Evasion Modules in MSF5
On Tuesday, we released a new module type in the development branch of Metasploit Framework (MSF5) based on long-term research from Wei Chen on techniques to evade common antivirus software. This new evasion module type allows users to generate evasive payloads and provides a framework for pen testers, red teamers, and developers to write their own evasion modules for all their stealth needs. Read the full paper here.
Metasploit Town Hall 0x4 at DerbyCon
DerbyCon attendees got a preview of one of the first evasion modules to drop in Framework last weekend at Metasploit's fourth annual town hall in Louisville. It's easy for us to forget sometimes that not everyone keeps up-to-date on the latest and greatest additions to MSF, particularly in the 5.x development branch where a lot of the exciting WIP is happening. A few highlights:
- Sweet sweet content: In the year since our last town hall, we've added more than 230 new modules, including exploits for ALPC, Drupalgeddon 2, Struts 2, and more. Thanks to our contributor community, we've also incorporated Metasploit's first Impacket modules and landed a functional iOS Meterpreter.
- Beyond Ruby: We've added support for Python modules, and busterb and team have an open PR that adds initial support for Golang, much to the delight of our Komand fam. There's documentation on writing Python modules for Metasploit here.
- By popular request: SOCKS5 proxy, SMBv2 support, and auto-building Metasploitable3 top the list of recent stuff the Metasploit engineering team has implemented in part because of smart, engaging community feedback. Don't see something you really want in Framework? Join our community on Slack and ask. Better yet, get your hands dirty and start contributing.
You can watch DerbyCon VIII's full Metasploit Town Hall here.
Exploit modules (4 new)
- ifwatchd Privilege Escalation by Brendan Coles, Tim Brown, and cenobyte, which exploits CVE-2014-2533
- VLC Media Player MKV Use After Free by Eugene Ng - GovTech and Winston Ho - GovTech, which exploits CVE-2018-11529
- Windows Net-NTLMv2 Reflection DCOM/RPC by FoxGloveSec, Mumbai, and breenmachine, which exploits CVE-2016-3225
- Delta Electronics Delta Industrial Automation COMMGR 1.08 Stack Buffer Overflow by ZDI, hubertwslin, and t4rkd3vilz, which exploits ZDI-18-588
- The official Metasploit Docker image is now 150MB smaller than before courtesy of Christian Mehlmauer. To learn more, see the documentation here.
- @bcoles expanded the number of verified vulnerable versions of the lastore-daemon service, which allows arbitrary package installation without authentication on Deepin Linux.
- @wvu-r7 ensured Metasploit now stores references to modules using human-readable names internally, instead of hex-encoded strings. This facilitates module debugging, since it is now possible to easily read which module is affected when there is a backtrace in the logs or
- @h00die updated the Unitrends Universal Enterprise Backup (UEB) exploit module to support both versions 9 and 10, the target being selectable in the module configuration. The module has been renamed ueb_api_rce (it was previously ueb9_api_storage).
- @sinn3r added a new
evasionmodule type to the 5.x branch of Metasploit Framework. These new modules allow developers to build executables specifically to evade antivirus.
- Ever the overachiever, @sinn3r also implemented support for module writers to add to the notes field. This allows developers to keep track of interesting traits about reliability, side effects, and stability, so that in the future these can be searched for and identified programmatically. Currently, module traits are reported in the
info -dMarkdown documentation, and module cache.
As always, you can update to the latest Metasploit Framework with
msfupdate, and you can get more details on the changes since the last blog post from GitHub:
To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based off the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.