Jul 08, 2021

4.19.1

Improved

  • PR 15358 - This updates the exploit/multi/ssh/sshexec module to now account for cases where the target system does not have the python binary. Using the new binary_exists() class method in lib/msf/base/sessions/command_shell.rb, the module now checks for and uses the valid Python binary found on the target system despite not having a fully-established session.

  • PR 15363 - Enhances the auxiliary/scanner/ipmi/ipmi_dumphashes module with SESSION_RETRY_DELAY and SESSION_MAX_ATTEMPTS options.

  • PR 15366 - This updates how the msfconsole's history file is handled. It adds a size limitation so the number of commands does not grow indefinitely and fixes a locking condition that would occur when the history file had grown exceptionally large (~400,000 lines or more).

Fixed

  • Pro: The logo on the default Social Engineering redirect template has been updated to point at its latest public location.

  • PR 15320 - Fixes a bug in the read_file method of lib/msf/core/post/file.rb that prevented PowerShell sessions from using it. PowerShell sessions can now use read_file() to read files from the target system.

  • PR 15350 - Fixes a regression in the windows/manage/shellcode_inject module, which crashed due to a missing mixin.

  • PR 15352 - Fixes an issue where running msfdb init on an already initialised database would generate a new password instead of just starting the database.

  • PR 15371 - Fixes an issue in the apport_abrt_chroot_priv_esc module where the check method would fail if the apport-cli binary was not in the PATH.

Modules

  • PR 15107 - This adds an exploit for CVE-2019-5736, a flaw in Docker that can be leveraged by an attacker to overwrite the runc binary on the host and escape from a container.

  • PR 15282 - This adds a module that leverages CVE-2019-15975, an authentication bypass in Cisco's DCNM platform. The module uses the vulnerability to add a new administrative user account with known credentials that can then be used to access the system.

  • PR 15318 - This post module allows an attacker to perform a privilege escalation on a machine running a vulnerable version of NSClient++. The module retrieves the admin password from a config file at a customizable path and, as long as NSClient++ has both the web interface and the ExternalScripts feature enabled, gains a SYSTEM shell.

  • PR 15333 - This adds an exploit module targeting a file upload vulnerability within the Cisco Hyperflex application that can be used to obtain unauthenticated remote code execution.

  • PR 15341 - This adds an exploit module that targets versions >= v7.0.0 and <= v7.0.4 of the WordPress plugin wpDiscuz. An unauthenticated user can upload arbitrary files as image attachments through the wpDiscuz plugin because of the PHP functions used to process the attachments. Once a file is uploaded, unauthenticated code execution is achieved by requesting the path of the uploaded file.

  • PR 15349 - This adds an exploit module for rConfig versions <= 3.9.6. An arbitrary file upload vulnerability exists in lib/crud/vendors.crud.php through the vendorLogo parameter. The vendor logo upload functionality does not validate the contents of uploaded files, so an authenticated user can upload arbitrary PHP code. Once uploaded, code execution on the server is achieved by requesting the uploaded PHP file in the images/vendor path.

  • PR 15385 - A new module has been added to Metasploit to exploit PrintNightmare, aka CVE-2021-1675/CVE-2021-34527, a Remote Code Execution vulnerability in the Windows Print Spooler service. Successful exploitation results in the ability to load and execute an attacker-controlled DLL as the SYSTEM user.
