New
- Pro: We added support to Metasploit Pro for complete integration with systemd on Linux systems that run it. See https://docs.rapid7.com/metasploit/restarting-metasploit-services#Linux for more details.
Improved
- Pro: We updated Metasploit Pro service discovery to utilize Nmap 7.91.
- Pro: We updated Metasploit Pro database services to utilize PostgreSQL 12.6.
- PR 14878 - Wrapped and retained the recently introduced Zeitwerk loader in a more flexible way. Additionally, `lib/msf_autoload.rb` is now marked as a singleton class to ensure that only one instance of the loader can exist at any one time. The loading process has also been broken down into separate methods to allow for additional tweaking, extension, and suppression as needed.
- PR 14893 - Updated `post/windows/gather/avast_memory_dump` with additional paths to check for the `avdump.exe` utility, which should help Metasploit users in cases where the tool is bundled in with other Avast software besides the standard AV solution.
- PR 14917 - Improved the `search` command by adding new `-s` and `-r` flags. The `-s` flag allows one to sort search results by rank, disclosure date, module name, module type, or whether the module implements a check method. Results are ordered in ascending order; users can show them in descending order with the `-r` flag.
- PR 14927 - Updated Ruby scripts under `tools/exploits/*` to capture signals and handle them gracefully instead of stack tracing.
- PR 14938 - Added a new `time` command to `msfconsole`, allowing users and developers to time how long certain commands take to execute.
Fixed
- Pro: We made a fix to host exploitation via better exception handling to cover top-level exceptions and avoid presenting the user with long-running exploitations which appear to never finish.
- PR 14430 - Added guards and user feedback when attempting to use UUID tracking without an active DB connection.
- PR 14815 - Replaced deprecated uses of `::Rex::Socket.gethostbyname` in favor of the newer `::Rex::Socket.getaddress` functionality in preparation for Ruby 3 support.
- PR 14844 - Moved the `on_session_open` event until after the session has been bootstrapped, which is necessary to expose some functionality required by plugins (such as `auto_add_route`).
- PR 14879 - Updated the `auxiliary/scanner/ssh/ssh_login_pubkey` module to support specifying the path to a private key for the `KEY_PATH` option, and improved error handling in several places to reduce stack traces and make error messages more understandable.
- PR 14896 - Updated the `exploit/multi/http/apache_activemq_upload_jsp` module so that it can successfully exploit vulnerable systems running Java 8. Additionally, module documentation has been added.
- PR 14910 - Fixed `post/multi/gather/filezilla_client_cred` to prevent it from falsely identifying strings as being Base64 encoded when they are not. The new code now checks that the string is marked as being Base64 encoded before attempting to decode it.
- PR 14911 - Updated the `auxiliary/gather/impersonate_ssl` module to add a new SNI option for retrieving the SSL certificate, allowing it to properly retrieve SSL certificates in cases where the SNI value needs to be explicitly specified. In addition, RuboCop changes have also been applied to tidy up the code and replace some dangerous code with safer solutions.
- PR 14912 - Updated the `auxiliary/admin/http/netgear_r6700_pass_reset` module to fix a typo that could occasionally cause the `check` function to fail, and to fix a stack trace caused by calling a method on a `nil` object.
- PR 14930 - Fixed a bug where the highlighting in msfconsole's `search` command would break when the search term was one of certain single-letter queries.
- PR 14934 - Fixed a bug in the `download` command in Meterpreter, where attempts to download a directory containing UTF-8 characters would result in an error. This has been resolved by enforcing the correct encoding.
- PR 14941 - Updated the `exploits/windows/smb/smb_relay` module to force the use of `Rex::Proto::SMB::Client`, which fixes several issues that were being encountered due to the module accidentally using `ruby_smb` instead of `Rex::Proto::SMB::Client`.
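The PR 14910 fix above comes down to trusting FileZilla's own `encoding="base64"` marker on a `<Pass>` element instead of guessing from the string's shape. The following is an added illustration, not code from the module; the XML fragment is constructed, and the function names are hypothetical.

```ruby
require 'rexml/document'

# Constructed FileZilla sitemanager.xml fragment (not from a real install).
# The first entry is flagged as Base64; the second is a plain-text value
# that merely looks like valid Base64 and must not be decoded.
SAMPLE_SITEMANAGER = <<~XML
  <FileZilla3>
    <Servers>
      <Server>
        <Host>ftp.example.test</Host>
        <User>alice</User>
        <Pass encoding="base64">c2VjcmV0MTIz</Pass>
      </Server>
      <Server>
        <Host>ftp2.example.test</Host>
        <User>bob</User>
        <Pass>abcd</Pass>
      </Server>
    </Servers>
  </FileZilla3>
XML

# Decode the password only when FileZilla itself marked it as Base64 via
# the encoding attribute; anything else is returned verbatim.
def filezilla_password(pass_element)
  raw = pass_element.text.to_s
  return raw unless pass_element.attributes['encoding'] == 'base64'
  raw.unpack1('m0') # strict Base64; raises ArgumentError on malformed input
rescue ArgumentError
  # Flagged as Base64 but not decodable: keep the raw value instead of crashing
  raw
end

# Parse the XML and return [[host, user, password], ...] for each <Server>.
def extract_filezilla_creds(xml)
  doc = REXML::Document.new(xml)
  doc.elements.to_a('//Server').map do |srv|
    host = srv.elements['Host']&.text
    user = srv.elements['User']&.text
    pass_el = srv.elements['Pass']
    [host, user, pass_el ? filezilla_password(pass_el) : nil]
  end
end
```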
Modules
- PR 14830 - New module `exploits/windows/http/fortilogger_arbitrary_fileupload` provides an unauthenticated arbitrary file upload exploit for FortiLogger 4.4.2.2, achieving RCE on vulnerable targets (CVE-2021-3378).
- PR 14860 - New module `auxiliary/scanner/http/exchange_proxylogon` checks if a Microsoft Exchange Server target is vulnerable to a Server-Side Request Forgery (SSRF) identified as CVE-2021-26855.
- PR 14860 - New module `auxiliary/gather/exchange_proxylogon_collector` dumps, for a given email address, the mailboxes on vulnerable Microsoft Exchange Server targets, including emails, attachments, and contact information. This module leverages the same SSRF vulnerability identified as CVE-2021-26855.
- PR 14860 - New module `exploits/windows/http/exchange_proxylogon_rce` achieves unauthenticated Remote Code Execution on vulnerable Microsoft Exchange Server targets, allowing for execution of arbitrary commands as the SYSTEM user. This module leverages the same SSRF vulnerability identified as CVE-2021-26855 and also a post-auth arbitrary-file-write vulnerability identified as CVE-2021-27065.
- PR 14875 - New module `exploits/linux/http/vmware_view_planner_4_6_uploadlog_rce` achieves RCE on vulnerable targets via an arbitrary file upload vulnerability within VMware View Planner Harness prior to 4.6 Security Patch 1 (CVE-2021-21978).
- PR 14907 - New module `exploits/windows/local/cve_2021_1732_win32k` achieves privilege escalation on vulnerable win32k targets via CVE-2021-1732.
- PR 14920 - New module `exploits/windows/http/advantech_iview_unauth_rce` adds an exploit for CVE-2021-22652, which allows an unauthenticated user to make configuration changes on a remote Advantech iView server. The vulnerability can be leveraged to obtain remote code execution within the context of the server application, which runs as SYSTEM by default.