Improved
Pro: We improved the host "Disclosed Vulnerabilities" view to include port and service information.
Pro: We improved supported options and available help in many of the Pro command line scripts.
Pro: We improved the backup script with new options for running completely unattended.
Pro: We improved the restore script to accept a command line option specifying the backup file to restore.
PR 13234 - Added a new Metasploit plugin which can import reports from beSECURE's API and use that information to launch exploits against imported targets.
PR 14202 - Updated Metasploit to only load core library files when they are explicitly required. Previously, all core library files would be loaded eagerly on console start up. This initial work will reduce console start up time by around 0.5 seconds. Future releases will build upon this initial effort of lazily loading internal library files to further improve both the console and msfvenom's startup performance.
PR 14401 - Added Windows target support to the exploit/multi/misc/consul_service_exec module.
PR 14409 - Updated the Service Permissions local exploit module to add a new registry-based technique that can notably be used to escalate privileges on fully patched Windows 7 and Server 2008 systems.
PR 14410 - Added synchronization to the DLL payload template so that even if a target machine loads the DLL multiple times, only one session is created on the host. Previously a single exploit could yield several shells, and the resulting excess activity could easily reduce the stealth of the attack.
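The guard such a template needs, shown here as an added illustration that is not Metasploit's own DLL template code: a system-wide named lock is claimed before the payload thread is started, so whichever loader claims it first gets the session and every later load of the same DLL bails out. On Windows the natural primitive is a named mutex checked with ERROR_ALREADY_EXISTS; the POSIX branch substitutes an exclusive lock file so the same logic compiles and runs on any platform (an assumption for portability, not how the real template works). The guard name and the helper names are hypothetical.

```c
/* Added example: "first loader wins" guard for a DLL payload.
 * Illustrative code, not Metasploit's template.  The Windows branch uses a
 * named mutex; the POSIX branch uses an exclusive lock file as an analog. */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>
#endif

/* Returns 1 if this caller is the first to claim `name` and should start the
 * payload, 0 if another loader already holds it, -1 on error. */
int claim_single_session(const char *name)
{
#ifdef _WIN32
    HANDLE h = CreateMutexA(NULL, FALSE, name);
    if (h == NULL)
        return -1;
    if (GetLastError() == ERROR_ALREADY_EXISTS) {
        CloseHandle(h);
        return 0;
    }
    return 1; /* handle deliberately left open for the process lifetime */
#else
    char path[256];
    snprintf(path, sizeof path, "/tmp/%s.lock", name);
    int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd < 0)
        return errno == EEXIST ? 0 : -1;
    close(fd); /* the file's existence is the lock */
    return 1;
#endif
}

/* Releases the POSIX analog so re-runs start clean: 1 if a lock was removed,
 * 0 if there was none, -1 on error.  Windows releases the mutex on exit. */
int release_single_session(const char *name)
{
#ifdef _WIN32
    (void)name;
    return 0;
#else
    char path[256];
    snprintf(path, sizeof path, "/tmp/%s.lock", name);
    if (unlink(path) == 0)
        return 1;
    return errno == ENOENT ? 0 : -1;
#endif
}

/* Mirrors what each DllMain(DLL_PROCESS_ATTACH) would do: only the first
 * successful claim spawns the payload (counted here instead of spawned). */
static int sessions_started = 0;

int on_dll_attach(const char *guard_name)
{
    int r = claim_single_session(guard_name);
    if (r == 1)
        sessions_started++; /* the template would start the payload thread here */
    return r;
}

int main(void)
{
    const char *g = "msf_example_guard"; /* hypothetical guard name */
    release_single_session(g);           /* clear a stale lock from an aborted run */
    printf("first attach:  %d\n", on_dll_attach(g));  /* 1: payload started */
    printf("second attach: %d\n", on_dll_attach(g));  /* 0: already held */
    printf("sessions started: %d\n", sessions_started); /* 1 */
    release_single_session(g);
    return 0;
}
```

The claim is deliberately taken before any network activity, so a second load never even connects back; a real template would also keep the mutex handle open until process exit so the guard lives exactly as long as the session does.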
PR 14423 - Updated the WordPress Scanner module to also identify common themes and plugins.
PR 14431 - Added a configuration option to the console and the RPC service for specifying the Metasploit log sink to use.
PR 14458 - Updated the AutoCheck mixin to support auxiliary modules. Previously, the AutoCheck mixin would only run successfully with Metasploit's exploit modules. Auxiliary modules can now automatically check whether a target is vulnerable using the module's check method before attempting any actions against that target.
PR 14463 - Added the SyncAppvPublishingServer target to the web_delivery module. This technique works on Windows 10 builds <= 1709.
PR 14472 - Replaced the hard-coded port in the final_cookie of lib/msf/core/auxiliary/epmp with the user-configurable rport.
PR 14476 - Improved session OS identification for SSH connections to Windows targets that use Cygwin to provide SSH services.
PR 14478 - Enhanced the check in exploit/multi/http/weblogic_admin_handle_rce, specifically for CVE-2020-14882.
PR 14479 - Enhanced the check in exploit/linux/http/saltstack_salt_api_cmd_exec, specifically for CVE-2020-25592.
PR 14482 - Updated the Druva inSync Privilege Escalation module to use CVE-2020-5752 path traversal bypass for CVE-2019-3999. The vulnerability is related to improper validation of user-supplied program paths in RPC type 5 messages and allows execution of arbitrary commands as SYSTEM.
PR 14509 - Added a Java target to the Apache Solr RCE exploit module. This makes it platform independent, as long as the target system is able to make HTTP requests back to the attacker host. This also fixes quoting issues with several payloads by putting the command in a parameter instead of directly in the template.
PR 14522 - Replaced the hardcoded default Shiro encryption key within the shiro_rememberme_v124_deserialize module with a new datastore option named ENC_KEY, which allows users to specify the key used to encrypt the rememberMe cookie. This in turn allows the module to target more recent versions, provided the user knows the right encryption key value.
PR 14528 - Updated the descriptions of Windows Meterpreter payloads to clarify that only Windows XP SP2 or newer targets are supported.
PR 14538 - Improved Metasploit's XML importer to throw a more descriptive error message when importing data whose response body is not appropriately Base64 encoded.
PR 14562 - Improved the readability of Meterpreter error messages by replacing the command ID with the command name.
PR 14600 - Reorganized the FileSystem mixin and added a number of function aliases to assist developers using the module. New YARD documentation has also been added to better explain the functionality of several of the FileSystem mixin's functions and when to use them.
PR 14606 - Added a new banner commemorating all of the teams that participated in the Q4 2020 CTF.
Fixed
Pro: We fixed an issue when checking for available Pro updates on Windows where an error modal might appear.
Pro: We fixed an issue where task logs for some actions were not displayed correctly.
Pro: We fixed instances where icons for "next page" and "previous page" were missing in the UI.
Pro: We fixed session OS identification so that Cygwin shells are correctly identified as Windows machines.
Pro: We fixed the restore script for Linux systems to set correct permissions on restored log files.
PR 14334 - Fixed a bug in x86 Linux bind shell payloads where the initial socket was not properly being closed.
PR 14444 - Fixed a couple of missing methods in the remote data services for adding/deleting routes.
PR 14448 - Fixed a bug where Railgun datatypes were not entirely accurate.
PR 14467 - Fixed the exploits/windows/nimsoft/nimcontroller_bof module to handle cases where the server disconnects during the check method, leaving the response object empty or nil. The check method now returns CheckCode::Unknown in these instances, letting the user know that it could not be determined whether the target is exploitable because the server disconnected during the check.
PR 14470 - Updated the exploits/windows/http/sharepoint_ssi_viewstate exploit module for CVE-2020-16952 to include a server-side tag that loads a component which, in certain configurations, is necessary for the SSI to be triggered.
PR 14475 - Fixed a bug where the EICAR canary was checked too late to be useful.
PR 14477 - Fixed a bug when importing some XML files into the database while using a direct database connection.
PR 14499 - Fixed a recently-introduced regression which stopped msfdb init from completing successfully.
PR 14500 - Fixed a definition used by Meterpreter's Railgun which was causing a bug when fetching the version of files on disk.
PR 14515 - Fixed an issue with both the cmd/unix/reverse_awk and cmd/unix/bind_awk payloads, which were not terminating correctly after a session was closed. This caused endless session creation and high CPU consumption on the target.
PR 14517 - Fixed stderr capture and sending in the osx/x64/shell_reverse_tcp payload. Payload generation for osx/x64/shell_reverse_tcp was also moved to Metasm.
PR 14525 - Fixed a regression introduced in Metasploit 6.0.22 which stopped Windows consoles from starting.
PR 14530 - Fixed a failing test on macOS caused by IPv6 vs IPv4 result precedence.
PR 14532 - Fixed a NoMethodError exception caused by the Msf::Post::Common mixin not being included in post/android/capture/screen.
PR 14589 - Fixed a regression in the Android Meterpreter's download command. It is now possible to download files again.
PR 14605 - Fixed an issue where the VHOST option was not correctly populated when the RHOST option was a domain name.
PR 14613 - Fixed a regression affecting modules that depend on NTLM, such as cve_2019_0708_bluekeep.
PR 14614 - Fixed a bug in the module for CVE-2020-17136 where a relative path was used instead of an absolute path when loading the C# exploit executable. The code now calls File.expand_path() to determine the full path to this file dynamically, so the module works regardless of the directory from which msfconsole was started.
Modules
PR 14046 - New module exploits/windows/local/bits_ntlm_token_impersonation leverages a behavior of the BITS service, which connects to the local Windows Remote Management (WinRM) server at startup. The module launches a fake WinRM server and enables an attacker to elevate privileges to SYSTEM.
PR 14330 - New module exploits/freebsd/webapp/spamtitan_unauth_rce exploits improper input sanitization in SpamTitan Gateway versions 7.01, 7.02, 7.03 and 7.07 to inject command directives into the SNMP configuration file and achieve remote code execution as root. Note that only version 7.03 requires authentication; versions 7.01, 7.02 and 7.07 require none.
PR 14339 - New module exploits/windows/http/flexdotnetcms_upload_exec adds an exploit for FlexDotNetCMS versions 1.5.8 and prior. This module exploits an authenticated file upload vulnerability where a valid user can upload a malicious file with an incorrect extension, rename it to the proper extension, and gain code execution as the user running the server on the target.
PR 14368 - New module exploits/linux/http/pulse_secure_gzip_rce adds an exploit for an authenticated vulnerability in the Pulse Connect Secure appliance, identified as CVE-2020-8260. The vulnerability stems from the mishandling of a compressed file that, when uploaded to the server, allows a CGI script to be modified, leading to code execution as root.
PR 14418 - New module auxiliary/scanner/http/wp_email_sub_news_sqli adds an exploit for CVE-2019-20361, a SQL injection in the Email Subscribers & Newsletters WordPress plugin. The vulnerability can be leveraged to leak usernames and their password hashes.
PR 14422 - New module exploits/multi/http/gitlab_file_read_rce chains a file read vulnerability and a deserialization vulnerability to gain authenticated code execution against various versions of GitLab Community Edition and GitLab Enterprise Edition.
PR 14429 - New module auxiliary/gather/shodan_host allows users with a Shodan account to enumerate which ports are publicly accessible on a host or set of hosts using Shodan's API.
PR 14435 - New module exploits/windows/local/cve_2020_1054_drawiconex_lpe adds a local privilege escalation exploit for CVE-2020-1054, targeting Windows 7 x64 SP1 (fully patched until Microsoft ended support). The vulnerability is an out-of-bounds write in Win32k and yields an elevated session as SYSTEM.
PR 14446 - New module exploits/solaris/ssh/pam_username_bof adds an exploit for CVE-2020-14871, a vulnerability in the parse_user_name() function of the PAM module used by the Solaris SunSSH service. It allows an unauthenticated user to achieve remote code execution as root.
PR 14466 - New module exploits/linux/misc/aerospike_database_udf_cmd_exec adds an exploit for Aerospike database versions prior to 5.1.0.3. Vulnerable versions allow users to create user-defined functions (UDFs) that may call the os.execute() and io.popen() Lua functions. This module creates and registers a UDF that uses os.execute() to achieve unauthenticated code execution as the user running the Aerospike service.
PR 14474 - New auxiliary module auxiliary/scanner/http/wp_easy_wp_smtp leverages a permissions-related vulnerability in the "Easy WP SMTP" plugin whereby, under certain configurations, a password reset token can be acquired and used to access a target account.
PR 14497 - New auxiliary module auxiliary/scanner/http/wp_duplicator_file_read exploits an unauthenticated arbitrary file read in vulnerable versions of the WordPress plugin "Duplicator".
PR 14521 - New module exploits/multi/http/struts2_multi_eval_ognl supports exploiting the Apache Struts vulnerabilities CVE-2019-0230 and CVE-2020-17530, both of which result from Struts 2 evaluating OGNL expressions multiple times. Successful exploitation gives unauthenticated remote attackers RCE as the root user.
PR 14566 - Removed the auxiliary/server/socks4a and auxiliary/server/socks5 modules from Metasploit. Their functionality is now combined into a single module, auxiliary/server/socks_proxy, to prevent code duplication.
PR 14568 - New auxiliary module auxiliary/scanner/http/wp_total_upkeep_downloader collects user credentials, server information, and backup files from WordPress via a vulnerability in Total Upkeep plugin versions below 1.14.10.
PR 14572 - New module exploits/multi/http/wp_ait_csv_rce adds an exploit for various versions of the AIT CSV Import / Export plugin for WordPress. For plugin versions below v3.0.4, this module exploits an unauthenticated file upload vulnerability to gain code execution against WordPress installations.
PR 14582 - New post module post/windows/manage/vss consolidates and improves the existing VSS modules into one module with multiple actions. This also adds the ability to run post module actions as commands.
PR 14585 - New module exploits/windows/local/cve_2020_17136 adds support for exploiting CVE-2020-17136, an arbitrary file write vulnerability in cldflt.sys. Exploitation yields local code execution as the Network Service account, which is suitable for escalating to SYSTEM via documented techniques.