Improved
PR 11257 - Added the ability to wrap some PowerShell used for exploitation purposes with RC4 for obfuscation.
PR 14831 - Updated the HttpClient mixin with a new cookie jar implementation which correctly updates and merges the Set-Cookie header responses when using the send_request_cgi keep_cookies option.
PR 15000 - Replaced the use of the which command with command -v, providing a more portable solution.
PR 15014 - Added the ability to specify an individual private key as a string parameter for the auxiliary/scanner/ssh/ssh_login_pubkey module.
PR 15087 - Improved the exploit/windows/local/microfocus_operations_privesc module so that it now supports both vulnerable Operations Bridge Manager installations and vulnerable Operations Bridge Reporter installations, with the new additional target being Operations Bridge Reporter.
PR 15096 - Added shell session support to the post/windows/gather/checkvm module. This also notably added cross-platform support for getting a list of running processes using shell and Meterpreter sessions.
PR 15110 - Added the necessary functionality to the Java Meterpreter for resolving hostnames over DNS, closing a feature gap relative to the other Meterpreters.
PR 15136 - Updated the exploit/multi/http/microfocus_ucmdb_unauth_deser module default Linux payload from cmd/unix/generic to cmd/unix/reverse_python.
PR 15138 - Cleaned up the auxiliary/scanner/http/dell_idrac module code and added the last_attempted_at field to create_credential_login to prevent a crash. Also added documentation for the module.
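The Set-Cookie merging behaviour described for PR 14831 above, as an added illustration rather than Metasploit's own HttpClient code: a small jar that takes Set-Cookie headers from successive responses, replaces same-name cookies, drops expired ones and renders the Cookie request header. The CookieJar class and its method names are assumptions for this example.

```ruby
require 'time'

# Hypothetical cookie jar illustrating keep_cookies-style merging
# (added example, not the HttpClient mixin's implementation).
class CookieJar
  def initialize
    @cookies = {} # name => value, insertion-ordered
  end

  # Accept one Set-Cookie header value, or an array of them (one per
  # Set-Cookie header in the response), and merge into the jar.
  # A later value for the same name replaces the earlier one; a cookie
  # with Max-Age=0 or an Expires date in the past is removed.
  def update(set_cookie_headers)
    Array(set_cookie_headers).each do |header|
      pair, *attrs = header.split(';').map(&:strip)
      name, value = pair.to_s.split('=', 2)
      next if name.nil? || name.empty?
      if expired?(attrs)
        @cookies.delete(name)
      else
        @cookies[name] = value.to_s
      end
    end
    self
  end

  # Render the jar as the value of a Cookie request header.
  def to_header
    @cookies.map { |k, v| "#{k}=#{v}" }.join('; ')
  end

  def size
    @cookies.size
  end

  private

  def expired?(attrs)
    attrs.any? do |attr|
      key, val = attr.split('=', 2)
      case key.to_s.downcase
      when 'max-age'
        val.to_i <= 0
      when 'expires'
        t = (Time.parse(val.to_s) rescue nil)
        !t.nil? && t < Time.now
      else
        false
      end
    end
  end
end
```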
Fixed
Pro: We improved date parsing for Acunetix imports within Metasploit Framework.
PR 14953 - Fixed Python string formatting compatibility in auxiliary/scanner/http/rdp_web_login.
PR 15050 - Fixed a crash in Metasploit's console when the user tried to tab complete values, such as file paths, which were missing their final closing quote.
PR 15081 - Updated the Microsoft SQL Server interesting data finder module to correctly handle the scenario where no interesting data is found. Previously, this would result in a module crash.
PR 15094 - Fixed a bug in how certain Meterpreters would execute commands issued through sessions -c, where some would use a subshell while others would not.
PR 15111 - Fixed an issue in how some Meterpreter session types would inconsistently run commands issued through sessions -c.
PR 15114 - Updated the auxiliary/scanner/redis/file_upload module to correctly handle Redis instances which require authenticated access.
PR 15116 - Fixed a bug that would occur when importing newer Acunetix reports into the database due to a change in how the timestamp is formatted.
PR 15120 - Fixed a regression within tools/modules/module_author.rb so that it runs without crashing.
PR 15140 - Fixed msftidy_docs.rb so it doesn't double warn on optional (and missing) Options headers.
Modules
PR 11130 - New module post/multi/gather/unix_cached_ad_hashes retrieves cached AD credentials from two different solutions on UNIX (SSSD and VAS).
PR 11130 - New module post/multi/gather/unix_kerberos_tickets retrieves cached Kerberos tickets from two different solutions on UNIX (SSSD and VAS).
PR 14702 - New module auxiliary/gather/redis_extractor retrieves all data from a Redis instance (version 2.8.0 and above).
PR 14947 - New module exploits/linux/misc/igel_command_injection exploits an unauthenticated command injection vulnerability in the Secure Terminal and Secure Shadow services in various versions of IGEL OS.
PR 14977 - New module exploits/linux/http/apache_druid_js_rce targets Apache Druid versions prior to 0.20.1. An authenticated user can send a single request that both enables the execution of user-provided JavaScript code and executes the code on the server with the privileges of the user running the Apache Druid process. By default, Apache Druid does not require authentication.
PR 15005 - New module exploits/linux/http/vmware_vrops_mgr_ssrf_rce exploits both a pre-auth SSRF and a post-auth file write via directory traversal to get code execution as the admin user on vulnerable VMware vRealize Operations Manager installs.
PR 15021 - New module post/android/local/koffee leverages the CVE-2020-8539 vulnerability on certain Kia Motors head units. This vulnerability is also known as KOFFEE.
PR 15030 - New module exploits/linux/http/gravcms_exec leverages an unauthenticated arbitrary YAML write/update vulnerability to get remote code execution on vulnerable GravCMS targets under the context of the web server user. This vulnerability is identified as CVE-2021-21425 and has been fixed in the admin component version 1.10.10, which was released with GravCMS version 1.7.9.
PR 15086 - New module exploits/linux/ssh/microfocus_obr_shrboadmin provides an exploit for CVE-2020-11857, which is a hardcoded SSH password in Micro Focus Operations Bridge Manager instances.
PR 15090 - New module exploits/linux/http/microfocus_obr_cmd_injection adds an exploit for CVE-2021-22502, which is an unauthenticated OS command injection vulnerability in the Micro Focus Operations Bridge Reporter.
PR 15105 - New module exploits/multi/browser/chrome_cve_2021_21220_v8_insufficient_validation exploits CVE-2021-21220, a Chrome V8 XOR typer OOB Access RCE that was found in the 2021 Pwn2Own competition by Dataflow Security's Niklas Baumstark (@niklasb) and Bruno Keith (@bkth). Note that this module will require you to run Chrome without the sandbox enabled, as it does not come with a sandbox escape.