Metasploit 4.6.0 Released!

We just released Metasploit 4.6.0, so applying this week's update will get you the brand new version. While Chris has a delightful blog post of what all is new in Metasploit Pro, let's take a look at what's exciting and new between Metasploit 4.5.0 and today's update to 4.6.0.

138 new modules

First off, the hacker elves have been cranking out a ton of module content since we released 4.5.0 back in December, 2012. Between then and now, we've got 138 new modules. That's 1.1 new modules per day, including those days that other people call "weekends" and "holidays." Of those, we have 80 new exploits, 44 new auxiliary modules, and 12 new post modules.

Of course, most of the module commits don't originate with us here at Rapid7. Over this release, we have 86 distinct committers contributing to Metasploit, and only 11 of them are employed here at Rapid7. It's this overwhelming strength of the Metasploit exploit development community that keeps me super-excited to do Good Work every day. Seriously, thank you all for that. I'm getting all verklempt here.

A stroll down diff lane

Of course, we did a little more than just sling exploit code for 4.6.0. We also moved the ball forward on a whole bunch of core development and security research. Here are the highlights:

• We got serious about unit testing. Exploit writers are notorious for writing quick, throw-away code, born of the race to get a working PoC together before the next guy (and the next patch!). Since Metasploit Framework is largely written by exploit devs, this habit has been really hard to combat. That said, on the road to 4.6.0, we integrated Travis-CI to run our growing library of RSpec tests. We're a long way from done there, of course, but we've made some pretty significant progress.
• We detailed our peer code review practices for landing new code and new modules. Open source security development means taking risks, leaving your comfort zone, and suffering the slings and arrows of code review. Believe me, it's a lot easier to just pile on hack after hack when you're sitting in your closed-source cubicle farm, but developing in public means that we get to review and critique code from all comers. In the end, we hope we're being helpful, and fewer mistakes are repeated for next time.
• We ported a bunch of 0day for Metasploit users. This kind of fast turnaround immediately puts the tools to test and validate remediation directly in the hands of the people who are best positioned to help: you. In addition, Metasploit exploits are now making it into other projects' regression testing cases, and are used to teach the next wave of security researchers how to quickly turn a found-in-the-wild 0day into a useful, safe, and effective exploit module.
• We implemented a pretty novel new Postgres payload delivery system -- just in time for the recent wave of Postgres vulnerabilities! Nothing proves a vulnerability better than popping shells.
• We invented a portable Ruby command exec payload to take advantage of the wave of Rails vulnerabilities announced these last couple months. While getting a rails server to print "hello world!" on the console is all well and good, it's really all about the shells.
• We updated msfupdate to fully take advantage of our Git-based source code control systems, as well as to use the Metasploit Community and Pro edition update systems. We recognize that most Metasploit users really just want stability and security in their updates, and tracking along a source code tree isn't usually the way to get there. So, now installed versions of Metasploit (including Kali-installed Debian packages) will only update once a week, after the usual in-house QA and validation.
• We turned exploited endpoints into Hollywood-hacker spy systems. Thanks to a user bug, we found that the record_mic feature of Meterpreter had been broken for a little while. So, we fixed it, wrapped it up in a post module, added a webcam activation module and some CCTV controller, and unleashed these A/V-centric modules into the world. I have no idea if real espionage agents actually do this kind of thing or not, but now you can prove that they can on your next pentest engagement. After all, that's kind of the point of a penetration test -- you want to be able to simulate what a real adversary could do in order to bring attention to the real risk of vulnerabilities.
• We put together some UPnP modules to help people scan their enterprises for misconfigured and buggy UPnP endpoints. You are blocking and watching UDP port 1900 by now, right?
• We asked you nicely to msftidy.rb your modules as part of a Git pre-commit hook. Since we started automating msftidy, the module quality we've been seeing shot up considerably, and we've been able to move new modules through the pull request queue a lot faster with a lot fewer common mistakes. Of course, as a result, we now get more pull requests. I'm sure there's an economics lesson about friction in there somewhere.
• We started using a new heap spray technique for our many browser-based exploits. This was on the heels of some very excellent training and collaboration with the Corelan Team. Now, with a little luck, we can write more reliable exploits all the way through Internet Explorer 10, as well as Firefox 54 (or whatever their latest version is by the time this post goes live).
• We now support Kali as an installation target. This was a huge accomplishment, thanks to the teamwork between Rapid7 and Offensive Security, getting a stable, supportable build into the hands of Kali Linux users worldwide. Assuming this ends up working out as we expect, we should be able to start supporting other platforms, such as Ubuntu, Debian, and Mint, with proper Debian packages. (We're also experimenting with a for-real Homebrew tap for you Mac OSX guys, but shhh it's not official yet.)
• We pushed the envelope on WAP/Router hacking by landing a metric ton of exploit and auxilary modules targeting Linksys, D-Link, and Netgear devices, as well as putting together command execution payloads custom built for MIPS computing environments.

So, yeah. Been a busy four months or so. All of those bullets start with the word "we," and like I said, that's not just Rapid7 folks; it's all of you who pitched in with your work, patience, smarts, and gumption to get this thing out the door. Thanks!

Module roundup

If you're upgrading from 4.5.0 to 4.6.0, here's the laundry list of security testing goodness you have to look forward to. Let's be careful out there!

• OpenPLI Webif Arbitrary Command Execution by Michael Messner exploits OSVDB-90230
• HP System Management Anonymous Access Code Execution by agix exploits OSVDB-91812
• Linksys E1500/E2500 apply.cgi Remote Command Injection by juan vazquez and Michael Messner exploits OSVDB-89912
• Netgear DGN1000B setup.cgi Remote Command Execution by juan vazquez and Michael Messner exploits OSVDB-89985
• MongoDB nativeHelper.apply Remote Code Execution by agix exploits CVE-2013-1892
• Novell eDirectory 8 Buffer Overflow by juan vazquez, David Klein, and Gary Nilson exploits CVE-2012-0432
• PostgreSQL for Linux Payload Execution by egyp7, todb, and midnitesnake
• Java Applet AverageRangeStatisticImpl Remote Code Execution by juan vazquez and Unknown exploits CVE-2012-5076
• Java Applet JMX Remote Code Execution by sinn3r, juan vazquez, egyp7, and Unknown exploits CVE-2013-0422
• Java Applet JMX Remote Code Execution by juan vazquez, Adam Gowdiak, SecurityObscurity, and Unknown exploits CVE-2013-0431
• Java Applet Method Handle Remote Code Execution by juan vazquez and Unknown exploits CVE-2012-5088
• eXtplorer v2.1 Arbitrary File Upload Vulnerability by Brendan Coles exploits OSVDB-88751
• Glossword v1.8.8 - 1.8.12 Arbitrary File Upload Vulnerability by AkaStep and Brendan Coles
• Jenkins Script-Console Java Execution by Spencer McIntyre and jamcut
• Kordil EDMS v2.2.60rc3 Unauthenticated Arbitrary File Upload Vulnerability by Brendan Coles
• Movable Type 4.2x, 4.3x Web Upgrade Remote Code Execution by Gary O'Leary-Steele, Kacper Nowak, and Nick Blundell exploits CVE-2013-0209
• Mutiny Remote Command Execution by juan vazquez and Christopher Campbell exploits CVE-2012-3001
• Netwin SurgeFTP Remote Command Execution by sinn3r and Spencer McIntyre
• PolarPearCms PHP File Upload Vulnerability by Fady Mohamed Osman exploits CVE-2013-0803
• Ruby on Rails JSON Processor YAML Deserialization Code Execution by egyp7, jjarmoc, and lian exploits CVE-2013-0333
• Ruby on Rails XML Processor YAML Deserialization Code Execution by hdm, charliesome, espes, and lian exploits CVE-2013-0156
• SonicWALL GMS 6 Arbitrary File Upload by juan vazquez, Julian Vilas, and Nikolas Sotiriu exploits CVE-2013-1359
• Splunk 5.0 Custom App Remote Code Execution by sinn3r, juan vazquez, and marcwickenden
• Apache Struts ParametersInterceptor Remote Code Execution by Meder Kydyraliev, Richard Hicks, and mihi exploits CVE-2011-3923
• STUNSHELL Web Shell Remote PHP Code Execution by bwall
• STUNSHELL Web Shell Remote Code Execution by bwall
• v0pCr3w Web Shell Remote Code Execution by bwall
• Novell ZENworks Configuration Management Remote Execution by juan vazquez and James Burton exploits ZDI-13-049
• Ra1NX PHP Bot PubCall Authentication Bypass Remote Code Execution by bwall exploits OSVDB-91663
• Portable UPnP SDK unique_service_name() Remote Code Execution by hdm, Alex Eubanks, and Richard Harman exploits CVE-2012-5958
• Setuid Tunnelblick Privilege Escalation by juan vazquez and Jason A. Donenfeld exploits CVE-2012-3485
• Viscosity setuid-set ViscosityHelper Privilege Escalation by juan vazquez and Jason A. Donenfeld exploits CVE-2012-4284
• DataLife Engine preview.php PHP Code Injection by juan vazquez and EgiX exploits CVE-2013-1412
• Foswiki MAKETEXT Remote Command Execution by juan vazquez and Brian Carlson exploits CVE-2012-6329
• Joomla Component JCE File Upload Remote Code Execution by Heyder Andrade and Unknown exploits BID-49338
• Nagios3 history.cgi Host Command Execution by Daniele Martini, Jose Selvi, Unknown, and blasty exploits CVE-2012-6096
• Nagios XI Network Monitor Graph Explorer Component Command Injection by sinn3r and Daniel Compton exploits OSVDB-83552
• OpenEMR PHP File Upload Vulnerability by juan vazquez and Gjoko Krstic exploits OSVDB-90222
• PHP-Charts v1.0 PHP Code Execution Vulnerability by AkaStep and Brendan Coles exploits OSVDB-89334
• TWiki MAKETEXT Remote Command Execution by juan vazquez and George Clark exploits CVE-2012-6329
• WordPress Plugin Advanced Custom Fields Remote File Inclusion by Charlie Eriksen exploits OSVDB-87353
• WordPress Asset-Manager PHP File Upload Vulnerability by James Fitts and Sammy FORGIT exploits OSVDB-82653
• WordPress Plugin Google Document Embedder Arbitrary File Disclosure by Charlie Eriksen exploits CVE-2012-4915
• WordPress WP-Property PHP File Upload Vulnerability by James Fitts and Sammy FORGIT exploits OSVDB-82656
• ZoneMinder Video Server packageControl Command Execution by Brendan Coles
• Crystal Reports CrystalPrintControl ActiveX ServerResourceVersion Property Overflow by juan vazquez, Dmitriy Pletnev, and Dr_IDE exploits CVE-2010-2590
• Foxit Reader Plugin URL Processing Buffer Overflow by juan vazquez, Sven Krewitt, and rgod exploits OSVDB-89030
• Honeywell HSC Remote Deployer ActiveX Remote Code Execution by juan vazquez exploits CVE-2013-0108
• Honeywell Tema Remote Installer ActiveX Remote Code Execution by juan vazquez, Billy Rios, and Terry McCorkle exploits OSVDB-76681
• Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability by sinn3r, juan vazquez, Peter Vreugdenhil, eromang, and mahmud ab rahman exploits MS13-008
• InduSoft Web Studio ISSymbol.ocx InternationalSeparator() Heap Overflow by juan vazquez, Alexander Gavrun, Dmitriy Pletnev, and James Fitts exploits ZDI-12-168
• IBM Lotus iNotes dwa85W ActiveX Buffer Overflow by juan vazquez and Gaurav Baruah exploits ZDI-12-132
• Java CMM Remote Code Execution by juan vazquez and Unknown exploits CVE-2013-1493
• Maxthon3 about:history XCS Trusted Zone Code Execution by sinn3r, juan vazquez, and Roberto Suggi Liverani
• Microsoft Internet Explorer Option Element Use-After-Free by sinn3r, juan vazquez, and Ivan Fratric exploits MS11-081
• MS13-009 Microsoft Internet Explorer SLayoutRun Use-After-Free by Scott Bell exploits MS13-009
• IBM Lotus Notes Client URL Handler Command Injection by juan vazquez, Moritz Jodeit, and Sean de Regge exploits ZDI-12-154
• Novell GroupWise Client gwcls1.dll ActiveX Remote Code Execution by juan vazquez and rgod exploits ZDI-13-008
• VMWare OVF Tools Format String Vulnerability by juan vazquez and Jeremy Brown exploits CVE-2012-3569
• IBM Lotus QuickR qp2 ActiveX Buffer Overflow by juan vazquez and Gaurav Baruah exploits ZDI-12-134
• Cool PDF Image Stream Buffer Overflow by juan vazquez, Chris Gabriel, and Francis Provencher exploits CVE-2012-4914
• KingView Log File Parsing Buffer Overflow by juan vazquez, Carlos Mario Penagos Hollman, and Lucas Apa exploits CVE-2012-4711
• VMWare OVF Tools Format String Vulnerability by juan vazquez and Jeremy Brown exploits CVE-2012-3569
• RealPlayer RealMedia File Handling Buffer Overflow by suto exploits CVE-2012-5691
• FreeFloat FTP Server Arbitrary File Upload by sinn3r and juan vazquez exploits OSVDB-88303
• Sami FTP Server LIST Command Buffer Overflow by Doug Prostko and superkojiman exploits OSVDB-90815
• HP Intelligent Management Center Arbitrary File Upload by juan vazquez and rgod exploits ZDI-13-050
• Windows Manage Memory Payload Injection by sinn3r and Carlos Perez
• Windows Manage Persistent Payload Installer by Carlos Perez
• Windows Manage User Level Persistent Payload Installer by Brandon McCann "zeknox" and Thomas McCarthy "smilingraccoon"
• ActFax 5.01 RAW Server Buffer Overflow by juan vazquez, Craig Freyman, and corelanc0d3r exploits OSVDB-89944
• BigAnt Server DUPF Command Arbitrary File Upload by juan vazquez and Hamburgers Maccoy exploits CVE-2012-6274
• BigAnt Server 2 SCH And DUPF Buffer Overflow by juan vazquez and Hamburgers Maccoy exploits CVE-2012-6275
• Enterasys NetSight nssyslogd.exe Buffer Overflow by juan vazquez, Jeremy Brown, and rgod exploits ZDI-11-350
• Firebird Relational Database CNCT Group Number Buffer Overflow by Spencer McIntyre exploits CVE-2013-2492
• HP Data Protector DtbClsLogin Buffer Overflow by juan vazquez and AbdulAziz Hariri exploits ZDI-10-174
• IBM Cognos tm1admsd.exe Overflow by juan vazquez and Unknown exploits ZDI-12-101
• IBM System Director Agent DLL Injection by juan vazquez, Bernhard Mueller, and kingcope exploits CVE-2009-0880
• Microsoft SQL Server Database Link Crawling Command Execution by Antti Rantasaari and Scott Sutherland "nullbind"
• SCADA 3S CoDeSys Gateway Server Directory Traversal by Enrique Sanchez exploits CVE-2012-4705
• Freesshd Authentication Bypass by Aris, Daniele Martini, and kcope exploits CVE-2012-6066
• Linux Gather PPTP VPN chap-secrets Credentials by sinn3r
• Linux Manage Download and Exececute by Joshua D. Abraham
• Multi Manage Record Microphone by sinn3r
• Windows Gather BulletProof FTP Client Saved Password Extraction by juan vazquez
• Razer Synapse Password Extraction by Brandon McCann "zeknox", Matt Howard "pasv", and Thomas McCarthy "smilingraccoon"
• Windows Gather Spark IM Password Extraction by Brandon McCann "zeknox" and Thomas McCarthy "smilingraccoon"
• Steam client session Collector. by Nikolai Rusakov
• Windows Gather AD Enumerate Computers by Ben Campbell
• Windows Gather Local Admin Search by Brandon McCann "zeknox", Royce Davis "r3dy", and Thomas McCarthy "smilingraccoon"
• Windows NetLM Downgrade Attack by Brandon McCann "zeknox" and Thomas McCarthy "smilingraccoon"
• Microsoft Word UNC Path Injector by SphaZ
• Windows Manage Reflective DLL Injection Module by Ben Campbell
• Windows Manage Webcam by sinn3r
• Axigen Arbitrary File Read and Delete by juan vazquez and Zhao Liang exploits CVE-2012-4940
• D-Link DIR-600 / DIR-300 Unauthenticated Remote Command Execution by Michael Messner exploits OSVDB-89861
• DLink DIR 645 Password Extractor by Michael Messner and Roberto Paleari exploits OSVDB-90733
• Linksys E1500/E2500 Remote Command Execution by Michael Messner exploits OSVDB-89912
• Linksys WRT54GL Remote Command Execution by Michael Messner exploits OSVDB-89421
• Ruby on Rails Devise Authentication Password Reset by jjarmoc and joernchen exploits CVE-2013-0233
• PsExec NTDS.dit And SYSTEM Hive Download Utility by Royce Davis
• Microsoft Word UNC Path Injector by SphaZ
• Dopewars Denial of Service by Doug Prostko exploits CVE-2009-3591
• OpenSSL TLS 1.1 and 1.2 AES-NI DoS by Wolfgang Ettlinger exploits CVE-2012-2686
• DNS Brutefoce Enumeration by Carlos Perez
• DNS Basic Information Enumeration by Carlos Perez
• DNS Reverse Lookup Enumeration by Carlos Perez
• DNS Common Service Record Enumeration by Carlos Perez
• Discover External IP via Ifconfig.me by RageLtMan
• HTTP SSL Certificate Impersonation by Chris John Riley
• W3-Total-Cache Wordpress-plugin 0.9.2.4 (or before) Username and Hash Extract by Christian Mehlmauer and Jason A. Donenfeld exploits OSVDB-88744
• XBMC Web Server Directory Traversal by sinn3r, Lucas "acidgen" Lundgren IOActive, and Matt "hostess" Andreko
• Titan FTP XCRC Directory Traversal Information Disclosure by Brandon McCann @zeknox and jduck exploits OSVDB-65533
• DLink DIR-300A / DIR-320 / DIR-615D HTTP Login Utility by hdm and Michael Messner exploits CVE-1999-0502
• DLink DIR-615H HTTP Login Utility by hdm and Michael Messner exploits CVE-1999-0502
• DLink DIR-300B / DIR-600B / DIR-815 / DIR-645 HTTP Login Utility by hdm and Michael Messner exploits CVE-1999-0502
• Novell Groupwise Agents HTTP Directory Traversal by juan vazquez and r () b13$ exploits CVE-2012-0419
• Joomla Page Scanner by newpid0
• Joomla Plugins Scanner by newpid0
• Joomla Version Scanner by newpid0
• Linksys E1500 Directory Traversal Vulnerability by Michael Messner exploits OSVDB-89911
• Netgear SPH200D Directory Traversal Vulnerability by Michael Messner exploits BID-57660
• Ruby on Rails JSON Processor YAML Deserialization Scanner by hdm and jjarmoc exploits CVE-2013-0333
• Ruby on Rails XML Processor YAML Deserialization Scanner by hdm and jjarmoc exploits CVE-2013-0156
• Simple Web Server 2.3-RC1 Directory Traversal by sinn3r and CwG GeNiuS exploits OSVDB-88877
• SVN wc.db Scanner by Stephen Haywood
• Symantec Messaging Gateway 9.5 Log File Download Vulnerability by sinn3r and Ben Williams exploits CVE-2012-4347
• Titan FTP Administrative Password Disclosure by Spencer McIntyre exploits CVE-2013-1625
• TP-Link Wireless Lite N Access Point Directory Traversal Vulnerability by Michael Messner exploits CVE-2012-5687
• Wordpress Pingback Locator by Brandon McCann "zeknox", Christian Mehlmauer "FireFart", and Thomas McCarthy "smilingraccoon"
• Multiple DVR Manufacturers Configuration Disclosure by juan vazquez and Alejandro Ramos exploits CVE-2013-1391
• Ray Sharp DVR Password Retriever by hdm and someluser
• MYSQL File/Directory Enumerator by Robin Wood
• PostgreSQL Database Name Command Line Flag Injection by hdm exploits CVE-2013-1899
• MS12-020 Microsoft Remote Desktop Checker by Brandon McCann @zeknox and Royce Davis @R3dy_ exploits MS12-020
• SAP ICF /sap/public/info Service Sensitive Information Gathering by Agnivesh Sathasivam, ChrisJohnRiley, and nmonkee
• SAPRouter Admin Request by Chris John Riley, Ian de Villiers, Joris van de Vis, Mariano Nunez, and nomnkee
• ICMP Exfiltration Service by Chris John Riley

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.