4.19.1 (Apr 13, 2021)

Improved

Customer Requested
  • We've added support for installing Metasploit Pro on Ubuntu 18.04 LTS and RHEL 8, as well as Windows Server 2019 and 2016. For the full list of supported operating systems, visit the System Requirements page.
  • Pro: We've improved the "dry run" process within Vulnerability Validation to better reflect the current progress and ensure applicable exploit modules are listed.

  • PR 14813 - Updated the exploit/windows/http/dupscts_bof module with additional coverage for six more vulnerable versions of the Dup Scout Enterprise software, leveraging auto-targeting, and adding module traits and references.

  • PR 14937 - Improved the performance of the various show commands within the console. For instance, show exploits now takes ~0.5 seconds instead of ~14 seconds.

  • PR 14945 - Updated the ProxyLogon RCE module to use an RPC request to identify the backend server's FQDN.

  • PR 14951 - Improved Mettle (our Linux Meterpreter implementation) to support the search command, allowing users to search for files on a compromised system.

Fixed

Customer Requested
  • We fixed an issue where VPN pivoting was returning an 'undefined_method extension_id' error. VPN pivoting should now be working as expected.
  • PR 14873 - Fixed an issue when running the show payloads command or msfvenom -l payloads, where individual modules that failed to load would stop the remaining modules from loading successfully.

  • PR 14918 - Fixed an issue where the VHOST option was not being correctly populated when the RHOST option was specified with domain names.

  • PR 14962 - Updated the nexpose_connect login functionality to correctly handle the @ symbol being present in the password.

  • PR 14966 - Addressed an issue in the ProxyLogon RCE module where a payload would be run twice.

  • PR 14969 - Fixed a bug in the Python Meterpreter's DNS resolution function.

  • PR 14975 - Fixed an issue in the cve_2020_1054_drawiconex_lpe module, which would throw an exception when the target was not vulnerable.

  • PR 14987 - Fixed an issue where users were only getting three attempts when brute forcing via the auxiliary/scanner/mysql/mysql_login module.

  • PR 14988 - Fixed validation of custom wordlist values, restoring auxiliary cracker module functions when no custom wordlist file is supplied.

  • PR 14991 - Fixed a regression that caused the NTP protocol fuzzer modules to crash when being run.

  • PR 14992 - Updated the auto_target_host() logic to additionally handle rhost being nil.

  • PR 14998 - Changed CVE references from CVE Details to NVD.

Modules

  • PR 14697 - New module auxiliary/scanner/http/nagios_xi_scanner will scan for Nagios XI installations and try to detect their version, then suggest applicable exploit modules in Metasploit based on the discovered Nagios XI versions. Additionally, a new set of libraries has been added to support developers wishing to target Nagios XI machines, supplying several commonly used pieces of functionality.

  • PR 14869 - New post module post/windows/gather/exchange enumerates and extracts mailboxes on Exchange servers.

  • PR 14924 - New module auxiliary/admin/sap/cve_2020_6207_solman_rce targets versions of SAP Solution Manager vulnerable to CVE-2020-6207, achieving command execution on vulnerable targets.

  • PR 14924 - New module exploit/multi/sap/cve_2020_6207_solman_rs targets versions of SAP Solution Manager vulnerable to CVE-2020-6207, achieving a reverse shell on vulnerable targets.

  • PR 14935 - New module exploits/linux/http/f5_icontrol_rest_ssrf_rce exploits an unauthenticated SSRF vulnerability in F5's iControl REST API that is then leveraged to execute code as the root user on various versions of F5's BIG-IP and BIG-IQ devices (CVE-2021-22986).

  • PR 14950 - New module exploits/linux/http/saltstack_salt_wheel_async_rce exploits an authentication bypass (CVE-2021-25281) and a directory traversal vulnerability (CVE-2021-25282) in versions 3002.5 and below of SaltStack Salt's REST API. Code execution as the root user is achieved by writing a custom grain module to the extension module directory and waiting until a recurring maintenance check executes the malicious grain module.

  • PR 14965 - New post module post/multi/sap/smdagent_get_properties leverages an insecure password storage vulnerability identified as CVE-2019-0307 to retrieve credentials such as SLD user connection and Solman user communication. Improvements were also made to the cve_2020_6207_solman_rce auxiliary module by adding a new SECTORE action performing the same attack remotely by leveraging an authentication bypass identified as CVE-2020-6207.

  • PR 14971 - New module exploits/linux/http/apache_ofbiz_deserialization_soap targets Apache OFBiz versions prior to v17.12.06, which are vulnerable to a Java deserialization vulnerability (CVE-2021-26295). By sending a serialized payload to the webtools/control/SOAPService endpoint, unauthenticated remote code execution as the user running the Apache OFBiz service can be achieved.

  • PR 14978 - New module exploit/multi/http/gogs_git_hooks_rce leverages a git hooks setting to achieve authenticated remote code execution against vulnerable versions of Gogs (self-hosted Git service). With valid credentials and the permission to create git hooks, this module creates a repo and uploads a payload as a post-receive hook. Upon creating an additional file in the repo, the post-receive hook will be triggered, which will grant code execution as the user running the software.

  • PR 14978 - New module exploit/multi/http/gitea_git_hooks_rce leverages a git hooks setting to achieve authenticated remote code execution against vulnerable versions of Gitea (self-hosted Git service). With valid credentials and the permission to create git hooks, this module creates a repo and uploads a payload as a post-receive hook. Upon creating an additional file in the repo, the post-receive hook will be triggered, which will grant code execution as the user running the software.
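
The two git-hooks modules above rely on a user being allowed to install server-side hooks. As an added example that is not part of these release notes or of Metasploit, Gogs or Gitea, the Python audit below walks a self-hosted Git server's repository root and lists every custom, executable pre-receive/update/post-receive hook so an administrator can review what users have been permitted to create. It assumes the bare-repo layout <root>/<owner>/<name>.git with custom hooks either at hooks/<name> or inside hooks/<name>.d/ (the Gitea layout, assumed here), and builds a constructed sample tree to run against.

```python
import os
import stat
import tempfile

HOOK_NAMES = ("pre-receive", "update", "post-receive")

def _is_executable(path):
    return os.path.isfile(path) and bool(os.stat(path).st_mode & stat.S_IXUSR)

def find_custom_hooks(repo_root):
    """Return (repo, hook, first line) for every executable server-side hook
    that is not a git *.sample template, under each <owner>/<name>.git repo."""
    findings = []
    for dirpath, dirnames, _ in os.walk(repo_root):
        if not dirpath.endswith(".git"):
            continue
        dirnames[:] = []  # repo found; do not descend into objects/refs
        hooks_dir = os.path.join(dirpath, "hooks")
        if not os.path.isdir(hooks_dir):
            continue
        for entry in sorted(os.listdir(hooks_dir)):
            full = os.path.join(hooks_dir, entry)
            if entry in HOOK_NAMES:  # e.g. hooks/post-receive
                scripts = [full]
            elif os.path.isdir(full) and entry[:-2] in HOOK_NAMES:  # hooks/post-receive.d/
                scripts = [os.path.join(full, f) for f in sorted(os.listdir(full))]
            else:
                continue
            for script in scripts:
                if _is_executable(script) and not script.endswith(".sample"):
                    with open(script, errors="replace") as fh:
                        first_line = fh.readline().rstrip()
                    findings.append((os.path.relpath(dirpath, repo_root),
                                     os.path.relpath(script, dirpath), first_line))
    return findings

def build_sample_tree():
    """Constructed fixture: a clean repo and one carrying a user-supplied hook."""
    root = tempfile.mkdtemp()
    clean = os.path.join(root, "alice", "clean.git", "hooks")
    os.makedirs(clean)
    with open(os.path.join(clean, "post-receive.sample"), "w") as fh:
        fh.write("#!/bin/sh\n# stock git template, ignored by the audit\n")
    hooked = os.path.join(root, "bob", "hooked.git", "hooks", "post-receive.d")
    os.makedirs(hooked)
    custom = os.path.join(hooked, "custom")
    with open(custom, "w") as fh:
        fh.write("#!/bin/sh\n# constructed: a user-supplied hook to be reviewed\n")
    os.chmod(custom, 0o755)
    return root
```

Run find_custom_hooks() against the real repository root and review each reported script; on Gitea the hook chain itself is also a script in those directories, so compare its contents against the server's own template rather than treating every hit as hostile.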

Offline Update

Metasploit Framework and Pro Installers