Sep 27, 2021 4.20.0-2021092701

Improved

  • PR 15609 - Adds additional metadata to exploit modules to specify Meterpreter command requirements. This information is used to add a descriptive warning when running modules with a Meterpreter implementation that doesn't support the required command functionality.

  • PR 15632 - This improves Metasploit's WinRM capabilities by allowing shell sessions to be established over the protocol. The shell sessions are interactive and able to be used with post modules.

  • PR 15674 - Updates the Apache Tomcat Ghostcat module to correctly handle a larger range of possible success status codes when verifying if the module was successful.

  • PR 15684 - Improves interactive shell performance for pasted user input.

  • PR 15696 - This updates the RDP scanner module to extract and show additional information gathered from the NTLM handshake used for Network Level Authentication (NLA).

Fixed

  • Pro: We fixed credential file imports to ensure failure notifications are generated.

  • PR 15600 - This fixes an issue with encrypted payloads during session setup. The logic that gathers session info is now located in the bootstrap method, which ensures that this functionality is always carried out before any commands are sent.

  • PR 15666 - This fixes an issue found in Meterpreter's download functionality where downloading a file with a name containing unicode characters would fail due to incompatible encoding.

  • PR 15667 - Fixes powershell_reverse_tcp file operations and updates the file operations test module.

  • PR 15679 - Fixes a bug where the tomcat_mgr_upload module was not correctly undeploying the app after exploitation occurred.

  • PR 15686 - This fixes a crash in msfrpc that occurs due to the exploit/linux/misc/saltstack_salt_unauth_rce module's MINIONS option default being a regex instead of a string.

  • PR 15695 - This fixes a crash in the exploit/unix/local/setuid_nmap module and adds logging to print the result of the exploit's last command so the user can view what happened in the event of a failure.

  • PR 15697 - This updates the HTTP NTLM information enumeration module to use the Net::NTLM library for consistent data processing without a custom parser.

Modules

  • PR 14631 - This adds a module that obtains usernames on Jira Server by exploiting an information disclosure vulnerability that exists at the /ViewUserHover.jspa endpoint.

  • PR 15506 - This adds a new evasion module that uses direct syscalls on 64-bit versions of Windows to evade detection.

  • PR 15601 - A new post-exploitation module has been added which allows one to take a session on a Geutebruck Camera shell and either freeze the current display stream, replace the current display stream with a static image, or restore the display stream such that it will display the current live feed from the camera.

  • PR 15604 - This module exploits an unauthenticated buffer overflow vulnerability within the action parameter of the /uapi-cgi/instantrec.cgi endpoint in various Geutebruck G-Cam and G-Code devices. The exploit results in code execution as the root user on target devices.

  • PR 15624 - This adds an exploit for CVE-2020-27955 which is a vulnerability in the Git version control system. The module can be used to execute code in the context of a user that can be convinced to clone a malicious repository.

  • PR 15658 - This adds an exploit for CVE-2021-32682 which is an unauthenticated RCE in the elFinder PHP application. The vulnerability is due to a flaw that allows a malicious argument to be passed to the zip command when an archive action is performed.

  • PR 15670 - The exploit/multi/http/opmanager_sumpdu_deserialization module implements an exploit (CVE-2020-28653) and patch bypass (CVE-2021-3287) for a Java deserialization vulnerability that exists in numerous versions of ManageEngine's OpManager software. Arbitrary code execution as the NT AUTHORITY\SYSTEM user on Windows or the root user on Linux is achieved by sending a PDU to the SmartUpdateManager handler.
