Community contributor Yann Castel has contributed an exploit module for NSClient++ which targets an authenticated command execution vulnerability. Users who are able to authenticate to the service as admin can leverage the external scripts feature to execute commands with SYSTEM-level privileges, which allows the underlying server to be compromised. Castel is also working on another exploit module for NSClient++, this one a local privilege escalation, so stay tuned for more NSClient++ content.
Community member Smashery returned to improve the Framework's Redis dumping capabilities. This week two bugs were fixed to ensure that Redis data can be more easily accessed using the auxiliary/gather/redis_extractor module. This module has seen a number of improvements lately and is capable of dumping data from both authenticated and unauthenticated instances.
Google Summer of Code student and community member pingport80 has been hard at work making a number of improvements to the POST API used by modules to interact with sessions. The bulk of the improvements have been focused on closing feature gaps in various scenarios. One excellent example of this is the new Process library that allows both shell and Meterpreter sessions to enumerate running processes on multiple platforms. This makes it easier for module developers to write content without worrying about the different capabilities of the various session types.
Pingport80 has also been testing various scenarios to find issues related to localization. This has involved finding instances where error messages that are assumed to be in English are used to determine various outcomes and updating them to function regardless of the underlying locale.
The command_exists? method inside post/common.rb has been updated to fall back to using the which command to check whether a command exists on a target system if command -v fails to run successfully. This allows users to check whether a command exists on systems that might not contain a command command, such as ESXi.

The lib/msf/core/post_mixin.rb library has been updated to correctly check whether missing Meterpreter command IDs are core command IDs or extension command IDs, and to provide appropriate feedback to end users about the incompatibility. This also fixes an issue where Meterpreter might complain that it couldn't load an extension but wouldn't display what the extension was.

Fixed an issue in the post/linux/gather/pptpd_chap_secrets module where, if the file is unreadable, Metasploit would treat the permission denied error as the file's contents.

RHOST and RHOSTS can now be used interchangeably for all scenarios and modules.

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).
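The command_exists? fallback described above (try command -v, then fall back to which when the target's shell has no command builtin, as on ESXi), as an added illustration that is not the Framework's own post/common.rb code. The run callable and the constructed fake targets stand in for a Metasploit session and are assumptions of this example, not Framework APIs.

```ruby
# Returns true if `cmd` exists on the target, probing in two stages.
# `run` is a callable that executes a shell command on the target and
# returns [output, exit_status]. It is a stub standing in for a session
# (an assumption of this example), not Metasploit's real API.
def command_exists?(cmd, run)
  # Only accept plain command names so nothing can be smuggled into the probe.
  raise ArgumentError, "invalid command name: #{cmd.inspect}" unless cmd.match?(/\A[\w.+-]+\z/)

  out, status = run.call("command -v #{cmd}")
  return true if status == 0 && !out.strip.empty?

  # `command -v` may not have run at all (no `command` builtin on the target),
  # so rather than trusting its failure, fall back to `which`.
  out, status = run.call("which #{cmd}")
  status == 0 && !out.strip.empty?
end

# Constructed fake targets for offline use: each maps a probe command to the
# [output, exit status] its shell would return.
LINUX_TARGET = {
  "command -v ls"   => ["/bin/ls\n", 0],
  "command -v nope" => ["", 1],
  "which ls"        => ["/bin/ls\n", 0],
  "which nope"      => ["", 1],
}.freeze

# ESXi-like target: no `command` builtin, so every `command -v` probe errors.
ESXI_TARGET = {
  "command -v ls"   => ["sh: command: not found\n", 127],
  "command -v nope" => ["sh: command: not found\n", 127],
  "which ls"        => ["/bin/ls\n", 0],
  "which nope"      => ["", 1],
}.freeze

# Builds a `run` callable over one of the fake targets above.
def runner_for(target)
  ->(shell_cmd) { target.fetch(shell_cmd) { ["sh: not found\n", 127] } }
end

if __FILE__ == $PROGRAM_NAME
  puts command_exists?("ls", runner_for(ESXI_TARGET))   # true, via the which fallback
  puts command_exists?("nope", runner_for(ESXI_TARGET)) # false
end
```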