Improved
- Pro: We improved the designation of hosts with "Unknown" operating systems in Passive Network Discovery PDF reports.
- PR 13919 - Improvement for auxiliary modules which expose actions, allowing invocation of those exposed actions by the user as commands when the user has changed context into the module through the use command within msfconsole.
- PR 13980 - Added a new Reflective PE file loader as a payload stage, enabling users to specify an arbitrary EXE or DLL and have it injected into the target process and executed as the payload stage without recompiling it for compatibility using something like ReflectiveDLLInjection.
- PR 14021 - Updated the module search functionality to only return results where all provided text search terms match. For example, search postgresql login will only return modules matching both postgresql and login.
- PR 14040 - Updated the exploit/multi/misc/java_rmi_server module to provide a check method, which is implemented by auxiliary/scanner/misc/java_rmi_server.
- PR 14053 - Improved the info command such that, following a module search, it is now possible to use info to view a specific module's information.
- PR 14062 - Added a SECURITY.md file to the Metasploit Framework so that users who discover security issues know how those issues can/should be reported to the project maintainers. This file will be rendered through the GitHub interface, as it follows the standard naming convention.
- PR 14065 - Reduced msfconsole boot time a bit by lazily loading the faker module, which is unneeded at bootup and is only used in a few limited scenarios.
- PR 14068 - Updated the auxiliary/scanner/smb/smb_enum_gpp module to use RubySMB instead of the old Rex client, allowing support for SMB versions 1-3.
- PR 14072 - Improved the Python method for shell interaction by updating the PTY shim to be Python 3 compatible. Also fixed the technique in environments where the python3 binary is available and in the PATH, but the python binary is not.
- PR 14075 - Updated exploits/multi/fileformat/zip_slip to support generating ZIP files.
- PR 14083 - Updated post/windows/gather/enum_patches to additionally report when patches were installed on a Windows target.
- PR 14089 - Updated auxiliary/scanner/smb/smb_version for backwards compatibility with older Ruby versions.
- PR 14090 - Added an example of using info with the output from the search command.
- PR 14106 - Updated the search command to always show an additional note on how to interact with the search module results.
Fixed
- Pro: We fixed an issue where invalid project XML exports would occur when certain characters were present within the project name. Project attributes are now properly XML encoded to ensure valid XML generation on project export.
- Pro: We fixed an issue where Web Application testing would offer detected aliases which were not DNS compliant as virtual host targets. Only DNS compliant detected aliases are now offered as virtual target hosts by Web Application testing.
- Pro: We fixed an issue when exporting project data as a Zip archive, where the export was failing to complete under some circumstances. We also fixed an issue with project import of Zip data failing to correctly import. Both operations should now function as expected.
- PR 14050 - Fixed an issue with db_import when attempting to import project Zip files exported by Metasploit Pro.
- PR 14061 - Fixed a performance regression in msfvenom, reducing msfvenom loading time by loading only the relevant module sets for the command being performed.
- PR 14064 - Fixed HTML module documentation generated from module content, where OSVDB links were broken and some CVE links were missing. CVE links should all now be present, and OSVDB entries display their number but are now unlinked.
- PR 14099 - Fixed the user PowerShell profile path in post/windows/gather/enum_powershell_env when targeting newer versions of Windows.
Modules
- PR 12983 - New module exploits/windows/local/dnsadmin_serverlevelplugindll achieves local privilege escalation on Windows Server 2003 and later targets, gaining SYSTEM level code execution if the current user is a member of the DnsAdmins group and also has permissions to restart the DNS service.
- PR 13836 - New module auxiliary/scanner/scada/modbus_banner_grabbing scans targets running the Modbus protocol and performs banner grabbing, saving returned information (which can include manufacturer, model number, etc.) as a note.
- PR 13847 - New gather module auxiliary/gather/peplink_bauth_sqli takes advantage of CVE-2017-8835, using SQL injection against Peplink target devices running firmware before 7.0.1 to hijack a logged-in user's account and extract configuration details (including the device license key). This module uses the extended SQLite mixin support contributed by a GSoC student.
- PR 13992 - New module exploits/osx/local/cfprefsd_race_condition leverages a race condition that allows arbitrary trusted file write (CVE-2020-9839), exploiting this to gain root by overwriting the /etc/pam.d/login file to allow a root login without a password, logging in without a password, and then returning the file to its original state after gaining root permissions.