Dec 16, 2021 - 4.21.0-2021121601

Improved

  • Pro: We have updated Metasploit Pro to use the latest version of Log4j. While we do not believe Metasploit Pro was vulnerable to the Log4Shell exploit, we have proactively upgraded to the latest library version to mitigate any other potential vulnerabilities.

  • PR 15842 - Several libraries within the lib folder have now been updated to declare Meterpreter compatibility requirements, which will allow users to more easily determine when they are using a library that the current session does not support.

  • PR 15888 - This adds anonymized database statistics to msfconsole's debug command, which is used to help developers track down database issues as part of user-generated error reports.

  • PR 15905 - Updates the post processing of db_import to only call normalize_os on hosts that are new or have been updated during the import.

  • PR 15908 - Updates the save command with additional flags: -d for deleting saved state, -l for loading saved state, and -r for reloading the default module options.

  • PR 15929 - This adds nine new Windows 2003 SP2 targets that the exploit/windows/smb/ms08_067_netapi module can exploit.

  • PR 15936 - The wordlists for Tomcat Manager have been updated with new default usernames and passwords that can be used by various scanner and exploit modules when trying to find and exploit Tomcat Manager installations with default usernames and/or passwords.

  • PR 15944 - Adds long-form option names to the sessions command, for example sessions --upgrade 1.

  • PR 15965 - Adds a tcp:// URI scheme for setting RHOSTS, which lets a user specify the username, password, and port in a single string. For example, tcp://user:a b c@example.com translates into the username user, the password a b c, and the host example.com on the default port used by the module in question.
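To illustrate how the tcp:// form above breaks down into its parts, here is an added Ruby parser; it is not Metasploit's own RHOSTS code, and the names parse_tcp_rhost and default_port are chosen for this example.

```ruby
# Added example, not Metasploit's implementation: split a tcp:// RHOSTS
# value into username, password, host and port. Passwords may contain
# spaces ("a b c"), which Ruby's URI class would reject as malformed,
# so a hand-written pattern is used instead of URI.parse.
TCP_RHOST = %r{
  \Atcp://
  (?:(?<user>[^:@]*)(?::(?<pass>[^@]*))?@)?   # optional user[:pass]@
  (?<host>[^:/\s]+)                            # host or IP
  (?::(?<port>\d{1,5}))?                       # optional :port
  \z
}x

# default_port stands in for the module's own RPORT when the URI omits one.
# Returns { username:, password:, host:, port: }; missing user or password is nil.
def parse_tcp_rhost(value, default_port)
  m = TCP_RHOST.match(value)
  raise ArgumentError, "not a tcp:// RHOSTS value: #{value.inspect}" unless m

  port = m[:port] ? Integer(m[:port], 10) : default_port
  raise ArgumentError, "port out of range: #{port}" unless (1..65_535).cover?(port)

  { username: m[:user], password: m[:pass], host: m[:host], port: port }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, including the spaced password from the release note.
  p parse_tcp_rhost("tcp://user:a b c@example.com", 445)
  p parse_tcp_rhost("tcp://example.com:8080", 445)
end
```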

Fixed

  • Pro: We have corrected the next scheduled occurrence when suspend is removed from an existing schedule for a task chain.

  • PR 15779 - The code of lib/msf/core/auxiliary/report.rb has been improved to fix an error where report_vuln() would crash if vuln was nil prior to calling framework.db.report_vuln_attempt(). This has been fixed by checking the value of vuln and raising a ValidationError if it is set to nil.

  • PR 15808 - This fixes a compatibility issue with PowerShell read_file on Windows Server 2012 by using the old-style PowerShell syntax (New-Object).

  • PR 15939 - This fixes a bug where the meterpreter dir/ls function would show the creation date instead of the modified date for the directory contents.

  • PR 15945 - This change fixes the meterpreter > ls command, in the case where one of the files or folders within the listed folder was inaccessible.

  • PR 15952 - This adds a fix for the creds -d command which crashed on some NTLM hashes.

  • PR 15957 - A bug where a value was not checked for nil before being used when saving credentials with Kiwi has been fixed by adding improved error checking and handling.

  • PR 15963 - A bug that prevented users on Go 1.17 from running Go modules within Metasploit has been fixed. Additionally, the boot process has been altered so that messages about modules failing to load are now logged to disk, so users will not be confused by errors in modules they don't plan on using.

Modules

  • PR 15742 - This adds an exploit for CVE-2021-40444 which is a vulnerability that affects Microsoft Word. Successful exploitation results in code execution in the context of the user running Microsoft Word.

  • PR 15953 - This adds an exploit for CVE-2021-24917, which is an information disclosure bug in the WPS Hide Login WordPress plugin before 1.9.1. This vulnerability allows unauthenticated users to obtain the secret login page by setting a random referer string and making a request to /wp-admin/options.php. Additionally, several WordPress modules were updated to report more descriptively which plugin they found to be vulnerable on a given target.

  • PR 15958 - This module performs a generic scan of a given target for the Log4Shell vulnerability by injecting a probe string into a series of HTTP header fields as well as the URI path.
