Last updated at Tue, 25 Jul 2017 16:38:44 GMT

When it rains, it pours. We released Metasploitable Version 2, published a technique for scanning vulnerable F5 gear, and put out a module to exploit MySQL's tragically comic authentication bypass problem, all in addition to cooking up this week's update. So, kind of a busy week around here. You're welcome. (:

Encrypted Java Meterpreter

This week's update features Michael Schierl's much-anticipated cryptographic update to Java Meterpreter. Now, when using the default Java Meterpreter payload, users can specify an "AESPassword" option, which will encrypt all post-exploit communication with the Java Meterpreter payload. To illustrate, post-exploitation packet captures will go from this, to this.

This should make life a little more challenging for our IDS/IPS signature writing friends, and make Java Meterpreter sessions a little more reliable for penetration testers.

Once we've kicked this new encryption mode around for a couple of weeks and made sure everything's copacetic there, I expect to have this option enabled by default for Java exploits.

Ye Olde Tyme Vulnerabilitys

This week's update also features something old -- specifically, open source contributor Patrick's modules for Microsoft Data Access Components (MDAC) vulnerabilities from yesteryear. Microsoft IIS MDAC msadcs.dll RDS DataStub Content-Type Overflow and Microsoft IIS MDAC msadcs.dll RDS Arbitrary Remote Command Execution both target older IIS installations -- issues MS02-065 and MS98-004, respectively. Veteran penetration testers will recognize these Microsoft bulletin numbers from countless vulnerability reports. Just seeing MS98-004 mentioned in a new module makes me misty for the old days.

Having exploits handy for older vulnerabilities like this can be hugely useful. While it might be a foregone conclusion today that there is no way to secure a given NT 4.0 machine effectively, these modules make it much easier to actually prove it to your client.

Other New Modules

Finally, we have a slew of new modules -- thanks again to our community of open source security contributors for the diverse set of exploits this week.


If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see the most excellent release notes.