Improved

• PR 14622  - Updated the auxiliary/admin/mssql/mssql_exec module to add the sp_oacreate technique, which is a more stealthy alternative to the traditional xp_cmdshell stored procedure.

• PR 14701  - Renamed the nagios_xi_authenticated_rce module to nagios_xi_plugins_check_ping_authenticated_rce, and also updated the module to take advantage of the Nagios XI mixin. Additionally, the documentation has been updated to reflect these changes and to better explain how the module works.

• PR 14994  - Updated the post/windows/gather/screen_spy module to allow users to specify the PID of a process they would like to migrate into before taking screenshots, rather than forcing users to migrate into an explorer.exe process. If no PID is specified, then the module will default to taking screenshots from the current process.

• PR 14997  - Updated the payloads/singles/linux/x64/shell_bind_tcp_random_port shellcode to be more efficient, resulting in its size being reduced by one byte. Additionally, comments have been updated to properly mention that the payload uses the string //bin/sh, not /bin/sh.

• PR 15017  - Updated the modules/auxiliary/admin/http/tomcat_ghostcat module to use a default RPORT of 8080 and to add in the AJP_PORT option to specify where the Apache JServ Protocol Port is, which now defaults to a value of 8009.

• PR 15028  - Updated the payloads/singles/linux/x64/exec payload to be more efficient, thereby reducing the total shellcode size. Additionally, support has been added for generating NULL byte free shellcode, and the code has been refactored to use Metasm to make it easier to understand.

• PR 15037  - Updated the auxiliary/scanner/redis/redis_login module to first check if authentication is required before attempting to bruteforce credentials.

• PR 15049  - Updated several Meterpreter libraries to raise more specific and descriptive exception messages. These changes should help users and developers more quickly and easily identify the root cause of these exception messages when they are thrown. Additionally, updates have been applied to allow Metasploit to proactively identify when a command will fail in a Meterpreter session due to it not being supported by the remote end.

• PR 15051  - Improved shell session behavior by confirming sessions are established and responsive via sending an echo command and verifying that a response is received.

• PR 15072  - Improved the post/linux/gather/hashdump module such that, instead of checking if the user is root, it will now check if the user has access to the /etc/shadow file prior to attempting to dump the hashes from the shadow file. This allows users to dump password hashes in the case where the permissions of the /etc/shadow file may be set up incorrectly, even if they are not the root user.

Fixed

• PR 14770  - Fixed the freefloatftp_wbem, open_ftpd_wbem, ftp/quickshare_traversal_write, and http/solarwinds_storage_manager_sql modules to correctly handle error scenarios and perform cleanup gracefully.

• PR 14985  - Fixed the JSON API to correctly interact with the configured framework database, as well as adding support for running the msfdb webservice component in the foreground with the --no-daemon flag.

• PR 14996  - Fixed a logic bug in the cracker libraries where hashcat wasn’t able to be run due to invalid version expectations.

• PR 15022  - Fixed errors which could occur on the first call to the Metasploit JSON RPC service. Now we ensure that the Metasploit JSON RPC service is warmed and healthy up before accepting requests.

• PR 15034  - Fixed broken association handling for remote msfdb services command, where this issue previously caused a crash when running the services command after connecting to another remote database.

• PR 15038  - Fixed a NameError in the pulse_secure_gzip_rce module which was preventing it from functioning correctly.

• PR 15043  - Fixed a bug on the python/meterpreter/reverse_http payload handler where, if the LURI option did not begin with a slash, the payload would fail to stage.

• PR 15047  - Fixed a bug in DNS reverse lookups due to an invalid answer attribute.

• PR 15063  - Fixed a bug in the check logic of the nagios_xi_plugins_check_ping_authenticated_rce module whereby older versions of Nagios XI may have caused the module to crash instead of correctly reporting a target as being vulnerable or not.

• PR 15064  - Fixed an undefined constant error in the f5_bigip_known_privkey module by adding a missing import.

• PR 15065  - Fixed an issue in the post/linux/gather/checkvm module where a physical machine was detected as a virtual machine.

• PR 15067  - Fixed logic in lib/metasploit/framework/login_scanner/ssh.rb so that it now correctly handles cases where a connection might be reset by a client and will now continue scanning instead of throwing a stack trace.

Modules

• PR 14699  - New module exploits/linux/http/nagios_xi_snmptrap_authenticated_rce exploits CVE-2020-5792 , an authenticated command injection vulnerability in the includes/components/nxti/index.php page of Nagios XI prior to 5.7.4. Successful exploitation results in RCE as the apache user.

• PR 14700  - New moduleexploits/linux/http/nagios_xi_plugins_filename_authenticated_rce exploits CVE-2020-35578 , an RCE in Nagios XI versions prior to 5.8.0 that utilizes a command injection when uploading plugins to allow authenticated administrative users to gain remote code execution as the apache user on affected systems.

• PR 14833  - New module post/linux/gather/haserl_read leverages an arbitrary read in haserl prior to 0.9.36. This vulnerability is identified as CVE-2021-29133  and allows an attacker to read any file on the target filesystem without any specific privileges.

• PR 15007  - New module exploits/multi/browser/chrome_simplifiedlowering_overflow adds an exploit for Google Chrome <= 87.0.4280.66 (CVE-2020-16040 ). The module starts a webpage hosting malicious JavaScript that when visited by a vulnerable version of Chrome allows Remote Code Execution on a remote machine, and requires the —no-sandbox Chrome flag, as no sandbox escape is present.

• PR 15058  - New module exploits/multi/http/cockpit_cms_rce exploits CVE-2020-35846  and CVE-2020-35847  in vulnerable CockpitCMS targets (specifically versions 0.10.0 through 0.11.1). This module uses two NoSQL injections to get the user list, and password reset token list, enumerate the tokens to the users, reset a password, login, then a command injection for RCE.

Offline Update

• https://updates.metasploit.com/packages/d07e1405411accb3ab7d22900f3245bbf0ef7ef3.bin 

Metasploit Framework and Pro Installers

• https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version