Improved
PR 15253 - Updates Metasploit to support URI arguments to set module datastore values. The currently supported protocols are http, smb, mysql, postgres, and ssh.
PR 15278 - The
zoomeye_searchmodule has been enhanced to add theOUTFILEandDATABASEoptions, which allow users to save results to a local file or to the local database respectively. Additionally, the output saved has been improved to provide better information about the target and error handling has been added for potential edge cases.PR 15522 - Adds support for fully interactive shells against Linux environments with
shell -it. This functionality is behind a feature flag and can be enabled withfeatures set fully_interactive_shells true.PR 15537 - Adds support for Ruby 3.
PR 15548 - This updates the SMB capture server to be compatible with clients using the SMB 2 and SMB 3 dialects. SMB 1 has not been enabled in Windows 10 since v1709 was released in 2017. This allows the module to be compatible with recent releases.
PR 15560 - This adds powershell support for write_file method that is binary safe.
PR 15582 - The code for
Msf::Post::Linux::Kernel.unprivileged_bpf_disabled?has been updated to support new values supported bykernel.unprivileged_bpf_disabledwhich were introduced in Linux kernels since 5.13 and 5.14-rc+HEAD. In particular the value2which meansUnprivileged calls to bpf() are disabled, whereas the value1is now used to indicateUnprivileged calls to bpf() are disabled without recovery.PR 15606 - Improves Python Meterpreter to gracefully handle unsupported command IDs, and to clean up process objects correctly. Additionally enhances mingw build support for Windows Meterpreter, and now correctly interprets a transport session time of 0 as never expiring.
PR 15621 - Updates the Metasploit docker container to additionally include
Goas a dependency.PR 15623 - The
credscommand has been updated to support several new features:- Improved NetNTLMv1 and NetNTLMv2 hash support for both the JtR and Hashcat formatters.
- Full output of hashes when writing them to a CSV file.
- Filtering based on the realm.
- Filtering based on the JtR format type name.
- Support for applying the same filtering to output files that can be applied when generating the
credstable.
PR 15627 - This removes explicit calls to
catand replaces them with file reads from the file library for broader support.
Fixed
Pro: We fixed the Vulnerability Validation & Web Application launch wizards to correct the CSRF values submitted.
Pro: We fixed a condition where sonar import would cause an error and stop processing host imports, when no services are found for a reported host.
Pro: We restored SSH session support when executing
Bruteforcetasks.PR 15375 - This fixes a bug that would cause Metasploit to crash when remote LDAP servers returned a null character in the base_dn stringi. It also enhances
modules/auxiliary/gather/ldap_hashdump.rbto handle sha256 hashes and skip hashes in cases of LK (locked account) and NP (no password) credentials.PR 15572 - This implements a fix to correctly handle quoted console options and whitespace.
PR 15573 - The
simplify_modulefunction has been updated so that by default it will not load LHOST/RHOST from the config file and instead use the values set in the options.PR 15590 - This fixes an issue that prevented external modules from properly handling the encoding of UTF-8 characters.
PR 15596 - This fixes an issue in
docker_credential_wincredwhere the regex would sometimes match on IP addresses and other invalid entries instead of the expected Docker version string by tightening the regex to make it more specific and restrictive.PR 15628 - This ensures the session table is refreshed whenever the sysinfo command is run, and whenever stdapi is loaded manually.
PR 15629 - Fixes a regression issue where msfconsole crashed on startup when running on Windows environments.
PR 15634 - This fixes an issue in
exploit/multi/misc/erlang_cookie_rcewhere a missing bitwise flag caused the exploit to fail in some circumstances.PR 15636 - Fixes a regression in datastore serialization that caused some event processing to fail.
PR 15637 - Fixes a regression issue where Metasploit incorrectly marked ipv6 address as having an 'invalid protocol'.
PR 15639 - This fixes a bug in the
rename_filesmethod that would occur when run on a non-Windows shell session.PR 15640 - Updates
modules/auxiliary/gather/office365userenum.pyto require python3.PR 15652 - A missing dependency,
py3-pip, was preventing certain external modules such asauxiliary/gather/office365userenumfrom working due torequestsrequiringpy3-pipto run properly. This has been fixed by updating the Docker container to install the missingpy3-pipdependency.PR 15654 - A bug has been fixed in
lib/msf/core/payload/windows/encrypted_reverse_tcp.rbwhere a call torecv()was not being passed the proper arguments to receive the full payload before returning. This could result in cases where only part of the payload was received before continuing, which would have resulted in a crash. This has been fixed by adding a flag to therecv()function call to ensure it receives the entire payload before returning.PR 15655 - This cleans up the MySQL client-side options that are used within the library code.
Modules
PR 15532 - This adds an exploit module for CVE-2021-21300 and a set of mixins that aid in exploiting Git clients over the Smart HTTP protocol. This also updates older Git-related exploits to use some of the new code.
PR 15567 - This adds a module that uses @chompie1337's CVE-2021-3490 PoC code to elevate privileges to
rooton affected Linux systems. It has been tested to work on clean installs of Ubuntu 21.04, Ubuntu 20.10, Ubuntu 20.04.02, as well as Fedora running affected versions of the 5.7, 5.8, 5.9, 5.10 and 5.11 kernels.PR 15603 - A new module has been added which bypasses authentication and exploits CVE-2021-33544, CVE-2021-33548, and CVE-2021-33550-33554 on Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx, ETHC-22xx, and EWPC-22xx devices running firmware versions <= 1.12.0.27, as well as firmware versions 1.12.13.2 and 1.12.14.5. Successful exploitation can result in remote code execution as the
rootuser.PR 15645 - This adds an exploit module targeting an OGNL injection vulnerability (CVE-2021-26084) in Atlassian Confluence's WebWork component to execute commands as the Tomcat user.