Bugs Fixed
- Pro: MS-6243 - We fixed an issue where Tasks run prior to upgrading to 4.18.0 that had replay capabilities would cause the task list for a project to error during generation. These tasks should now function as expected under 4.18.0.
- Pro: MS-6232 - We fixed an issue where UI-based restore of a backup would not restart services or report progress.
- Pro: MS-6197 - We fixed an issue where XML imports did not correctly parse references; the "Modules" tab should now function as expected in the host view.
- PR 13951 - Fixed a bug where `msfvenom` would throw a cryptic error message when invoked without specifying a required payload.
- PR 13979 - Fixed an issue with the 64-bit segment injector logic used by 64-bit PE templates. The injector now properly handles the arguments and stack alignment.
- PR 14002 - Fixed a regression in payload encoding where whitespace bad characters were not being encoded away.
- PR 14006 - Fixed an incorrect executable path in the `enum_osx` module, which caused the module to fail when downloading keychains.
- PR 14007 - Fixed a path traversal vulnerability in Framework library code that could lead to RCE, such as via `post/osx/gather/enum_osx` (CVE-2020-7376), reported by @bcoles.
- PR 14014 - Improved the `squid_pivot_scanning` module to correctly handle redirect HTTP response codes, as well as adding more detailed verbose logging.
- PR 14034 - Fixed a path traversal in `auxiliary/admin/http/telpho10_credential_dump` (CVE-2020-7377), reported by @bcoles.
- PR 14043 - Fixed a bug in the `auxiliary/scanner/http/jupyter_login` module when scanning a range of targets, where non-Jupyter targets would cause a stack trace and fail out of the scan operation. The module will now log non-Jupyter targets it encounters and continue on with scanning the remaining systems in the range of targets.
- PR 14048 - Fixed an error handling issue with auxiliary scanners where an entire scan operation would abort when a single scanned host failed with a call to `fail_with`. This update allows modules to skip hosts and continue on `fail_with`. Note that this new behavior is optional and can be disabled by using the `abort:` kwarg.
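The scanner behaviour described in the PR 14048 note (a failing host is skipped by default, but a failure can still be flagged to abort the whole run) is illustrated below with a small stand-alone Ruby model. This is an added example, not Metasploit Framework code: the `HostFailed` class, the `probe` and `scan_range` helpers and the sample inventory are all hypothetical, and the `abort:` keyword here only mirrors the idea of the framework's option, not its implementation.

```ruby
# Added illustration (not Metasploit Framework code) of per-host failure
# handling in a range scan: a failure is normally skipped so the remaining
# hosts still get scanned, but a failure raised with abort: true stops the
# whole run. All names here are hypothetical.

class HostFailed < StandardError
  attr_reader :abort_scan

  def initialize(msg, abort: false)
    super(msg)
    @abort_scan = abort
  end
end

# Hypothetical per-host probe. An unreachable host is a skippable failure;
# an unrecoverable condition is raised with abort: true so the run stops.
def probe(host)
  case host[:state]
  when :up    then "#{host[:ip]}: banner ok"
  when :down  then raise HostFailed.new("#{host[:ip]}: unreachable")
  when :fatal then raise HostFailed.new("#{host[:ip]}: unrecoverable error", abort: true)
  else raise ArgumentError, "unknown state #{host[:state].inspect}"
  end
end

# Probe every host in order. Returns a report with the successful results,
# the skipped failures, and the abort reason (nil if the run completed).
def scan_range(hosts)
  report = { results: [], skipped: [], aborted: nil }
  hosts.each do |host|
    begin
      report[:results] << probe(host)
    rescue HostFailed => e
      if e.abort_scan
        report[:aborted] = e.message   # stop here; later hosts are not probed
        break
      end
      report[:skipped] << e.message    # log and move on to the next host
    end
  end
  report
end

# Constructed sample inventory (documentation addresses, not real hosts).
SAMPLE_HOSTS = [
  { ip: "192.0.2.10", state: :up },
  { ip: "192.0.2.11", state: :down },
  { ip: "192.0.2.12", state: :up },
].freeze

if __FILE__ == $PROGRAM_NAME
  puts scan_range(SAMPLE_HOSTS).inspect
end
```

With the sample inventory, the unreachable host is recorded under `skipped` and both live hosts are still probed; appending a host whose probe raises with `abort: true` ends the run at that host and leaves `aborted` set.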
Enhancements and Features
- Pro: MS-6244 - We updated Pro's JRE (Java Runtime Environment).
- PR 13846 - Added support for Nmap's `vulners` script, allowing users who run Nmap service version scans with the `vulners` script to get detailed information on which vulnerabilities their targets are potentially vulnerable to, save this information into Metasploit's database (if it is connected), and then see if Metasploit has a module to exploit those vulnerabilities.
- PR 13974 - Improved the `winrm_login` module to correctly negotiate authentication, where previously it would always assume that basic auth is required.
- PR 13998 - Greatly improved the performance of Metasploit Framework's `module.search` RPC call by searching the module cache instead of Framework's previous slow search functionality.
- PR 14045 - Improved the new `features` logic to automatically reload the current module when toggling a feature ON/OFF to ensure feature-flagged options, such as `RHOST_HTTP_URL`, appear properly.
New Modules
- PR 13870 - New module `auxiliary/admin/networking/arista_config` imports Arista switch configuration into the Framework database. A new library for processing Arista switch configurations was also added.
- PR 13906 - New module `auxiliary/gather/ldap_hashdump` dumps passwords and hashes stored as attributes in LDAP servers.
- PR 13911 - New module `exploits/apple_ios/browser/safari_jit` adds a Safari exploit for iOS 7.1.2 to obtain a root-level shell by leveraging multiple exploits chained together (CVE-2016-4669, CVE-2018-4162). iPhone 4 was specifically targeted and verified for this exploit.
- PR 13982 - New external module `auxiliary/admin/http/cisco_7937g_ssh_privesc` targets Cisco Unified IP Conference Station 7937G devices, resetting the SSH administrative credentials on the target via an HTTP request to `localmenus.cgi` (CVE-2020-16137). Firmware versions `SCCP-1-4-5-5` and `SCCP-1-4-5-7` are vulnerable, and both the `http` and `ssh` services need to be enabled on the target.
- PR 13984 - New external module `auxiliary/dos/cisco/cisco_7937g_dos_reboot` targets Cisco Unified IP Conference Station 7937G devices with a Denial-of-Service attack via specially crafted packets, causing vulnerable targets to reboot (CVE-2020-16139). Firmware versions `SCCP-1-4-5-5` and `SCCP-1-4-5-7` are vulnerable.
- PR 13985 - New external module `auxiliary/dos/cisco/cisco_7937g_dos` targets Cisco Unified IP Conference Station 7937G devices with a Denial-of-Service attack that attempts to connect to the target's SSH service using an incompatible key exchange, causing vulnerable targets to become unresponsive until power cycled (CVE-2020-16138). Firmware versions `SCCP-1-4-5-5` and `SCCP-1-4-5-7` are vulnerable.
- PR 13986 - New module `exploits/linux/http/geutebruck_testaction_exec` targets Geutebruck G-Cam (camera) and G-Code (encoder) devices, leveraging an authenticated command injection vulnerability to gain root-level RCE on vulnerable targets (CVE-2020-16205). Firmware versions `1.12.0.25` and prior, `1.12.13.2`, and `1.12.14.5` are vulnerable, and other manufacturers of similar devices are known to have used some of these same firmwares.
- PR 13989 - New module `auxiliary/server/teamviewer_uri_smb_redirect` targets the remote desktop software TeamViewer Desktop for Windows, creating an SMB connection with a vulnerable target via an unquoted parameter call within the TeamViewer URI handler (CVE-2020-13699).
- PR 13994 - New module `exploits/windows/http/dlink_central_wifimanager_rce` targets D-Link Central WiFi Manager software for Windows platforms, achieving unauthenticated code execution on vulnerable targets by sending malicious PHP code via a cookie, which gets passed to `eval()` without any sanitization (CVE-2019-13372).
- PR 14000 - New module `exploits/linux/http/apache_ofbiz_deserialiation` targets Apache OFBiz ERP software versions prior to 17.12.04, where a Java deserialization vulnerability in the unauthenticated XML-RPC endpoint `/webtools/control/xmlrpc` can be exploited to gain code execution (CVE-2020-9496).