Mar 29, 2021 - 4.19.1

New

Improved

  • Pro: We updated Metasploit Pro service discovery to utilize Nmap 7.91.

  • Pro: We updated Metasploit Pro database services to utilize PostgreSQL 12.6.

  • PR 14878 - Wrapped and retained the recently introduced Zeitwerk loader in a more flexible way. Additionally, lib/msf_autoload.rb is now marked as a singleton class to ensure that only one instance of the loader can exist at any one time. The loading process has also been broken down into separate methods to allow for additional tweaking, extension, and suppression as needed.

  • PR 14893 - Updated post/windows/gather/avast_memory_dump with additional paths to check for the avdump.exe utility, which should help Metasploit users in cases where the tool is bundled in with other Avast software besides the standard AV solution.

  • PR 14917 - Improved the search command by adding new -s and -r flags. The -s flag sorts results by rank, disclosure date, module name, module type, or whether the module implements a check method. Results are shown in ascending order; the -r flag shows them in descending order instead.

  • PR 14927 - Updated Ruby scripts under tools/exploits/* to capture signals and handle them gracefully instead of stack tracing.

  • PR 14938 - Added a new time command to msfconsole, allowing users and developers to time how long certain commands take to execute.

Fixed

  • Pro: Improved exception handling during host exploitation so that top-level exceptions are caught, instead of leaving the user with long-running exploitation tasks that appear never to finish.

  • PR 14430 - Added guards and user feedback when attempting to use UUID tracking without an active DB connection.

  • PR 14815 - Replaced deprecated uses of ::Rex::Socket.gethostbyname with the newer ::Rex::Socket.getaddress in preparation for Ruby 3 support.

  • PR 14844 - Moved the on_session_open event so that it fires after the session has been bootstrapped, which is necessary to expose some functionality required by plugins (such as auto_add_route).

  • PR 14879 - Updated the auxiliary/scanner/ssh/ssh_login_pubkey module to support specifying the path to a private key via the KEY_PATH option, and improved error handling in several places to reduce stack traces and make error messages more understandable.

  • PR 14896 - Updated the exploit/multi/http/apache_activemq_upload_jsp module so that it can successfully exploit vulnerable systems running Java 8. Module documentation has also been added.

  • PR 14910 - Fixed post/multi/gather/filezilla_client_cred to prevent it from falsely identifying strings as being Base64 encoded when they are not. The new code now checks that the string is marked as being Base64 encoded before attempting to decode it.

  • PR 14911 - Updated the auxiliary/gather/impersonate_ssl module to add a new SNI option for retrieving the SSL Certificate, allowing it to properly retrieve SSL certificates in cases where the SNI option needs to be appropriately specified. In addition, RuboCop changes have also been applied to tidy up the code and remove some dangerous code in favor of safer solutions.

  • PR 14912 - Updated the auxiliary/admin/http/netgear_r6700_pass_reset module to fix a typo that could occasionally cause the check function to fail, and to fix a stack trace caused by calling a method on a nil object.

  • PR 14930 - Fixed a bug where the highlighting in msfconsole's search command would break for certain single-letter queries.

  • PR 14934 - Fixed a bug in the download command in Meterpreter, where attempts to download a directory containing UTF-8 characters would result in an error. This has been resolved by enforcing the correct encoding.

  • PR 14941 - Updated the exploits/windows/smb/smb_relay module to force the use of Rex::Proto::SMB::Client, which fixes several issues caused by the module accidentally using RubySMB instead of Rex::Proto::SMB::Client.
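As an added illustration of the PR 14910 fix above (example code written for these notes, not the module's own code): the sitemanager.xml below is constructed, and the hostnames, user names and the crypt-marked entry are made up. Decoding is driven by the encoding attribute on the Pass element rather than by whether the string happens to look like base64:

```ruby
# Added example, not the code of post/multi/gather/filezilla_client_cred:
# decode FileZilla <Pass> values only when the element says encoding="base64".
# The XML below is constructed for this example.
require 'rexml/document'

# Three constructed entries: a current base64-marked password, an old-style
# plaintext one whose characters happen to be valid base64, and a value marked
# with another encoding (standing in for FileZilla's master-password mode).
SAMPLE_SITEMANAGER_XML = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <FileZilla3 version="3.46.3" platform="windows">
    <Servers>
      <Server>
        <Host>ftp.prod.example.com</Host>
        <Port>21</Port>
        <User>deploy</User>
        <Pass encoding="base64">c3VwZXJzZWNyZXQ=</Pass>
        <Name>prod</Name>
      </Server>
      <Server>
        <Host>ftp.legacy.example.com</Host>
        <Port>21</Port>
        <User>alice</User>
        <Pass>Pass1234</Pass>
        <Name>legacy</Name>
      </Server>
      <Server>
        <Host>sftp.example.com</Host>
        <Port>22</Port>
        <User>bob</User>
        <Pass encoding="crypt">bm90LWEtYmFzZTY0LXNlY3JldA==</Pass>
        <Name>locked</Name>
      </Server>
    </Servers>
  </FileZilla3>
XML

# The heuristic the fix replaced: decide from the characters alone.
# "Pass1234" is syntactically valid base64, so this turns a real password
# into six bytes of garbage instead of leaving it alone.
def naive_base64_decode(value)
  value.unpack1('m0')             # strict base64 decode; raises on malformed input
rescue ArgumentError
  value
end

# Attribute-aware decoding: trust the encoding marker, not the shape of the string.
def decode_filezilla_pass(pass_element)
  return nil if pass_element.nil?
  raw = pass_element.text.to_s.strip
  case pass_element.attributes['encoding']
  when nil, ''  then raw                  # pre-base64 FileZilla stored plaintext
  when 'base64' then raw.unpack1('m0')    # strict decode; malformed data raises
  else               nil                  # encrypted or unknown: report, do not guess
  end
rescue ArgumentError
  nil
end

# Parse every <Server> entry into a hash; password is nil when it cannot be
# decoded safely, and pass_encoding records what the file claimed.
def parse_filezilla_sitemanager(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, '//Servers/Server').map do |server|
    pass = server.elements['Pass']
    {
      name:          server.elements['Name']&.text,
      host:          server.elements['Host']&.text,
      port:          (server.elements['Port']&.text).to_i,
      user:          server.elements['User']&.text,
      pass_encoding: pass && pass.attributes['encoding'],
      password:      decode_filezilla_pass(pass)
    }
  end
end

if $PROGRAM_NAME == __FILE__
  parse_filezilla_sitemanager(SAMPLE_SITEMANAGER_XML).each { |s| puts s.inspect }
end
```

Run the file directly to print the three parsed entries: the legacy entry keeps Pass1234 intact, where the character-based heuristic would have produced six bytes of garbage, and the crypt-marked entry is reported with its encoding but not decoded.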
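The SNI option added in PR 14911 matters because a server hosting several names returns a different certificate depending on the name in the ClientHello. The following is an added example written for these notes using Ruby's OpenSSL bindings, not the impersonate_ssl module's code: it starts a local TLS server on a loopback port with two self-signed certificates (default.example.com and vhost.example.com, both invented names) and shows which one the client receives with and without SNI:

```ruby
# Added example, not Metasploit's impersonate_ssl module code: a local TLS
# server that selects its certificate from the SNI name, and a client that
# fetches the peer certificate with or without SNI. Hostnames are made up.
require 'openssl'
require 'socket'

# Self-signed certificate for one CN, signed with the given key.
def make_self_signed_cert(cn, key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                   # X.509 v3
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

def server_context(cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  ctx
end

# Listen on an ephemeral loopback port. servername_cb receives the SNI name
# and may swap in another context, which is what a shared-hosting frontend
# or load balancer does; without SNI the default_ctx certificate is served.
def start_sni_server(default_ctx, contexts_by_name)
  listener = TCPServer.new('127.0.0.1', 0)
  default_ctx.servername_cb = proc { |_ssl, name| contexts_by_name[name] }
  tls = OpenSSL::SSL::SSLServer.new(listener, default_ctx)
  thread = Thread.new do
    begin
      loop do
        begin
          conn = tls.accept                          # completes the handshake
          conn.close
        rescue OpenSSL::SSL::SSLError, EOFError, Errno::ECONNRESET, Errno::EPIPE
          next                                       # one bad client must not stop the server
        end
      end
    rescue IOError, Errno::EBADF
      nil                                            # listener closed; exit the thread
    end
  end
  [listener.addr[1], listener, thread]
end

# Retrieve whatever certificate the server presents. Verification is off on
# purpose: the goal is to obtain the certificate, not to trust it.
def fetch_peer_cert(host, port, sni: nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new(host, port), ctx)
  ssl.hostname = sni if sni                          # SSLSocket#hostname= sets the SNI extension
  ssl.sync_close = true
  ssl.connect
  cert = ssl.peer_cert
  ssl.close
  cert
end

def subject_cn(cert)
  cert.subject.to_a.find { |oid, _value, _type| oid == 'CN' }&.at(1)
end

# Returns the CN obtained without SNI, with a name the server does not know,
# and with the vhost's name. Only the last one yields the vhost certificate.
def sni_demo
  key = OpenSSL::PKey::RSA.new(2048)                 # one key for both certs, for brevity
  default_ctx = server_context(make_self_signed_cert('default.example.com', key), key)
  vhost_ctx   = server_context(make_self_signed_cert('vhost.example.com', key), key)
  port, listener, thread = start_sni_server(default_ctx, { 'vhost.example.com' => vhost_ctx })
  begin
    {
      no_sni:    subject_cn(fetch_peer_cert('127.0.0.1', port)),
      wrong_sni: subject_cn(fetch_peer_cert('127.0.0.1', port, sni: 'other.example.com')),
      right_sni: subject_cn(fetch_peer_cert('127.0.0.1', port, sni: 'vhost.example.com'))
    }
  ensure
    listener.close
    thread.join
  end
end

puts sni_demo.inspect if $PROGRAM_NAME == __FILE__
```

Without SNI, or with a name the server does not know, the client receives the default certificate; only the request that names vhost.example.com receives that host's certificate, which is the case the new option addresses.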

Modules

  • PR 14830 - New module exploits/windows/http/fortilogger_arbitrary_fileupload provides an unauthenticated arbitrary file upload exploit for FortiLogger 4.4.2.2, achieving RCE on vulnerable targets (CVE-2021-3378).

  • PR 14860 - New module auxiliary/scanner/http/exchange_proxylogon checks if a Microsoft Exchange Server target is vulnerable to a Server-Side Request Forgery (SSRF) identified as CVE-2021-26855.

  • PR 14860 - New module auxiliary/gather/exchange_proxylogon_collector dumps, for a given email address, the mailboxes on vulnerable Microsoft Exchange Server targets, including emails, attachments, and contact information. This module leverages the same SSRF vulnerability identified as CVE-2021-26855.

  • PR 14860 - New module exploits/windows/http/exchange_proxylogon_rce achieves an unauthenticated Remote Code Execution on vulnerable Microsoft Exchange Server targets, allowing for execution of arbitrary commands as the SYSTEM user. This module leverages the same SSRF vulnerability identified as CVE-2021-26855 and also a post-auth arbitrary-file-write vulnerability identified as CVE-2021-27065.

  • PR 14875 - New module exploits/linux/http/vmware_view_planner_4_6_uploadlog_rce achieves RCE on vulnerable targets via an arbitrary file upload vulnerability within VMware View Planner Harness prior to 4.6 Security Patch 1 (CVE-2021-21978).

  • PR 14907 - New module exploits/windows/local/cve_2021_1732_win32k achieves privilege escalation on vulnerable win32k targets via CVE-2021-1732.

  • PR 14920 - New module exploits/windows/http/advantech_iview_unauth_rce adds an exploit for CVE-2021-22652 which allows an unauthenticated user to make configuration changes on a remote Advantech iView server. The vulnerability can be leveraged to obtain remote code execution within the context of the server application which runs as SYSTEM by default.
