Jun 22, 2021
4.19.1
We updated the Metasploit Framework with various community fixes.
Improved
- PR 15109 - An update has been made so that when a user attempts to load an extension that isn’t available for the current Meterpreter type, they will now receive a list of payloads that would yield a Meterpreter session capable of loading the specified extension. Additionally, when a user runs a command that’s in an extension that hasn’t been loaded yet, Metasploit will now tell the user which extension needs to be loaded for the command to run.
- PR 15187 - Updates the msfdb script to now prompt the user before enabling the remote HTTP webservice functionality, defaulting to disabled. It is still possible to enable this functionality after the fact with `msfdb --component webservice init`.
- PR 15296 - The `command_exists?` method inside `post/common.rb` has been updated to fall back to using the `which` command to check if a command exists on a target system when `command -v` fails to run successfully. This allows users to check whether a command exists on systems that might not provide a `command` command, such as ESXi.
- PR 15299 - The CONTRIBUTING.md documentation has been updated to include additional information on how to request CVEs for vulnerabilities from Rapid7.
- PR 15316 - The assembly stub used by the `PrependFork` option for Linux payloads has been updated to call `setsid(2)` in the child process before calling `fork(2)` again, so that the payload properly runs in the background. This ensures the payload runs correctly when the target environment expects the command or payload to return, and makes the payloads better emulate the Mettle payload’s `background` command for better consistency across payloads.
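The fork, setsid, fork sequence described for PR 15316, as an added C example that is not Metasploit’s assembly stub: `run_detached` (a name assumed for this illustration) reports which session the detached grandchild ends up in, with and without the `setsid(2)` call, so the effect of the change can be checked directly.

```c
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run worker() in a detached grandchild and return the session ID the
 * grandchild observed, so the caller can compare it with its own.
 * new_session != 0: the intermediate child calls setsid(2) before forking
 * again (the sequence PR 15316 adds); 0: the older fork-only behaviour,
 * where the grandchild stays in the caller's session. */
static pid_t run_detached(int new_session, void (*worker)(void))
{
    int fd[2];
    if (pipe(fd) == -1) return -1;
    pid_t child = fork();
    if (child == -1) return -1;
    if (child == 0) {
        /* intermediate child: optionally become leader of a new session */
        if (new_session && setsid() == (pid_t)-1) _exit(1);
        pid_t grandchild = fork();
        if (grandchild == -1) _exit(1);
        if (grandchild == 0) {
            /* grandchild: report the session it ended up in, then do the work */
            pid_t sid = getsid(0);
            (void)write(fd[1], &sid, sizeof sid);
            close(fd[1]);
            worker();
            _exit(0);
        }
        _exit(0); /* exit at once so the caller is not left waiting on us */
    }
    close(fd[1]);
    waitpid(child, NULL, 0); /* reap the child; the grandchild is reparented to init */
    pid_t sid = -1;
    if (read(fd[0], &sid, sizeof sid) != (ssize_t)sizeof sid) sid = -1;
    close(fd[0]);
    return sid;
}

static void noop_worker(void) {}

/* 1 if the detached grandchild ran in a session other than the caller's.
 * Expected: grandchild_has_own_session(0) == 0, grandchild_has_own_session(1) == 1 */
int grandchild_has_own_session(int new_session)
{
    pid_t sid = run_detached(new_session, noop_worker);
    return sid != -1 && sid != getsid(0);
}
```

From a monitoring standpoint, the grandchild produced by the setsid variant appears reparented to PID 1 as a member of a fresh session whose leader has already exited, which is the shape a process-tree detection for short-lived parents would key on.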
Fixed
- PR 15257 - The `lib/msf/core/post_mixin.rb` library has been updated to correctly check whether missing Meterpreter command IDs are core command IDs or extension command IDs, and to provide appropriate feedback to end users about this incompatibility. This also fixes an issue where Meterpreter might complain that it couldn’t load an extension but wouldn’t display what the extension was.
- PR 15284 - This fixes a localization-related issue in the `post/linux/gather/pptpd_chap_secrets` module. If the file is unreadable, Metasploit would treat the permission denied error as the file’s contents.
- PR 15290 - Invalid Meterpreter command requirements in mixins no longer raise a runtime error.
- PR 15293 - This fixes two bugs in the Redis extractor module. The first was an issue that would occur when a value was excessively large. The second was a race condition that could be encountered if the server was being actively used by a third party.
- PR 15312 - Ensures that msfconsole now supports setting both `RHOST` and `RHOSTS` interchangeably for all scenarios and modules.
- PR 15319 - This fixes a localization issue in the `post/windows/gather/enum_hyperv_vms` module where on non-English systems the error message would not match the specified regular expression.
- PR 15328 - The `lib/msf/core/session/provider/single_command_shell.rb` library has been updated to address an issue whereby `shell_read_until_token` may sometimes fail to return output if the randomized token used to delimit output also appears within the legitimate output.
- PR 15337 - A bug has been fixed in `apache_activemq_upload_jsp.rb` whereby the URI and filesystem path were not separated appropriately. Additionally, extra checks were added to handle error conditions that may arise during module operation.
- PR 15340 - A bug was identified in `lib/msf/ui/console/command_dispatcher/db.rb` where the `-d` flag was not being correctly honored, preventing users from deleting hosts from their database. This has now been fixed.
Modules
- PR 14836 - This PR adds an auxiliary scanner and an exploit module for CVE-2020-26948, an SSRF against Emby servers.
- PR 15215 - Adds a new `multi/misc/nomad_exec` module for HashiCorp’s Nomad product. This module supports the use of the `raw_exec` and `exec` drivers to create a job that spawns a shell.
- PR 15239 - A new module has been added to exploit CVE-2021-33393, an authenticated command injection vulnerability in the `/cgi-bin/pakfire.cgi` web page of IPFire devices running versions 2.25 Core Update 156 and prior. Successful exploitation results in remote code execution as the `root` user.
- PR 15281 - Added an exploit for CVE-2021-1497 / CVE-2021-1498, a command injection in Cisco HyperFlex HX Data Platform.
- PR 15305 - This module allows an attacker who knows the admin password of NSClient++ 0.5.2.35 to start a privileged reverse shell, provided that NSClient++ has both the web interface and the ExternalScripts feature enabled.
- PR 15314 - A new exploit for CVE-2021-31181 has been added, which exploits an RCE in SharePoint that was patched in May 2021. Successful exploitation requires the attacker to have login credentials for a SharePoint user who has `SPBasePermissions.ManageLists` permissions on any SharePoint site, and grants the attacker remote code execution as the user running the SharePoint server.