Last updated at Fri, 23 Feb 2024 21:39:12 GMT
New Fetch Payload
It has been almost a year since Metasploit released the new fetch payloads and since then, 43 of the 79 exploit modules have had support for fetch payloads. The original payloads supported transferring the second stage over HTTP, HTTPS and FTP. This week, Metasploit has expanded that protocol support to include SMB, allowing payloads to be run using rundll32
which has the added benefit of capturing the NetNTLM hashes of the requestor.
This also streamlines the workflow the user would have previously used by first starting the exploit/windows/smb/smb_delivery
module, and then copying the command into another exploit. Now the user can simply select one of the SMB-enabled fetch payloads and Metasploit will manage the service and generate the command.
As an added benefit, since #18680 merged into Metasploit, multiple SMB services can be run simultaneously. This means that multiple SMB-enabled fetch payloads can have their own independent handlers running at the same time.
New module content (2)
Base64 Command Encoder
Author: Spencer McIntyre
Type: Encoder
Pull request: #18807 contributed by zeroSteiner
Description: This adds a new encoder module that leverages base64 encoding to escape bad characters in ARCH_CMD payloads for the Linux and UNIX platforms.
SMB Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager
Authors: Spencer McIntyre, bwatters-r7, and sf stephen_fewer@harmonysecurity.com
Type: Payload (Adapter)
Pull request: #18664 contributed by zeroSteiner
Description: This adds an SMB fetch-payload service and a new payload to use it. The payload invokes rundll32
but handles everything for the user automatically.
This adapter adds the following payloads:
cmd/windows/smb/x64/custom/bind_ipv6_tcp
cmd/windows/smb/x64/custom/bind_ipv6_tcp_uuid
cmd/windows/smb/x64/custom/bind_named_pipe
cmd/windows/smb/x64/custom/bind_tcp
cmd/windows/smb/x64/custom/bind_tcp_rc4
cmd/windows/smb/x64/custom/bind_tcp_uuid
cmd/windows/smb/x64/custom/reverse_http
cmd/windows/smb/x64/custom/reverse_https
cmd/windows/smb/x64/custom/reverse_named_pipe
cmd/windows/smb/x64/custom/reverse_tcp
cmd/windows/smb/x64/custom/reverse_tcp_rc4
cmd/windows/smb/x64/custom/reverse_tcp_uuid
cmd/windows/smb/x64/custom/reverse_winhttp
cmd/windows/smb/x64/custom/reverse_winhttps
cmd/windows/smb/x64/encrypted_shell/reverse_tcp
cmd/windows/smb/x64/encrypted_shell_reverse_tcp
cmd/windows/smb/x64/exec
cmd/windows/smb/x64/loadlibrary
cmd/windows/smb/x64/messagebox
cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp
cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp_uuid
cmd/windows/smb/x64/meterpreter/bind_named_pipe
cmd/windows/smb/x64/meterpreter/bind_tcp
cmd/windows/smb/x64/meterpreter/bind_tcp_rc4
cmd/windows/smb/x64/meterpreter/bind_tcp_uuid
cmd/windows/smb/x64/meterpreter/reverse_http
cmd/windows/smb/x64/meterpreter/reverse_https
cmd/windows/smb/x64/meterpreter/reverse_named_pipe
cmd/windows/smb/x64/meterpreter/reverse_tcp
cmd/windows/smb/x64/meterpreter/reverse_tcp_rc4
cmd/windows/smb/x64/meterpreter/reverse_tcp_uuid
cmd/windows/smb/x64/meterpreter/reverse_winhttp
cmd/windows/smb/x64/meterpreter/reverse_winhttps
cmd/windows/smb/x64/meterpreter_bind_named_pipe
cmd/windows/smb/x64/meterpreter_bind_tcp
cmd/windows/smb/x64/meterpreter_reverse_http
cmd/windows/smb/x64/meterpreter_reverse_https
cmd/windows/smb/x64/meterpreter_reverse_ipv6_tcp
cmd/windows/smb/x64/meterpreter_reverse_tcp
cmd/windows/smb/x64/peinject/bind_ipv6_tcp
cmd/windows/smb/x64/peinject/bind_ipv6_tcp_uuid
cmd/windows/smb/x64/peinject/bind_named_pipe
cmd/windows/smb/x64/peinject/bind_tcp
cmd/windows/smb/x64/peinject/bind_tcp_rc4
cmd/windows/smb/x64/peinject/bind_tcp_uuid
cmd/windows/smb/x64/peinject/reverse_named_pipe
cmd/windows/smb/x64/peinject/reverse_tcp
cmd/windows/smb/x64/peinject/reverse_tcp_rc4
cmd/windows/smb/x64/peinject/reverse_tcp_uuid
cmd/windows/smb/x64/pingback_reverse_tcp
cmd/windows/smb/x64/powershell_bind_tcp
cmd/windows/smb/x64/powershell_reverse_tcp
cmd/windows/smb/x64/powershell_reverse_tcp_ssl
cmd/windows/smb/x64/shell/bind_ipv6_tcp
cmd/windows/smb/x64/shell/bind_ipv6_tcp_uuid
cmd/windows/smb/x64/shell/bind_named_pipe
cmd/windows/smb/x64/shell/bind_tcp
cmd/windows/smb/x64/shell/bind_tcp_rc4
cmd/windows/smb/x64/shell/bind_tcp_uuid
cmd/windows/smb/x64/shell/reverse_tcp
cmd/windows/smb/x64/shell/reverse_tcp_rc4
cmd/windows/smb/x64/shell/reverse_tcp_uuid
cmd/windows/smb/x64/shell_bind_tcp
cmd/windows/smb/x64/shell_reverse_tcp
cmd/windows/smb/x64/vncinject/bind_ipv6_tcp
cmd/windows/smb/x64/vncinject/bind_ipv6_tcp_uuid
cmd/windows/smb/x64/vncinject/bind_named_pipe
cmd/windows/smb/x64/vncinject/bind_tcp
cmd/windows/smb/x64/vncinject/bind_tcp_rc4
cmd/windows/smb/x64/vncinject/bind_tcp_uuid
cmd/windows/smb/x64/vncinject/reverse_http
cmd/windows/smb/x64/vncinject/reverse_https
cmd/windows/smb/x64/vncinject/reverse_tcp
cmd/windows/smb/x64/vncinject/reverse_tcp_rc4
cmd/windows/smb/x64/vncinject/reverse_tcp_uuid
cmd/windows/smb/x64/vncinject/reverse_winhttp
cmd/windows/smb/x64/vncinject/reverse_winhttps
Enhancements and features (7)
- #18706 from sjanusz-r7 - Updates multiple PostgreSQL modules to now work with PostgreSQL sessions. This functionality is behind a feature flag which can be enabled with
features set postgres_session_type true
. - #18747 from zgoldman-r7 - Updates the
auxiliary/scanner/mssql/mssql_login
module with a newCreateSession
option which controls the opening of an interactive MSSQL session. This functionality is currently behind a feature flag which can be enabled withfeatures set mssql_session_type true
. - #18759 from cgranleese-r7 - Updates the multiple MySQL modules to work with a provided MySQL session instead of opening a new connection. This functionality is behind a feature flag which can be enabled with
features set mysql_session_type true
. - #18763 from zgoldman-r7 - Updates multiple MSSQL modules to now work with the new MSSQL session type that is enabled with
features set mssql_session_type true
. - #18806 from cgranleese-r7 - Improves unknown command handling by suggesting similar valid commands.
- #18809 from zeroSteiner - Makes multiple improvements to the
dns
command - a new command which mimics the functionality of/etc/resolv.conf
and/etc/hosts
. This functionality is currently behind a feature flag which can be enabled withfeatures set dns_feature true
in msfconsole. - #18825 from cgranleese-r7 - Improves the error messages when the current session is not compatible with a post module.
Bugs fixed (13)
- #18616 from adfoster-r7 - This fixes an issue with the AARCH64 SO ELF template that was causing SIGBUS exceptions to be raised.
- #18774 from adfoster-r7 - Updates the following modules to now work with newer versions of
sqlcmd
:
post/windows/gather/credentials/mssql_local_hashdump
andpost/windows/manage/mssql_local_auth_bypass
. - #18786 from lihe07 - This fixes an option name collision between the
exploit/linux/local/service_persistence
when the payload is set tocmd/unix/reverse_netcat
. The option to set the writable path is nowBACKDOOR_PATH
. - #18795 from cgranleese-r7 - Moves the CreateSession option from advanced into basic options for modules, in order to increase discoverability.
- #18798 from upsidedwn - This fixes an issue in the
exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move
module's check method that was causing version comparisons to fail. - #18799 from upsidedwn - This fixes an issue in the
exploit/windows/local/cve_2020_17136
module's check method that was causing version comparisons to fail. - #18800 from upsidedwn - This fixes an issue in the
exploit/windows/local/cve_2021_40449
module's check method that was causing version comparisons to fail. - #18801 from upsidedwn - This fixes an issue in the
exploit/windows/local/cve_2022_26904_superprofile
module's check method that was causing version comparisons to fail. - #18812 from adfoster-r7 - Reverts the
auxiliary/scanner/mssql/mssql_login
modules'sTDSENCRYPTION
default value tofalse
. - #18813 from adfoster-r7 - Fixes a crash when running the
help services
orhelp hosts
commands. - #18823 from cdelafuente-r7 - Fix module metadata platform list comparison.
- #18826 from dwelch-r7 - Fixes a regression where the
windows/smb/psexec
module was not correctly performing cleanup logic. - #18828 from dwelch-r7 - Fixes a crash when exploit modules used nops.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:
If you are a git
user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro