
  • #18795 from cgranleese-r7 - Moves the CreateSession option from advanced into basic options for modules, in order to increase discoverability.
  • #18798 from upsidedwn - This fixes an issue in the exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move module's check method that was causing version comparisons to fail.
  • #18799 from upsidedwn - This fixes an issue in the exploit/windows/local/cve_2020_17136 module's check method that was causing version comparisons to fail.
  • #18800 from upsidedwn - This fixes an issue in the exploit/windows/local/cve_2021_40449 module's check method that was causing version comparisons to fail.
  • #18801 from upsidedwn - This fixes an issue in the exploit/windows/local/cve_2022_26904_superprofile module's check method that was causing version comparisons to fail.
  • #18812 from adfoster-r7 - Reverts the auxiliary/scanner/mssql/mssql_login modules's TDSENCRYPTION default value to false.
  • #18813 from adfoster-r7 - Fixes a crash when running the help services or help hosts commands.
  • #18823 from cdelafuente-r7 - Fix module metadata platform list comparison.
  • #18826 from dwelch-r7 - Fixes a regression where the windows/smb/psexec module was not correctly performing cleanup logic.
  • #18828 from dwelch-r7 - Fixes a crash when exploit modules used nops.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro