Improved
Pro: We have enhanced credential imports to allow separate username and password files to be enumerated and imported into a workspace.
PR 15217 - Removes the Python module ms17_010_eternalblue_win8.py and consolidates the functionality into exploits/windows/smb/ms17_010_eternalblue.rb, which as a result can now target Windows 7, Windows 8.1, Windows 2012 R2, and Windows 10. This change removes the need to have Python installed on the host machine, and the automatic targeting functionality will make this module easier to run.
PR 15254 - This updates the AMSI bypass used by modules executing PowerShell code so that it is randomized, making it more difficult to detect using static signatures.
PR 15403 - This makes changes to the PowerShell session type to report its platform using a value consistent with the other session types. It also adds PowerShell session support to some methods within the file mixin.
PR 15409 - An update has been made to the PrintNightmare module to improve the way that it checks whether a target is vulnerable or not. The update also supports automatically converting UNC paths to use the \??\UNC\host\path\to\dll format to bypass the second and most recent patch at the time of writing. Additionally, a bug was fixed in the DCERPC library where data that was read would be incomplete when the response did not fit into a single fragment. The PrintNightmare module can now read long responses from the target, such as when enumerating the installed printer drivers.
PR 15440 - This PR updates the payloads gem to include updates to Kiwi. For more information, see rapid7/mimikatz#5 and rapid7/metasploit-payloads#490.
PR 15444 - This adds additional support for PowerShell sessions to some methods in the file mixin leveraged by post modules.
PR 15465 - This updates the local exploit suggester to gracefully handle modules raising unintended exceptions and nil target information.
Fixed
Pro: We have restored console access to the database connection.
Pro: We adjusted task chain creation to limit credential import to manual or workspace values.
Pro: We fixed an issue where tagging was not respecting individual selections.
PR 14683 - This replaces a cryptic exception raised by msfvenom when an incompatible EXE template file is used with a specific injection technique. The new exception validates whether or not the EXE is compatible, and reports the reasoning to the user so that they can better understand the problem.
PR 15359 - This fixes a bug in the ssh_login_pubkey module, which would crash when not connected to the database.
PR 15362 - This fixes a regression issue with post/multi/manage/shell_to_meterpreter, and other interactions with command shell based sessions.
PR 15420 - This fixes a regression issue where auxiliary/scanner/ssh/eaton_xpert_backdoor failed to load correctly.
PR 15436 - This ensures that generated variable names aren't Java keywords.
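The check behind PR 15436, as an added illustration rather than Metasploit's own code: a random-identifier generator that rejects Java reserved words (and literals) so emitted Java source always compiles. The keyword list and helper names are assumptions for this example.

```ruby
# Added example (not Metasploit's own code): generate random identifiers that
# are always legal Java variable names, skipping reserved words and literals.

# Java reserved words plus the literals true/false/null, which are also not
# usable as identifiers (constructed list for this example).
JAVA_KEYWORDS = %w[
  abstract assert boolean break byte case catch char class const continue
  default do double else enum extends final finally float for goto if
  implements import instanceof int interface long native new package private
  protected public return short static strictfp super switch synchronized this
  throw throws transient try void volatile while true false null
].freeze

# A name is usable as a Java variable name when it matches identifier syntax
# (letter, underscore or $ first, then alphanumerics) and is not reserved.
def valid_java_var_name?(name)
  return false if JAVA_KEYWORDS.include?(name)
  name.match?(/\A[A-Za-z_$][A-Za-z0-9_$]*\z/)
end

# Draw random lowercase names until one passes the check. Lengths of 3 to 8
# make collisions with keywords such as "int" or "for" possible, so the
# filter above is what guarantees the output is safe to embed in Java code.
def random_java_var_name(rng = Random.new, min_len = 3, max_len = 8)
  alpha = ('a'..'z').to_a
  alnum = alpha + ('0'..'9').to_a
  loop do
    len = rng.rand(min_len..max_len)
    name = alpha.sample(random: rng) +
           Array.new(len - 1) { alnum.sample(random: rng) }.join
    return name if valid_java_var_name?(name)
  end
end
```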
PR 15443 - This adds Python 3 support for the wmiexec external module auxiliary/scanner/smb/impacket/wmiexec.
PR 15445 - This updates msfconsole's output logs to only show the target's IP when an exploit module is run, rather than a host hash.
PR 15460 - This fixes a localization-related issue in the File library's copy_file method, caused by it searching for a word in the command output to determine success.
Modules
PR 15154 - This adds a new post module that dumps the memory of any process on the target. This module is able to perform a full or standard dump. It also downloads the file into the local loot database and deletes the temporary file on the target.
PR 15163 - This adds a module that will leverage CVE-2021-31802 which is an unauthenticated RCE in Netgear R7000 routers. The vulnerability is leveraged to execute a shellcode stub that will enable telnet which can then be accessed for root privileges on the affected device.
PR 15211 - This adds an auxiliary module that retrieves the secret HMAC key from applications that use a vulnerable version of the Apache Tapestry web framework. Retrieving this key will allow an attacker to sign objects in order to exploit a separate Java deserialization vulnerability in Apache Tapestry.
PR 15279 - This adds a local privilege escalation module that targets Pi-hole versions >= 3.0 and <= 5.2.4. In vulnerable versions of the software, a user with sudo privileges can escalate to root by passing shell commands to either the removecustomcname, removecustomdns, or removestaticdhcp function. The functions have minimal sanitization, and they pass the input to the sed command. By default, the www-data user is permitted to run sudo without supplying a password, as configured in the sudoers.d/pihole file.
PR 15368 - A new module has been added which exploits CVE-2021-3560, an authentication bypass and local privilege elevation vulnerability in polkit, a toolkit for defining and handling authorizations which is installed by default on many Linux systems. Successful exploitation results in the creation of a new user with root permissions, which can then be used to gain a shell as root. Note that on some systems exploitation requires that users have a non-interactive session, so users may need to gain an SSH session first before exploiting this vulnerability.
PR 15383 - Adds a new exploit module for VMware vCenter Server CVE-2021-21985, which exploits Java unsafe reflection and SSRF in the VMware vCenter Server Virtual SAN Health Check plugin's ProxygenController class to execute code as the vsphere-ui user.
PR 15386 - A new module has been added which exploits CVE-2021-35464, a pre-authentication Java deserialization vulnerability in OpenAM and ForgeRock AM. Successful exploitation allows for remote code execution as the user running the OpenAM service.
PR 15400 - This adds a Sage X3 login scanner and CVE-2020-7387 + CVE-2020-7388 exploit.
PR 15402 - This adds a module that exploits an authenticated file upload vulnerability in the WordPress plugin Backup Guard. For versions below v1.6.0, the plugin permits the upload of arbitrary PHP code due to insufficient checks on the file format. Once the file is uploaded, code execution can be achieved by requesting the file, located under the /wp-content/uploads/backup-guard directory.
PR 15408 - This adds a module that exploits an authenticated file upload vulnerability in the WordPress plugin SP Project & Document Manager. For versions below 4.22, an authenticated user can upload arbitrary PHP code because the security check only blocks the upload of files with a .php extension, meaning that uploading a file with a .pHp extension is allowed. Once uploaded, requesting the file results in code execution as the www-data user.
PR 15418 - This adds a module that exploits an authenticated file upload vulnerability in the WordPress plugin Modern Events Calendar. For versions before 5.16.5, an administrative user can upload a PHP payload via the calendar import feature by setting the content type of the file to text/csv. Code execution with the privileges of the user running the server is achieved by sending a request for the uploaded file.
PR 15462 - This adds a new exploit module that exploits a configuration issue in Windows 10 (from version 1809) and Windows 11, identified as CVE-2021-36934. Due to permission issues, any local user is able to read the SAM and SYSTEM hives. This module abuses the Windows Volume Shadow Copy Service (VSS) to access these files and save them locally.