Improved
PR 15109 - An update has been made so that when a user attempts to load an extension that isn't available for the current Meterpreter type, they now receive a list of payloads that would yield a Meterpreter session capable of loading the specified extension. Additionally, when a user runs a command that belongs to an extension that hasn't been loaded yet, Metasploit now tells the user which extension needs to be loaded for the command to run.
PR 15187 - Updates the msfdb script to prompt the user before enabling the remote HTTP web service functionality, which now defaults to disabled. It is still possible to enable this functionality after the fact with msfdb --component webservice init.
PR 15296 - The command_exists? method inside post/common.rb has been updated to fall back to the which command to check whether a command exists on a target system if command -v fails to run successfully. This allows users to check whether a command exists on systems, such as ESXi, whose shell may not provide a command command.
PR 15299 - The CONTRIBUTING.md documentation has been updated to include additional information on how to request CVEs for vulnerabilities from Rapid7.
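As an added illustration of the fallback described under PR 15296 (this is example code, not Metasploit's post/common.rb), the Ruby below models command_exists? against two constructed target shells: a POSIX one whose command builtin works, and an ESXi-like one that has which but no command. The fake_shell helper, its bins lists and the has_command_builtin flag are assumptions made for the demo; the real method sends its probes to the session via cmd_exec.

```ruby
require 'shellwords'

# Constructed stand-in for a target's shell (an assumption for this demo, not
# Metasploit's cmd_exec). +bins+ lists the executables present on the target;
# has_command_builtin: false models a shell, like ESXi's, with no `command`.
def fake_shell(bins, has_command_builtin: true)
  lambda do |line|
    m = line.match(/\A(command -v|which) (\S+) && echo true\z/)
    return "sh: syntax error\n" unless m
    if m[1] == 'command -v' && !has_command_builtin
      return "sh: command: not found\n"  # the probe itself fails: no "true" marker
    end
    hit = bins.find { |b| File.basename(b) == m[2] }
    hit ? "#{hit}\ntrue\n" : ''
  end
end

# Probe for +cmd+ the way the updated command_exists? does: try `command -v`
# first and fall back to `which` only when that probe did not succeed. The
# "echo true" marker is printed only when the probe exits with status zero.
def command_exists?(cmd, shell)
  name = Shellwords.escape(cmd)  # never interpolate a raw name into a shell line
  out = shell.call("command -v #{name} && echo true")
  return true if out.lines.last.to_s.strip == 'true'
  out = shell.call("which #{name} && echo true")
  out.lines.last.to_s.strip == 'true'
end

# Constructed sample targets for the demo.
posix_target = fake_shell(%w[/bin/ls /usr/bin/python3])
esxi_target  = fake_shell(%w[/bin/ls /bin/esxcli], has_command_builtin: false)

puts command_exists?('ls', posix_target)        # true via command -v
puts command_exists?('esxcli', esxi_target)     # true only via the which fallback
puts command_exists?('python3', esxi_target)    # false: both probes miss
```

The marker check looks at the last output line rather than searching the whole string, so an error banner or a path that happens to contain the word "true" does not produce a false positive.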
PR 15316 - The assembly stub used by the PrependFork option for Linux payloads has been updated to call setsid(2) in the child process before calling fork(2) again, so that the payload properly runs in the background. This ensures the payload runs correctly when the target environment expects the command or payload to return, and makes the payloads better emulate the Mettle payload's background command for more consistent behaviour across payloads.
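The fork / setsid / fork sequence that PR 15316 describes, shown as an added Ruby example (not the payload's assembly stub and not project code) so the effect is observable: the caller waits only for its first child, while the grandchild ends up in a fresh session and is left running. The session ids are reported back over a pipe; the pipe, run_in_background and the returned hash are assumptions of this demo.

```ruby
# Demonstrates why the extra setsid(2) matters: after fork -> setsid -> fork,
# the grandchild lives in its own session (no controlling terminal) and the
# caller's wait returns as soon as the first child exits.
def run_in_background
  reader, writer = IO.pipe
  child = Process.fork do
    reader.close
    Process.setsid            # child becomes leader of a new session
    Process.fork do
      # grandchild: this is where the payload body would execute. Here it
      # just reports its pid and session id back to the caller.
      writer.puts "#{Process.pid} #{Process.getsid}"
      writer.close
      exit!(0)
    end
    exit!(0)                  # child exits at once; grandchild is reparented
  end
  writer.close
  Process.waitpid(child)      # the caller only ever waits for the first child
  line = reader.read          # EOF arrives once the grandchild closes the pipe
  reader.close
  gpid, gsid = line.split.map(&:to_i)
  { child: child, grandchild: gpid, grandchild_sid: gsid, caller_sid: Process.getsid }
end

if __FILE__ == $PROGRAM_NAME
  r = run_in_background
  puts "caller sid #{r[:caller_sid]}, first child #{r[:child]}, " \
       "grandchild #{r[:grandchild]} in session #{r[:grandchild_sid]}"
end
```

Because setsid(2) makes the caller's child the leader of a new session, the grandchild's session id equals that child's pid, not the caller's session, and once the child exits the grandchild is reparented to init (or the nearest subreaper). That pairing, a process whose session leader has already exited and whose parent is now pid 1, is the process-tree shape a defender will see for a payload launched with this option.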
Fixed
PR 15257 - The lib/msf/core/post_mixin.rb library has been updated to correctly check whether missing Meterpreter command IDs are core command IDs or extension command IDs, and to give end users appropriate feedback about this incompatibility. This also fixes an issue where Meterpreter might complain that it couldn't load an extension without saying which extension it was.
PR 15284 - This fixes a localization-related issue in the post/linux/gather/pptpd_chap_secrets module. If the file is unreadable, Metasploit would treat the permission denied error as the file's contents.
PR 15290 - Invalid Meterpreter command requirements in mixins no longer raise a runtime error.
PR 15293 - This fixes two bugs in the Redis extractor module. The first was an issue that would occur when a value was excessively large. The second was a race condition that could be encountered if the server was being actively used by a third party.
PR 15312 - Ensures that msfconsole now supports setting RHOST and RHOSTS interchangeably for all scenarios and modules.
PR 15319 - This fixes a localization issue in the post/windows/gather/enum_hyperv_vms module where, on non-English systems, the error message would not match the specified regular expression.
PR 15328 - The lib/msf/core/session/provider/single_command_shell.rb library has been updated to address an issue whereby shell_read_until_token could fail to return output if the randomized token used to delimit output also appeared in the legitimate output.
PR 15337 - A bug has been fixed in apache_activemq_upload_jsp.rb whereby the URI and filesystem path were not separated appropriately. Additionally, extra checks were added to handle error conditions that may arise during module operation.
PR 15340 - A bug was identified in lib/msf/ui/console/command_dispatcher/db.rb where the -d flag was not being correctly honored, preventing users from deleting hosts from their database. This has now been fixed.
Modules
PR 14836 - This PR adds an auxiliary scanner and an exploit module for CVE-2020-26948, an SSRF against Emby servers.
PR 15215 - Adds a new multi/misc/nomad_exec module for HashiCorp's Nomad product. This module supports the use of the 'raw_exec' and 'exec' drivers to create a job that spawns a shell.
PR 15239 - A new module has been added to exploit CVE-2021-33393, an authenticated command injection vulnerability in the /cgi-bin/pakfire.cgi web page of IPFire devices running versions 2.25 Core Update 156 and prior. Successful exploitation results in remote code execution as the root user.
PR 15281 - Added an exploit for CVE-2021-1497/CVE-2021-1498, a command injection in Cisco HyperFlex HX Data Platform.
PR 15305 - This module allows an attacker with knowledge of the admin password of NSClient++ 0.5.2.35 to start a privileged reverse shell, provided that NSClient++ has both the web interface and the ExternalScripts feature enabled.
PR 15314 - A new exploit for CVE-2021-31181 has been added, which exploits an RCE in SharePoint that was patched in May 2021. Successful exploitation requires the attacker to have login credentials for a SharePoint user who has SPBasePermissions.ManageLists permissions on any SharePoint site, and grants the attacker remote code execution as the user running the SharePoint server.