Improved

• Pro: We’ve improved the “dry run” process within Vulnerability Validation to better reflect the current progress and ensure applicable exploit modules are listed.

• PR 14813  - Updated the exploit/windows/http/dupscts_bof module with additional coverage for six more vulnerable versions of the Dup Scout Enterprise software, leveraging auto-targeting, and adding module traits and references.

• PR 14937  - Improved the performance of the various show commands within the console. For instance, show exploits now takes ~0.5 seconds instead of ~14 seconds.

• PR 14945  - Updated the ProxyLogon RCE module to use an RPC request to identify the backend server’s FQDN.

• PR 14951  - Improved Mettle (our Linux Meterpreter implementation) to support the search command, allowing users to search for files on a compromised system.

Fixed

• PR 14873  - Fixed an issue when running the show payloads command or msfvenom -l payloads, where individual modules that failed to load would stop the remaining modules from loading successfully.

• PR 14918  - Fixed an issue where the VHOST option was not being correctly populated when the RHOST option was specified with domain names.

• PR 14962  - Updated the nexpose_connect login functionality to correctly handle the @ symbol being present in the password.

• PR 14966  - Addressed an issue in the ProxyLogon RCE module where a payload would be run twice.

• PR 14969  - Fixed a bug in the Python Meterpreter’s DNS resolving function.

• PR 14975  - Fixed an issue in the cve_2020_1054_drawiconex_lpe module, which would throw an exception when the target was not vulnerable.

• PR 14987  - Fixed an issue where users were only getting three attempts when brute forcing via the auxiliary/scanner/mysql/mysql_login module.

• PR 14988  - Fixed validation of custom wordlist values, restoring auxiliary cracker module functions when no custom wordlist file is supplied.

• PR 14991  - Fixed a regression that caused the NTP protocol fuzzer modules to crash when being run.

• PR 14992  - Updated the auto_target_host logic() to additionally handle rhost being nil.

• PR 14998  - Changed CVE references from CVE Details to NVD.

Modules

• PR 14697  - New module auxiliary/scanner/http/nagios_xi_scanner will scan for Nagios XI installations and try to detect their version, then suggest applicable exploit modules in Metasploit based on discovered Nagios XI versions. Additionally, a new set of libraries have been added to support developers wishing to target Nagios XI machines, which should help to supply developers with several commonly used pieces of functionality.

• PR 14869  - New post module post/windows/gather/exchange enumerates and extracts mailboxes on Exchange severs.

• PR 14924  - New module auxiliary/admin/sap/cve_2020_6207_solman_rce targets versions of SAP Solution Manager vulnerable to CVE-2020-6207 , achieving command execution vulnerable targets.

• PR 14924  - New module exploit/multi/sap/cve_2020_6207_solman_rs targets version of SAP Solution Manager vulnerable to CVE-2020-6207 , achieving a reverse shell on vulnerable targets.

• PR 14935  - New module exploits/linux/http/f5_icontrol_rest_ssrf_rce exploits an unauthenticated SSRF vulnerability in F5’s iControl REST API that is then leveraged to execute code as the root user on various versions of F5’s BIG-IP and BIG-IQ devices (CVE-2021-22986 ).

• PR 14950  - New module exploits/linux/http/saltstack_salt_wheel_async_rce exploits an authentication bypass (CVE-2021-25281 ) and a directory traversal vulnerability (CVE-2021-25282 ) in versions 3002.5 and below of SaltStack Salt’s REST API. Code execution as the root user is achieved by writing a custom grain module to the extension module directory and waiting until a recurring maintenance check executes the malicious grain module.

• PR 14965  - New post module post/multi/sap/smdagent_get_properties leverages an insecure password storage vulnerability identified as CVE-2019-0307  to retrieve credentials such as SLD user connection and Solman user communication. Improvements were also made to the cve_2020_6207_solman_rce auxiliary module by adding a new SECTORE action performing the same attack remotely by leveraging an authentication bypass identified as CVE-2020-6207 .

• PR 14971  - New module exploits/linux/http/apache_ofbiz_deserialization_soap targets Apache OFBiz versions prior to v17.12.06, which are vulnerable to a Java deserialization vulnerability (CVE-2021-26295 ). By sending a serialized payload to the webtools/control/SOAPService endpoint, unauthenticated remote code execution as the user running the Apache OFBiz service can be achieved.

• PR 14978  - New module exploit/multi/http/gogs_git_hooks_rce leverages a git hooks setting to achieve authenticated remote code execution against vulnerable versions of Gogs (self-hosted Git service). With valid credentials and the permission to create git hooks, this module creates a repo and uploads a payload as a post-receive hook. Upon creating an additional file in the repo, the post-receive hook will be triggered, which will grant code execution as the user running the software.

• PR 14978  - New module exploit/multi/http/gitea_git_hooks_rce leverages a git hooks setting to achieve authenticated remote code execution against vulnerable versions of Gitea (self-hosted Git service). With valid credentials and the permission to create git hooks, this module creates a repo and uploads a payload as a post-receive hook. Upon creating an additional file in the repo, the post-receive hook will be triggered, which will grant code execution as the user running the software.

Offline Update

• https://updates.metasploit.com/packages/577bc3c5c6248859bf1800f682bef3aa46d21d02.bin 

Metasploit Framework and Pro Installers

• https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version