Well after a long wait, Metasploit 3.2 has been released with more evil deeds. The evil deeds integrated into the new framework can be briefed as below:

Version 3.2 includes exploit modules for recent Microsoft flaws, such as MS08-041, MS08-053, MS08-059, MS08-067, MS08-068, and many more.

The module format has been changed in version 3.2. The new format removes the previous naming and location restrictions and paved the way to an improved module loading and caching backend. For users, this means being able to copy a module into nearly any subdirectory and be able to immediately use it without edits.

The Byakugan WinDBG extension developed by Pusscat has been integrated with this release, enabling exploit developers to quickly exploit new vulnerabilities using the best Win32 debugger available today.

The Context-Map payload encoding system development by I)ruid is now enabled in this release, allowing for any chunk of known process memory to be used as an encoding key for Windows payloads.

The Incognito token manipulation toolkit, written by Luke Jennings, has been integrated as a Meterpreter module. This allows an attacker to gain new privleges through token hopping. The most common use is to hijack domain admin credentials once remote system access is obtained.

The PcapRub, Scruby, and Packetfu libraries have all been linked into the Metasploit source tree, allowing easy packet injection and capture.

The METASM pure-Ruby assembler, written by Yoann Guillot and Julien Tinnes, has gone through a series of updates. The latest version has been integrated with Metasploit and now supports MIPS assembly and the ability to compile C code.

The Windows payload stagers have been updated to support targets with NX CPU support. These stagers now allocate a read/write/exec segment of memory for all payload downloads and execution.

Executables which have been generated by msfpayload or msfencode now support NX CPUs. The generated executable is now smaller and more reliable, opening the door to a wider range of uses. The psexec and
smb_relay modules now use an executable template thats acts like a real Windows service, improving the reliability and cleanup requirements of these modules.

The Reflective DLL Injection technique pioneered by Stephen Fewer of Harmony Security has been integrated into the framework. The new payloads use the “reflectivedllinjection” stager prefix and share the same binaries as the older DLL injection method.

Client-side browser exploits now benefit from a set of new javascript obfuscation techniques developed by Egypt. This improvement leads to a greater degree of anti-virus bypass for client-side exploits.

Metasploit contains dozens of exploit modules for web browsers and third-party plugins. The new browser_autopwn module ties many of these together with advanced fingerprinting techniques to deliver more shells than most pen-testers know what to do with.

This release includes a set of man-in-the-middle, authentication relay, and authentication capture modules. These modules can be integrated with a fake proxy (WPAD), a malicious access point (Karmetasploit), or basic network traffic interception to gain access to client machines. These
modules tie together browser_autopwn, SMB relaying, and HTTP credential and form capturing to pillage data from client systems.

Nearly all Metasploit modules now support IPv6 transports. IPv6 stagers exist for the Windows and Linux platforms, opening the door for penetration testing of pure IPv6 networks. The VNCInject and Meterpreter payloads have been extensively tested over IPv6 sockets.

Efrain Torres’s WMAP project has been merged into Metasploit. WMAP is general purpose web application scanning framework that can be automated through integration with an attack proxy (ratproxy) or be accessed as individual auxiliary modules.

Egypt’s new PHP payloads provide complete bind, reverse, and findsock support for PHP web application exploits. If you are sick of C99 and R57 and looking to gain a “real” shell from one of the hundreds of RFI flaws listed on milw0rm, the new PHP payloads work great against multiple operating systems.

The db_autopwn command has been revamped to support port-based limits, regex-based module matching, and limits on the number of spawned jobs. The end result is a way to quickly launch specific modules against a specific set of target machines. These changes were suggested and implemented by
Marcell ‘SkyOut’ Dietl (Helith).

The latest version of the Metasploit Framework, as well as screen shots, video demonstrations, documentation and installation instructions for many platforms, can be found online at http://metasploit.com/framework/

Similar Posts you might be interested in:

• Metasploit 3.2 Offers More ‘Evil Deeds’
• Microsoft released IE out-of-band patch
• Adding exploit to Metasploit 3.1