Improved
- PR 13571 - Updated the Session Notifier plugin to support sending notifications using DingTalk webhooks. This allows users to receive Framework session notifications via their DingTalk client.
- PR 14111 - Removed unused code which previously tracked payload sizes when Metasploit was starting up.
- PR 14139 - Updated the HTTP client library used by many Metasploit modules to be more standards-compliant in its handling of redirects. Also added a new feature that makes managing cookies easier.
Fixed
- Pro: We updated PostgreSQL from 12.1 to 12.4, fixing an issue preventing Windows systems from restoring backups into a fresh install via the Pro web interface.
- Pro: We fixed an issue where module search results would fail to populate when configuring a Module Run task within a Task Chain.
- PR 14035 - Fixed an issue in the `exploits/linux/samba/is_known_pipename` exploit module which targets Samba. An incorrect SMB version 1 data structure definition was causing the module to fail to verify a writeable directory.
- PR 14120 - Fixed an issue which caused `services -S` to return results from all workspaces instead of the current workspace.
- PR 14125 - Added missing `SCREEN_EFFECTS` and `ARTIFACTS_ON_DISK` "side effects" notes to the `post/osx/escalate/tccbypass` module.
- PR 14145 - Fixed an issue with the `report_loot` method to ensure that data is always base64 encoded prior to sending it to the web service, which always expects base64 encoded data. This ensures that `report_loot` will not send unencoded data that could cause an exception.
- PR 14153 - Fixed `CMDSTAGER` so that the `SRVHOST` and `SRVPORT` options are displayed to the user when the `CMDSTAGER::FLAVOR` option is set to `auto`.
- PR 14176 - Fixed an issue with the `show exploits` command to ensure the correct rank is displayed.
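The base64 requirement behind the `report_loot` fix, as an added Ruby example that is not Metasploit's own code: a hypothetical loot client (`report_loot_encoded`, `submit_unencoded`) and a stand-in for the web service (`service_store`) show that binary loot survives the JSON round trip only when it is encoded first, and that a service expecting base64 rejects unencoded data.

```ruby
require 'json'
require 'base64'

# Added illustration, not Metasploit code. The names below (service_store,
# report_loot_encoded, submit_unencoded) are hypothetical stand-ins for the
# data service client and the web service it talks to.

# Constructed sample loot: bytes from a dumped binary, including sequences
# that are not valid UTF-8 and so cannot be placed in a JSON string as-is.
RAW_LOOT = "\x7FELF\x01\x01\x01\x00\xFF\xFE\x00secret".b

# Stand-in for the web service: it always expects base64 encoded data and
# decodes strictly, so anything that is not base64 raises ArgumentError.
def service_store(json_body)
  record = JSON.parse(json_body)
  Base64.strict_decode64(record['data'])
end

# Client side after the fix: the data field is base64 encoded before the
# request body is built, regardless of what the bytes contain.
def report_loot_encoded(data)
  JSON.generate('data' => Base64.strict_encode64(data))
end

# Full round trip: what the service stores equals the original bytes.
def roundtrip(data)
  service_store(report_loot_encoded(data))
end

# Client side before the fix, for text loot: the raw string is sent as the
# data field and the service's strict decode rejects it with an exception.
def submit_unencoded(text)
  service_store(JSON.generate('data' => text))
  :accepted
rescue ArgumentError
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  puts roundtrip(RAW_LOOT) == RAW_LOOT           # true
  puts report_loot_encoded(RAW_LOOT).ascii_only?  # true
  puts submit_unencoded('Password: hunter2')      # rejected
end
```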
Modules
- PR 13942 - New module `post/osx/escalate/tccbypass` leverages CVE-2020-9934 to allow a session to bypass the macOS Transparency, Consent, and Control (TCC) Framework for unauthorized access to sensitive user data.
- PR 14023 - New module `exploits/windows/local/cve_2020_1048_printerdemon` adds a local exploit which targets the `Spooler` service on Windows, taking advantage of an arbitrary file write vulnerability to gain code execution as `NT AUTHORITY\SYSTEM`.
- PR 14025 - New module `exploits/linux/http/artica_proxy_auth_bypass_service_cmds_peform_command_injection` targets Artica Proxy software versions `v4.30.000000`, achieving unauthenticated code execution as `root`. This is accomplished by first exploiting a SQL injection vulnerability in the `apikey` parameter on the `fw.login.php` page. Once a session is obtained, commands can be sent via the `service-cmds-peform` parameter to the `cyrus.index.php` page to execute code on the target.
- PR 14074 - New module `exploits/linux/http/mida_solutions_eframework_ajaxreq_rce` provides an exploit for Mida Solutions eFramework versions `2.9.0` and below, allowing unauthenticated shell commands to be executed as the `apache` user via the `PARAM` parameter in requests to `ajaxreq.php`. Because the `sudo` configuration allows the `apache` user to execute commands without requiring a password, this vector ultimately achieves code execution as the `root` user.
- PR 14117 - New module `post/windows/gather/enum_hyperv_vms` checks if a target is a Hyper-V host and attempts to gather information about all Hyper-V VMs present.
- PR 14118 - New module `post/windows/gather/credentials/securecrt.rb` gathers SecureCRT session files from compromised targets, storing the corresponding IP address, port number, username, and the decrypted password into `loot`. This can help users to easily determine other assets on the network that they may be able to gain access to, as well as identify potential usernames and passwords that they can use for further attacks.
- PR 14122 - New module `exploits/linux/http/jenkins_cli_deserialization` achieves unauthenticated remote code execution against Jenkins CLI remoting component targets (versions prior to v2.54) via a Java object deserialization vulnerability (identified as CVE-2017-1000353).
- PR 14123 - New module `exploits/linux/ssh/vyos_restricted_shell_privesc` provides a shell escape and privilege escalation on VyOS devices running vulnerable software. This is the first VyOS module and exploit for the Metasploit Framework.
- PR 14126 - New module `exploits/windows/http/exchange_ecp_dlp_policy` adds an authenticated RCE exploit for Microsoft Exchange which leverages the flaw identified as CVE-2020-16875 to inject code when processing a new DLP policy. The user must have the "Data Loss Prevention" role assigned in order to exploit this vulnerability.
- PR 14135 - New module `exploits/linux/http/tp_link_ncxxx_bonjour_command_injection` targets various models of TP-Link cameras, achieving authenticated code execution as `root` on vulnerable devices. When setting an alias name via `/setsysname.fcgi`, the target software checks the length of the alias to be set, but does not check its contents. The alias name is later passed to a shell command, which enables code execution as `root`.
- PR 14140 - New module `post/multi/gather/enum_software_versions` enumerates the installed software and version information on a compromised target (many platforms are supported by this module) and saves that information as loot.
- PR 14151 - New module `auxiliary/admin/dcerpc/cve_2020_1472_zerologon` exploits the Zerologon (CVE-2020-1472) vulnerability, leveraging a newly created Netlogon implementation.
- PR 14173 - New module `auxiliary/server/socks_proxy` consolidates the two separate SOCKS proxy modules in Framework into a single module capable of handling both SOCKS 4a and SOCKS 5 traffic via a `VERSION` option value. The older modules have been marked as deprecated starting December 29th, 2020 as part of this transition.