Bugs Fixed
- Pro: MS-6243 - We fixed an issue where Tasks run prior upgrading to 4.18.0 that had replay capabilities would cause the task list for a project to error during generation. These tasks should now function as-expected under 4.18.0.
- Pro: MS-6232 - We fixed an issue where UI-based restore of a backup would not restart services or report progress.
- Pro: MS-6197 - We fixed an issue where XML imports did not correctly parse references, now the "Modules" tab should function as-expected in the host view.
- PR 13951 - Fixed a bug where
msfvenomwould throw a cryptic error message when invoked without specifying a required payload. - PR 13979 - Fixed an issue with the 64-bit segment injector logic used by 64-bit PE templates. The injector now properly handles the arguments and stack alignment.
- PR 14002 - Fixed a regression in payload encoding where whitespace bad characters were not being encoded away.
- PR 14006 - Fixed an incorrect executable path in the
enum_osxmodule, which caused the module to fail when downloading keychains. - PR 14007 - Fixed a path traversal vulnerability in Framework library code that could lead to RCE, such as via
post/osx/gather/enum_osx(CVE-2020-7376), reported by @bcoles. - PR 14014 - Improved the
squid_pivot_scanningmodule to correctly handle redirect HTTP response codes, as well as adding more detailed verbose logging. - PR 14034 - Fixed a path traversal in
auxiliary/admin/http/telpho10_credential_dump(CVE-2020-7377), reported by @bcoles. - PR 14043 - Fixed a bug in the
auxiliary/scanner/http/jupyter_loginmodule when scanning a range of targets, where non-Juypter targets would cause a stack trace and fail out of the scan operation. The module will now log non-Juypter targets it encounters and continue on with scanning remaining systems in the range of targets. - PR 14048 - Fixed an error handling issue with auxiliary scanners where an entire scan operation would abort when a single scanned host failed with a call to
fail_with. This update allows modules to skip hosts and continue onfail_with. Note that this new behavior is optional and can be disabled by using theabort:kwargs.
Enhancements and Features
- Pro: MS-6244 - We updated Pro's JRE (Java Runtime Environment).
- PR 13846 - Added support for Nmap's
vulnersscript, allowing users who run NMAP service version scans with thevulnersscript to get detailed information on which vulnerabilities their targets are potentially vulnerable to, save this information into Metasploit's database (if it is connected), and then see if Metasploit has a module to exploit those vulnerabilities. - PR 13974 - Improved the
winrm_loginmodule to correctly negotiate authentication, where previously it would always assume that basic auth is required. - PR 13998 - Greatly improved the performance of Metasploit Framework's
module.searchrpc call by searching the module cache instead of Framework's previous slow search functionality. - PR 14045 - Improved the new
featureslogic to automatically reload the current module when toggling a feature ON/OFF to ensure feature-flagged options, such asRHOST_HTTP_URL, appear properly.
New Modules
- PR 13870 - New module
auxiliary/admin/networking/arista_configimports Arista switch configuration into the Framework database. A new library for processing Arista switch configurations was also added. - PR 13906 - New module
auxiliary/gather/ldap_hashdumpdumps passwords and hashes stored as attributes in LDAP servers. - PR 13911 - New module
exploits/apple_ios/browser/safari_jitadds a Safari exploit for IOS 7.1.2 to obtain a root-level shell by leveraging multiple exploits chained together (CVE-2016-4669, CVE-2018-4162). iPhone 4 was specifically targeted and verified for this exploit. - PR 13982 - New external module
auxiliary/admin/http/cisco_7937g_ssh_privesctargets Cisco Unified IP Conference Station 7937G devices, resetting the ssh administrative credentials on the target via an http request tolocalmenus.cgi(CVE-2020-16137). Firmware versionsSCCP-1-4-5-5andSCCP-1-4-5-7are vulnerable, and both thehttpandsshservices need to be enabled on the target. - PR 13984 - New external module
auxiliary/dos/cisco/cisco_7937g_dos_reboottargets Cisco Unified IP Conference Station 7937G devices with a Denial-of-Service attack via specially crafted packets, causing vulnerable targets to reboot (CVE-2020-16139). Firmware versionsSCCP-1-4-5-5andSCCP-1-4-5-7are vulnerable. - PR 13985 - New external module
auxiliary/dos/cisco/cisco_7937g_dostargets Cisco Unified IP Conference Station 7937G devices with a Denial-of-Service attack that attempts to connect to the target's SSH service using an incompatible key exchange, causing vulnerable targets to become unresponsive until power cycled (CVE-2020-16138). Firmware versionsSCCP-1-4-5-5andSCCP-1-4-5-7are vulnerable. - PR 13986 - New module
exploits/linux/http/geutebruck_testaction_exectargets Geutebruck G-Cam (camera) and G-Code (encoder) devices, leveraging an authenticated command injection vulnerability to gain root-level RCE on vulnerable targets (CVE-2020-16205). Firmware versions1.12.0.25and prior,1.12.13.2, and1.12.14.5are vulnerable, and other manufacturers of similar devices are known to have used some of these same firmwares. - PR 13989 - New module
auxiliary/server/teamviewer_uri_smb_redirecttargets remote desktop software TeamViewer Desktop for Windows, creating an SMB connection with a vulnerable target via an unquoted parameter call within the TeamViewer URI handler (CVE-2020-13699). - PR 13994 - New module
exploits/windows/http/dlink_central_wifimanager_rcetargets D-Link Central WiFi Manager software for Windows platforms, achieving unauthenticated code execution on vulnerable targets by sending malicious php code via a cookie, which gets passed toeval()without any sanitization (CVE-2019-13372). - PR 14000 - New module
exploits/linux/http/apache_ofbiz_deserialiationtargets Apache OFBiz ERP software versions prior to 17.12.04, where a Java deserialization vulnerability in the unauthenticated XML-RPC endpoint/webtools/control/xmlrpccan be exploited to gain code execution (CVE-2020-9496).