Improved
- Pro: We improved output from Web App scanning and auditing to read more clearly when no vulnerabilities have been found.
- PR 14171 - Replaced calls to the deprecated get_service() method with calls to services(), and removed support for the get_service() method from Metasploit. This also fixed imports of Acunetix XML files via the db_import command.
- PR 14172 - Added a new RUN_NOW option to post/windows/manage/persistence_exe which indicates whether the exe should be executed automatically when the module is run.
- PR 14178 - Added an example to Gemfile.local.example of how to use Metasploit with local copies of Metasploit's Gem dependencies within Gemfile.local. This change accompanies the new Wiki page, which provides additional context and information around this.
- PR 14183 - Updated the debug command to additionally output Metasploit's web server logs. This command is used when creating a GitHub issue.
- PR 14187 - Renamed the exploit/windows/local/anyconnect_path_traversal_lpe Cisco AnyConnect LPE module to exploits/windows/local/anyconnect_lpe and added the ability to exploit vulnerable targets via DLL hijacking (CVE-2020-3433).
- PR 14204 - Updated module documentation for Zerologon (auxiliary/admin/dcerpc/cve_2020_1472_zerologon) to demonstrate how to utilize the new auxiliary/gather/windows_secrets_dump module to form a complete attack chain without relying on external tools such as Impacket.
- PR 14213 - Added new RuboCop rules and associated rspec checks to ensure that all Metasploit modules include disclosure dates and that those dates are formatted in the ISO 8601 format, aka YYYY-MM-DD. This ensures that all modules will have a consistent date format within their info output.
- PR 14215 - Updated the Metasploit Dockerfile to use bundler 2.x.
- PR 14238 - Updated auxiliary/scanner/sap/sap_service_discovery to detect and report SAP Internet Graphics servers running on port 40080.
- PR 14242 - Removed the following modules from Metasploit Framework: auxiliary/admin/smb/psexec_command, exploits/windows/smb/psexec_psh, auxiliary/scanner/smb/smb1, and auxiliary/scanner/smb/smb2. These modules have passed their deprecation date and have been replaced by exploit/windows/smb/psexec and auxiliary/scanner/smb/smb_version, respectively.
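To make the disclosure-date requirement from PR 14213 concrete, here is an added illustration of the kind of check that rule enforces. It is not the project's own RuboCop cop or rspec test; the module info hashes are constructed samples, and only the DisclosureDate and Name keys are assumed.

```ruby
require 'date'

# Shape a Metasploit module's DisclosureDate must have: YYYY-MM-DD only.
ISO8601_DATE = /\A\d{4}-\d{2}-\d{2}\z/

# Returns nil when the disclosure date in a module's info hash is
# acceptable, otherwise a message describing the problem. This mirrors
# the requirement described for PR 14213 (illustrative, not the real cop).
def disclosure_date_problem(info)
  raw = info['DisclosureDate']
  return 'DisclosureDate is missing' if raw.nil? || raw.to_s.strip.empty?
  unless raw.is_a?(String) && raw.match?(ISO8601_DATE)
    return "DisclosureDate #{raw.inspect} is not in YYYY-MM-DD form"
  end
  # A string can match the pattern and still name a day that does not
  # exist (e.g. 2020-02-30); strict parsing catches that case.
  begin
    Date.strptime(raw, '%Y-%m-%d')
  rescue ArgumentError
    return "DisclosureDate #{raw.inspect} is not a real calendar date"
  end
  nil
end

# Run the check over a set of module info hashes and return the failures
# keyed by module name, the way a spec would report them.
def check_modules(infos)
  infos.each_with_object({}) do |info, failures|
    problem = disclosure_date_problem(info)
    failures[info['Name']] = problem if problem
  end
end

# Constructed sample metadata, not taken from any real module.
SAMPLE_INFOS = [
  { 'Name' => 'ok_module',        'DisclosureDate' => '2020-10-13' },
  { 'Name' => 'old_style_module', 'DisclosureDate' => 'Oct 13 2020' },
  { 'Name' => 'short_month',      'DisclosureDate' => '2020-1-13' },
  { 'Name' => 'bad_day',          'DisclosureDate' => '2020-02-30' },
  { 'Name' => 'no_date' }
].freeze

if __FILE__ == $PROGRAM_NAME
  check_modules(SAMPLE_INFOS).each { |name, msg| puts "#{name}: #{msg}" }
end
```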
Fixed
- Pro: We fixed an issue where adding a new Nexpose Console with an invalid character in the Address field could lead to multiple Nexpose Console entries (and a UI hang on following attempts to import from a Nexpose Console). The value of the Address field is now verified (and enforced) to be valid.
- PR 14129 - Updated the Dockerfile to include a missing dependency for impacket (and its associated dependencies). This omission was the cause of several modules not running properly within Metasploit Docker installs.
- PR 14177 - Fixed a bug in payload generation brought about by the changes to the Windows API block call in Windows payloads. By adding obfuscation to the code block that gives access to the Windows API, we inadvertently lengthened the payloads. Unfortunately, a second bug skipped the additional space required for encoders. The additional (known) length of the API block changes combined with the (unknown) increase for the encoder led us to hit a bug where the size was larger than the supported size. Here, we just add a small arbitrary length to any payload requiring encoding, so the added length is covered when selecting a payload.
- PR 14199 - Fixed an error handling issue in the post/windows/gather/credentials/securecrt module when SecureCRT is not installed on the target, and also added support for targets where SecureCRT is a portable installation via a new SESSION_PATH module option.
- PR 14200 - Fixed a bug with the db_import command where some OpenVAS XML files would trigger a stack trace and fail to import properly. Those OpenVAS files should now import properly.
- PR 14203 - Fixed an ActiveRecord exception (and stack trace) in calls to db_manager's report_note() due to an incorrect host object being used.
- PR 14211 - Fixed a regression when using the creds command with the remote data service. It is now again possible to view creds which were associated with a particular service.
- PR 14226 - Fixed a nil dereference stack trace triggered by some modules and libraries attempting to use myworkspace.id when no database is connected.
- PR 14233 - Fixed an issue where the info command would not show the available actions that a module has. Available module actions should now be properly shown when the info command is run.
Modules
- PR 13996 - New module exploits/osx/browser/safari_in_operator_side_effect exploits three bugs in Safari on macOS to achieve RCE in user mode outside of the sandbox.
- PR 14157 - New module exploits/windows/local/cve_2020_1313_system_orchestrator targets various builds of Windows 10 x64, leveraging the ability of a lower-privileged user to schedule a job (for arbitrary command/code provided) that will be run as SYSTEM by the Windows Update Orchestrator Service (CVE-2020-1313).
- PR 14161 - New modules auxiliary/admin/networking/vyos_config and post/networking/gather/enum_vyos support importing VyOS device configuration offline and gathering information via a current session to a VyOS device, respectively.
- PR 14163 - New module auxiliary/admin/sap/sap_igs_xmlchart_xxe targets older versions of SAP IGS servers, supporting arbitrary file read and DoS attacks against vulnerable targets (CVE-2018-2392, CVE-2018-2393).
- PR 14175 - New module exploits/multi/http/maracms_upload_exec leverages an arbitrary file upload vulnerability in MaraCMS 7.5 and prior to achieve remote code execution (CVE-2020-25042).
Offline Update
https://updates.metasploit.com/packages/856e61558d67be8fd8c4cf9cd475cbb4313479a2.bin
Metasploit Framework and Pro Installers
https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version