Jul 31, 2021 (4.19.1-2021073101)

Improved

  • Pro: We have enhanced credential imports to allow separate username and password files to be enumerated and imported into a workspace.

  • PR 15217 - Removes the Python module ms17_010_eternalblue_win8.py and consolidates its functionality into exploits/windows/smb/ms17_010_eternalblue.rb, which as a result can now target Windows 7, Windows 8.1, Windows 2012 R2, and Windows 10. This change removes the need to have Python installed on the host machine, and the automatic targeting functionality makes the module easier to run.

  • PR 15254 - This updates the AMSI bypass used by modules executing Powershell code to be randomized making it more difficult to be detected using static signatures.

  • PR 15403 - This makes changes to the Powershell session type to report its platform using a value consistent with the other session types. It also adds Powershell session support to some methods within the file mixin.

  • PR 15409 - An update has been made to the PrintNightmare module to improve the way that it checks if a target is vulnerable or not. The update also supports automatically converting UNC paths to use the \??\UNC\host\path\to\dll format to bypass the second and most recent patch at the time of writing. Additionally, a bug was fixed in the DCERPC library where data that was read would be incomplete when the response would not fit into a single fragment. The PrintNightmare module can now read long responses from the target such as when enumerating the installed printer drivers.

  • PR 15440 - This PR updates the payloads gem to include updates to Kiwi. For more information, see rapid7/mimikatz#5 and rapid7/metasploit-payloads#490.

  • PR 15444 - This adds additional support for Powershell sessions to some methods in the file mixin leveraged by post modules.

  • PR 15465 - This updates the local exploit suggester to gracefully handle modules raising unintended exceptions and nil target information.

Fixed

  • Pro: We have restored console access to the database connection.

  • Pro: We adjusted task chain creation to limit credential import to manual or workspace values.

  • Pro: We fixed an issue where tagging was not respecting individual selections.

  • PR 14683 - This replaces a cryptic exception raised by msfvenom when an incompatible EXE template file is used with a specific injection technique. The new exception validates whether or not the EXE is compatible, and reports the reasoning to the user so that they can better understand the problem.

  • PR 15359 - This fixes a bug in the ssh_login_pubkey module, which would crash when not connected to the database.

  • PR 15362 - This fixes a regression issue with post/multi/manage/shell_to_meterpreter, and other interactions with command shell based sessions.

  • PR 15420 - This fixes a regression issue where auxiliary/scanner/ssh/eaton_xpert_backdoor failed to load correctly.

  • PR 15436 - This ensures that generated variable names aren't Java keywords.

  • PR 15443 - This adds Python3 support for the wmiexec external module auxiliary/scanner/smb/impacket/wmiexec.

  • PR 15445 - This updates msfconsole's output logs to only show the target's IP when an exploit module is run, rather than a host-hash.

  • PR 15460 - This fixes a localization-related issue in the File library's copy_file method, caused by it searching for a word in the command output to determine success.

Modules

  • PR 15154 - This adds a new post module that dumps the memory of any process on the target. This module is able to perform a full or standard dump. It also downloads the file into the local loot database and deletes the temporary file on the target.

  • PR 15163 - This adds a module that will leverage CVE-2021-31802 which is an unauthenticated RCE in Netgear R7000 routers. The vulnerability is leveraged to execute a shellcode stub that will enable telnet which can then be accessed for root privileges on the affected device.

  • PR 15211 - This adds an auxiliary module that retrieves the secret HMAC key from applications that use a vulnerable version of the Apache Tapestry web framework. Retrieving this key will allow an attacker to sign objects in order to exploit a separate Java deserialization vulnerability in Apache Tapestry.

  • PR 15279 - This adds a local privilege escalation module that targets Pi-Hole versions >= 3.0 and <= 5.2.4. In vulnerable versions of the software, a user with sudo privileges can escalate to root by passing shell commands to either the removecustomcname, removecustomdns, or removestaticdhcp function. The functions have minimal sanitization, and they pass the input to the sed command. By default, the www-data user is permitted to run sudo without supplying a password as configured in the sudoers.d/pihole file.
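The Pi-hole item above describes the classic shape of a local command injection: a privileged helper receives a hostname and passes it to sed through a shell with minimal sanitization. The Ruby below is an added illustration, not Pi-hole's or Metasploit's code; the list file format, the names `valid_hostname?`, `unsafe_remove_command` and `remove_custom_cname`, and the sample list contents are assumptions. It contrasts a shell-string construction with a hardened version that validates the hostname against an allowlist and edits the file without invoking a shell at all.

```ruby
require 'tempfile'

# Hostnames as they appear in a custom DNS/CNAME list: dot-separated labels of
# letters, digits and hyphens (RFC 1123 shape, assumed here). Anything else,
# including quotes, semicolons and whitespace, is rejected before it reaches
# any command or file.
HOSTNAME_RE = /\A(?=.{1,253}\z)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\z/i

def valid_hostname?(name)
  HOSTNAME_RE.match?(name)
end

# Illustrative weak pattern (hypothetical, not Pi-hole's code): the caller's
# value is interpolated into a shell command line. A single quote in the name
# closes the sed expression and the remainder is parsed as further shell
# commands, which is the defect class the module above relies on. The string
# is only returned here, never executed.
def unsafe_remove_command(name, list_path)
  "sudo sed -i '/ #{name}$/d' #{list_path}"
end

# Hardened form: allowlist-validate the hostname, then edit the file in Ruby
# rather than handing the value to a shell. Returns the lines that were kept.
def remove_custom_cname(name, list_path)
  raise ArgumentError, "invalid hostname: #{name.inspect}" unless valid_hostname?(name)

  kept = File.readlines(list_path, chomp: true).reject do |line|
    # assumed line format: "<ip> <hostname>"; compare the hostname field exactly
    fields = line.split(/\s+/)
    fields.length == 2 && fields[1].casecmp?(name)
  end
  File.write(list_path, kept.map { |l| "#{l}\n" }.join)
  kept
end

if __FILE__ == $PROGRAM_NAME
  # constructed sample list
  list = Tempfile.new('custom.list')
  list.write("192.168.1.10 printer.lan\n192.168.1.11 nas.lan\n")
  list.close
  puts unsafe_remove_command("nas.lan'; id; '", list.path)   # the quote and semicolons land in the command line unchanged
  puts valid_hostname?("nas.lan'; id; '")                    # false: rejected by the allowlist
  p remove_custom_cname('printer.lan', list.path)            # ["192.168.1.11 nas.lan"]
end
```

The allowlist is the important part: escaping shell metacharacters would also work, but a strict pattern for what a hostname may contain is easier to review and fails closed when a new metacharacter is forgotten. Removing the shell from the path entirely, as the hardened function does, is what makes the sudoers entry for www-data a much smaller risk even if the validation were later loosened.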

  • PR 15368 - A new module has been added which exploits CVE-2021-3560, an authentication bypass and local privilege elevation vulnerability in polkit, a toolkit for defining and handling authorizations which is installed by default on many Linux systems. Successful exploitation results in the creation of a new user with root permissions, which can then be used to gain a shell as root. Note that exploitation requires that users have a non-interactive session on some systems so users may need to gain a SSH session first before exploiting this vulnerability.

  • PR 15383 - Adds a new exploit module for VMware vCenter Server CVE-2021-21985 which exploits Java unsafe reflection and SSRF in the VMware vCenter Server Virtual SAN Health Check plugin's ProxygenController class to execute code as the vsphere-ui user.

  • PR 15386 - A new module has been added which exploits CVE-2021-35464, a pre-authentication Java deserialization vulnerability in OpenAM and ForgeRock AM. Successful exploitation allows for remote code execution as the user running the OpenAM service.

  • PR 15400 - This adds a Sage X3 login scanner and CVE-2020-7387 + CVE-2020-7388 exploit.

  • PR 15402 - This adds a module that exploits an authenticated file upload vulnerability in the WordPress plugin Backup Guard. For versions below v1.6.0, the plugin permits the upload of arbitrary PHP code due to insufficient checks on the file format. Once the file is uploaded, code execution can be achieved by requesting the file, located under the /wp-content/uploads/backup-guard directory.

  • PR 15408 - This adds a module that exploits an authenticated file upload vulnerability in the WordPress plugin SP Project and Document Manager. For versions below 4.22, an authenticated user can upload arbitrary PHP code because the security check only blocks the upload of files with a .php extension, meaning that uploading a file with a .pHp extension is allowed. Once uploaded, requesting the file results in code execution as the www-data user.

  • PR 15418 - This adds a module that exploits an authenticated file upload vulnerability in the WordPress plugin Modern Events Calendar. For versions before 5.16.5, an administrative user can upload a PHP payload via the calendar import feature by setting the content type of the file to text/csv. Code execution with the privileges of the user running the server is achieved by sending a request for the uploaded file.
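The three WordPress upload items above share one root cause: the server decides whether a file is safe from something the client controls (a case-sensitive extension blocklist in one case, the Content-Type header in another, loose format checks in the third). The Ruby below is an added example, not code from any of those plugins or from Metasploit; `validate_upload`, `CONTENT_CHECKS`, the two `weak_*` functions and the sample file contents are assumptions. It places the weak checks beside a hardened validator that uses a lowercased extension allowlist, rejects double extensions, ignores the client's Content-Type, checks the bytes against what the extension claims, and stores the file under a server-generated name.

```ruby
require 'securerandom'

UploadResult = Struct.new(:ok, :reason, :stored_as)

# Weak check of the kind described above (hypothetical, not any plugin's code):
# a case-sensitive test for one extension, so "shell.pHp" passes.
def weak_extension_ok?(filename)
  !filename.end_with?('.php')
end

# Weak check that trusts a header the client sets freely.
def weak_content_type_ok?(content_type)
  content_type == 'text/csv'
end

# Extensions the hypothetical import endpoint accepts, each paired with a
# check on the actual bytes. The client's Content-Type header plays no part.
CONTENT_CHECKS = {
  'csv' => lambda do |bytes|
    text = bytes.dup.force_encoding('UTF-8')
    # must be plain text: valid UTF-8, no control characters other than
    # tab/CR/LF, and no PHP open tag anywhere in the body
    text.valid_encoding? &&
      !text.match?(/[\x00-\x08\x0B\x0C\x0E-\x1F]/) &&
      !text.include?('<?')
  end,
  'zip' => ->(bytes) { bytes.b.start_with?("PK\x03\x04".b) } # local file header magic
}.freeze

# Hardened validator. content_type is accepted so callers can pass the header
# through unchanged, but it is deliberately unused.
def validate_upload(filename:, bytes:, content_type: nil)
  stem, dot, ext = File.basename(filename).rpartition('.')
  return UploadResult.new(false, :no_extension, nil) if dot.empty?
  # a single plain stem: rejects "backup.php.csv" as well as path and shell characters
  return UploadResult.new(false, :name, nil) unless stem.match?(/\A[A-Za-z0-9_-]{1,64}\z/)

  ext = ext.downcase # case-insensitive: .pHp, .PHP and .php are the same thing
  check = CONTENT_CHECKS[ext]
  return UploadResult.new(false, :extension, nil) unless check
  return UploadResult.new(false, :content, nil) unless check.call(bytes)

  # never store under the client-chosen name; the caller writes the file into a
  # directory the web server is configured not to execute scripts from
  UploadResult.new(true, nil, "#{SecureRandom.hex(16)}.#{ext}")
end

if __FILE__ == $PROGRAM_NAME
  # constructed sample uploads
  puts weak_extension_ok?('shell.pHp')                                        # true: the blocklist is bypassed
  p validate_upload(filename: 'shell.pHp', content_type: 'text/csv', bytes: "<?php echo 'x'; ?>")
  p validate_upload(filename: 'events.csv', content_type: 'text/csv', bytes: "<?php echo 'x'; ?>")
  p validate_upload(filename: 'events.csv', content_type: 'application/octet-stream',
                    bytes: "title,start\nmeeting,2021-08-01\n")
end
```

Note the ordering: the name and extension are settled before any bytes are inspected, so the content check only ever runs for a type the server has decided to accept, and a file that passes is still not served from a location where the PHP handler applies.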

  • PR 15462 - This adds a new exploit module that exploits a configuration issue in Windows 10 (from version 1809) and 11, identified as CVE-2021-36934. Due to permission issues, any local user is able to read SAM and SYSTEM hives. This module abuses Windows Volume Shadow Copy Service (VSS) to access these files and save them locally.

Offline Update

Metasploit Framework and Pro Installers