Improved
- Pro: We improved Task progress to reflect the actual progress completed while running, showing "Completed" once the Task has finished.
- PR 13954 - Updated the `cmd_upload()` and `cmd_download()` functions in Meterpreter's `fs.rb` command dispatcher extension to properly support expanding local paths. Users can now specify characters such as `~` to represent their home directory when specifying the path to a local file.
- PR 14294 - Updated the `ms17_010_eternalblue` module `check()` logic to validate that the target is x64 and to provide a detailed message if the target is not. For instance, targeting a 32-bit system will now provide a failure message of "This exploit module only support x64 (64-bit) targets".
- PR 14341 - Improved the `post/windows/gather/credentials/securecrt` module's robustness and error handling, and its support of both older and newer SecureCRT versions.
- PR 14353 - Improved `msfdb` output content (and format) to better highlight errors, issues and points of interest to the user.
- PR 14361 - Added a `COOKIE` option to the `exploit/windows/http/sharepoint_ssi_viewstate` module, primarily useful when SharePoint is authenticated through a web form.
- PR 14365 - Updated the `exploits/linux/misc/tplink_archer_a7_c7_lan_rce` module (a.k.a. TP-Link AC1750 Pwn2Own 2019) with the additional ability to bypass a patch TP-Link issued in early 2020.
- PR 14371 - Added impacted version details to the `drupal_views_user_enum.rb` module info.
- PR 14373 - Removed the unused `NetwareConsole` Session from the codebase.
- PR 14387 - Added a library check to ensure `AutoCheck` is only prepended by exploit modules.
- PR 14417 - Updated the `msfconsole` tip suggestion on startup to wrap at 60 columns.
- PR 14419 - Updated external development scripts used to acquire the latest static resources for certain external framework components. Additionally updated two WordPress wordlists.
Fixed
- Pro: We fixed an issue with Web App data export+import where imports could fail due to lack of proper data encoding in the export file.
- Pro: We fixed project names to properly support additional symbol and punctuation characters.
- Pro: We fixed an issue with Bruteforce Task Chains where non-selected services would also be targeted. Only selected services will be targeted by Bruteforce Task Chains.
- PR 14219 - Fixed a bug in the Brocade "config eater" logic to correctly allow `.` as a valid character in password hashes.
- PR 14304 - Updated the `post/windows/manage/execute_dotnet_assembly` module to properly handle different signatures for the entry point of the code it is injecting.
- PR 14325 - Updated the four Python shell payloads to be compatible with Python version 3.4+ while retaining compatibility with 2.6+.
- PR 14359 - Fixed a bug where the default options of a target were not being correctly set on initial module load/use.
- PR 14363 - Fixed an edge case with the `auxiliary/scanner/smb/smb_login` module, where valid credentials were recorded as invalid when running `msfconsole` directly with `bundle exec ./msfconsole`.
- PR 14370 - Fixed a bug in `msfconsole`'s command autocompletion-via-TAB-key logic, where a crash would occur if there were no matching commands. `msfconsole` will now return no results if it cannot autocomplete a command.
- PR 14372 - Fixed the executable bit on `msfdb`.
- PR 14378 - Fixed the RPC service's job tracking functionality to support concurrent updates safely.
- PR 14381 - Fixed a crash when RHOST_HTTP_URL was used in conjunction with the `check` command. The RHOST_HTTP_URL option can be enabled with the command `features set RHOST_HTTP_URL true`.
- PR 14382 - Fixed an issue in the `auxiliary/analyze/apply_pot` module where it had not been updated to use the latest version of the supporting library, leading to a crash due to an undefined symbol when the module was run.
- PR 14393 - Fixed a crash related to the verbose output of jobs with `jobs -v`, and persistence of jobs with `jobs -P`, when auxiliary jobs were present.
- PR 14405 - Fixed a crash on attempts to upgrade an existing Meterpreter session with `sessions -u`. The user is now presented with an informative message that this is not allowed.
- PR 14408 - Fixed an issue with misaligned Netlogon data structures (via a bump of the RubySMB gem to version 2.0.7), which notably caused the `auxiliary/admin/dcerpc/cve_2020_1472_zerologon` module to fail when the NetBIOS name was of certain lengths.
- PR 14412 - Fixed the `ssh_login` module when gathering proof as a low-privilege Windows user. This module will now gracefully fall back to using the `ver` command if the required permissions to run `systeminfo` are missing.
- PR 14427 - Fixed the `exploits/multi/http/phpstudy_backdoor_rce` module's use of the `TARGET_URI` option to ensure that it is treated as a URI rather than a directory.
- PR 14437 - Updated the module cache to no longer mutate a module's internal strings when the cache performs its own encoding.
- PR 14442 - Fixed the `exploits/unix/webapp/sphpblog_file_upload` (Simple PHP Blog) exploit to use the correct session cookie value.
- PR 14445 - Fixed `db_import`'s XML data parser to avoid a potential `nil` stack trace by implementing more appropriate handling of XML nodes. Additionally, a fix has been applied to ensure that `<body>` tags nested within a `<web_page>` HTML tag are now appropriately Base64 decoded before being deserialized.
Modules
- PR 14206 - New module `exploits/windows/scada/rockwell_factorytalk_rce` provides an unauthenticated, remote exploit for Rockwell FactoryTalk View SE 2020, combining three vulnerabilities identified as CVE-2020-12027, CVE-2020-12028, and CVE-2020-12029.
- PR 14216 - New module `exploits/multi/http/apache_nifi_processor_rce` leverages a weak configuration in Apache NiFi that can lead to remote command execution. When the NiFi API is not properly secured, it is possible to abuse the ExecuteProcess processor and execute arbitrary commands in the context of the user running the Apache NiFi instance.
- PR 14241 - New module `exploits/unix/webapp/openmediavault_rpc_rce` exploits an authenticated PHP code injection vulnerability (CVE-2020-26124) in the `sortfield` POST parameter of the `rpc.php` page present in all OpenMediaVault versions prior to 4.1.36 and all 5.x versions prior to 5.5.12. Successful exploitation allows arbitrary command execution on the underlying operating system as the `root` user.
- PR 14253 - New module `exploits/multi/http/wp_file_manager_rce` targets versions `6.0` through `6.8` of the `wp-file-manager` plugin for WordPress, leveraging an example `connector.minimal.php` file left over from the installation to achieve unauthenticated code execution through the `upload` and `mkfile+put` commands.
- PR 14264 - New module `exploits/multi/http/kong_gateway_admin_api_rce` achieves RCE on vulnerable Kong API Gateway instances where the Admin API has been made remotely accessible, leveraging route creation and the `pre-function` serverless plugin to execute commands without authentication.
- PR 14269 - New module `auxiliary/gather/zookeeper_info_disclosure` targets Apache ZooKeeper service instances to extract information about the system environment and service statistics (which also reveal IP addresses of connected clients).
- PR 14298 - New module `post/windows/gather/avast_memory_dump` leverages the presence of `AvDump.exe`, an AVAST tool for dumping binaries on the Windows platform from memory, to dump a binary from target memory and collect the results.
- PR 14314 - New module `post/windows/gather/credentials/pulse_secure` gathers credentials on targets running Pulse Secure Connect VPN Client for Windows, versions 9.1.x < 9.1R4 and 9.0.x < 9.0R5. Users do not need to be running as an admin for the exploit to work on these versions of the client; however, the user will need to be running as `SYSTEM` to successfully gather credentials from more recent versions of the software.
- PR 14324 - New module `exploits/multi/http/weblogic_admin_handle_rce` achieves RCE as the WebLogic user via a path traversal and Java class instantiation vulnerability within WebLogic (CVE-2020-14882, CVE-2020-14883), and supports both Linux and Windows targets.
- PR 14331 - New module `exploits/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection` allows an attacker to craft an APK file for use with the `msfvenom` tool that, when used by an unsuspecting victim as a template for `msfvenom`, provides arbitrary command execution on the victim's system by the attacker. This vulnerability was patched in Metasploit Framework version 6.0.12 and Metasploit Pro version 4.19.0.
- PR 14340 - New module `exploits/multi/http/horizontcms_upload_exec` leverages an arbitrary file upload vulnerability in HorizontCMS 1.0.0-beta (and prior) to achieve authenticated RCE (CVE-2020-27387).
- PR 14379 - New module `exploits/linux/http/saltstack_salt_api_cmd_exec` exploits two vulnerabilities (authentication bypass and command injection) within vulnerable versions of SaltStack to achieve unauthenticated OS command execution as the `root` user (CVE-2020-16846, CVE-2020-25592).
- PR 14394 - New module `auxiliary/admin/http/tomcat_ghostcat` (Apache Tomcat - AJP 'Ghostcat' File Read/Inclusion) can retrieve arbitrary files from anywhere in the target's vulnerable web application, and can process any file in the web application as JSP.
- PR 14416 - New module `exploits/multi/http/wp_simple_file_list_rce` achieves unauthenticated PHP code execution within the context of the WordPress server via the Simple File List WordPress plugin, which contains a vulnerability in versions 4.2.2 and older that allows an attacker to upload a file with a `.png` extension and then rename it to use a `.php` extension.