Metasploit Framework 4.2.0

“The Metasploit Framework is a penetration testing toolkit, exploit development platform, and research tool. The framework includes hundreds of working remote exploits for a variety of platforms. Payloads, encoders, and nop slide generators can be mixed and matched with exploit modules to solve almost any exploit-related task.“

Official change log for Metasploit Framework 4.2.0:

• IPv6 Coverage:
  Metasploit 4.2 now ships with thirteen brand new payloads, all added to support opening command sessions and shells on IPv6 networks. In addition, Metasploit’s existing arsenal of payloads has been updated to support IPv6 as well. The database back end now fully supports IPv6 addressing for discovered and compromised hosts. Rex, Metasploit’s general purpose socket and protocol library, is now compatible with IPv6 networks. The ability to launch attacks over IPv6, even in otherwise IPv4 networks, is crucial in the modern penetration testing environment, so if you’re not yet up to speed on auditing a client network’s IPv6 exposure, be sure to catch HD Moore’s free IPv6 security online training on March 28.
• Virtualization as an Attack Vector
  With this release comes a pile of new modules targeting VMware vSphere/ESX SOAP interface, as well as a pair of new brute force modules to audit password strength for both vmauthd and Virtual Web Services. Here’s the quick list of the new virtual target hotness:

• vmauthd_version : Discovers the version details for a vmauthd service
• esx_fingerprint : Fingerprints (down to the build number) of a stand-alone ESX server
• vmware_http_login : Attempts to brute force local VMware credentials via the Web Services interface
• vmauthd_login : Attempts to brute force local VMware credentials via the vmauthd service
• vmware_enum_users : Enumerates both local and domain VMware user accounts
• vmware_enum_permissions : Enumerates locally-defined user and group permissions on aVMware instance
• vmware_enum_sessions : Enumerates active VMware login sessions
• vmware_enum_vms : Enumerates all local virtual machines on the local VMware instance
• vmware_host_details : Discovers host hardware and software details of the VMware host machine
• poweroff_vm : Powers off a virtual machine via the VMware Web Services interface
• poweron_vm : Powers on a virtual machine via the VMware Web Services interface
• tag_vm : Writes a user-defined “tag” to the VMware logs as proof of compromise
• vmware_screenshot_stealer : Grabs screenshots of VMware guest operating systems as proof of compromise
• terminate_esx_sessions : Disconnects a user from the ESX server

Virtual machine targets in a network often offer unique avenues of attack for penetration testers, and are sometimes overlooked by IT departments and security infrastructure groups alike. Rapid7′s David Maloney, aka, TheLightCosine, wrote most of these modules. For a deep-dive into virtualization security, please join his webcast on March 21.

New Resource Scripts
Metasploit 4.2 now ships with fourteen new resource scripts, nearly all of which were provided byopen source community contributors. These scripts demonstrate the power of Metasploit’s extensible architecture, allowing programmatic Metasploit module usage through the powerful Ruby scripting language. By automating away penetration testing tasks common to most engagements, Metasploit expert users can free up valuable time for more interesting avenues of research and exploitation. Note that while these scripts are useful on their own, they’re also great examples of using this entry point and really getting your hands dirty with Metasploit internals. Finally, most of these scripts were submitted by open source contributor m-1-k-3, while the Oracle-centric scripts come from nebulous.

Module Changes

• Novell eDirectory eMBox Unauthenticated File Access
• JBoss Seam 2 Remote Command Execution
• NAT-PMP Port Mapper
• TFTP File Transfer Utility
• VMWare Power Off Virtual Machine
• VMWare Power On Virtual Machine
• VMWare Tag Virtual Machine
• VMWare Terminate ESX Login Sessions
• John the Ripper AIX Password Cracker
• 7-Technologies IGSS 9 IGSSdataServer.exe DoS
• Microsoft IIS FTP Server <= 7.0 LIST Stack Exhaustion
• DNS and DNSSEC fuzzer
• CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure
• CorpWatch Company ID Information Search
• CorpWatch Company Name Information Search
• General Electric D20 Password Recovery
• NAT-PMP External Address Scanner
• Shodan Search
• H.323 Version Scanner
• Drupal Views Module Users Enumeration
• Ektron CMS400.NET Default Password Scanner
• Generic HTTP Directory Traversal Utility
• Microsoft IIS HTTP Internal IP Disclosure
• Outlook Web App (OWA) Brute Force Utility
• Squiz Matrix User Enumeration Scanner
• Sybase Easerver 6.3 Directory Traversal
• Yaws Web Server Directory Traversal
• OKI Printer Default Login Credential Scanner
• MSSQL Schema Dump
• MYSQL Schema Dump
• NAT-PMP External Port Scanner
• pcAnywhere TCP Service Discovery
• pcAnywhere UDP Service Discovery
• Postgres Schema Dump
• SSH Public Key Acceptance Scanner
• Telnet Service Encyption Key ID Overflow Detection
• IpSwitch WhatsUp Gold TFTP Directory Traversal
• VMWare ESX/ESXi Fingerprint Scanner
• VMWare Authentication Daemon Login Scanner
• VMWare Authentication Daemon Version Scanner
• VMWare Enumerate Permissions
• VMWare Enumerate Active Sessions
• VMWare Enumerate User Accounts
• VMWare Enumerate Virtual Machines
• VMWare Enumerate Host Details
• VMWare Web Login Scanner
• VMWare Screenshot Stealer
• Capture: HTTP JavaScript Keylogger
• Oracle DB SQL Injection via SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION
• Asterisk Manager Login Utility
• FreeBSD Telnet Service Encryption Key ID Buffer Overflow
• Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow
• Java Applet Rhino Script Engine Remote Code Execution
• Family Connections less.php Remote Command Execution
• Gitorious Arbitrary Command Execution
• Horde 3.3.12 Backdoor Arbitrary PHP Code Execution
• OP5 license.php Remote Command Execution
• OP5 welcome Remote Command Execution
• Plone and Zope XMLTools Remote Command Execution
• PmWiki <= 2.2.34 pagelist.php Remote PHP Code Injection Exploit
• Support Incident Tracker <= 3.65 Remote Command Execution
• Splunk Search Remote Code Execution
• Traq admincp/common.php Remote Code Execution
• vBSEO <= 3.6.0 proc_deutf() Remote PHP Code Injection
• Mozilla Firefox 3.6.16 mChannel Use-After-Free
• CTEK SkyRouter 4200 and 4300 Command Execution
• Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow
• Icona SpA C6 Messenger DownloaderActiveX Control Arbitrary File Download and Execute
• HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution
• Viscom Image Viewer CP Pro 8.0/Gold 6.0 ActiveX Control
• Java MixerSequencer Object GM_Song Structure Handling Vulnerability
• MS05-054 Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution
• MS12-004 midiOutPlayNextPolyEvent Heap Overflow
• Viscom Software Movie Player Pro SDK ActiveX 6.8
• Adobe Reader U3D Memory Corruption Vulnerability
• Aviosoft Digital TV Player Professional 1.0 Stack Buffer Overflow
• BS.Player 2.57 Buffer Overflow
• CCMPlayer 1.5 m3u Playlist Stack Based Buffer Overflow
• Free MP3 CD Ripper 1.1 WAV File Stack Buffer Overflow
• McAfee SaaS MyCioScan ShowReport Remote Command Execution
• Mini-Stream RM-MP3 Converter v3.1.2.1 PLS File Stack Buffer Overflow
• MS11-038 Microsoft Office Excel Malformed OBJ Record Handling Overflow
• Ability Server 2.34 STOR Command Stack Buffer Overflow
• AbsoluteFTP 1.9.6 – 2.2.10 LIST Command Remote Buffer Overflow
• Serv-U FTP Server < 4.2 Buffer Overflow
• HP OpenView Network Node Manager ov.dll _OVBuildPath Buffer Overflow
• XAMPP WebDAV PHP Upload
• Avid Media Composer 5.5 – Avid Phonetic Indexer Buffer Overflow
• Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0×40020000 Buffer Overflow
• HP Diagnostics Server magentservice.exe Overflow
• StreamDown 6.8.0 Buffer Overflow
• Wireshark console.lua Pre-Loading Script Execution
• Oracle Job Scheduler Named Pipe Command Execution
• SCADA 3S CoDeSys CmpWebServer <= v3.4 SP4 Patch 2 Stack Buffer Overflow
• Sunway Forcecontrol SNMP NetDBServer.exe Opcode 0×57
• OpenTFTP SP 1.4 Error Packet Overflow
• AIX Gather Dump Password Hashes
• Linux Gather Saved mount.cifs/mount.smbfs Credentials
• Multi Gather VirtualBox VM Enumeration
• UNIX Gather .fetchmailrc Credentials
• Multi Gather VMWare VM Identification
• UNIX Gather .netrc Credentials
• Multi Gather Mozilla Thunderbird Signon Credential Collection
• Multiple Linux / Unix Post Sudo Upgrade Shell
• Windows Escalate SMB Icon LNK dropper
• Windows Escalate Get System via Administrator
• Windows Gather RazorSQL Credentials
• Windows Gather File and Registry Artifacts Enumeration
• Windows Gather Enumerate Computers
• Post Windows Gather Forensics Duqu Registry Check
• Windows Gather Privileges Enumeration
• Windows Manage Download and/or Execute
• Windows Manage Create Shadow Copy
• Windows Manage List Shadow Copies
• Windows Manage Mount Shadow Copy
• Windows Manage Set Shadow Copy Storage Space
• Windows Manage Get Shadow Copy Storage Info
• Windows Recon Computer Browser Discovery
• Windows Recon Resolve Hostname
• Windows Gather Wireless BSS Info
• Windows Gather Wireless Current Connection Info
• Windows Disconnect Wireless Connection
• Windows Gather Wireless Profile