Bugs Fixed
- PR 13035 - The PHP web_delivery command now ignores invalid SSL certificates, which is required on the latest OSX (tested on Mojave 10.14.2).
- PR 13036 - Updates the JSON RPC results tracking functionality to evict old results to keep memory usage from growing out of control.
- PR 13054 - This fixes an undefined method crash in the `post/windows/manage/migrate` module.
- PR 13059 - This fix limits the size of string options when appropriate to ensure they will fit in defined buffers.
- PR 13063 - This fixes an issue where persistence was not well-supported by the PowerShell amsi bypass option.
- PR 13064 - Fixes an issue where an argument was missing when creating the channel class in the Meterpreter `shell` command.
- PR 13069 - Updates the Meterpreter powershell_shell command to fix a bug where an argument was missing when creating the channel class.
- PR 13070 - This fix updates the regular expression used in the Cisco DCNM Upload exploit module so that it matches directory names containing spaces.
- PR 13079 - This fixes a bug in the tool workflow which generates the data files for YSoSerial Java payloads.
- PR 13118 - This fixes a typo in the Linux privesc example module so it acts like a local exploit instead of a remote one.
- PR 13130 - This fix addresses issues in OSX where the reverse_tcp handler doesn't distinguish between stager and Meterpreter connections, as well as issues with pivoting SOCKS5 traffic over reverse_http(s) connections.
- PR 13143 - This fixes a bug with the `check` command when using the `exploit/linux/redis/redis_unauth_exec` module. Previously the console reported this module as not supporting the check command, but now it successfully executes the check method as expected.
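As an added illustration of the eviction behaviour described for PR 13036 above, the following Ruby sketch shows one way a JSON-RPC result store can bound its memory by dropping entries once they exceed an age limit or a hard cap on count. This is example code written for this page, not Metasploit's implementation; the class name, its parameters and the count/TTL policy are assumptions, and the clock is injectable only so the behaviour can be exercised deterministically.

```ruby
# Hypothetical bounded store for asynchronous JSON-RPC results (example code,
# not the framework's own). Each result is kept under a caller-supplied token.
# Entries are evicted when they are older than `ttl` seconds or when the store
# holds more than `max_entries` results, oldest first.
class BoundedResultStore
  def initialize(max_entries: 1000, ttl: 600,
                 clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    @max_entries = max_entries
    @ttl = ttl
    @clock = clock          # injectable for tests; defaults to a monotonic clock
    @lock = Mutex.new
    @results = {}           # token => { data:, stored_at: }; Hash keeps insertion order
  end

  # Record a result. Re-storing a token moves it to the newest position.
  def store(token, result)
    @lock.synchronize do
      @results.delete(token)
      @results[token] = { data: result, stored_at: @clock.call }
      evict_locked
    end
    token
  end

  # Return the stored result, or nil if it was never stored or has been evicted.
  def fetch(token)
    @lock.synchronize do
      evict_locked
      entry = @results[token]
      entry && entry[:data]
    end
  end

  def size
    @lock.synchronize { @results.size }
  end

  private

  # Must be called with @lock held.
  def evict_locked
    now = @clock.call
    # First drop anything past its TTL, regardless of position.
    @results.delete_if { |_token, entry| now - entry[:stored_at] > @ttl }
    # Then enforce the hard cap; Hash#shift removes the oldest insertion.
    @results.shift while @results.size > @max_entries
  end
end

if __FILE__ == $0
  store = BoundedResultStore.new(max_entries: 2, ttl: 5)
  store.store('job-1', { 'status' => 'done' })
  store.store('job-2', { 'status' => 'done' })
  store.store('job-3', { 'status' => 'running' })
  puts store.fetch('job-1').inspect   # oldest entry was evicted by the cap
  puts store.size
end
```

Eviction runs on every store and fetch rather than on a background thread, so the bound holds even when the server is idle between requests; the trade-off is a full scan of the hash per call, which is acceptable for a result table of a few thousand entries but would want an ordered index if the store grew much larger.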
Enhancements and Features
- Pro: MS-5240 - A login notification to highlight the open customer survey.
- PR 12988 - Windows APIs can be leveraged for managing local and domain users and groups over Meterpreter. Additionally a handful of modules are updated to utilize this functionality rather than relying on OS command execution.
- PR 13057 - Profiling tools for looking at memory and CPU utilization have been added.
- PR 13124 - Updates the tip for `info -d` to note that it includes additional information and is thus the "enhanced" version of the module info.
- PR 13146 - Octokit was updated to the latest rubygem release.
New Modules
- PR 12851 - The Tautulli Shutdown exploit has been added to the framework. It targets versions 2.1.9 and earlier, which are vulnerable to denial of service via the /shutdown URL.
- PR 12901 - This adds an exploit module for Centreon `v19.10.5`. Authenticated remote code execution can be achieved via a `Poller` configuration.
- PR 13030 - The Install Python module automates the installation of an embedded Python version of the user's choice on a target.
- PR 13040 - The SQL Server Reporting Services ViewState module allows you to exploit a .NET serialization vulnerability in the SSRS serialized data submitted in a POST request. An account with at least the _Browser_ role on the site is necessary in order to leverage this vulnerability.
- PR 13066 - The Rconfig 3.x Chained RCE module exploits multiple vulnerabilities in rConfig version 3.9 and prior in order to execute arbitrary commands. The module first adds a temporary admin user to the application by exploiting a SQL injection (CVE-2020-10220). Next, the module authenticates as the newly created user in order to abuse a command injection vulnerability in the `path` parameter of the ajaxArchiveFiles functionality within the rConfig web interface (CVE-2019-19509) to trigger RCE.
- PR 13071 - This adds an RCE module for the ManageEngine Desktop Central Java Deserialization vulnerability identified as CVE-2020-10189.
- PR 13082 - An exploit module is available for the Horde Data API that gets bundled with software such as Horde Groupware Webmail Edition Suite. The Horde Data API before and including `v2.1.4` has functionality to handle importing/exporting data such as from CSV files, but fails to properly escape strings while parsing the data. An authenticated user can gain code execution by uploading a CSV file and submitting the payload in the `quote` parameter of a POST request to `mnemo/data.php`.
- PR 13122 - An exploit for CVE-2020-0646 targeting a vulnerability in Microsoft SharePoint has been added to the framework. It can be leveraged remotely to execute C# code by escaping a value from XOML data.