Metasploit Weekly Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2022/04/15/metasploit-wrap-up-152/

Meterpreter Debugging

A consistent message Metasploit hears from users is that debugging and general logging support could be improved. The gaps in functionality make it difficult for users to understand what happens when things go wrong and for new and existing developers to fix bugs and add new features. The Metasploit team has been trying to improve this in various parts of the framework, the most recent being Meterpreter. Meterpreter payloads now have additional debugging options that can be used to inspect the internal workings of the payload as it is running. These options include MeterpreterDebugLogging, which can be used to select where the log file is placed on the remote machine, and MeterpreterDebugBuild, which controls whether or not the deployed Meterpreter supports debugging. For many Meterpreter builds, the additional debugging information would include large, easily signature-able strings that should not be present for typical operations. For this reason, users on active engagements that do not require additional logging should leave this setting off.

This functionality pairs nicely with the recently added SessionTlvLogging option, which can display the C2 traffic used by Meterpreter. With these options, both the internal state and the individual requests and responses can be inspected to understand what is happening. This should hopefully contribute to making Meterpreter a little less enigmatic.

WordPress Library Improvement

Metasploit contains quite a few modules targeting various WordPress vulnerabilities, many of which are in plugins. Almost all of these modules utilize the common WordPress library that Metasploit provides. This week that library was improved to properly handle target WordPress configurations that do not place the REST API under the standard /index.php/ path. This should improve the reliability of these modules by properly accounting for the target’s configuration.

Enhancements and features (5)

  • #16377 from sjanusz-r7 – The Python Meterpreter payload now supports creation of a debug build with the MeterpreterDebugBuild datastore option. By default logging will be output to the console that the payload was run in. A new MeterpreterDebugLogging datastore option allows writing these log files on the host that ran the payload.
  • #16396 from sjanusz-r7 – The PHP Meterpreter payload now supports creation of a debug build with the MeterpreterDebugBuild datastore option. By default logging will be output to the console the payload was run in. A new MeterpreterDebugLogging datastore option allows for writing these log files on the host that ran the payload.
  • #16411 from jmartin-r7 – Improves the RPC analyze host functionality to return additional module suggestion metadata such as invalid options or missing module requirements.
  • #16418 from adfoster-r7 – This adds the boilerplate for publishing the "Debugging Meterpreter Sessions" wiki page on the docs site.
  • #16451 from dwelch-r7 – This ensures that when MeterpreterDebugBuild is enabled, the debug versions of the extensions are also used. Extensions can now also output debug messages visible via tools such as dbgview, which can be helpful when debugging payloads or Meterpreter extensions.

Bugs fixed (2)

  • #16221 from gwillcox-r7 – This fixes WordPress support to work with sites where the REST API is not under /index.php/.
  • #16455 from adfoster-r7 – This removes the requirement for railgun support in modules that use the Post::File mixin, enabling better identification of modules usable against an existing session.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).