If your guilty pleasures include using a mobile device to make your home entertainment system WOW your guests, you might be using Unified Remote. I hope you are extra cautious about what devices you let on that WiFi network. A prolific community member h00die added a module this week that uses a recently published vulnerability from H4RK3NZ0 to leverage an unprotected configuration page exposed on the media service, combined with just a little bit of protocol info the module makes that media server a prime target for pranks and other less friendly activities by guests on the network.
Brought to you by the combined efforts of many members of the Metasploit Community, Linux meterpeter payloads now offer a new way to hunt down passwords in memory on all those delicious Linux sessions you gather with Metasploit. The new post/linux/gather/mimipenguin
module hunts down clear text passwords in Linux memory based on MimiPenguin.
A new module this week makes sharing public code risky business if you are using a bitbucket server to host that repository. Checkout out the nitty gritty in our blog post from earlier this week.
Last week’s update brought with it an awesome way to utilize Metasploit with payload generated by Sliver that even ranked a call out in their latest release notes. Great to see the community promoting these updates for more people to learn about and utilize.
unset
command will now consistently unset previously set datastore values, so that default values are used once again. Explicitly clearing a datastore value can be done with the set --clear OptionName
command. Modules that require protocol specific option names such as SMBUser/FTPUser/BIND_DN/etc can now be consistently set with just username/password/domain options, i.e. set username Administrator
instead of set SMBUser Administrator
. This rewrite is currently behind a feature flag which can be enabled with features set datastore_fallbacks true
.lib/msf/core/post/windows/accounts.rb
, lib/msf/core/post/windows/ldap.rb
, and lib/msf/core/post/windows/wmic.rb
libraries have been updated to replace calls to load_extapi
with ExtAPI compatibility checks which will check if the session supports ExtAPI, since if the sessions supports ExtAPI, it should already be loaded.enum_patches
has had its code updated to output the patches enumerated as a table and store the results long term in a CSV file. Additionally, a check has been added to see if the current session supports the required Meterpreter extension compatibility prior to trying to run the module. Finally, the code and documentation have been cleaned up and modernized.auxiliary/scanner/http/http_login
to report login success when the http status code is in the range 200,201,300-308
. This functionality is user-configurable with set HttpSuccessCodes 200
.get_members
method with get_members_from_group
from the Post API.post/windows/manage/rollback_defender_signatures
module has been updated to work on WoW64 sessions, and has had its code updated so that the default action is now a valid option.sessions
command would show the connection as coming from losthost 127.0.0.1, instead of the correct peer host address for reverse_http Meterpreter sessions.As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:
If you are a git
user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).