Feb 11, 2022
4.21.0-2022021101

We updated our installers to better support hardened Linux installs.

Improved

  • PR 15994 - Updates Metasploit’s RPC functionality to support reading the result of external commands which have been executed in a console.

  • PR 16010 - This updates the zabbix_script_exec module with support for Zabbix version 5.0 and later. It also adds a new item-based execution technique and support for delivering Linux native payloads.

  • PR 16014 - This adds human readable long-form option names to various commands such as save/connect/search and more.

  • PR 16112 - This updates the PHP Meterpreter’s delete dir functionality to recursively delete directories, and adds validation to the getsystem command on Windows Meterpreter.

  • PR 16113 - A new NOP module, modules/nop/cmd/generic, has been added which supports adding NOPs to command line payloads using spaces for NOP characters.

  • PR 16132 - This enhances the MySQL injection library’s blind injection techniques. The usage of the characters < and > is now avoided to improve compatibility.

  • PR 16163 - Support has been added for the ClaimsPrincipal .NET deserialization gadget chain, which was found by jang. An exploit that utilizes this enhancement will arrive shortly.

Fixed

  • Pro: We updated our installers to better support custom umask values on Linux installs.

  • PR 16025 - This fixes an issue with msfdb init on Windows when opting not to initialize web services.

  • PR 16066 - This fixes a bug where Meterpreter scripts did not correctly receive arguments passed via the sessions command. Note that Meterpreter scripts are deprecated and have been replaced with Post modules.

  • PR 16109 - This fixes a crash in post/windows/gather/enum_domains when no domains are found.

  • PR 16114 - A bug was present in PayloadGenerator::prepend_nops whereby, if no Nop modules existed for the target payload architecture, the payload would be vaporized and replaced with an array of Nop modules rendered as a string. This has now been fixed: if no Nop modules exist for the target payload architecture, the raw shellcode is returned unmodified.

  • PR 16119 - This change fixes an incorrect user-agent in modules/auxiliary/dos/http/slowloris.py.

  • PR 16121 - This fixes an exception caused by exploits that call rhost() in Msf::Post::Common without a valid session.

  • PR 16123 - This fixes the missing full disclosure reference URL in the exploit/linux/http/cisco_ucs_rce module.

  • PR 16142 - This fixes an issue with Meterpreter’s getenv command. The getenv command now returns null when querying for a non-existing environment variable.

  • PR 16143 - This fixes an issue where a Cygwin SSH session was not correctly identified as a Windows device due to a case sensitivity issue.

  • PR 16147 - This fixes a bug where ssh_enumusers would only use one source in the generation of its user word list if both USERNAME and USER_FILE options were set. The module now pulls from all possible datastore options if they are set, including a new option DB_ALL_USERS.

  • PR 16160 - This fixes a crash when msfconsole is unable to correctly determine the hostname and current user within a shell prompt.

Modules

  • PR 16125 - This module can exploit GXV3140 models now that an ARCH_CMD target has been added.

  • PR 16128 - This adds an exploit for various Cisco RV series VPNs / Routers for firmware versions 1.0.03.20 and below. The module exploits both an auth bypass vulnerability and command injection vulnerability to achieve unauthenticated code execution as the www-data user against vulnerable devices.

  • PR 16130 - This adds an exploit for CVE-2021-24862, an authenticated SQL injection vulnerability in the RegistrationMagic WordPress plugin.

  • PR 16136 - This adds a new auxiliary scanner module that ports the PetitPotam tool to Metasploit. The new module leverages CVE-2021-36942 to coerce Windows hosts into authenticating to a user-specified host, which enables an attacker to capture NTLM credentials for further actions, such as relay attacks.

  • PR 16151 - This adds a module that can exploit the QEMU HMP service to execute OS commands. Because the HMP TCP service can be reachable from emulated devices, it is also possible to escape QEMU by exploiting this vulnerability.

Offline Update

Metasploit Framework and Pro Installers