Aug 30, 2021
4.20.0-2021083001

Improved

  • Pro: We updated session data collection so that users can choose whether password cracking is performed during the task.

  • PR 15332 - This improves localization support and compatibility of the rename_file method in the session post API.

  • PR 15384 - This consolidates and changes the library code used by exploits that inject reflective DLLs (RDLLs). The process started to host the RDLL is no longer hard-coded to notepad.exe; it is now selected at random from a list that can be updated in the future.

  • PR 15477 - This adds PowerShell session support to the readable? and read_file functions provided by the Post::File API.

  • PR 15540 - This adds an option to cmd_execute to have the command run in a subshell by meterpreter.

  • PR 15556 - This adds shell session compatibility to the post/windows/gather/enum_unattend module.

  • PR 15564 - This adds support for PowerShell session types to the get_env and command_exists? post API methods.

  • PR 15580 - Updates postgres_payload exploit modules to specify a valid default PAYLOAD option when changing target architectures.

  • PR 15584 - Updates the list of known WordPress plugins and themes, allowing users to discover more of them when running tools such as auxiliary/scanner/http/wordpress_scanner.

Fixed

  • PR 15303 - This PR ensures that the shell dir command returns a list.

  • PR 15496 - Users can now specify the SSL/TLS protocol version for server modules with the SSLVersion datastore option, ensuring compatibility with both old and new targets.

  • PR 15539 - This fixes the detection of OS version in the check method of exploit/windows/local/cve_2018_8453_win32k_priv_esc.

  • PR 15546 - This ensures that the UUID URLs of stageless reverse_http(s) payloads are stored in the database so that they can be properly tracked with payload UUID tracking. This also fixes an error caused by accessing contents of a URL list without checking if it's valid first.

  • PR 15570 - This fixes a bug in the auxiliary/scanner/smb/smb_enum_gpp module where the path generated by the module caused an SMB exception to be raised.
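
The SSLVersion option described in the PR 15496 entry pins which protocol version a module's listener will accept. The Ruby script below is an added illustration of what such a pin means at the handshake level; it is not Metasploit code and not part of this release. It starts a loopback TLS server restricted to a single protocol version, connects to it with a client restricted to another, and reports the negotiated protocol string, or nil when the two ranges are disjoint and the handshake is refused. The self-signed certificate, the ephemeral port, and the helper names pinned_context and negotiate are all constructed for the example.

```ruby
require 'openssl'
require 'socket'

# Throwaway self-signed certificate for the test server (constructed inline for this example).
TEST_KEY = OpenSSL::PKey::RSA.new(2048)
TEST_CERT = OpenSSL::X509::Certificate.new.tap do |c|
  c.version = 2
  c.serial = 1
  c.subject = OpenSSL::X509::Name.parse('/CN=localhost')
  c.issuer = c.subject
  c.public_key = TEST_KEY.public_key
  c.not_before = Time.now - 60
  c.not_after = Time.now + 3600
  c.sign(TEST_KEY, OpenSSL::Digest.new('SHA256'))
end

# An SSLContext that will negotiate exactly one protocol version: the same
# effect an operator gets by pinning a listener to a single version.
def pinned_context(version)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.min_version = version
  ctx.max_version = version
  ctx
end

# Run one handshake between a server pinned to server_version and a client pinned
# to client_version. Returns the negotiated protocol name (e.g. "TLSv1.2"), or nil
# if either side refused the handshake because no common version exists.
def negotiate(server_version, client_version)
  sctx = pinned_context(server_version)
  sctx.cert = TEST_CERT
  sctx.key = TEST_KEY
  tcp = TCPServer.new('127.0.0.1', 0)   # ephemeral loopback port
  port = tcp.addr[1]
  ssl_server = OpenSSL::SSL::SSLServer.new(tcp, sctx)

  server = Thread.new do
    begin
      conn = ssl_server.accept   # raises when the client's version range is disjoint from ours
      conn.close
    rescue StandardError
      nil                        # refused handshake or client hang-up: the failure case we probe
    end
  end

  cctx = pinned_context(client_version)
  cctx.verify_mode = OpenSSL::SSL::VERIFY_NONE   # self-signed test cert only; never do this against real targets
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', port), cctx)
  ssl.sync_close = true
  begin
    ssl.connect
    ssl.ssl_version
  rescue OpenSSL::SSL::SSLError, SystemCallError, EOFError
    nil
  ensure
    ssl.close
    server.join
    ssl_server.close
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "TLS1.2 server, TLS1.2 client: #{negotiate(OpenSSL::SSL::TLS1_2_VERSION, OpenSSL::SSL::TLS1_2_VERSION).inspect}"
  puts "TLS1.2 server, TLS1.3 client: #{negotiate(OpenSSL::SSL::TLS1_2_VERSION, OpenSSL::SSL::TLS1_3_VERSION).inspect}"
end
```

The point a practitioner should take from the second call is that a pinned version does not silently downgrade: a peer outside the allowed range gets a protocol-version alert and no session, which is why a listener pinned too narrowly looks like a dead service to older clients and why a listener left too wide accepts whatever the client offers.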

Modules

  • PR 15525 - Adds the linux/http/lucee_admin_imgprocess_file_write module. The imgProcess.cfm endpoint accepts unauthenticated requests, and its file parameter is vulnerable to directory traversal, which together allow a file to be written to an arbitrary location. The module uses this to write a CFML script to the vulnerable server and achieve unauthenticated code execution as the user running the Lucee server.

  • PR 15561 - Adds an exploit for the ProxyShell attack chain against Microsoft Exchange Server.

  • PR 15593 - Adds a module that collects usernames and password hashes from WordPress installations via an authenticated SQL injection vulnerability in LearnPress plugin versions below v3.2.6.8.
