Nov 10, 2021 - 4.20.0-2021111001

Improved

  • PR 15665 - This adds additional metadata to exploit modules to specify Meterpreter command requirements. Metadata information is used to add a descriptive warning when running modules with a Meterpreter implementation that doesn't support the required command functionality.

  • PR 15681 - This adds support for reverse port forwarding via established SSH sessions.

  • PR 15778 - This adds documentation for the http trace scanner.

  • PR 15782 - This updates the iis_internal_ip module to include coverage for the PROPFIND internal IP address disclosure as described by CVE-2002-0422.

  • PR 15788 - When a generated PowerShell command payload exceeds the maximum length allowed to execute successfully, it will now gracefully fall back to omitting the AMSI bypass.

  • PR 15803 - This adds f5_bigip_virtual_server scanner documentation.

Fixed

  • Pro: Scheduled tasks will now report accurate next start times for different user timezones.

  • PR 15799 - This fixes a crash in the iis_internal_ip module.

  • PR 15805 - This bumps the metasploit-payloads version to include two bug fixes for the Python Meterpreter.

Modules

  • PR 15558 - This adds a post module that allows the user to browse a Meterpreter session's filesystem via a locally hosted web page.

  • PR 15754 - This adds a scanner and an exploit module for the two recent path traversal vulnerabilities in the Apache 2 HTTP server. The RCE module requires mod_cgi to be enabled and can be exploited remotely without any authentication. These vulnerabilities are identified as CVE-2021-41773 and CVE-2021-42013.

  • PR 15756 - This adds a module that leverages CVE-2021-31806 and CVE-2021-31807 to trigger a denial of service condition in vulnerable Squid proxy servers.

  • PR 15761 - This exploits an authentication bypass which leads to arbitrary code execution in versions 3.7.1.4 and below of the WordPress plugin pie-register. Supplying a valid admin ID to the user_id_social_site parameter in a POST request returns a valid session cookie. Using that session cookie, a PHP payload is uploaded as a plugin and then requested, resulting in code execution.

  • PR 15765 - This adds an auxiliary module that leverages an information disclosure vulnerability in the BulletProof Security plugin for WordPress. This vulnerability is identified as CVE-2021-39327. The module retrieves a publicly accessible backup file and extracts user credentials from the database backup.

  • PR 15783 - This adds an exploit for CVE-2020-25223, an unauthenticated RCE in the Sophos UTM WebAdmin service. Successful exploitation results in OS command execution as the root user.

  • PR 15800 - This adds a remote exploit for Microsoft OMI "OMIGOD" CVE-2021-38647.

  • PR 15816 - This adds an exploit for an unauthenticated remote command injection in GitLab via a separate vulnerability within ExifTool. These vulnerabilities are identified as CVE-2021-22204 and CVE-2021-22205.
