Improved
PR 11257 - Added the ability to wrap some PowerShell used for exploitation purposes with RC4 for obfuscation.
PR 14831 - Updated the HttpClient mixin with with a new cookie jar implementation which correctly updates and merges the
Set-Cookieheader responses when using thesend_request_cgikeep_cookiesoption.PR 15000 - Replaced the use of the
whichcommand withcommand -v, providing a more portable solution.PR 15014 - Added the ability to specify an individual private key as a string parameter for the
auxiliary/scanner/ssh/ssh_login_pubkeymodule.PR 15087 - Improved the
exploit/windows/local/microfocus_operations_privescmodule so that it now supports both vulnerable Operations Bridge Manager installations and vulnerable Operations Bridge Reporter installations, with the new additional target being Operations Bridge Reporter.PR 15096 - Added shell session support to the
post/windows/gather/checkvmmodule. This also notably added cross-platform support for getting a list of running processes using shell and Meterpreter sessions.PR 15110 - Added the necessary functionality to the Java Meterpreter for resolving hostnames over DNS, closing a feature gap that had been present with other Meterpreters.
PR 15136 - Updated the
exploit/multi/http/microfocus_ucmdb_unauth_desermodule default Linux payload fromcmd/unix/generictocmd/unix/reverse_python.PR 15138 - Cleaned up the
auxiliary/scanner/http/dell_idracmodule code and added thelast_attempted_atfield tocreate_credential_loginto prevent a crash. Also added documentation for the module.
Fixed
Pro: We improved date parsing for Acunetix imports within Metasploit Framework.
PR 14953 - Fixed python string formatting compatibility in
auxiliary/scanner/http/rdp_web_login.PR 15050 - Fixed a crash in Metasploit's console when the user tried to tab complete values, such as file paths, which were missing their final closing quote.
PR 15081 - Updated the Microsoft SQL Server interesting data finder module to correctly handle the scenario where no interesting data is found. Previously, this would result in a module crash.
PR 15094 - Fixed a bug in how certain Meterpreters would execute command issued through
sessions -c, where some would use a subshell while others would not.PR 15111 - Fixed an issue in how some Meterpreter session types would inconsistently run commands issued through
sessions -c.PR 15114 - Updated the
auxiliary/scanner/redis/file_uploadmodule to correctly handle Redis instances which require authenticated access.PR 15116 - Fixed a bug that would occur when importing newer Acunetix reports into the database due to a change in how the timestamp is formatted.
PR 15120 - Fixed a regression within
tools/modules/module_author.rbso that it runs without crashing.PR 15140 - Fixed
msftidy_docs.rbso it doesn't double warn on optional (and missing)Optionsheaders.
Modules
PR 11130 - New module
post/multi/gather/unix_cached_ad_hashesretrieves cached AD credentials from two different solutions on UNIX (SSSD and VAS).PR 11130 - New module
post/multi/gather/unix_kerberos_ticketsretrieves cached Kerberos tickets from two different solutions on UNIX (SSSD and VAS).PR 14702 - New module
auxiliary/gather/redis_extractorretrieves all data from a Redis instance (version 2.8.0 and above).PR 14947 - New module
exploits/linux/misc/igel_command_injectionexploits an unauthenticated command injection vulnerability in the Secure Terminal and Secure Shadow services in various versions of IGEL OS.PR 14977 - New module
exploits/linux/http/apache_druid_js_rcetargets Apache Druid versions prior to0.20.1. An authenticated user can send a single request that both enables the execution of user-provided JavaScript code and executes the code on the server with the privileges of the user running the Apache Druid process. By default, Apache Druid does not require authentication.PR 15005 - New module
exploits/linux/http/vmware_vrops_mgr_ssrf_rceexploits both a pre-auth SSRF and a post-auth file write via directory traversal to get code execution as theadminuser on vulnerable VMware vRealize Operations Manager installs.PR 15021 - New module
post/android/local/koffeeleverages the CVE-2020-8539 vulnerability on certain Kia Motors head units. This vulnerability is also known as KOFFEE.PR 15030 - New module
exploits/linux/http/gravcms_execleverages an unauthenticated arbitrary YAML write/update vulnerability to get remote code execution on vulnerable GravCMS targets under the context of the web server user. This vulnerability is identified as CVE-2021-21425 and has been fixed in the admin component version 1.10.10, which was released with GravCMS version 1.7.9.PR 15086 - New module
exploits/linux/ssh/microfocus_obr_shrboadminprovides an exploit for CVE-2020-11857, which is a hardcoded SSH password in Micro Focus Operations Bridge Manager instances.PR 15090 - New module
exploits/linux/http/microfocus_obr_cmd_injectionadds an exploit for CVE-2021-22502, which is an unauthenticated OS command injection vulnerability in the Micro Focus Operations Bridge Reporter.PR 15105 - New module
exploits/multi/browser/chrome_cve_2021_21220_v8_insufficient_validationexploits CVE-2021-21220, a Chrome V8 XOR typer OOB Access RCE that was found in the 2021 Pwn2Own competition by Dataflow Security's Niklas Baumstark (@niklasb) and Bruno Keith (@bkth).Note that this module will require you to run Chrome without the sandbox enabled, as it does not come with a sandbox escape.