4.17.1 (Aug 03, 2020)

Bugs Fixed

  • Pro: MS-6045 - We fixed a potential Nexpose credential leak in a local Metasploit Pro log file which could occur under certain workflow conditions.
  • Pro: MS-6026 - After a successful Bruteforce login, subsequent "Attempt Login" actions now run as expected.
  • Pro: MS-5969 - We fixed an issue where duplicate host tags could appear in UI list views when multiple hosts were grouped in the same tag.
  • PR 13883 - Fixed a syntax error in Hardware Bridge.
  • PR 13884 - Removed the unused and dangerous download_cmd method from Msf::Post::Linux::Priv.
  • PR 13886 - Fixed the post/multi/manage/sudo module support for passwords containing shell substitution and meta characters.
  • PR 13898 - Fixed module post/multi/gather/wlan_geolocate error handling where the API error message was not parsed correctly when an invalid API_KEY was passed to the geolocation API.
  • PR 13899 - Updated the post/multi/manage/sudo module to automatically remove clear text sudo passwords from temporary files created in /tmp/ upon completion.
  • PR 13900 - Fixed a bug in the logic responsible for checking for the presence of an HTTP header in a request or response by making the field-name comparison case insensitive. This is consistent with the existing logic for fetching HTTP header values and with RFC 7230 section 3.2 and RFC 7540 section 8.1.2, both of which specify that header field names are case insensitive.
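
The following is an added illustration of the header-presence bug described above, not code from Metasploit itself: a case-sensitive presence check beside a case-insensitive one, run over a constructed HTTP response with mixed-case field names. The function names and the sample response are assumptions made for the example.

```ruby
# Added example (not Metasploit code): HTTP header lookup that treats field
# names as case-insensitive, per RFC 7230 section 3.2. Names are illustrative.

# Constructed sample: a raw HTTP/1.1 response with unusually cased header names.
SAMPLE_RESPONSE = <<~RAW
  HTTP/1.1 200 OK
  content-type: text/html; charset=utf-8
  X-Powered-By: Express
  CONTENT-LENGTH: 42

  <html>...</html>
RAW

# Parse the header block into [name, value] pairs, keeping the original
# casing of each name so nothing is lost for later display or logging.
def parse_headers(raw)
  head, _body = raw.split(/\r?\n\r?\n/, 2)
  head.lines.drop(1).each_with_object([]) do |line, pairs|
    name, value = line.chomp.split(':', 2)
    next unless name && value
    pairs << [name.strip, value.strip]
  end
end

# Buggy variant: exact string comparison. A request for 'Content-Type'
# misses a server that sends 'content-type'.
def header_present_exact?(pairs, name)
  pairs.any? { |n, _| n == name }
end

# Fixed variant: compare names case-insensitively. casecmp? is sufficient
# because HTTP field names are restricted to ASCII token characters.
def header_present?(pairs, name)
  pairs.any? { |n, _| n.casecmp?(name) }
end

# Value lookup using the same case-insensitive rule; nil when absent.
def header_value(pairs, name)
  match = pairs.find { |n, _| n.casecmp?(name) }
  match && match[1]
end

if __FILE__ == $PROGRAM_NAME
  pairs = parse_headers(SAMPLE_RESPONSE)
  puts header_present_exact?(pairs, 'Content-Type') # false: the bug
  puts header_present?(pairs, 'Content-Type')       # true
  puts header_value(pairs, 'content-length')        # 42
end
```

The mismatch matters for module logic that branches on a header's presence (for example, deciding whether a target is vulnerable or whether a response carries a body) while a separate value-fetching path already ignores case; the two paths disagree on the same response until both use the same comparison.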

Enhancements and Features

  • PR 13830 - Added a new target setting for the CVE-2019-0708 (BlueKeep) exploit for vulnerable Windows 7 SP1 / Server 2008 systems that are virtualized within a QEMU environment.
  • PR 13853 - Improved the bpf_sign_extension_priv_esc exploit module with updated code style, an option to compile the exploit on the target, use of the AutoCheck mixin, and more descriptive module information.
  • PR 13854 - Improved the robustness of the exploit/linux/http/f5_bigip_tmui_rce module (CVE-2020-5902) and set Meterpreter as the default payload type.
  • PR 13859 - Removed fail_with() call from check method in the exim4_deliver_message_priv_esc module, as this was crashing the local exploit suggester module.
  • PR 13861 - Improved the exploit/freebsd/local/intel_sysret_priv_esc module with code cleanup, adding the Msf::Exploit::Remote::AutoCheck mixin, preferring cc over gcc, and background payload execution.
  • PR 13868 - Added hash dumping to the auxiliary/gather/vmware_vcenter_vmdir_ldap module (CVE-2020-3952).
  • PR 13873 - Enhanced module check() behavior by preemptively warning about a missing check() method before options are validated, such as when verifying that required options are set.
  • PR 13885 - Added LDAPS (SSL/TLS) support to the LDAP mixin and updated the VMware vCenter Server vmdir (CVE-2020-3952) modules to use it.
  • PR 13895 - Added a check() method and a REMOVE user action to the auxiliary/admin/sap/cve_2020_6287 SAP "RECON" module (CVE-2020-6287).

New Modules

  • PR 13828 - New exploit module exploits/windows/http/zentao_pro_rce targets Zentao Pro versions 8.8.2 and below, achieving SYSTEM privileges by exploiting an authenticated command injection vulnerability (CVE-2020-7361).
  • PR 13837 - New module exploits/freebsd/local/ip6_setpktopt_uaf_priv_esc facilitates a local privilege escalation via a Use After Free vulnerability in the network stack of FreeBSD kernel versions 9.0 - 12.1 (CVE-2020-7457).
  • PR 13852 - New module auxiliary/admin/sap/cve_2020_6287_ws_add_user creates an admin user in SAP by exploiting the "RECON" vulnerability (CVE-2020-6287).
  • PR 13878 - New auxiliary module auxiliary/client/telegram/send_message allows users to automatically receive Telegram notifications when their exploit spawns a new session. To run this module, users must first register for a Telegram bot free of charge via Telegram's BotFather bot, then open up a new chat session with the registered bot and provide the bot's API key as well as the chat ID to the module.
  • PR 13891 - New module exploits/multi/http/baldr_upload_exec exploits a file upload vulnerability in the Baldr Botnet control panel, achieving RCE.
  • PR 13920 - New module exploits/windows/http/sharepoint_data_deserialization achieves RCE on versions of SharePoint containing an XML deserialization vulnerability (CVE-2020-1147).

Offline Update

Metasploit Framework and Pro Installers