Improved
- Pro: We added a timeout message to bruteforce tasks. Tasks that hit a timeout will now clearly tell the user instead of stopping without explanation.
- Pro: We added the ability for administrative users to download backups via the UI in the Backup section of Global Settings.
- Pro: We improved handler cleanup to address an identified issue where exploit runs could hold ports open after project task completion.
- PR 14201 - Added a new `msfconsole` command, `favorite`, which allows users to save favorite or commonly used modules for quick retrieval later.
- PR 14617 - Updated the core Meterpreter and console libraries to better handle cases where a given Meterpreter implementation does not support a certain command. Previously each Meterpreter implementation had to handle invalid commands itself, which led to errors; now the console checks that the command is one the connected Meterpreter supports and prints an error message if it is not. Additionally, the output of the `help` or `?` command inside the `meterpreter` prompt now lists only the commands the connected Meterpreter implementation supports. Tests have been updated to cover this behaviour.
- PR 14661 - Updated the `linux/x86/exec` payload to use metasm, making the source more readable, and added a new, larger NULL-byte-free variant.
- PR 14670 - Updated Rex tables to enable word wrapping by default for all Rex tables (except those output by the `creds` and `search` commands). This can be turned off with `features set wrapped_tables false`.
- PR 14732 - Added a new Java deserialization mixin and updated the existing Java deserialization exploit modules to use it. Additionally fixed both the generation of the `ysoserial` payloads and the payloads themselves, with improvements to the generation script `find_ysoserial_offsets.rb` and pinning of the `ysoserial` version used in the generation process.
- PR 14733 - Added the latest RuboCop rules.
- PR 14735 - Updated the contribution workflow to require all new modules to pass RuboCop and `msftidy.rb` checks before being merged into the framework. These checks now run automatically on PRs, so contributors no longer have to run the tools manually to find code quality issues in their contributions.
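The capability check described under PR 14617 above, as an added example. This is not Metasploit's own code: it models the idea in plain Ruby, with the client holding the set of command IDs the connected Meterpreter advertised, refusing anything outside that set with a clear message before it is sent, and trimming `help` to the supported commands. The command names, IDs, `CommandDispatcher`, `FakeAgent` and the "agent" behaviour are all constructed for the illustration; the real client learns the supported set from the session over its own protocol.

```ruby
require 'set'

# Added example, not Metasploit's own code. The client keeps the command IDs the
# connected Meterpreter advertised and refuses, with a clear message, anything
# outside that set instead of sending the request and letting the agent fail.
# Names, IDs and the fake agent are constructed for this illustration.

# Every command this client knows how to drive, keyed by the name typed at the
# prompt. IDs are invented for the example.
CLIENT_COMMANDS = {
  'sysinfo'     => { id: 1001, help: 'Gets information about the remote system' },
  'getuid'      => { id: 1002, help: 'Get the user that the server is running as' },
  'screenshot'  => { id: 1003, help: 'Grab a screenshot of the interactive desktop' },
  'webcam_snap' => { id: 1004, help: 'Take a snapshot from the specified webcam' }
}.freeze

class UnsupportedCommand < StandardError; end

class CommandDispatcher
  # supported_ids: command IDs the remote Meterpreter reported it implements.
  # transport: anything responding to call(id, args) that talks to the agent.
  def initialize(supported_ids, transport)
    @supported = Set.new(supported_ids)
    @transport = transport
  end

  def supports?(name)
    cmd = CLIENT_COMMANDS[name]
    !cmd.nil? && @supported.include?(cmd[:id])
  end

  # The help listing for this session: only commands the agent can run.
  def help_lines
    CLIENT_COMMANDS.select { |name, _| supports?(name) }
                   .map { |name, cmd| format('%-12s %s', name, cmd[:help]) }
  end

  # Gate the command before anything is sent over the wire.
  def run(name, *args)
    cmd = CLIENT_COMMANDS[name]
    raise UnsupportedCommand, "Unknown command: #{name}" if cmd.nil?
    unless @supported.include?(cmd[:id])
      raise UnsupportedCommand,
            "The \"#{name}\" command is not supported by this Meterpreter type"
    end
    @transport.call(cmd[:id], args)
  end
end

# Constructed stand-in for an agent lacking webcam support. It records every
# ID it receives so a test can confirm unsupported IDs never reach it.
class FakeAgent
  attr_reader :received

  def initialize(implemented_ids)
    @implemented = Set.new(implemented_ids)
    @received = []
  end

  def call(id, _args)
    @received << id
    raise "agent received command #{id} it cannot handle" unless @implemented.include?(id)
    "ok:#{id}"
  end
end
```

The point of the design is that the rejection happens on the client, from a list the agent supplied once, so an agent that lacks a command never has to parse and reject a request it does not understand.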
- PR 14740 - Improved the CVE-2021-3156 (a.k.a. Baron Samedit) module with a couple of features left out of the first submission due to time constraints (e.g. cleanup and randomisation of the payload library). Also added a target for Ubuntu 19.04.
- PR 14747 - Updated the `linux/http/saltstack_salt_api_cmd_exec` module to correctly show failure messages to the user in error scenarios.
- PR 14756 - Updated `msftidy` to warn when a module is missing its `Notes` metadata.
- PR 14757 - Improved the `exploits/linux/http/nagios_xi_magpie_debug` module to automatically check whether the target is vulnerable, with better error handling and documentation. The module now also supports older Nagios XI versions by trying additional writable paths, and falls back to a shell as `apache` if the privilege escalation attempt fails.
- PR 14762 - Updated RuboCop's ExtraSpacing rules to be ignored on BinData objects.
- PR 14783 - Updated the KarjaSoft Sami FTP Server v2.0.2 USER Overflow module: documentation, RuboCop updates, support for the AutoCheck mixin to automatically check whether a target is vulnerable, an updated list of authors, and an improved exploit strategy that relies on a single offset within a DLL shipped with the target (instead of a Windows OS DLL whose offsets could change with OS updates).
- PR 14794 - Improved the `exploits/windows/http/dup_scout_enterprise_login_bof` module to add support for Dup Scout Enterprise v9.9.14, additional `Notes` to help pentesters judge the potential side effects of the exploit, support for the `AutoCheck` mixin so users can check whether a target is vulnerable before exploiting it, automatic targeting (the exploit determines the target version and adjusts accordingly if it is vulnerable), and compliance with the new RuboCop standards.
- PR 14838 - Updated the `psexec_ms17_010.rb` library to fingerprint Windows Storage Server 2008 R2 as a potentially exploitable target, allowing users to exploit Windows Storage Server 2008 R2 hosts vulnerable to MS17-010.
- PR 14877 - Updated the `post/multi/gather/firefox_creds` module to gather profiles from newer versions of Firefox, which use the default profile name `.default-release` instead of the old `.default`.
- PR 14882 - Improved `lib/msf/core/exploit/remote/http/wordpress/users.rb` to support valid username identification and login identification for newer versions of WordPress, up to and including 5.7.
Fixed
- Pro: We fixed an issue where checking for software updates may result in an error.
- PR 14602 - Improved length detection for time-based MySQLi injections and extended `hex_encode_strings` to handle empty strings.
- PR 14738 - Fixed `multi/manage/shell_to_meterpreter` on macOS by using Python reflection to upgrade a shell session to a Meterpreter session in memory, without dropping a file to disk.
- PR 14748 - Fixed a bug in `Auxiliary::AuthBrute` that caused a crash when the `DB_ALL_USERS` or `DB_ALL_PASS` options were set.
- PR 14751 - Fixed a bug in the `msftidy.rb` developer tool where a typo prevented several checks from being run against exploit modules to ensure they conform to standards. Also corrected some module grammar issues raised as a result of this fix.
- PR 14758 - Fixed the platform check in the Meterpreter stdapi `screenshot` command so that the Java Meterpreter can take screenshots on Windows, and so that the screenshot DLL is no longer uploaded unnecessarily when `screenshot` is used on non-native Windows sessions.
- PR 14784 - Fixed a bug in the ScadaBR credential dumping module that prevented it from processing response data.
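The two behaviours listed under PR 14602 above, as an added example that is not Metasploit's SQLi library code. The first half shows why an empty string needs special handling when literals are hex-encoded: MySQL accepts `0x61646d696e` in place of `'admin'`, but a bare `0x` is not a valid literal, so the empty string has to stay `''`. The second half is a time-based blind length detection that brackets `LENGTH(...)` by doubling and then bisects, so a 38-character result costs about a dozen requests rather than 38. The `TimingOracle`, `detect_length`, the fake server and its secret are constructed for this illustration; a real client would time an HTTP round-trip instead of receiving a simulated duration.

```ruby
# Added example, not Metasploit's SQLi library: the two behaviours PR 14602
# touches, exercised against a constructed oracle instead of a live database.

# Hex-encode a string literal so the injected statement needs no quote
# characters. MySQL accepts 0x61646d696e for 'admin', but a bare 0x is not a
# valid literal, so the empty string has to be emitted as '' instead.
def hex_encode_string(str)
  return "''" if str.empty?
  "0x#{str.unpack1('H*')}"
end

# Rewrite every single-quoted literal in a query fragment into its hex form.
def hex_encode_strings(sql)
  sql.gsub(/'((?:[^'\\]|\\.)*)'/) { hex_encode_string(Regexp.last_match(1)) }
end

# Time-based boolean oracle. send_request receives the injected expression and
# returns how long the request took in seconds (a real client would time the
# HTTP round-trip); an answer slower than the sleep we asked for means "true".
class TimingOracle
  def initialize(delay, &send_request)
    @delay = delay
    @send = send_request
  end

  def truthy?(bool_expr)
    elapsed = @send.call("IF(#{bool_expr},SLEEP(#{@delay}),0)")
    elapsed >= @delay
  end
end

# Find LENGTH(query) using only true/false answers. Double an upper bound
# until the length is bracketed, then bisect, so a result of length n costs
# about 2*log2(n) requests rather than n.
def detect_length(oracle, query, max_len: 65_535)
  longer_than = ->(n) { oracle.truthy?("LENGTH((#{query}))>#{n}") }
  return 0 unless longer_than.call(0)

  hi = 1
  hi *= 2 while hi < max_len && longer_than.call(hi)
  lo = hi / 2 + 1 # the previous bound was exceeded, so length > hi/2
  while lo < hi
    mid = (lo + hi) / 2
    if longer_than.call(mid)
      lo = mid + 1
    else
      hi = mid
    end
  end
  lo
end

# Constructed vulnerable "server": instead of running MySQL it evaluates the
# single injected comparison against a secret it holds and reports a simulated
# response time. The secret passed in is sample data, not a real credential.
def fake_server_for(secret)
  lambda do |payload|
    m = payload.match(/\AIF\(LENGTH\(\(.*\)\)>(\d+),SLEEP\(([\d.]+)\),0\)\z/)
    raise "unexpected payload: #{payload}" unless m
    secret.length > m[1].to_i ? m[2].to_f + 0.2 : 0.05
  end
end
```

Once the length is known, the same oracle can be pointed at `ASCII(SUBSTRING(...))` per position; the doubling step matters because a blind oracle that probes lengths linearly spends one slow request per candidate length.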
- PR 14789 - Fixed a bug where Meterpreter sessions were incorrectly validated because TLV encryption was negotiated before session verification. Meterpreter sessions are now considered valid once they successfully negotiate TLV encryption. The `AutoVerifySession` datastore option has been removed, since all valid Meterpreter instances negotiate TLV encryption automatically.
- PR 14792 - Fixed 11 modules targeting Windows systems that checked the environment architecture incorrectly, which broke WOW64 detection in some cases.
- PR 14802 - Fixed a bug in the Kiwi library where commands passed via the `kiwi_cmd` command were not enclosed in double quotes, so Kiwi could interpret a single space-separated command as several separate commands.
- PR 14812 - Restored a missing `require` statement for SOCKS5 proxy support.
- PR 14816 - Fixed loading of the `Faker` library so that it is correctly loaded by all modules that use it to generate fake data (for example, when bypassing a WAF).
- PR 14821 - Fixed the `search` command within Meterpreter to properly support searches starting at the root directory, `/`. Such searches previously returned no results because of a logic bug.
- PR 14824 - Fixed the `auxiliary/scanner/http/http_traversal` scanner to avoid a nil-dereference crash when a server's response body is empty. Also fixed a bug where empty files were created when the server responded with a 404 status code and an empty body.
- PR 14840 - Removed an extraneous `require rex/ui` statement that prevented `msfrpc` from running.
- PR 14843 - Fixed issues with PseudoShell not being picked up correctly, which led to missing-dependency errors.
- PR 14853 - Fixed an edge case on macOS when upgrading from an older version of Metasploit to Metasploit 6.0.32 via the macOS Metasploit Omnibus installer, directly or indirectly via `brew`.
- PR 14856 - Fixed an issue in the two modules targeting CVE-2010-4221 where a ProFTPD version number without a letter suffix was incorrectly identified as not vulnerable.
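The class of bug fixed in PR 14856 above, as an added example that is not the modules' own code. ProFTPD releases sort as `1.3.3rc4 < 1.3.3 < 1.3.3a < 1.3.3b < 1.3.3c`, so a version parser must treat a missing suffix as "the final release", above the release candidates and below the lettered maintenance builds; a pattern that requires a trailing letter will either fail to match a plain `1.3.3` banner or drop the version entirely and report the target as not vulnerable. The affected range used here, 1.3.2rc3 up to and including 1.3.3b with 1.3.3c carrying the fix, is the range the CVE-2010-4221 modules describe. `ProftpdVersion`, `version_from_banner`, the banner format and the check's return symbols are constructed for the illustration.

```ruby
# Added example, not the modules' own code: a ProFTPD version parser whose
# ordering handles the optional suffix correctly, and a banner-based check for
# the CVE-2010-4221 range (1.3.2rc3 through 1.3.3b; fixed in 1.3.3c).
ProftpdVersion = Struct.new(:major, :minor, :patch, :suffix) do
  include Comparable

  # "1.3.2rc3" / "1.3.3" / "1.3.3b" -> instance; nil for anything else.
  def self.parse(str)
    m = str.match(/\A(\d+)\.(\d+)\.(\d+)(rc\d+|[a-z])?\z/)
    return nil unless m
    new(m[1].to_i, m[2].to_i, m[3].to_i, m[4])
  end

  # Sort key for the suffix: release candidates precede the final release,
  # which precedes the lettered maintenance releases.
  def suffix_key
    case suffix
    when nil then [1, 0]
    when /\Arc(\d+)\z/ then [0, $1.to_i]
    else [2, suffix.ord]
    end
  end

  def <=>(other)
    [major, minor, patch, *suffix_key] <=>
      [other.major, other.minor, other.patch, *other.suffix_key]
  end

  def to_s
    "#{major}.#{minor}.#{patch}#{suffix}"
  end
end

# Inclusive range of releases that carry the bug; 1.3.3c is the first fix.
AFFECTED = (ProftpdVersion.parse('1.3.2rc3')..ProftpdVersion.parse('1.3.3b'))

# Pull the version out of an FTP greeting such as
# "220 ProFTPD 1.3.3a Server (Debian) [::ffff:10.0.0.5]". The suffix group is
# optional, so a plain "1.3.3" banner is still captured.
def version_from_banner(banner)
  m = banner.match(/ProFTPD (\d+\.\d+\.\d+(?:rc\d+|[a-z])?)/)
  m && ProftpdVersion.parse(m[1])
end

# :vulnerable, :safe, or :unknown when no ProFTPD version can be read.
def cve_2010_4221_check(banner)
  v = version_from_banner(banner)
  return :unknown unless v
  AFFECTED.cover?(v) ? :vulnerable : :safe
end
```

Returning `:unknown` rather than `:safe` for an unparseable banner keeps "we could not read the version" distinct from "the version is outside the range", which is the distinction a `check` method needs when it reports to the operator.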
- PR 14863 - Fixed `db_import` functionality while connected to the remote data service.
- PR 14871 - Fixed loading of the BinData library so that it is always available within modules.
- PR 14874 - Fixed autoloading when using `Msf::RPC::Client` from external tooling.
- PR 14887 - Fixed the previously added feature that improves the readability of Meterpreter error messages by replacing the command ID with the command name, so that it now works with older versions of Ruby.
- PR 14888 - Fixed two Unicode-related bugs that prevented Meterpreter from recursively downloading, opening or otherwise interacting with files or folders whose names contain UTF-8 characters. This is addressed for common commands such as `edit`, `download` and `cd`.
- PR 14897 - Corrected a few instances where module documentation did not follow the naming convention, which made the documentation inaccessible.
- PR 14899 - Fixed loading of the REXML library so that it is always available within modules.
- PR 14905 - Fixed an issue where exploit exceptions other than `Interrupt` could skip proper clean-up.
Modules
- PR 14067 - New module `auxiliary/sqli/dlink/dlink_central_wifimanager_sqli` uses CVE-2019-13375 to dump database information or insert additional users into D-Link Central WiFi Manager CWM(100) versions prior to v1.03R0100_BETA6. The module takes advantage of the updated SQLi library in Framework for PostgreSQL targets.
- PR 14518 - New module `auxiliary/gather/fortios_vpnssl_traversal_creds_leak` leverages a directory traversal vulnerability (CVE-2018-13379) in the SSL VPN web portal of FortiOS 5.4.6 to 5.4.12, 5.6.3 to 5.6.7 and 6.0.0 to 6.0.4 to retrieve the `/dev/cmdb/sslvpn_websession` file, which contains the plaintext usernames and passwords of currently connected users. These credentials can be saved to the `creds` database for use in later attacks.
- PR 14544 - New module `auxiliary/scanner/http/rdp_web_login` leverages the timing behaviour of the web RDP authentication process to determine valid users.
- PR 14576 - New module `auxiliary/scanner/http/wp_chopslider_id_sqli` exploits a SQL injection vulnerability (CVE-2020-11530) in the iDangero.us ChopSlider 3 WordPress plugin, version 3.4 and prior, allowing usernames and password hashes to be dumped from the WordPress database without authentication.
- PR 14648 - New evasion module `evasion/windows/process_herpaderping` applies the Process Herpaderping evasion technique to Windows payloads.
- PR 14730 - New module `exploits/windows/local/microfocus_operations_privesc` achieves privilege escalation on a target running a vulnerable version of Micro Focus Operations Bridge Manager (OBM), given an existing session on that machine that supports PowerShell. The module writes a payload to a specific folder, then sends a request to the OBM process over the loopback address to trigger payload execution.
- PR 14744 - New module `exploits/linux/http/klog_server_authenticate_user_unauth_command_injection` targets an unauthenticated command injection vulnerability in Klog Server versions `2.4.1` and prior. A POST request to `authenticate.php` can result in code execution because the `user` parameter is passed unsanitized to the `shell_exec()` function. Additionally, Klog Server's configuration allows the `apache` user to run `sudo` without a password, so the exploit ultimately achieves code execution as `root`.
- PR 14766 - New module `auxiliary/scanner/http/apache_flink_jobmanager_traversal` leverages the directory traversal vulnerability CVE-2020-17519 in Apache Flink to retrieve files from the affected server. No authentication is required.
- PR 14771 - New module `exploits/multi/http/apache_flink_jar_upload_exec` leverages Apache Flink's job functionality to upload and run an arbitrary JAR file.
- PR 14809 - New module `exploits/multi/http/vmware_vcenter_uploadova_rce` leverages an unauthenticated OVA file upload and path traversal in VMware vCenter Server (CVE-2021-21972) to achieve unauthenticated RCE against vulnerable targets.
- PR 14846 - New module `exploits/windows/http/hpe_sim_76_amf_deserialization` targets the `7.6.x` versions of HPE Systems Insight Manager, gaining unauthenticated code execution as the user running the HPE SIM software (typically a local administrator) by sending a serialized AMF request to the `/simsearch/messagebroker/amfsecure` endpoint.
- PR 14847 - New module `exploits/windows/smb/smb_rras_erraticgopher` leverages an overflow in the Routing and Remote Access Service (RRAS) on Windows Server 2003 (CVE-2017-8461) to execute arbitrary commands with SYSTEM privileges.