Jan 20, 2021 - 4.19.0

Improved

  • Pro: We improved the host "Disclosed Vulnerabilities" view to include port and service information.

  • Pro: We improved supported options and available help in many of the Pro command line scripts.

  • Pro: We improved the backup script with new options for running completely unattended.

  • Pro: We improved the restore script to accept a command line option specifying the backup file to restore.

  • PR 13234 - Added a new Metasploit plugin which can import reports from beSECURE's API and use that information to launch exploits against imported targets.

  • PR 14202 - Updated Metasploit to only load core library files when they are explicitly required. Previously, all core library files were loaded eagerly on console startup. This initial work reduces console startup time by around 0.5 seconds. Future releases will build upon this initial effort of lazily loading internal library files to further improve both the console's and msfvenom's startup performance.

  • PR 14401 - Added Windows target support to the exploit/multi/misc/consul_service_exec module.

  • PR 14409 - Updated the Server Permissions local exploit module to add a new registry-based technique that can notably be used to escalate permissions on fully patched Windows 7 and Server 2008 systems.

  • PR 14410 - Added synchronization to the DLL payload template so that, even if a target machine loads the DLL multiple times, users get only one session on the host. This prevents cases where a single exploit yields multiple shells, which can result in excessive activity that could easily reduce the stealthiness of a user's attack.

  • PR 14423 - Updated the WordPress Scanner module to also identify common themes and plugins.

  • PR 14431 - Added a configuration option to the console and the RPC service for specifying the required Metasploit log sink.

  • PR 14458 - Updated the AutoCheck mixin to allow it to support auxiliary modules. Previously, the AutoCheck mixin would only run successfully with Metasploit's exploit modules. These new changes should now allow auxiliary modules to automatically check if a target is vulnerable using the module's check method prior to attempting to perform any actions against that target.

  • PR 14463 - Added the SyncAppvPublishingServer target to the web_delivery module. This technique works on Windows 10 Builds <= 1709.

  • PR 14472 - Updated the hard-coded port in lib/msf/core/auxiliary/epmp's final_cookie with the user-configurable rport.

  • PR 14476 - Improved session OS identification for SSH connections to Windows targets using Cygwin to provide SSH services.

  • PR 14478 - Enhanced the check in exploit/multi/http/weblogic_admin_handle_rce, specifically for CVE-2020-14882.

  • PR 14479 - Enhanced the check in exploit/linux/http/saltstack_salt_api_cmd_exec, specifically for CVE-2020-25592.

  • PR 14482 - Updated the Druva inSync Privilege Escalation module to use CVE-2020-5752 path traversal bypass for CVE-2019-3999. The vulnerability is related to improper validation of user-supplied program paths in RPC type 5 messages and allows execution of arbitrary commands as SYSTEM.

  • PR 14509 - Added a Java target to the Apache Solr RCE exploit module. This makes it platform independent, as long as the target system is able to make HTTP requests back to the attacker host. This also fixes quoting issues with several payloads by putting the command in a parameter instead of directly in the template.

  • PR 14522 - Replaced the hardcoded default Shiro encryption key within the shiro_rememberme_v124_deserialize module with a new datastore option named ENC_KEY which allows users to specify the key used to encrypt the rememberMe cookie. This in turn allows the module to target more recent versions provided the user knows the right encryption key value.

  • PR 14528 - Updated the descriptions of Windows Meterpreter payloads to clarify support for only Windows XP SP2 or newer targets.

  • PR 14538 - Improved Metasploit's XML importer to throw a more descriptive error message when importing data whose response body is not appropriately Base64 encoded.

  • PR 14562 - Improved the readability of Meterpreter error messages by replacing the command ID with the command name.

  • PR 14600 - Updated the FileSystem mixin with some reorganization and a number of new function aliases to assist developers using the mixin. Additionally, new YARD documentation has been added to better explain the functionality of several of the FileSystem mixin's functions, helping developers determine when to use them.

  • PR 14606 - Added a new banner commemorating all of the teams that participated in the Q4 2020 CTF.

Fixed

  • Pro: We fixed an issue when checking for available Pro updates on Windows where an error modal might appear.

  • Pro: We fixed an issue where task logs for some actions were not displayed correctly.

  • Pro: We fixed instances where icons for "next page" and "previous page" were missing in the UI.

  • Pro: We fixed identification of Cygwin shells as Windows machines.

  • Pro: We fixed the restore script for Linux systems to set correct permissions on restored log files.

  • PR 14334 - Fixed a bug in x86 Linux bind shell payloads where the initial socket was not properly being closed.

  • PR 14444 - Fixed a couple of missing methods in the remote data services for adding/deleting routes.

  • PR 14448 - Fixed a bug where Railgun datatypes were not entirely accurate.

  • PR 14467 - Fixed the exploits/windows/nimsoft/nimcontroller_bof module to add a missing check for cases where the server disconnects during execution of the check method, which can leave the response object empty or nil. The check method now reports CheckCode::Unknown in these instances to let the user know that it was not possible to determine whether the target is exploitable because the server disconnected during the check.

  • PR 14470 - Updated the exploits/windows/http/sharepoint_ssi_viewstate exploit module for CVE-2020-16952 to include a server-side tag to load a component that is necessary in certain configurations for the SSI to be triggered.

  • PR 14475 - Fixed a bug where the EICAR canary would be checked too late to be useful.

  • PR 14477 - Fixed a bug when importing some XML files into the database while using a direct database connection.

  • PR 14499 - Fixed a recently-introduced regression which stopped msfdb init from successfully completing.

  • PR 14500 - Fixed a definition used by Meterpreter's Railgun which was causing a bug when fetching the version of files on disk.

  • PR 14515 - Fixed an issue with both cmd/unix/reverse_awk and cmd/unix/bind_awk payloads which were not correctly terminating after a session was closed. This was causing endless session creations and high CPU consumption on the target.

  • PR 14517 - Fixed stderr capture and sending in the osx/x64/shell_reverse_tcp payload. Also moved payload generation for osx/x64/shell_reverse_tcp to Metasm.

  • PR 14525 - Fixed a regression introduced in Metasploit 6.0.22 which stopped Windows consoles from starting.

  • PR 14530 - Fixed a failing test on macOS caused by IPv6 vs IPv4 result precedence.

  • PR 14532 - Fixed a NoMethodError exception caused by the Msf::Post::Common mixin not being included in post/android/capture/screen.

  • PR 14589 - Fixed a regression issue with the Android Meterpreter's download command. It is now possible to download files again.

  • PR 14605 - Fixed an issue where the VHOST option was not being correctly populated when the RHOST option was a domain name.

  • PR 14613 - Fixed a regression error with modules depending on NTLM, such as cve_2019_0708_bluekeep.

  • PR 14614 - Fixed a bug within the module for CVE-2020-17136 where a relative path was used instead of an absolute path when attempting to load the C# exploit exe. The code has been replaced with a call to File.expand_path() to allow the module to dynamically determine the full path to this file, allowing users to use the module regardless of which directory they are in when running msfconsole.
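The pattern behind the PR 14467 fix above, as an added illustration rather than Metasploit's own code: a check routine that treats a nil or empty response as "cannot decide" instead of raising. CheckResult is a hypothetical stand-in for Msf::Exploit::CheckCode, Response is a constructed stand-in for the response object a check method receives, and the "v1.0" marker is a constructed sample value.

```ruby
# Hypothetical stand-in for Msf::Exploit::CheckCode (not the framework's class).
module CheckResult
  UNKNOWN    = :unknown     # could not determine (e.g. server disconnected)
  SAFE       = :safe        # target responded and does not look vulnerable
  VULNERABLE = :vulnerable  # target responded with the vulnerable marker
end

# Constructed stand-in for the response object returned by a network request;
# a disconnect typically yields nil or a response with an empty body.
Response = Struct.new(:body)

# Guarded check: returns a CheckResult symbol and never raises on nil/empty input.
def check_target(response, vulnerable_marker)
  return CheckResult::UNKNOWN if response.nil?
  body = response.body
  return CheckResult::UNKNOWN if body.nil? || body.empty?
  body.include?(vulnerable_marker) ? CheckResult::VULNERABLE : CheckResult::SAFE
end

# Pre-fix shape for comparison: calling .body on nil raises NoMethodError,
# which surfaces to the user as a crash instead of an Unknown result.
def check_target_unguarded(response, vulnerable_marker)
  response.body.include?(vulnerable_marker) ? CheckResult::VULNERABLE : CheckResult::SAFE
end
```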

Modules

  • PR 14046 - New module exploits/windows/local/bits_ntlm_token_impersonation provides an exploit to leverage a behavior of the BITS service, which connects to the local Windows Remote Management server (WinRM) at startup. This module launches a fake WinRM server and enables an attacker to elevate privileges to the SYSTEM user.

  • PR 14330 - New module exploits/freebsd/webapp/spamtitan_unauth_rce exploits improper input sanitization in SpamTitan Gateway versions 7.01, 7.02, 7.03 and 7.07 to inject command directives into the SNMP configuration file and achieve remote code execution as root. Note that only version 7.03 requires authentication; no authentication is required for versions 7.01, 7.02 and 7.07.

  • PR 14339 - New module exploits/windows/http/flexdotnetcms_upload_exec adds an exploit for FlexDotNetCMS versions 1.5.8 and prior. This module exploits an authenticated file upload vulnerability where a valid user can upload a malicious file with an incorrect extension, rename it with the proper extension, and get code execution as the user running the server on the target.

  • PR 14368 - New module exploits/linux/http/pulse_secure_gzip_rce adds an exploit for an authenticated vulnerability within the Pulse Connect Secure appliance identified as CVE-2020-8260. The vulnerability is related to the mishandling of a compressed file that when uploaded to the server allows a CGI script to be modified which leads to code execution as root.

  • PR 14418 - New module auxiliary/scanner/http/wp_email_sub_news_sqli adds an exploit for CVE-2019-20361, a SQL injection in the Email Subscribers & Newsletters WordPress plugin. The vulnerability can be leveraged to leak usernames and their password hashes.

  • PR 14422 - New module exploits/multi/http/gitlab_file_read_rce adds an exploit which leverages both a file read vulnerability and a deserialization vulnerability to gain authenticated code execution against various versions of GitLab Community Edition and GitLab Enterprise Edition.

  • PR 14429 - New module auxiliary/gather/shodan_host has been added, allowing users with a Shodan account to enumerate which ports are publicly accessible on a host or set of hosts using Shodan's API.

  • PR 14435 - New module exploits/windows/local/cve_2020_1054_drawiconex_lpe adds a new local exploit which leverages a local privilege escalation vulnerability identified as CVE-2020-1054 and targeting Windows 7 x64 SP1 (fully patched until Microsoft stopped supporting it). This vulnerability is related to an out-of-bounds write in Win32k, which leads to an elevated session as the SYSTEM user.

  • PR 14446 - New module exploits/solaris/ssh/pam_username_bof adds an exploit for a vulnerability (identified as CVE-2020-14871) with the parse_user_name() function of the PAM module that is used by the Solaris SunSSH service. This allows an unauthenticated user to achieve remote code execution as root.

  • PR 14466 - New module exploits/linux/misc/aerospike_database_udf_cmd_exec adds an exploit for Aerospike database versions prior to 5.1.0.3. Vulnerable versions of Aerospike allow users to create user-defined functions (UDFs), which permit the usage of the os.execute() and io.popen() Lua functions. This module creates and registers a UDF that leverages os.execute() to achieve unauthenticated code execution as the user running the Aerospike service.

  • PR 14474 - New auxiliary module auxiliary/scanner/http/wp_easy_wp_smtp leverages a permissions-related vulnerability in the "Easy WP SMTP" plugin whereby, under certain configurations, a password reset token can be acquired and used to access a target account.

  • PR 14497 - New auxiliary module auxiliary/scanner/http/wp_duplicator_file_read exploits an unauthenticated arbitrary file read in vulnerable versions of the WordPress plugin "Duplicator".

  • PR 14521 - New module exploits/multi/http/struts2_multi_eval_ognl supports exploiting Apache Struts Framework vulnerabilities CVE-2019-0230 and CVE-2020-17530, which are both issues resulting in Struts2 evaluating OGNL expressions multiple times. Successful exploitation results in unauthenticated remote attackers gaining RCE as the root user.

  • PR 14566 - Removed the auxiliary/server/socks4a and auxiliary/server/socks5 modules from Metasploit. Their functionality is now combined into a single module, auxiliary/server/socks_proxy, to prevent code duplication.

  • PR 14568 - New auxiliary module auxiliary/scanner/http/wp_total_upkeep_downloader collects user creds, server info, and backup files from WordPress via a vulnerability in the Total Upkeep plugin versions below 1.14.10.

  • PR 14572 - New module exploits/multi/http/wp_ait_csv_rce adds an exploit for various versions of the AIT CSV Import / Export plugin for WordPress. For plugin versions below v3.0.4, this module exploits an unauthenticated file upload vulnerability to gain code execution against WordPress installations.

  • PR 14582 - New post module post/windows/manage/vss consolidates and improves existing VSS modules into one new single module with multiple actions. This also adds the possibility to run post module actions as commands.

  • PR 14585 - New module exploits/windows/local/cve_2020_17136 adds in support for exploiting CVE-2020-17136, an arbitrary file write vulnerability within cldflt.sys. The result yields local code execution as the Network Service account which is suitable for escalating to SYSTEM via documented techniques.
