Over the last couple of weeks, OJ "TheColonial" Reeves has been fleshing out some new documentation on how Meterpreter's multiple-transport system is coming along. You can read up on it all at the GitHub wiki, but here's the tl;dr:
- Meterpreter sessions now have the ability to cycle between several transport protocols. This means that if a session is started on a basic TCP connection, you now have the option to "move" the session over to an HTTPS transport, assuming you have an appropriate listener set up (with, say, the multi/handler module). This is all easily done on the Meterpreter command line.
- If configured with multiple transports, sessions can and will fail over to alternate transports automatically. This is part of the overall goal of session resiliency.
- You needn't name the same endpoint for your transports. This means you can hand over a session that you established on a target to a friend.
Of course, like all software, it's not quite "done," but that's on purpose. Since we believe in incremental, open development, right now, this very Friday afternoon, is a great time for you to jump in with this feature set and give feedback on how it's going. Love something? Say so on the Metasploit Freenode IRC channel or tweet us at @metasploit. Found a bug? File a GitHub issue, or even better, a Pull Request to either the Meterpreter repo or the Framework repo with a fix. It's all very fluid right now, but since working on Meterpreter has gotten to be quite pleasant, there's nothing stopping you from throwing in, too. It's an exciting time to be working on payload and post-exploit enhancements on long-term persistence. Just ask the shadowy puppet-masters behind Duqu 2.0.
As indicated in my tweet last week, you really should check out m-1-k-3 and Ricky "HeadlessZeke" Lawshae's module for SOAP-based command execution on SOHO routers shipping with a vulnerable Realtek chipset. All told, we have eight new modules since the last blog post. For the entire diff on Metasploit Framework, check out the compare, here.
Incidentally, if you haven't heard, msfencode and msfpayload will no longer be shipping with Metasploit. Instead, they've been replaced by msfvenom, which has the same functionality as both, and more. Consider this last call.
- Airties login-cgi Buffer Overflow by Batuhan Burakcin and Michael Messner
- D-Link Devices HNAP SOAP Action-Header Command Execution by Craig Heffner, Michael Messner, and Samuel Huntley
- Realtek SDK Miniigd UPnP SOAP Command Execution by Michael Messner and Ricky "HeadlessZeke" Lawshae exploits ZDI-15-155
- ProFTPD 1.3.5 Mod_Copy Command Execution by Vadim Melihow and xistence exploits CVE-2015-3306
Auxiliary and post modules