Oct 12, 2020 - 4.18.0

Improved

  • Pro: We improved output from Web App scanning and auditing to read more clearly when no vulnerabilities have been found.
  • PR 14171 - Replaced calls to the deprecated get_service() method with calls to services(), and removed support for the get_service() method from Metasploit. This also fixed imports of Acunetix XML files via the db_import command.
  • PR 14172 - Added a new RUN_NOW option to post/windows/manage/persistence_exe which will indicate if the exe should be automatically executed when the module is run.
  • PR 14178 - Added an example to Gemfile.local.example of how to use Metasploit with local copies of Metasploit's Gem dependencies within Gemfile.local. This change accompanies the new Wiki page which provides additional context and information around this.
  • PR 14183 - Updated the debug command to additionally output Metasploit's web server logs. This command is used when creating a GitHub issue.
  • PR 14187 - Renamed the exploit/windows/local/anyconnect_path_traversal_lpe Cisco AnyConnect LPE module to exploits/windows/local/anyconnect_lpe and added the ability to exploit vulnerable targets via DLL hijacking (CVE-2020-3433).
  • PR 14204 - Updated module documentation for Zerologon (auxiliary/admin/dcerpc/cve_2020_1472_zerologon) to demonstrate how to utilize the new auxiliary/gather/windows_secrets_dump module to form a complete attack chain without relying on external tools such as Impacket.
  • PR 14213 - Added new RuboCop rules and associated rspec checks to ensure all Metasploit modules do include disclosure dates and that they are formatted in the ISO8601 format, aka YYYY-MM-DD. This ensures that all modules will have a consistent date format within their info output.
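As an added illustration of the kind of check the new rules enforce (this is example code, not the actual RuboCop cop or rspec check from the Metasploit repository), the following Ruby validates a module's DisclosureDate both syntactically (YYYY-MM-DD) and as a real calendar date. The module metadata hashes are constructed sample input, not real modules:

```ruby
require 'date'

# Strict YYYY-MM-DD shape; Date.iso8601 alone would also accept
# timestamps and week dates, which is not what the lint rule wants.
ISO8601_DATE = /\A\d{4}-\d{2}-\d{2}\z/

# True only when the value is a String shaped like YYYY-MM-DD *and*
# names a day that actually exists (a regex alone passes "2020-02-30").
def valid_disclosure_date?(value)
  return false unless value.is_a?(String) && value.match?(ISO8601_DATE)

  year, month, day = value.split('-').map(&:to_i)
  Date.valid_date?(year, month, day)
end

# Walk a hash of { module_name => info_hash } and return the problems found,
# keyed by module name. Modules with a well-formed date produce no entry.
def check_modules(modules)
  modules.each_with_object({}) do |(name, info), problems|
    date = info['DisclosureDate']
    if date.nil?
      problems[name] = 'missing DisclosureDate'
    elsif !valid_disclosure_date?(date)
      problems[name] = "DisclosureDate #{date.inspect} is not a valid YYYY-MM-DD date"
    end
  end
end

# Constructed sample metadata (hypothetical module names, not real modules).
SAMPLE_MODULES = {
  'exploit/example/good'           => { 'DisclosureDate' => '2020-10-12' },
  'exploit/example/legacy_format'  => { 'DisclosureDate' => 'Oct 12 2020' },
  'exploit/example/impossible_day' => { 'DisclosureDate' => '2020-02-30' },
  'exploit/example/missing'        => {}
}.freeze

if __FILE__ == $PROGRAM_NAME
  check_modules(SAMPLE_MODULES).each { |name, msg| puts "#{name}: #{msg}" }
end
```

Running the script reports the three sample modules whose date is missing, in a legacy free-text format, or syntactically correct but not a real day; the well-formed module is silently accepted.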
  • PR 14215 - Updated the Metasploit Dockerfile to use bundler 2.x.
  • PR 14238 - Updated auxiliary/scanner/sap/sap_service_discovery to detect and report SAP Internet Graphics servers running on port 40080.
  • PR 14242 - Removed the following modules from Metasploit Framework: auxiliary/admin/smb/psexec_command, exploits/windows/smb/psexec_psh, auxiliary/scanner/smb/smb1, and auxiliary/scanner/smb/smb2. These modules have passed their deprecation date and have been replaced by exploit/windows/smb/psexec and auxiliary/scanner/smb/smb_version, respectively.

Fixed

  • Pro: We fixed an issue where adding a new Nexpose Console with an invalid character in the Address field could lead to multiple Nexpose Console entries (and a UI hang on following attempts to import from a Nexpose Console). The value of the Address field is now verified (and enforced) to be valid.
  • PR 14129 - Updated Dockerfile to include a missing dependency for impacket (and its associated dependencies). This omission was the cause of several modules not running properly within Metasploit Docker installs.
  • PR 14177 - Fixed a bug in payload generation brought about by the changes to the Windows API block call in Windows payloads. By adding obfuscation to the code block that gives access to the Windows API, we inadvertently lengthened the payloads. Unfortunately, a second bug skipped the additional space required for encoders. The additional (known) length of the API block changes combined with the (unknown) increase for the encoder led us to hit a bug where the size was larger than the supported size. Here, we just add a small arbitrary length to any payload requiring encoding, so the added length is covered when selecting a payload.
  • PR 14199 - Fixed an error handling issue in the post/windows/gather/credentials/securecrt module when SecureCRT is not installed on the target, and also added support for targets where SecureCRT is a portable installation via a new SESSION_PATH module option.
  • PR 14200 - Fixed a bug with the db_import command where some OpenVAS XML files would trigger a stack trace and fail to import properly. Those OpenVAS files should now properly import.
  • PR 14203 - Fixed an ActiveRecord exception (and stack trace) in calls to db_manager's report_note() due to an incorrect host object being used.
  • PR 14211 - Fixed a regression issue when using the creds command with the remote data service. It is now again possible to view creds which were associated with a particular service.
  • PR 14226 - Fixed a nil dereference stack trace triggered by some modules and libraries attempting to use myworkspace.id when no database is connected.
  • PR 14233 - Fixed an issue where the info command would not show the available actions that a module has. Available module actions should now be properly shown when the info command is run.

Modules

  • PR 13996 - New module exploits/osx/browser/safari_in_operator_side_effect exploits three bugs in Safari on macOS to achieve RCE in user mode outside of the sandbox.
  • PR 14157 - New module exploits/windows/local/cve_2020_1313_system_orchestrator targets various builds of Windows 10 x64, leveraging the ability of a lower-privileged user to schedule a job (for arbitrary command/code provided) that will be run as SYSTEM by the Windows Update Orchestrator Service (CVE-2020-1313).
  • PR 14161 - New modules auxiliary/admin/networking/vyos_config and post/networking/gather/enum_vyos support importing VyOS device configuration offline and gathering information through an existing session on a VyOS device, respectively.
  • PR 14163 - New module auxiliary/admin/sap/sap_igs_xmlchart_xxe targets older versions of SAP IGS servers, supporting arbitrary file read and DoS attacks against vulnerable targets (CVE-2018-2392, CVE-2018-2393).
  • PR 14175 - New module exploits/multi/http/maracms_upload_exec leverages an arbitrary file upload vulnerability in MaraCMS 7.5 and prior to achieve remote code execution (CVE-2020-25042).

Offline Update

https://updates.metasploit.com/packages/856e61558d67be8fd8c4cf9cd475cbb4313479a2.bin

Metasploit Framework and Pro Installers

https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version