Dec 07, 2020 - 4.19.0

Improved

  • Pro: We improved Task progress to reflect the actual progress completed while running, showing "Completed" once the Task has finished.
  • PR 13954 - Updated cmd_upload() and cmd_download() functions in Meterpreter's fs.rb command dispatcher extension to properly support expanding local paths. Users can now specify characters such as ~ to represent their home directory when specifying the path to a local file.
  • PR 14294 - Updated the ms17_010_eternalblue module check() logic to validate that the target is x64 and to provide a detailed message if the target is not. For instance, targeting a 32-bit system will now provide a failure message of "This exploit module only support x64 (64-bit) targets".
  • PR 14341 - Improved the post/windows/gather/credentials/securecrt module robustness/error-handling and support of both older and newer SecureCRT versions.
  • PR 14353 - Improved msfdb output content (and format) to better highlight errors/issues/points to the user.
  • PR 14361 - Added a COOKIE option to the exploit/windows/http/sharepoint_ssi_viewstate module, primarily useful when SharePoint is authenticated through a web form.
  • PR 14365 - Updated the exploits/linux/misc/tplink_archer_a7_c7_lan_rce module (a.k.a. TP-Link AC1750 Pwn2Own 2019) with the additional ability to bypass a patch TP-Link issued in early 2020.
  • PR 14371 - Added impacted version details to the drupal_views_user_enum.rb module info.
  • PR 14373 - Removed unused NetwareConsole Session from the codebase.
  • PR 14387 - Added a library check to ensure AutoCheck is only prepended by exploit modules.
  • PR 14417 - Updated msfconsole tip suggestion on startup to wrap at 60 columns.
  • PR 14419 - Updated external development scripts used to acquire the latest static resources for certain external framework components. Additionally updated two WordPress wordlists.

Fixed

  • Pro: We fixed an issue with Web App data export+import where imports could fail due to lack of proper data encoding in the export file.
  • Pro: We fixed project names to properly support additional symbol and punctuation characters.
  • Pro: We fixed an issue with Bruteforce Task Chains where non-selected services would also be targeted. Only selected services will be targeted by Bruteforce Task Chains.
  • PR 14219 - Fixed a bug in the Brocade "config eater" logic to correctly allow . as a valid character in password hashes.
  • PR 14304 - Updated the post/windows/manage/execute_dotnet_assembly module to properly handle different signatures for the entry point of the code it is injecting.
  • PR 14325 - Updated the four Python shell payloads to be compatible with Python version 3.4+ while retaining compatibility with 2.6+.
  • PR 14359 - Fixed a bug where the default options of a target were not being correctly set on initial module load/use.
  • PR 14363 - Fixed an edge case with the auxiliary/scanner/smb/smb_login module, where valid credentials were recorded as invalid when running msfconsole directly with bundle exec ./msfconsole.
  • PR 14370 - Fixed a bug in msfconsole's command autocompletion-via-TAB-key logic, where a crash would occur if there were no matching commands. msfconsole will now return no results if it cannot autocomplete a command.
  • PR 14372 - Fixed executable bit on msfdb.
  • PR 14378 - Fixed RPC service's job tracking functionality to support concurrent updates safely.
  • PR 14381 - Fixed a crash when RHOST_HTTP_URL was used in conjunction with the check command. The RHOST_HTTP_URL option can be enabled with the command features set RHOST_HTTP_URL true.
  • PR 14382 - Fixed an issue in the auxiliary/analyze/apply_pot module where it was not updated to use the latest version of the supporting library, leading to a crash when the module was run due to an undefined symbol.
  • PR 14393 - Fixed a crash related to the verbose output of jobs with jobs -v, and persistence of jobs with jobs -P, when auxiliary jobs were present.
  • PR 14405 - Fixed a crash on attempts to upgrade an existing Meterpreter session with sessions -u. The user is now presented with an informative message that this is not allowed.
  • PR 14408 - Fixed an issue with misaligned Netlogon data structures (via a bump of the RubySMB gem to version 2.0.7), which notably caused the auxiliary/admin/dcerpc/cve_2020_1472_zerologon module to fail when the NetBIOS name was of certain lengths.
  • PR 14412 - Fixed the ssh_login module when gathering proof as a low-privilege Windows user. This module will now gracefully fall back to using the ver command if the required permissions to run systeminfo are missing.
  • PR 14427 - Fixed the exploits/multi/http/phpstudy_backdoor_rce module's use of the TARGET_URI option to ensure that it is treated as a URI rather than a directory.
  • PR 14437 - Updated the module cache to no longer mutate a module's internal strings when the cache performs its own encoding.
  • PR 14442 - Fixed the exploits/unix/webapp/sphpblog_file_upload (Simple PHP Blog) exploit to use the correct session cookie value.
  • PR 14445 - Fixed db_import's XML data parser to avoid a potential nil stack trace by implementing more appropriate handling of XML nodes. Additionally, a fix has been applied to ensure that <body> tags nested within a <web_page> HTML tag are now appropriately Base64 decoded before being deserialized.

Modules

  • PR 14206 - New module exploits/windows/scada/rockwell_factorytalk_rce provides an unauthenticated, remote exploit for Rockwell FactoryTalk View SE 2020, combining three vulnerabilities identified as CVE-2020-12027, CVE-2020-12028, and CVE-2020-12029.
  • PR 14216 - New module exploits/multi/http/apache_nifi_processor_rce leverages a weak configuration in Apache NiFi that can lead to remote command execution. When the NiFi API is not properly secured, it is possible to abuse the ExecuteProcess processor and execute arbitrary commands in the context of the user running the Apache NiFi instance.
  • PR 14241 - New module exploits/unix/webapp/openmediavault_rpc_rce exploits an authenticated PHP code injection vulnerability (CVE-2020-26124) in the sortfield POST parameter of the rpc.php page present in all OpenMediaVault versions prior to 4.1.36 and all 5.x versions prior to 5.5.12. Successful exploitation allows arbitrary command execution on the underlying operating system as the root user.
  • PR 14253 - New module exploits/multi/http/wp_file_manager_rce targets versions 6.0 through 6.8 of the wp-file-manager plugin for WordPress, leveraging an example connector.minimal.php file left over from the installation to achieve unauthenticated code execution through the upload and mkfile+put commands.
  • PR 14264 - New module exploits/multi/http/kong_gateway_admin_api_rce achieves RCE on vulnerable Kong API Gateway instances where the Admin API has been made remotely accessible, leveraging route creation and the pre-function serverless plugin to execute commands without authentication.
  • PR 14269 - New module auxiliary/gather/zookeeper_info_disclosure targets Apache ZooKeeper service instances to extract information about the system environment and service statistics (which also reveal IP addresses of connected clients).
  • PR 14298 - New module post/windows/gather/avast_memory_dump leverages the presence of AvDump.exe, an AVAST tool for dumping binaries on the Windows platform from memory, to dump a binary from target memory and collect the results.
  • PR 14314 - New module post/windows/gather/credentials/pulse_secure gathers credentials on targets running Pulse Secure Connect VPN Client for Windows, versions 9.1.x < 9.1R4 and 9.0.x < 9.0R5. Users do not need to be running as an admin for the exploit to work on these versions of the client; however, the user will need to be running as SYSTEM to successfully gather credentials from more recent versions of the software.
  • PR 14324 - New module exploits/multi/http/weblogic_admin_handle_rce achieves RCE as the WebLogic user via a path traversal and Java class instantiation vulnerability within WebLogic (CVE-2020-14882, CVE-2020-14883), and supports both Linux and Windows targets.
  • PR 14331 - New module exploits/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection allows an attacker to craft an APK file for use with the msfvenom tool that, when used by an unsuspecting victim as a template for msfvenom, provides arbitrary command execution on the victim's system by the attacker. This vulnerability was patched in Metasploit Framework version 6.0.12 and Metasploit Pro version 4.19.0.
  • PR 14340 - New module exploits/multi/http/horizontcms_upload_exec leverages an arbitrary file upload vulnerability in HorizontCMS 1.0.0-beta (and prior) to achieve authenticated RCE (CVE-2020-27387).
  • PR 14379 - New module exploits/linux/http/saltstack_salt_api_cmd_exec exploits two vulnerabilities (authentication bypass and command injection) within vulnerable versions of SaltStack to achieve unauthenticated OS command execution as the root user (CVE-2020-16846, CVE-2020-25592).
  • PR 14394 - New module auxiliary/admin/http/tomcat_ghostcat (Apache Tomcat - AJP 'Ghostcat' File Read/Inclusion) can retrieve arbitrary files from anywhere in the target's vulnerable web application, and can process any file in the web application as JSP.
  • PR 14416 - New module exploits/multi/http/wp_simple_file_list_rce achieves unauthenticated PHP code execution within the context of the WordPress server via the Simple File List WordPress plugin, which in versions 4.2.2 and older allows an attacker to upload a file with a .png extension and then rename it to use a .php extension.
