Improved
PR 14622 - Updated the
auxiliary/admin/mssql/mssql_exec
module to add thesp_oacreate
technique, which is a more stealthy alternative to the traditional xp_cmdshell stored procedure.PR 14701 - Renamed the
nagios_xi_authenticated_rce
module tonagios_xi_plugins_check_ping_authenticated_rce
, and also updated the module to take advantage of the Nagios XI mixin. Additionally, the documentation has been updated to reflect these changes and to better explain how the module works.PR 14994 - Updated the
post/windows/gather/screen_spy
module to allow users to specify the PID of a process they would like to migrate into before taking screenshots, rather than forcing users to migrate into anexplorer.exe
process. If no PID is specified, then the module will default to taking screenshots from the current process.PR 14997 - Updated the
payloads/singles/linux/x64/shell_bind_tcp_random_port
shellcode to be more efficient, resulting in its size being reduced by one byte. Additionally, comments have been updated to properly mention that the payload uses the string//bin/sh
, not/bin/sh
.PR 15017 - Updated the
modules/auxiliary/admin/http/tomcat_ghostcat
module to use a defaultRPORT
of 8080 and to add in theAJP_PORT
option to specify where the Apache JServ Protocol Port is, which now defaults to a value of 8009.PR 15028 - Updated the
payloads/singles/linux/x64/exec
payload to be more efficient, thereby reducing the total shellcode size. Additionally, support has been added for generating NULL byte free shellcode, and the code has been refactored to use Metasm to make it easier to understand.PR 15037 - Updated the
auxiliary/scanner/redis/redis_login
module to first check if authentication is required before attempting to bruteforce credentials.PR 15049 - Updated several Meterpreter libraries to raise more specific and descriptive exception messages. These changes should help users and developers more quickly and easily identify the root cause of these exception messages when they are thrown. Additionally, updates have been applied to allow Metasploit to proactively identify when a command will fail in a Meterpreter session due to it not being supported by the remote end.
PR 15051 - Improved shell session behavior by confirming sessions are established and responsive via sending an
echo
command and verifying that a response is received.PR 15072 - Improved the
post/linux/gather/hashdump
module such that, instead of checking if the user isroot
, it will now check if the user has access to the/etc/shadow
file prior to attempting to dump the hashes from the shadow file. This allows users to dump password hashes in the case where the permissions of the/etc/shadow
file may be set up incorrectly, even if they are not theroot
user.
Fixed
PR 14770 - Fixed the
freefloatftp_wbem
,open_ftpd_wbem
,ftp/quickshare_traversal_write
, andhttp/solarwinds_storage_manager_sql
modules to correctly handle error scenarios and perform cleanup gracefully.PR 14985 - Fixed the JSON API to correctly interact with the configured framework database, as well as adding support for running the
msfdb webservice
component in the foreground with the--no-daemon
flag.PR 14996 - Fixed a logic bug in the cracker libraries where
hashcat
wasn't able to be run due to invalid version expectations.PR 15022 - Fixed errors which could occur on the first call to the Metasploit JSON RPC service. Now we ensure that the Metasploit JSON RPC service is warmed and healthy up before accepting requests.
PR 15034 - Fixed broken association handling for remote
msfdb
services command, where this issue previously caused a crash when running theservices
command after connecting to another remote database.PR 15038 - Fixed a NameError in the
pulse_secure_gzip_rce
module which was preventing it from functioning correctly.PR 15043 - Fixed a bug on the
python/meterpreter/reverse_http
payload handler where, if the LURI option did not begin with a slash, the payload would fail to stage.PR 15047 - Fixed a bug in DNS reverse lookups due to an invalid answer attribute.
PR 15063 - Fixed a bug in the
check
logic of thenagios_xi_plugins_check_ping_authenticated_rce
module whereby older versions of Nagios XI may have caused the module to crash instead of correctly reporting a target as being vulnerable or not.PR 15064 - Fixed an undefined constant error in the
f5_bigip_known_privkey
module by adding a missing import.PR 15065 - Fixed an issue in the
post/linux/gather/checkvm
module where a physical machine was detected as a virtual machine.PR 15067 - Fixed logic in
lib/metasploit/framework/login_scanner/ssh.rb
so that it now correctly handles cases where a connection might be reset by a client and will now continue scanning instead of throwing a stack trace.
Modules
PR 14699 - New module
exploits/linux/http/nagios_xi_snmptrap_authenticated_rce
exploits CVE-2020-5792, an authenticated command injection vulnerability in theincludes/components/nxti/index.php
page of Nagios XI prior to 5.7.4. Successful exploitation results in RCE as theapache
user.PR 14700 - New module
exploits/linux/http/nagios_xi_plugins_filename_authenticated_rce
exploits CVE-2020-35578, an RCE in Nagios XI versions prior to 5.8.0 that utilizes a command injection when uploading plugins to allow authenticated administrative users to gain remote code execution as theapache
user on affected systems.PR 14833 - New module
post/linux/gather/haserl_read
leverages an arbitrary read in haserl prior to 0.9.36. This vulnerability is identified as CVE-2021-29133 and allows an attacker to read any file on the target filesystem without any specific privileges.PR 15007 - New module
exploits/multi/browser/chrome_simplifiedlowering_overflow
adds an exploit for Google Chrome <= 87.0.4280.66 (CVE-2020-16040). The module starts a webpage hosting malicious JavaScript that when visited by a vulnerable version of Chrome allows Remote Code Execution on a remote machine, and requires the--no-sandbox
Chrome flag, as no sandbox escape is present.PR 15058 - New module
exploits/multi/http/cockpit_cms_rce
exploits CVE-2020-35846 and CVE-2020-35847 in vulnerable CockpitCMS targets (specifically versions 0.10.0 through 0.11.1). This module uses two NoSQL injections to get the user list, and password reset token list, enumerate the tokens to the users, reset a password, login, then a command injection for RCE.