Nov 20, 2021 - 4.20.0-2021112001

Improved

  • PR 15796 - We added support to Metasploit for pivoted SSL server connections, as used by capture modules and listeners. The support works for both Meterpreter sessions and SSH sessions.

  • PR 15829 - This makes a couple of improvements to the Kubernetes Exec module to handle slow instances more gracefully by using a configurable exponential backoff.

  • PR 15840 - This downgrades an error that was preventing the DCSync operation from running as SYSTEM to a warning, allowing the operation to proceed. This fixes an instance where the computer account has the necessary privileges to complete the operation, which is the case when it is a domain controller.

  • PR 15846 - The download command has been updated so that it now supports tab completion for file paths and file names.

  • PR 15851 - This updates several modules and core libraries. When sending HTTP requests that include user agents, the user agents are modernized, and are randomized at msfconsole start time. Users can now request Rex to generate a random user agent from the User Agent pool should they need one for a particular module.

  • PR 15859 - This improves the Meterpreter tab completion functionality on case insensitive filesystems (such as Windows).

  • PR 15862 - Updates have been made to Linux Meterpreter libraries to support expanding environment variables in several different commands. This should provide users with a smoother experience when using environment variables in the following and similar commands: cd, ls, download, upload, mkdir.

  • PR 15867 - The example modules have been updated to conform to current RuboCop rules and to better reflect recent changes in the Metasploit Framework coding standards. This will also better showcase various features that may be needed when developing exploits.

  • PR 15878 - There was an issue whereby tab-completing a remote folder in Meterpreter would append a space onto the end. This change resolves that and provides a smoother tab completion experience for users by not appending the space if we're potentially in the middle of a tab completion journey, and by adding a slash if we've completed a directory.

Fixed

  • Pro: We fixed discovery errors that occurred during status reporting of the basic service fingerprinting process.

  • PR 15818 - This fixes an edge case in the Kubernetes exec module which led to sessions dying when performing partial WebSocket reads.

  • PR 15820 - This fixes a regression issue in Meterpreter's named pipe pivoting support.

  • PR 15838 - This fixes a regression error in auxiliary/scanner/sap/sap_router_portscanner which caused this module to crash when validating host ranges.

  • PR 15845 - This updates Meterpreter to check if it's running as SYSTEM before attempting to escalate as part of getsystem. This allows it to state that it's already running as SYSTEM instead of displaying an error message that no escalation technique has worked.

  • PR 15875 - This fixes an issue with the reverse Bash command shell payloads where they would not work outside of the context of bash.

  • PR 15879 - This updates batch scanner modules to no longer crash when unable to correctly calculate a scanner thread's batch size.

Modules

  • PR 15700 - This change adds a new module to exploit LFI and log poisoning vulnerabilities (CVE-2020-16152) in Aerohive NetConfig, version 10.0r8a build-242466 and older in order to achieve unauthenticated remote code execution as the root user.

  • PR 15755 - This adds an auxiliary scanner module that leverages an Azure Active Directory authentication flaw to enumerate usernames without generating log events. The module also supports brute-forcing passwords against this tenant.

  • PR 15776 - This adds an auxiliary module that leverages an unauthenticated arbitrary WordPress options change vulnerability in the Automatic (wp-automatic) plugin version 3.53.2 and below. The module enables user registration, sets the default user role to admin, and creates a new privileged user with the provided email address.

  • PR 15802 - This adds a local exploit module that targets versions less than 1.6.8-1 of Microsoft's Open Management Infrastructure (OMI) software. Issuing a command execution request against the local socket with the authentication handshake omitted can result in code execution as the root user.

  • PR 15806 - This adds an auxiliary module that exploits an unauthenticated SQL injection vulnerability in BillQuick Web Suite versions before v22.0.9.1.

  • PR 15834 - This adds a module for CVE-2021-40449 aka CallbackHell, a Windows local privilege escalation exploit caused by a use after free during the NtGdiResetDC callback in vulnerable versions of win32k.sys.

  • PR 15843 - This adds an auxiliary module that retrieves sensitive files from Jetty versions 9.4.37.v20210219, 9.4.38.v20210224, 9.4.37-9.4.42, 10.0.1-10.0.5, and 11.0.1-11.0.5. Protected resources behind the WEB-INF path can be accessed because the servlet implementations improperly handle URIs containing certain encoded characters.

  • PR 15858 - This adds an exploit for CVE-2021-42237 which is an unauthenticated RCE within the Sitecore Experience Platform. The vulnerability is due to the deserialization of untrusted data submitted by the attacker.
