Metasploit 6 is in progress!!!
It's here (at least in baby form)! Yesterday we announced that Metasploit Framework 6.0 is under active development and is available now for testing. Initial features include end-to-end encryption of Meterpreter communications, SMBv3 client support, and a new polymorphic payload generation routine for Windows shellcode.
This isn’t a stable major release yet, so users should expect breaking changes and more features in the coming months. Of note: Metasploit 6 includes backwards-incompatible changes for payload communication, so users should not update to Metasploit 6 during active operations unless they are prepared to lose their sessions. We’ve asked Kali and other distros to keep shipping Metasploit 5 until 6 is ready for primetime release.
Everything is OSSM
We held our annual open-source security meetup virtually last night in lieu of an in-person gathering in Vegas. While we hope to meet folks IRL at hacker summer camp next year, we were lucky to host a great group on YouTube this time around. The full recording is here and features:
- A look at new Metasploit 6 features with OJ Reeves and Spencer McIntyre
- A primer on how to get started as a Metasploit contributor with longtime Meta-friend h00die
- An overview of Recog (“one of the most underrated open source security projects of all time”) and Rumble Network Discovery’s additions to the project, courtesy of HD Moore
- A summary of LibreSSL, six years later (!) from Brent Cook
- A guided demonstration on writing a login scanner for Metasploit with Spencer McIntyre
- An update on new AttackerKB features and futures with James Barnett
You can't contain me!
We have a brand new privileged Docker container escape from stealthcopter. This escape works by abusing the "notification on release" feature found in Linux cgroup. The exploit should work against any container started with the following flags:
Documalis JPEG buffer overflow
Documalis Free PDF Editor version 184.108.40.206 and Documalis Free PDF Scanner version 220.127.116.11 do not appropriately validate the contents of JPEG images contained within a PDF and now thanks to metacom27 you can now exploit this vulnerability to trigger a buffer overflow on the stack and gain remote code execution as the user running the Documalis Free PDF Editor or Documalis Free PDF Scanner software.
New modules (4)
- Docker Privileged Container Escape by stealthcopter
- Documalis Free PDF Editor and Scanner JPEG Stack Buffer Overflow by metacom and metacom27
- CA Unified Infrastructure Management Nimsoft 7.80 - Remote Buffer Overflow by wetw0rk, which exploits CVE-2020-8012
- Linux Container Enumeration by stealthcopter
Enhancements and features
PR #13832 from zeroSteiner adds the necessary infrastructure to load and process polymorphic assembly stubs from external data files and uses it to dynamically reorder the instructions for the Block API stub that powers all of the x86 and x64 native Windows payloads.
PR #13764 from zeroSteiner updates the SMB version scanning module that, in addition to host OS information, now reports information such as supported SMB versions, preferred dialect of SMB, SMB 3.1.1 encryption and compression capabilities, server's GUID value and how long the server has been online. This also deprecates the smb1 and smb2 modules.
PR #13529 from OJ removes the Mimikatz Meterpreter extension in favor of the newer Kiwi extension. The Mimikatz extension name is currently an alias for Kiwi that will print a warning message for a period of time to allow users to smoothly transition to the new workflow. The
post/windows/gather/credentials/ssomodule was also updated to use Kiwi instead of Mimikatz.
PR #13476 from OJ changes the reflective DLL injection capabilities used by Metasploit for payloads and exploits to resolve functions by either ordinal or name. This allows the Framework to take advantage of recent payload updates that remove string names and instead resolve the necessary values by ordinal. The Framework changes are backwards compatible with Reflective DLLs that use the standard ReflectiveLoader name.
PR #13417 cdelafuente-r7 adds SMBv3 support for client operations. Modules that already used the new SMB client will now be capable of connecting to servers with all 3 SMB v3 dialects (3.0, 3.0.2, 3.1.1). In cases where an SMB 3.x dialect is negotiated, the default behavior will be to encrypt the communications to the server. Users can disable this by setting SMB::AlwaysEncrypt to false.
PR #13400 from OJ changes the RSA key that is used to negotiate TLV encryption for Meterpreter to being transmitted in the binary DER format instead of the text-based PEM format. This makes the key smaller, easier to process and removes the static "BEGIN PUBLIC KEY" string.
- Updates to sharphound v3
- Adds the ability to write the exe to disk and run it, this was favored over ps1 due to permissions and policies.
- Adds the option to EncryptZip, set to true by default. This adds some protection to the file, and the output is stored as a note
- Adds NoSaveCache option to avoid writing a file to disk and leaving it there
- Avoids using parameters if they are the default, which makes the command to run (and command passed on the wire) significantly shorter.
PR #13191 by h00die makes changes to tools/dev/check_external_scripts.rb to include additional JohnTheRipper and sqlmap related files. This allows tools/dev/check_external_scripts.rb, to provide additional assurance that all JohnTheRipper and sqlmap related libraries and configuration files are kept up to date.
PR #13939 by our own gwillcox-r7 fixes an extreme edge case bug where it is possible but unlikely a race condition occurs during a socket read, and the data sent to the postgres parser is of nil value. This verifies the data is not nil before attempting to parse the data.
PR #13783 from zeroSteiner fixes a bug that came in with updates to recent cryptography changes; previously, we assumed all Java releases would be able to support 256-bit encryption, but some older environments cannot support that. Here, we add AES-128-CBC as an additional option for TLV encryption as a fallback if the remote Java version cannot negotiate 256-bit.
As always, you can update to the latest Metasploit Framework with
msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a
git user, you can clone the Metasploit Framework repo (master branch) for the latest.To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).