Jun 22, 2021 - 4.19.1

Improved

  • PR 15109 - An update has been made so that when a user attempts to load an extension that isn't available for the current Meterpreter type, they will now receive a list of payloads that would yield a Meterpreter session that would be capable of loading the specified extension. Additionally, when a user runs a command that's in an extension that hasn't been loaded yet, Metasploit will now tell the user which extension needs to be loaded for the command to run.

  • PR 15187 - Updates the msfdb script to prompt the user before enabling the remote HTTP web service functionality, which now defaults to disabled. It is still possible to enable this functionality afterwards with msfdb --component webservice init.

  • PR 15296 - The command_exists? method in post/common.rb now falls back to the which command when command -v does not run successfully. This allows users to check whether a command exists on target systems whose shell lacks the command builtin, such as ESXi.

  • PR 15299 - The CONTRIBUTING.md documentation has been updated to include additional information on how to request CVEs for vulnerabilities from Rapid7.

  • PR 15316 - The assembly stub used by the PrependFork option for Linux payloads now calls setsid(2) in the child process before calling fork(2) again, so that the payload properly runs in the background. This ensures the payload runs correctly when the target environment expects the command or payload to return, and brings it in line with the Mettle payload's background command for better consistency across payloads.
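
The check described for PR 15296 above, as an added example rather than the code in Metasploit's post/common.rb: a command_exists? helper that probes with the POSIX command -v builtin first and falls back to which(1) when that probe does not complete, which is what happens on a target such as ESXi whose shell has no command builtin. The target shell is passed in as a callable (an assumption of this example: it returns the combined output of running one line on the target), and the two simulated shells at the bottom are constructed stand-ins, not captured output.

```ruby
# Added example, not the code from Metasploit's post/common.rb.
FOUND_MARK = 'cmd_exists_ok'

# run_cmd: callable that executes one shell line on the target and returns its output.
def command_exists?(cmd, run_cmd)
  # Only accept plain command names so nothing unexpected is interpolated into the shell line.
  raise ArgumentError, "unsafe command name: #{cmd.inspect}" unless cmd.match?(/\A[\w.+-]+\z/)

  # Each probe prints the marker only if the lookup itself ran and succeeded.
  probe = lambda do |lookup|
    run_cmd.call("#{lookup} '#{cmd}' >/dev/null 2>&1 && echo #{FOUND_MARK}").to_s.include?(FOUND_MARK)
  end

  return true if probe.call('command -v')
  # No marker: either the command is absent, or `command` itself is missing and the
  # shell printed an error such as "sh: command: not found". Try which(1) before giving up.
  probe.call('which')
end

# Constructed stand-ins for two target shells (not captured from real systems).
# `bins` lists the commands the target has; `command_builtin: false` models ESXi.
def simulated_shell(bins, command_builtin: true)
  lambda do |line|
    name = line[/'([^']+)'/, 1]
    if line.start_with?('command -v') && !command_builtin
      "sh: command: not found\n"          # the probe fails, so no marker is printed
    elsif bins.include?(name)
      "#{FOUND_MARK}\n"
    else
      ''
    end
  end
end
```

Because which(1) is only consulted after command -v produced no marker, a missing command costs one extra round trip on normal shells, while a shell without the command builtin still gets a correct answer instead of a spurious "not found".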

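The detach sequence described for PR 15316 above (fork, setsid in the child, fork again), as an added example in Ruby rather than the PrependFork assembly stub itself, so the effect of the extra setsid(2) call can be observed. The block runs in the grandchild; the pipe that carries back what it observed is an assumption of this demonstration only.

```ruby
# Added example, not Metasploit's PrependFork stub: fork -> setsid -> fork in Ruby.
def run_detached(&work)
  reader, writer = IO.pipe

  first = Process.fork
  if first.nil?
    # First child: leave the caller's session and controlling terminal.
    reader.close
    Process.setsid
    # Second fork: the intermediate child exits at once so the caller's wait returns;
    # the grandchild is not a session leader and is reparented to init.
    Process.exit!(0) unless Process.fork.nil?
    begin
      writer.write(work.call.to_s)
    rescue StandardError => e
      writer.write("error: #{e.message}")
    ensure
      writer.close
    end
    Process.exit!(0)
  end

  # Caller: reap the intermediate child (already gone) so control returns promptly;
  # the pipe closes when the grandchild finishes, which is what reader.read waits on.
  writer.close
  Process.wait(first)
  result = reader.read
  reader.close
  result
end

# What a detached process should observe: a new session id, and it is not the leader.
def session_report(parent_sid)
  sid = Process.getsid
  "new_session=#{sid != parent_sid} leader=#{sid == Process.pid}"
end
```

Without the setsid call the grandchild would stay in the caller's session and process group, so a shell that waits for its job, or a hangup on the controlling terminal, could still reach it; with it, only the pipe in this demo ties the two together.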
Fixed

  • PR 15257 - The lib/msf/core/post_mixin.rb library has been updated to correctly check if missing Meterpreter command IDs are core command IDs or an extension command ID and provide appropriate feedback to end users about this incompatibility. This also fixes an issue where Meterpreter might complain that it couldn't load an extension but wouldn't display what the extension was.

  • PR 15284 - This fixes a localization-related issue in the post/linux/gather/pptpd_chap_secrets module. If the file is unreadable, Metasploit would treat the permission denied error as the contents.

  • PR 15290 - Invalid Meterpreter command requirements in mixins no longer raise a RuntimeError.

  • PR 15293 - This fixes two bugs in the Redis extractor module. The first occurred when a value was excessively large. The second was a race condition that could be encountered if the server was being actively used by a third party.

  • PR 15312 - Ensures that msfconsole now supports setting RHOST and RHOSTS interchangeably for all scenarios and modules.

  • PR 15319 - This fixes a localization issue in the post/windows/gather/enum_hyperv_vms module where on non-English systems the error message would not match the specified regular expression.

  • PR 15328 - The lib/msf/core/session/provider/single_command_shell.rb library has been updated to address an issue whereby shell_read_until_token could fail to return output if the randomized token used to delimit the output also appeared within the legitimate output.

  • PR 15337 - A bug has been fixed in apache_activemq_upload_jsp.rb whereby the URI and filesystem path were not separated appropriately. Additionally, extra checks were added to handle error conditions that may arise during module operation.

  • PR 15340 - A bug was identified in lib/msf/ui/console/command_dispatcher/db.rb where the -d flag was not being correctly honored, preventing users from being able to delete hosts from their database. This has now been fixed.
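
The failure mode described for PR 15328 above, as an added example rather than the code in single_command_shell.rb: a simulated command shell whose output is delimited by a random token, a reader that stops at the first occurrence of the token and therefore truncates output that legitimately contains it, and a reader that only treats a token occupying a whole line (what the trailing echo writes) as the delimiter. The session transcript is constructed for the example; the wrapping scheme and function names are assumptions, not the library's own.

```ruby
# Added example, not the code from Metasploit's single_command_shell.rb.
require 'securerandom'
require 'stringio'

# The command is wrapped so the target prints the token after the real output.
def wrap_with_token(cmd, token = SecureRandom.hex(8))
  ["#{cmd}; echo #{token}", token]
end

# Naive reader: returns as soon as the token shows up anywhere in the stream.
def naive_read_until_token(io, token)
  buf = +''
  while (chunk = io.read(8))             # small chunks, as data arrives from a socket
    buf << chunk
    idx = buf.index(token)
    return buf[0...idx] if idx           # truncates if the output itself contains the token
  end
  buf
end

# Stricter reader: only a token that occupies a whole line terminates the read;
# a token embedded in a longer line is treated as ordinary output.
def read_until_token(io, token)
  buf = +''
  delimiter = /^#{Regexp.escape(token)}\r?\n/
  while (chunk = io.read(8))
    buf << chunk
    m = delimiter.match(buf)
    return buf[0...m.begin(0)] if m
  end
  buf
end

# Constructed session transcript (not real output): a process listing that echoes
# our own wrapped command line, so the token appears before the real delimiter.
def constructed_stream(token)
  sent, = wrap_with_token('ps -o args=', token)
  StringIO.new("sh -c '#{sent}'\nsshd: root\n#{token}\n")
end
```

Process listings and shell history are the realistic sources of such collisions, since both reproduce the wrapped command line that carries the token; anchoring the delimiter to a line of its own handles that case without changing the token scheme.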

Modules

  • PR 14836 - This PR adds an auxiliary scanner and an exploit module for CVE-2020-26948, an SSRF vulnerability in Emby servers.

  • PR 15215 - Adds a new multi/misc/nomad_exec module for HashiCorp's Nomad product. This module supports the use of the 'raw_exec' and 'exec' drivers to create a job that spawns a shell.

  • PR 15239 - A new module has been added to exploit CVE-2021-33393, an authenticated command injection vulnerability in the /cgi-bin/pakfire.cgi web page of IPFire devices running versions 2.25 Core Update 156 and prior. Successful exploitation results in remote code execution as the root user.

  • PR 15281 - Added an exploit for CVE-2021-1497/CVE-2021-1498, a command injection in Cisco HyperFlex HX Data Platform.

  • PR 15305 - This module allows an attacker with knowledge of the admin password of NSClient++ 0.5.2.35 to start a privileged reverse shell, so long as NSClient++ has both the web interface and the ExternalScripts feature enabled.

  • PR 15314 - A new exploit for CVE-2021-31181 has been added, which exploits an RCE in SharePoint that was patched in May 2021. Successful exploitation requires the attacker to have login credentials for a SharePoint user who has SPBasePermissions.ManageLists permissions on any SharePoint site, and grants the attacker remote code execution as the user running the SharePoint server.
