Improved
- We've added support for installing Metasploit Pro on Ubuntu 18.04 LTS and RHEL 8, as well as Windows Server 2019 and 2016. For the full list of supported Operating Systems, visit the System Requirements page.
- Pro: We've improved the "dry run" process within Vulnerability Validation to better reflect the current progress and ensure applicable exploit modules are listed.
- PR 14813 - Updated the `exploit/windows/http/dupscts_bof` module with additional coverage for six more vulnerable versions of the Dup Scout Enterprise software, leveraging auto-targeting, and adding module traits and references.
- PR 14937 - Improved the performance of the various `show` commands within the console. For instance, `show exploits` now takes ~0.5 seconds instead of ~14 seconds.
- PR 14945 - Updated the ProxyLogon RCE module to use an RPC request to identify the backend server's FQDN.
- PR 14951 - Improved Mettle (our Linux Meterpreter implementation) to support the `search` command, allowing users to search for files on a compromised system.
Fixed
- We fixed an issue where VPN pivoting was returning an 'undefined_method extension_id' error. VPN pivoting should now be working as expected.
- PR 14873 - Fixed an issue when running the `show payloads` command or `msfvenom -l payloads`, where individual modules that failed to load would stop the remaining modules from loading successfully.
- PR 14918 - Fixed an issue where the `VHOST` option was not being correctly populated when the `RHOST` option was specified with domain names.
- PR 14962 - Updated the `nexpose_connect` login functionality to correctly handle the `@` symbol being present in the password.
- PR 14966 - Addressed an issue in the ProxyLogon RCE module where a payload would be run twice.
- PR 14969 - Fixed a bug in the Python Meterpreter's DNS resolving function.
- PR 14975 - Fixed an issue in the `cve_2020_1054_drawiconex_lpe` module, which would throw an exception when the target was not vulnerable.
- PR 14987 - Fixed an issue where users were only getting three attempts when brute forcing via the `auxiliary/scanner/mysql/mysql_login` module.
- PR 14988 - Fixed validation of custom wordlist values, restoring auxiliary cracker module functions when no custom wordlist file is supplied.
- PR 14991 - Fixed a regression that caused the NTP protocol fuzzer modules to crash when being run.
- PR 14992 - Updated the `auto_target_host()` logic to additionally handle `rhost` being nil.
- PR 14998 - Changed CVE references from CVE Details to NVD.
Modules
- PR 14697 - New module `auxiliary/scanner/http/nagios_xi_scanner` will scan for Nagios XI installations and try to detect their version, then suggest applicable exploit modules in Metasploit based on the discovered Nagios XI versions. Additionally, a new set of libraries has been added to support developers wishing to target Nagios XI machines, which should supply developers with several commonly used pieces of functionality.
- PR 14869 - New post module `post/windows/gather/exchange` enumerates and extracts mailboxes on Exchange servers.
- PR 14924 - New module `auxiliary/admin/sap/cve_2020_6207_solman_rce` targets versions of SAP Solution Manager vulnerable to CVE-2020-6207, achieving command execution on vulnerable targets.
- PR 14924 - New module `exploit/multi/sap/cve_2020_6207_solman_rs` targets versions of SAP Solution Manager vulnerable to CVE-2020-6207, achieving a reverse shell on vulnerable targets.
- PR 14935 - New module `exploits/linux/http/f5_icontrol_rest_ssrf_rce` exploits an unauthenticated SSRF vulnerability in F5's iControl REST API that is then leveraged to execute code as the `root` user on various versions of F5's BIG-IP and BIG-IQ devices (CVE-2021-22986).
- PR 14950 - New module `exploits/linux/http/saltstack_salt_wheel_async_rce` exploits an authentication bypass (CVE-2021-25281) and a directory traversal vulnerability (CVE-2021-25282) in versions `3002.5` and below of SaltStack Salt's REST API. Code execution as the `root` user is achieved by writing a custom grain module to the extension module directory and waiting until a recurring maintenance check executes the malicious grain module.
- PR 14965 - New post module `post/multi/sap/smdagent_get_properties` leverages an insecure password storage vulnerability identified as CVE-2019-0307 to retrieve credentials such as the SLD user connection and Solman user communication. Improvements were also made to the `cve_2020_6207_solman_rce` auxiliary module by adding a new SECTORE action that performs the same attack remotely by leveraging an authentication bypass identified as CVE-2020-6207.
- PR 14971 - New module `exploits/linux/http/apache_ofbiz_deserialization_soap` targets Apache OFBiz versions prior to `v17.12.06`, which are vulnerable to a Java deserialization vulnerability (CVE-2021-26295). By sending a serialized payload to the `webtools/control/SOAPService` endpoint, unauthenticated remote code execution as the user running the Apache OFBiz service can be achieved.
- PR 14978 - New module `exploit/multi/http/gogs_git_hooks_rce` leverages a git hooks setting to achieve authenticated remote code execution against vulnerable versions of Gogs (self-hosted Git service). With valid credentials and the permission to create git hooks, this module creates a repo and uploads a payload as a `post-receive` hook. Upon creating an additional file in the repo, the `post-receive` hook will be triggered, which will grant code execution as the user running the software.
- PR 14978 - New module `exploit/multi/http/gitea_git_hooks_rce` leverages a git hooks setting to achieve authenticated remote code execution against vulnerable versions of Gitea (self-hosted Git service). With valid credentials and the permission to create git hooks, this module creates a repo and uploads a payload as a `post-receive` hook. Upon creating an additional file in the repo, the `post-receive` hook will be triggered, which will grant code execution as the user running the software.