UPDATE: The Social-Engineer Toolkit 3.7.1 has been released, which adds the Java zero day natively to the SET Java applet attack. New video released below! This one was a bit funny: we actually coded the applet to pop up so it looks legit. When they hit cancel, it still executes.
TrustedSec is proud to announce the release of The Social-Engineer Toolkit (SET) v3.7, codename “Street Cred”. This version has a number of new features, including the ability to use the SET interactive shell to paste shellcode straight into memory and have it executed on the victim machine (demo video below). In addition, the new Java Applet zero day has now been incorporated into SET under the Metasploit Web Attack Vector. This version also fixes a number of known bugs, including fixes to the Arduino attack vectors. Additionally, the Metasploit Attack Vectors now incorporate dates to let you know which exploits are more recent. A full changelog can be found after the video below.
* added better xp_cmdshell restore options in the MSSQL attack vector for Fast-Track
* minor changes to the java applet around parameter names and signing
* added the ability to do native shellcode injection into the SET interactive shell
* added the ability to do native injection in x86 and x64 now
* reliability update to the shellcode injection attack
* added better handling around corrupt stack injection in the shellcode injection
* added AES256 support for the communication around the SET interactive shell and the new shellcode injection attack
* added the new zero day exploit from the Metasploit Framework – Java 7 Applet Remote Code Execution
* fixed a bug that caused the browser autopwn to not function properly when selected; it would move to the java applet instead
* bug fixes for teensy powershell downloader (thanks John Strand)
* fixed a number of menu system bugs including moving back and forward
* fixed a multiattack issue when using java applet and metasploit client attacks
* added dates to all of the metasploit exploits to show how recent they are
Author: David Kennedy
Security expert, keynote speaker, avid gamer and the go-to for protecting companies from threats.