Improved
PR 15358 - Updates the exploit/multi/ssh/sshexec module to handle targets that do not have a python binary. Using the new binary_exists() class method in lib/msf/base/sessions/command_shell.rb, the module now checks for a working Python binary on the target and uses the one it finds, even though no fully-established session exists at that point.
PR 15363 - Enhances the auxiliary/scanner/ipmi/ipmi_dumphashes module with SESSION_RETRY_DELAY and SESSION_MAX_ATTEMPTS options.
PR 15366 - Updates how msfconsole handles its history file. It adds a size limit so the number of stored commands no longer grows indefinitely, and fixes a locking condition that occurred once the history file had grown exceptionally large (roughly 400,000 lines or more).
Fixed
Pro: The logo on the default Social Engineering redirect template has been updated to point at its current public location.
PR 15320 - Fixes a bug in the read_file method of lib/msf/core/post/file.rb that prevented PowerShell sessions from using read_file(). PowerShell sessions can now use this method to read files from the target system.
PR 15350 - Fixes a regression in the windows/manage/shellcode_inject module, which crashed because of a missing mixin.
PR 15352 - Fixes an issue where running msfdb init against an already-initialised database generated a new password instead of simply starting the database.
PR 15371 - Fixes an issue in the apport_abrt_chroot_priv_esc module where the check method failed if the apport-cli binary was not in the PATH.
Modules
PR 15107 - Adds an exploit for CVE-2019-5736, a flaw in runc (the container runtime used by Docker) that lets an attacker inside a container overwrite the host's runc binary and escape the container.
PR 15282 - Adds a module for CVE-2019-15975, an authentication bypass in Cisco's DCNM (Data Center Network Manager) platform. The module uses the vulnerability to add a new administrative user account with known credentials, which can then be used to access the system.
PR 15318 - Adds a post module that performs privilege escalation on a machine running a vulnerable version of NSClient++. The module retrieves the admin password from a config file at a customizable path and, provided NSClient++ has both the web interface and the ExternalScripts feature enabled, gains a SYSTEM shell.
PR 15333 - Adds an exploit module targeting a file upload vulnerability in the Cisco HyperFlex application that can be used to obtain unauthenticated remote code execution.
PR 15341 - Adds an exploit module targeting versions >= v7.0.0 and <= v7.0.4 of the WordPress plugin wpDiscuz. An unauthenticated user can upload arbitrary files as image attachments because of the PHP functions the plugin uses to process attachments. Once a file is uploaded, unauthenticated code execution is achieved by requesting its path.
PR 15349 - Adds an exploit module for rConfig versions <= 3.9.6. An arbitrary file upload vulnerability exists in lib/crud/vendors.crud.php through the vendorLogo parameter: the vendor-logo upload does not validate the contents of uploaded files, so an authenticated user can upload arbitrary PHP code. Once uploaded, code execution on the server is achieved by requesting the uploaded PHP file under the images/vendor path.
PR 15385 - Adds a module that exploits PrintNightmare (CVE-2021-1675/CVE-2021-34527), a remote code execution vulnerability in the Windows Print Spooler service. Successful exploitation loads and executes an attacker-controlled DLL as the SYSTEM user.