Bugs Fixed
- Pro: MS-6045 - We fixed a potential Nexpose credential leak in a local Metasploit Pro log file which could occur under certain workflow conditions.
- Pro: MS-6026 - We fixed an issue where, following a successful Bruteforce login, subsequent "Attempt Login" actions did not run as expected.
- Pro: MS-5969 - We fixed an issue where duplicate host tags could appear in UI list views when multiple hosts were grouped in the same tag.
- PR 13883 - Fixed a syntax error in Hardware Bridge.
- PR 13884 - Removed the unused and dangerous `download_cmd` method from `Msf::Post::Linux::Priv`.
- PR 13886 - Fixed the `post/multi/manage/sudo` module's support for passwords containing shell substitution and metacharacters.
- PR 13898 - Fixed `post/multi/gather/wlan_geolocate` module error handling where the API error message was not parsed correctly when an invalid `API_KEY` was passed to the geolocation API.
- PR 13899 - Updated the `post/multi/manage/sudo` module to automatically remove clear-text sudo passwords from temporary files created in `/tmp/` upon completion.
- PR 13900 - Fixed a bug in the logic responsible for checking for the presence of an HTTP header in a request or response by making the check case insensitive. Case-insensitive matching is consistent with the existing logic for fetching HTTP header values and is specified in both RFC 7230 section 3.2 and RFC 7540 section 8.1.2.
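The failure mode behind PR 13886 and PR 13899 in miniature, as an added example that is not the `post/multi/manage/sudo` module's own code: a credential interpolated into a shell command line unescaped turns `$(...)` and backticks in the password into command substitution on the target, and a password staged in a temp file needs an unconditional cleanup path. The command shapes, the `Shellwords` handling and the sample passwords below are this example's own assumptions, not what the module does.

```ruby
require 'shellwords'
require 'tempfile'

# Constructed sample passwords (not from any real target). The second one
# contains command substitution and control operators and would run `id`
# and `uname` if a shell ever saw it unquoted.
SAFE_PASSWORD = 'hunter2'
HOSTILE_PASSWORD = 'pa$(id > /tmp/pwned)`uname`&&x'

# Pre-fix shape: naive string interpolation into a shell command line.
# The remote shell parses the password, not just the intended command.
def sudo_command_unsafe(password, cmd)
  "echo #{password} | sudo -S #{cmd}"
end

# Fixed shape: Shellwords.escape backslash-quotes every metacharacter so
# the shell hands the password to echo as one literal word.
def sudo_command_safe(password, cmd)
  "echo #{Shellwords.escape(password)} | sudo -S #{Shellwords.escape(cmd)}"
end

# Tokenise the command line the way a POSIX shell would (Shellwords.split
# honours backslashes and quotes) and report whether the password survived
# as the single argument to echo.
def password_intact?(command_line, password)
  Shellwords.split(command_line)[1] == password
end

# True when the line still carries an unescaped `$(` or backtick, i.e. text
# the shell would treat as command substitution.
def unquoted_substitution?(command_line)
  command_line.match?(/(?<!\\)(\$\(|`)/)
end

# PR 13899's concern: if a clear-text password is staged in a file under
# the system temp directory, unlink it in an ensure block so it is removed
# even when the block raises.
def with_password_file(password)
  f = Tempfile.new('sudo_pw')
  f.write(password)
  f.flush
  yield f.path
ensure
  f&.close! # close and unlink the temp file
end

def demo
  unsafe = sudo_command_unsafe(HOSTILE_PASSWORD, 'id')
  safe = sudo_command_safe(HOSTILE_PASSWORD, 'id')
  {
    unsafe_intact: password_intact?(unsafe, HOSTILE_PASSWORD),
    unsafe_substitution: unquoted_substitution?(unsafe),
    safe_intact: password_intact?(safe, HOSTILE_PASSWORD),
    safe_substitution: unquoted_substitution?(safe),
  }
end
```

Escaping at the point of interpolation is the part that matters; stripping "bad" characters from the password instead would silently break authentication for users whose real password contains them.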
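The header-presence bug fixed in PR 13900, as an added example that is not Metasploit's own HTTP code: RFC 7230 section 3.2 makes header field names case-insensitive, so a presence check that compares the stored name exactly reports `Content-Type` missing when the server sent `content-type`. The `HeaderTable` class, its method names and the sample response headers below are this example's assumptions.

```ruby
# Minimal header table: keeps names as parsed, answers lookups case-insensitively.
class HeaderTable
  def initialize
    @headers = {} # original field name => field value
  end

  # Parse CRLF-separated "Name: value" lines.
  def self.parse(raw)
    table = new
    raw.split(/\r?\n/).each do |line|
      next if line.strip.empty?
      name, value = line.split(':', 2)
      next if name.nil? || value.nil?
      table.add(name.strip, value.strip)
    end
    table
  end

  def add(name, value)
    @headers[name] = value
  end

  # Pre-fix behaviour: exact match on the stored name, so the result depends
  # on how the peer happened to capitalise the header.
  def has_header_case_sensitive?(name)
    @headers.key?(name)
  end

  # Fixed behaviour: compare with case folding (String#casecmp?).
  def has_header?(name)
    @headers.keys.any? { |k| k.casecmp?(name) }
  end

  # Value lookup, already case-insensitive (the behaviour the fix aligns with).
  def get_header(name)
    pair = @headers.find { |k, _| k.casecmp?(name) }
    pair && pair[1]
  end
end

# Constructed sample: a server that emits lower-case field names.
SAMPLE_RESPONSE_HEADERS = "content-type: text/html\r\n" \
                          "x-powered-by: PHP/7.4\r\n" \
                          "Set-Cookie: sid=abc\r\n"

def demo_headers
  t = HeaderTable.parse(SAMPLE_RESPONSE_HEADERS)
  {
    sensitive: t.has_header_case_sensitive?('Content-Type'),
    insensitive: t.has_header?('Content-Type'),
    value: t.get_header('CONTENT-TYPE'),
  }
end
```

A check module keyed on the presence of a fingerprinting header would miss the target with the exact-match version; the value lookup already tolerated case, which is why the two code paths had to agree.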
Enhancements and Features
- PR 13830 - Added a new target setting for the CVE-2019-0708 (BlueKeep) exploit for vulnerable Windows 7 SP1 / Server 2008 systems that are virtualized within a QEMU environment.
- PR 13853 - Improved the `bpf_sign_extension_priv_esc` exploit module with updated code style, giving the option to compile the exploit on the target, leveraging the `AutoCheck` mixin, and making the module information more descriptive.
- PR 13854 - Improved the robustness of the `exploit/linux/http/f5_bigip_tmui_rce` module (CVE-2020-5902) and set Meterpreter as the default payload type.
- PR 13859 - Removed the `fail_with()` call from the check method in the `exim4_deliver_message_priv_esc` module, as it was crashing the local exploit suggester module.
- PR 13861 - Improved the `exploit/freebsd/local/intel_sysret_priv_esc` module with code cleanup, adding the `Msf::Exploit::Remote::AutoCheck` mixin, preferring `cc` over `gcc`, and background payload execution.
- PR 13868 - Added hash dumping to the `auxiliary/gather/vmware_vcenter_vmdir_ldap` module (CVE-2020-3952).
- PR 13873 - Enhanced module `check()` behavior by warning about a missing `check()` method before options are validated, such as when verifying that required options are set.
- PR 13885 - Added LDAPS (SSL/TLS) support to the LDAP mixin and updated the VMware vCenter Server vmdir (CVE-2020-3952) modules to use it.
- PR 13895 - Added a `check()` method and a `REMOVE` user action to the `auxiliary/admin/sap/cve_2020_6287` SAP "RECON" module (CVE-2020-6287).
New Modules
- PR 13828 - New exploit module `exploits/windows/http/zentao_pro_rce` targets Zentao Pro versions 8.8.2 and below, achieving SYSTEM privileges by exploiting an authenticated command injection vulnerability (CVE-2020-7361).
- PR 13837 - New module `exploits/freebsd/local/ip6_setpktopt_uaf_priv_esc` facilitates local privilege escalation via a use-after-free vulnerability in the network stack of FreeBSD kernel versions 9.0 - 12.1 (CVE-2020-7457).
- PR 13852 - New module `auxiliary/admin/sap/cve_2020_6287_ws_add_user` creates an admin user in SAP by exploiting the "RECON" vulnerability (CVE-2020-6287).
- PR 13878 - New auxiliary module `auxiliary/client/telegram/send_message` lets users receive a Telegram notification automatically when their exploit spawns a new session. To run this module, users must first register a Telegram bot free of charge via Telegram's BotFather bot, then open a new chat session with the registered bot and provide the bot's API key and the chat ID to the module.
- PR 13891 - New module `exploits/multi/http/baldr_upload_exec` exploits a file upload vulnerability in the Baldr Botnet control panel, achieving RCE.
- PR 13920 - New module `exploits/windows/http/sharepoint_data_deserialization` achieves RCE on versions of SharePoint containing an XML deserialization vulnerability (CVE-2020-1147).