4.18.0 (Sep 28, 2020)

Improved

  • PR 13571 - Updated the Session Notifier plugin to support sending notifications using DingTalk webhooks. This allows users to receive Framework session notifications via their DingTalk client.
  • PR 14111 - Removed unused code which previously tracked payload sizes when Metasploit was starting up.
  • PR 14139 - Updated the HTTP client library used by many Metasploit modules so that its redirect handling is more standards-compliant. Also added a new feature that makes cookies easier to manage.

Fixed

  • Pro: We updated PostgreSQL from 12.1 to 12.4, fixing an issue preventing Windows systems from restoring backups into a fresh install via the Pro web interface.
  • Pro: We fixed an issue where module search results would fail to populate when configuring a Module Run task within a Task Chain.
  • PR 14035 - Fixed an issue in the exploits/linux/samba/is_known_pipename exploit module, which targets Samba. An incorrect SMB version 1 data structure definition was causing the module to fail when verifying a writable directory.
  • PR 14120 - Fixed an issue which caused services -S to return results from all workspaces instead of the current workspace.
  • PR 14125 - Added missing SCREEN_EFFECTS and ARTIFACTS_ON_DISK "side effects" notes to the post/osx/escalate/tccbypass module.
  • PR 14145 - Fixed an issue with the report_loot method to ensure that data is always base64 encoded before it is sent to the web service, which expects base64 encoded data. With this fix, report_loot no longer sends unencoded data that could cause an exception.
  • PR 14153 - Fixed CMDSTAGER so that the SRVHOST and SRVPORT options are displayed to the user when the CMDSTAGER::FLAVOR option is set to auto.
  • PR 14176 - Fixed an issue with the show exploits command to ensure the correct rank is displayed.

Modules

  • PR 13942 - New module post/osx/escalate/tccbypass leverages CVE-2020-9934 to allow a session to bypass the macOS Transparency, Consent, and Control (TCC) Framework for unauthorized access to sensitive user data.
  • PR 14023 - New module exploits/windows/local/cve_2020_1048_printerdemon adds a local exploit which targets the Spooler service on Windows, taking advantage of an arbitrary file write vulnerability to gain code execution as NT AUTHORITY\SYSTEM.
  • PR 14025 - New module exploits/linux/http/artica_proxy_auth_bypass_service_cmds_peform_command_injection targets Artica Proxy software versions v4.30.000000, achieving unauthenticated code execution as root. This is accomplished by first exploiting a SQL injection vulnerability in the apikey parameter on the fw.login.php page. Once a session is obtained, commands can be sent via the service-cmds-peform parameter to the cyrus.index.php page to execute code on the target.
  • PR 14074 - New module exploits/linux/http/mida_solutions_eframework_ajaxreq_rce provides an exploit for Mida Solutions eFramework versions 2.9.0 and below, allowing unauthenticated shell commands to be executed as the apache user via the PARAM parameter in requests to ajaxreq.php. Because the sudo configuration allows the apache user to execute commands without requiring a password, this vector ultimately achieves code execution as the root user.
  • PR 14117 - New module post/windows/gather/enum_hyperv_vms checks if a target is a Hyper-V host and attempts to gather information about all Hyper-V VMs present.
  • PR 14118 - New module post/windows/gather/credentials/securecrt.rb gathers SecureCRT session files from compromised targets, storing the corresponding IP address, port number, username, and the decrypted password into loot. This can help users to easily determine other assets on the network that they may be able to gain access to, as well as identify potential usernames and passwords that they can use for further attacks.
  • PR 14122 - New module exploits/linux/http/jenkins_cli_deserialization achieves unauthenticated remote code execution against Jenkins CLI remoting component targets (versions prior to v2.54) via a Java object deserialization vulnerability (identified as CVE-2017-1000353).
  • PR 14123 - New module exploits/linux/ssh/vyos_restricted_shell_privesc provides a shell escape and privilege escalation on VyOS devices running vulnerable software. This is the first VyOS module and exploit for the Metasploit Framework.
  • PR 14126 - New module exploits/windows/http/exchange_ecp_dlp_policy adds an authenticated RCE exploit for Microsoft Exchange which leverages the flaw identified as CVE-2020-16875 to inject code when processing a new DLP policy. The user must have the "Data Loss Prevention" role assigned in order to exploit this vulnerability.
  • PR 14135 - New module exploits/linux/http/tp_link_ncxxx_bonjour_command_injection targets various models of TP-Link cameras, achieving authenticated code execution as root on vulnerable devices. When setting an alias name via /setsysname.fcgi, the target software checks the length of the alias to be set, but does not check the contents. The alias name is later passed to a shell command, which enables code execution as root.
  • PR 14140 - New module post/multi/gather/enum_software_versions enumerates the installed software and version information on a compromised target (many platforms are supported by this module) and saves that information as loot.
  • PR 14151 - New module auxiliary/admin/dcerpc/cve_2020_1472_zerologon exploits the Zerologon (CVE-2020-1472) vulnerability, leveraging a newly created Netlogon implementation.
  • PR 14173 - New module auxiliary/server/socks_proxy consolidates the two separate SOCKS proxy modules in Framework into a single module capable of handling both SOCKS 4a and SOCKS 5 traffic, selected via the VERSION option. As part of this transition, the older modules have been marked as deprecated starting December 29th, 2020.
