4.19.0 - Mar 17, 2021

Improved

Customer Requested
  • Pro: We added a timeout message to bruteforce tasks. Tasks that hit a timeout will now clearly tell the user instead of stopping without explanation.
  • Pro: We added the ability for administrative users to download backups via the UI in the Backup section of Global Settings.

  • Pro: We improved handler cleanup to address an identified issue where exploit runs could potentially hold ports open after project task completion.

  • PR 14201 - Added a new msfconsole command, favorite, which allows users to easily save favorite / commonly-used modules for quick retrieval later.

  • PR 14617 - Updated the core Meterpreter and console libraries to better handle cases where a given implementation of Meterpreter may not support a certain command. Now, instead of each version of Meterpreter trying to handle invalid commands, which previously led to errors, a check is made to verify that the command is one the Meterpreter supports, with an error message provided if not. Additionally, the output from running the help or ? command inside the meterpreter prompt has been updated to only display the commands which a given Meterpreter implementation supports. Tests have also been updated accordingly to check that this functionality works as expected.

  • PR 14661 - Updated the linux/x86/exec payload to now use metasm, making the source code more readable, and added a new, larger NULL-byte-free variant.

  • PR 14670 - Updated Rex tables to have word wrapping enabled by default for all Rex tables (except for those output by the creds and search commands). This feature can optionally be turned off by issuing the features set wrapped_tables false command.

  • PR 14732 - Added a new Java deserialization mixin and updated existing Java deserialization exploit modules to use this new mixin. Additionally fixed both the generation of the ysoserial payloads and the payloads themselves with improvements to the generation script, find_ysoserial_offsets.rb, and pinning the ysoserial version that's used in the generation process.

  • PR 14733 - Added the latest rubocop rules.

  • PR 14735 - Updated the contribution workflow to require all new modules to now pass RuboCop and msftidy.rb checks prior to being merged into the framework. These checks will now be run automatically on PRs to detect issues rather than users having to run these tools manually to detect code quality issues within their contributions.

  • PR 14740 - Improved the CVE-2021-3156 (a.k.a. Baron Samedit) module with a couple of features that were left out of the first submission due to time constraints (e.g. cleanup and randomisation of the payload library). Also added a target for Ubuntu 19.04.

  • PR 14747 - Updated the linux/http/saltstack_salt_api_cmd_exec module to correctly show failure messages to the user under error scenarios.

  • PR 14756 - Updated msftidy to warn when a module is missing its Notes metadata.

  • PR 14757 - Improved the exploits/linux/http/nagios_xi_magpie_debug module to automatically check if the target is vulnerable, as well as improved error handling and documentation. Additionally, the module has been updated so that it supports older versions of Nagios by adding additional writable paths that the exploit can use, and a fallback mechanism has been implemented to gain a shell as apache if the privilege elevation attempt fails.

  • PR 14762 - Updated Rubocop's ExtraSpacing rules to be ignored on BinData objects.

  • PR 14783 - Updated the KarjaSoft Sami FTP Server v2.0.2 USER Overflow module, including documentation, RuboCop updates, support for the AutoCheck mixin to automatically check if a target is vulnerable, an updated list of authors, as well as improvements to its exploit strategy that allow it to use only one offset within a DLL shipped with the target for exploitation (instead of relying on a Windows OS DLL whose offsets could change as the OS was updated).

  • PR 14794 - Improved the exploits/windows/http/dup_scout_enterprise_login_bof module to add: support for v9.9.14 of Dup Scout Enterprise, additional Notes which may help pentesters determine the potential side effects of the exploit, support for the AutoCheck mixin to allow users to automatically check if a target is vulnerable prior to exploiting it, support for automatic targeting whereby the exploit will automatically determine the version of the target and will adjust the exploit accordingly if it is vulnerable, and compliance with new RuboCop standards.

  • PR 14838 - Updated the psexec_ms17_010.rb library to support additional fingerprinting of Windows Storage Server 2008 R2 targets as potentially exploitable targets, thereby allowing users to exploit Windows Storage Server 2008 R2 targets vulnerable to MS17-010.

  • PR 14877 - Updated the post/multi/gather/firefox_creds module to support gathering profiles from newer versions of Firefox which now use the default profile name of .default-release vs. the old name of .default.

  • PR 14882 - Improved lib/msf/core/exploit/remote/http/wordpress/users.rb to support valid username identification and login identification for newer versions of WordPress up-to-and-including 5.7.

Fixed

Customer Requested
  • Pro: We fixed an issue where checking for software updates may result in an error.
  • PR 14602 - Improved length detection for Time Based MySQLi injections and expanded support for empty strings to hex_encode_strings.

  • PR 14738 - Fixed multi/manage/shell_to_meterpreter on macOS by using Python reflection to upgrade a shell session on macOS to a Meterpreter session, in memory, without dropping a file to disk.

  • PR 14748 - Fixed a bug in Auxiliary::AuthBrute that caused a crash when the DB_ALL_USERS or DB_ALL_PASS options were set.

  • PR 14751 - Fixed a bug within the msftidy.rb developer tool whereby a typo was preventing several checks from being run against exploit modules to ensure they conformed to standards. Also corrected some module grammar issues which were raised as a result of this fix.

  • PR 14758 - Fixed the platform check in Meterpreter stdapi screenshot command to ensure the Java Meterpreter can take screenshots on Windows platforms and also prevent unnecessarily uploading the screenshot DLL when using the screenshot command on non-native Windows sessions.

  • PR 14784 - Fixed a bug in the ScadaBR credential dumping module that prevented it from processing response data.

  • PR 14789 - Fixed a bug where Meterpreter sessions were incorrectly being validated due to the fact that TLV encryption for the session would take place before session verification. The fix now considers Meterpreter sessions valid if they successfully negotiate TLV encryption. This fix also removes the AutoVerifySession datastore option since all valid Meterpreter instances should negotiate TLV encryption automatically.

  • PR 14792 - Fixed 11 modules targeting Windows systems that were improperly checking the environment architecture which led to broken WOW64 detection in some cases.

  • PR 14802 - Fixed a bug involving the Kiwi library where commands passed to Kiwi via the kiwi_cmd command in Metasploit were not properly enclosed in double quotes, which could lead to Kiwi thinking the user had passed it separate commands to execute rather than one space-separated command.

  • PR 14812 - Restored a missing require statement for SOCKS5 proxy support.

  • PR 14816 - Fixed loading of the Faker library to ensure it is correctly loaded by all modules which use it when generating fake data for bypassing WAF etc.

  • PR 14821 - Fixed the search command within Meterpreter to properly support searches that start at the root directory, aka /. These types of searches were previously not returning any results due to a logic bug within the code, which has now been fixed.

  • PR 14824 - Fixed an issue with the auxiliary/scanner/http/http_traversal scanner to avoid a NULL pointer crash when a server's response body is empty. Also fixed another bug whereby empty files would be created if the server responded with a 404 response code but the body of the response was empty.

  • PR 14840 - Removed an extraneous require rex/ui statement that prevented successful execution of msfrpc.

  • PR 14843 - Fixed issues with PseudoShell not being picked up correctly, which led to missing dependency errors.

  • PR 14853 - Fixed an edge case with macOS when upgrading from an older version of Metasploit to Metasploit 6.0.32 via the macOS Metasploit Omnibus installer directly (or indirectly via brew).

  • PR 14856 - Fixed an issue in the two modules targeting CVE-2010-4221 where the ProFTPD version number without a letter suffix was being incorrectly identified as not vulnerable.

  • PR 14863 - Fixed db_import functionality whilst connected to the remote data service.

  • PR 14871 - Fixed loading of the BinData library to ensure it is always available for use within modules.

  • PR 14874 - Fixed autoloading when utilizing Msf::RPC::Client in external tooling.

  • PR 14887 - Fixed a previous feature, which improved the readability of Meterpreter error messages by replacing the command ID with the command name, so that it now works with older versions of Ruby.

  • PR 14888 - Fixed two Unicode-related bugs that prevented recursively downloading files or folders containing UTF-8 characters, or otherwise opening or interacting with these files, via Meterpreter. This has now been addressed for common commands such as edit, download and cd.

  • PR 14897 - Corrected a few instances where module documentation was not using the correct naming convention, preventing the documentation from being accessible.

  • PR 14899 - Fixed loading of the REXML library to ensure it is always available for usage within modules.

  • PR 14905 - Fixed an issue where exploit exceptions other than Interrupt could skip proper clean-up.

Modules

  • PR 14067 - New module auxiliary/sqli/dlink/dlink_central_wifimanager_sqli utilizes CVE-2019-13375 to dump database information or insert additional users into D-Link Central WiFi Manager CWM(100) versions prior to v1.03R0100_BETA6. This module takes advantage of the updated SQLi library in Framework for PostgreSQL targets.

  • PR 14518 - New module auxiliary/gather/fortios_vpnssl_traversal_creds_leak leverages a directory traversal vulnerability (CVE-2018-13379) in the SSL VPN web portal of FortiOS 5.4.6 to 5.4.12, FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 to grab the /dev/cmdb/sslvpn_websession file, which contains the plaintext list of currently connected usernames and their associated passwords. These credentials can then be saved to the creds database for use in future attacks.

  • PR 14544 - New module auxiliary/scanner/http/rdp_web_login leverages timing behavior of the web RDP authentication process to determine valid users.

  • PR 14576 - New module auxiliary/scanner/http/wp_chopslider_id_sqli exploits a SQL injection vulnerability in the iDangero.us ChopSlider 3 WordPress plugin version 3.4 and prior, allowing dumping of usernames and password hashes from the WordPress database without any authentication. This vulnerability is identified as CVE-2020-11530.

  • PR 14648 - New evasion module evasion/windows/process_herpaderping applies the Process Herpaderping evasion technique for Windows payloads.

  • PR 14730 - New module exploits/windows/local/microfocus_operations_privesc achieves privilege escalation, assuming the target is running a vulnerable version of OBM and the user already has a session on said machine which supports PowerShell. This module writes a payload to a specific folder, then sends a request to the OBM process via the loopback address to trigger payload execution.

  • PR 14744 - New module exploits/linux/http/klog_server_authenticate_user_unauth_command_injection targets an unauthenticated command injection vulnerability in Klog Server versions 2.4.1 and prior. A POST request to authenticate.php can result in code execution on the target due to improper sanitization of the user parameter, which gets passed to the shell_exec() function. Additionally, Klog Server's configuration allows the apache user to execute sudo without supplying a password, so this exploit ultimately achieves code execution with root privileges.

  • PR 14766 - New module auxiliary/scanner/http/apache_flink_jobmanager_traversal leverages the directory traversal vulnerability identified as CVE-2020-17519 within Apache Flink to recover files from the affected server. This vulnerability does not require authentication.

  • PR 14771 - New module exploits/multi/http/apache_flink_jar_upload_exec leverages Apache Flink job functionality to upload and run an arbitrary JAR file.

  • PR 14809 - New module exploits/multi/http/vmware_vcenter_uploadova_rce leverages an unauthenticated OVA file upload and path traversal in VMware vCenter Server to achieve unauthenticated RCE against vulnerable targets (CVE-2021-21972).

  • PR 14846 - New module exploits/windows/http/hpe_sim_76_amf_deserialization targets the 7.6.x versions of HPE Systems Insight Manager software, gaining unauthenticated code execution as the user running the HPE SIM software (typically local administrator) by sending a serialized AMF request to the /simsearch/messagebroker/amfsecure page.

  • PR 14847 - New module exploits/windows/smb/smb_rras_erraticgopher leverages an overflow in Routing and Remote Access Service (RRAS) on Windows Server 2003 (identified as CVE-2017-8461), achieving execution of arbitrary commands with SYSTEM user privileges.
