Jan 31, 2022
Updates Metasploit Framework version to 6.1.27
Improved
- PR 12217 - This adds the F5 load balancer cookie to notes, and cleans up the module (RuboCop, documentation, references).
- PR 15656 - This enables the `vmware_vcenter_vmdir_auth_bypass` module to create an admin user even if the target is not vulnerable to CVE-2020-3952, assuming valid credentials for the vCenter LDAP directory have been obtained.
- PR 15904 - This adds the logic to support a fifth `getsystem` technique, which uses SeImpersonatePrivilege to gain SYSTEM privileges via the Print Spooler primitive on Windows. It is the framework side of https://github.com/rapid7/metasploit-payloads/pull/509.
- PR 15924 - This adds the NTDS technique to the Windows Secrets Dump module, enabling it to be used against Domain Controllers. It also pulls in RubySMB changes that include many DCERPC-related improvements and features.
- PR 16020 - The `auxiliary/scanner/scada/modbusclient` module has been enhanced to support function code 0x2B (Read Device Identification), which returns clear-text identification information about a device. Additionally, the module's code has been updated to comply with RuboCop standards.
- PR 16021 - This adds additional tests for Meterpreter's mkdir/rmdir functionality to ensure uniform implementations across all Meterpreters.
- PR 16024 - This adds a new Meterpreter command that allows the end user to kill all channels simultaneously.
- PR 16040 - This removes Ruby 2.5 support, as it is officially end of life.
- PR 16075 - The `post/multi/manage/sudo` module has been enhanced to print a warning and exit early if the session attempting to upgrade via sudo is a Meterpreter session, as Meterpreter does not support sudo elevation at present.
- PR 16090 - A new method, `user_data_directory`, has been added to `lib/msf/base/config.rb`. It allows users of private Metasploit modules to organize module resources in the same way that MSF does for core modules, while keeping their `~/.msf4` directory portable between installs.
- PR 16096 - The `ReverseListenerComm` and `ListenerComm` datastore options now accept `-1` as a reference to the most recently created session, so there is no need to remember its ID or to update the option each time a new session is created.
- PR 16106 - This updates the `stdapi_fs_delete_dir` command to delete the directory recursively.
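The following is an added example, not code from the framework or the `modbusclient` module, showing the Modbus/TCP exchange behind function code 0x2B with MEI type 0x0E (Read Device Identification): building the request ADU and parsing the identification objects out of the response, including the exception-response and truncated-frame cases a scanner has to survive. The sample response is constructed, and all function names are hypothetical.

```ruby
# Added example (not Metasploit code): build and parse a Modbus/TCP
# "Read Device Identification" exchange (function code 0x2B, MEI type 0x0E).
# Frame layout follows the public Modbus Application Protocol spec; the
# sample response below is constructed, not captured from a real device.

MODBUS_FC_ENCAP_IFACE = 0x2B  # Encapsulated Interface Transport
MEI_READ_DEVICE_ID    = 0x0E  # MEI type for Read Device Identification
BASIC_OBJECT_NAMES    = { 0x00 => 'VendorName', 0x01 => 'ProductCode', 0x02 => 'MajorMinorRevision' }.freeze

# Build a Modbus/TCP ADU: MBAP header (transaction id, protocol id 0,
# length of unit id + PDU, unit id) followed by the 0x2B/0x0E PDU.
# read_code 0x01 asks for the "basic" objects (vendor, product, revision).
def build_read_device_id(transaction_id: 1, unit_id: 1, read_code: 0x01, object_id: 0x00)
  pdu = [MODBUS_FC_ENCAP_IFACE, MEI_READ_DEVICE_ID, read_code, object_id].pack('C4')
  mbap = [transaction_id, 0x0000, pdu.bytesize + 1, unit_id].pack('nnnC')
  mbap + pdu
end

# Parse a response ADU. Raises ArgumentError on a Modbus exception response
# (function code with the high bit set) or on any truncated/inconsistent
# frame, instead of indexing past the end of the buffer.
def parse_read_device_id(adu)
  raise ArgumentError, 'short MBAP header' if adu.bytesize < 7
  transaction_id, protocol_id, length, unit_id = adu.unpack('nnnC')
  raise ArgumentError, "unexpected protocol id #{protocol_id}" unless protocol_id.zero?
  pdu = adu.byteslice(7, length - 1)
  raise ArgumentError, 'truncated PDU' if pdu.nil? || pdu.bytesize != length - 1 || pdu.bytesize < 2
  fc = pdu.getbyte(0)
  raise ArgumentError, format('Modbus exception 0x%02X', pdu.getbyte(1)) if fc == (MODBUS_FC_ENCAP_IFACE | 0x80)
  raise ArgumentError, format('unexpected function code 0x%02X', fc) unless fc == MODBUS_FC_ENCAP_IFACE
  raise ArgumentError, 'short Read Device ID header' if pdu.bytesize < 7
  # Response layout after the function code: MEI type, read code, conformity
  # level, more-follows flag, next object id, object count, then the objects.
  mei, read_code, conformity, more_follows, next_object, count = pdu.unpack('@1C6')
  raise ArgumentError, "unexpected MEI type #{mei}" unless mei == MEI_READ_DEVICE_ID
  objects = {}
  offset = 7
  count.times do
    raise ArgumentError, 'truncated object header' if offset + 2 > pdu.bytesize
    oid, olen = pdu.unpack("@#{offset}CC")          # object id, object length
    value = pdu.byteslice(offset + 2, olen)
    raise ArgumentError, format('truncated object 0x%02X', oid) if value.nil? || value.bytesize != olen
    objects[oid] = value
    offset += 2 + olen
  end
  { transaction_id: transaction_id, unit_id: unit_id, read_code: read_code,
    conformity: conformity, more_follows: more_follows != 0,
    next_object: next_object, objects: objects }
end

# Human-readable summary of the basic identification objects.
def describe_objects(objects)
  objects.map { |oid, v| "#{BASIC_OBJECT_NAMES.fetch(oid, format('Object0x%02X', oid))}=#{v}" }.join(', ')
end

# Constructed sample response: basic identification (read code 0x01),
# conformity level 0x01, no more data, three objects.
def sample_response
  objects = [[0x00, 'ExampleVendor'], [0x01, 'EX-1000'], [0x02, 'v1.2']]
  body = objects.map { |oid, val| [oid, val.bytesize].pack('CC') + val }.join
  pdu = [MODBUS_FC_ENCAP_IFACE, MEI_READ_DEVICE_ID, 0x01, 0x01, 0x00, 0x00, objects.size].pack('C7') + body
  [1, 0, pdu.bytesize + 1, 1].pack('nnnC') + pdu
end

if $PROGRAM_NAME == __FILE__
  puts "request:  #{build_read_device_id.unpack1('H*')}"
  parsed = parse_read_device_id(sample_response)
  puts "response: #{describe_objects(parsed[:objects])}"
end
```

Sending the request over TCP port 502 and feeding the raw reply to `parse_read_device_id` is all a scanner needs on top of this; a device that does not implement 0x2B answers with an exception response, which the parser reports rather than mis-parsing as objects.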
Fixed
- PR 15727 - This adds more robust NTLM message parsing, with better error handling and messaging when extracting the NTLM hashes.
- PR 15982 - This fixes a bug where modules using the SMB client would crash when the `SMBUser` datastore option had been explicitly unset.
- PR 16015 - This fixes a regression in tab completion for the `RHOSTS` datastore option.
- PR 16016 - This fixes an issue in the `auxiliary/scanner/dcerpc/hidden` module where the `RHOSTS` datastore option was not available, resulting in hosts not being scanned.
- PR 16027 - This fixes an issue with tab completion for the `generate` command. Completion now works with both the `-f` and `-o` flags.
- PR 16029 - A bug existed in the `normalize` function of `lib/msf/core/opt_path.rb` whereby the path parameter was not checked for emptiness before `File.expand_path` was called on it. For an empty path, `File.expand_path` returns the current working directory, which could lead to unexpected results. This has been fixed with improved validation that ensures the path parameter is not an empty string before the path is expanded.
- PR 16043 - This fixes a crash in the `auxiliary/scanner/http/wordpress_scanner` module when attempting to scan themes.
- PR 16054 - This updates John the Ripper (JTR) compatibility by altering the flag used to prevent logging.
- PR 16058 - This fixes a bug where a stack trace was printed by `post/multi/recon/local_exploit_suggester` when an invalid session option was specified.
- PR 16063 - A bug has been fixed in the `local_admin_search_enum` module whereby a typo caused the module to crash on an undefined variable. The typo has been corrected, so the module now accesses the intended variable.
- PR 16104 - This fixes a crash in the `portfwd` command that occurred when pivoting a `reverse_http` Python Meterpreter through a `reverse_tcp` Windows Meterpreter.
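As an added illustration of the PR 16029 fix (not the framework's own `opt_path.rb` code, and with hypothetical function names), the block below shows the Ruby behaviour that produced the bug, an unchecked `normalize` that reproduces it, and a checked version that rejects nil, empty and whitespace-only input before expanding the path.

```ruby
# Added example (not lib/msf/core/opt_path.rb): why an empty path must be
# rejected before File.expand_path is called, and a normalize that does so.
# Function names are hypothetical.

# The behaviour behind the bug: Ruby's File.expand_path treats an empty
# string as "the current directory", so an unset option silently became
# Dir.pwd. Returns [input, expanded] pairs for inspection.
def expand_path_behaviour(dir = Dir.pwd)
  ['', 'conf/', '/etc/passwd'].map { |p| [p, File.expand_path(p, dir)] }
end

# Buggy normalize (before): no emptiness check, so '' expands to `dir`.
def normalize_unchecked(value, dir = Dir.pwd)
  File.expand_path(value, dir)
end

# Fixed normalize (after): nil, empty or whitespace-only input is rejected
# up front instead of being expanded into an unrelated directory.
def normalize_checked(value, dir = Dir.pwd)
  raise ArgumentError, 'path must not be empty' if value.nil? || value.to_s.strip.empty?
  File.expand_path(value.to_s, dir)
end

# Validator shape (a boolean rather than an exception) so datastore
# validation can refuse the option cleanly and report it to the user.
def valid_path_option?(value, dir = Dir.pwd)
  normalize_checked(value, dir)
  true
rescue ArgumentError
  false
end

if $PROGRAM_NAME == __FILE__
  expand_path_behaviour.each { |p, e| puts "#{p.inspect} -> #{e}" }
  puts "unchecked('') == Dir.pwd: #{normalize_unchecked('') == Dir.pwd}"
  puts "checked('') valid: #{valid_path_option?('')}"
end
```

The same check belongs in any option type that is later handed to file or directory operations: an empty value that resolves to the working directory is exactly the kind of input that turns a "delete this directory" or "write this file" helper into a surprise.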
Modules
- PR 15903 - This adds a new exploit module that implements the Shadow Attack, an SMB Direct Session takeover. Before running this module, a man-in-the-middle position must be established so that the module can intercept SMB authentication requests between a client and a server; any ARP spoofing/poisoning tool can be used for this alongside Metasploit. If the connecting user is an administrator and network logons are allowed on the target machine, this module will execute an arbitrary payload.
- PR 15969 - This adds an exploit for HTTP servers affected by the Log4j/Log4Shell vulnerability (CVE-2021-44228) via header stuffing.
- PR 15988 - This adds an exploit for the Catch Themes Demo Import WordPress plugin for versions below 1.8. The theme import functionality does not properly validate file types, allowing an authenticated user to upload a PHP payload. Requesting the uploaded file achieves code execution as the user running the web server.
- PR 16012 - This adds an auxiliary module that executes commands against Pi-hole versions <= 5.5. It also introduces a Pi-hole library for common functionality required by exploits against the service.
- PR 16036 - A new module has been added that exploits CVE-2019-10655, an unauthenticated remote code execution bug in the Grandstream GXV3175. Authentication is bypassed via a buffer overflow in the way the `phonecookie` cookie is parsed, after which a command injection vulnerability in the `settimezone` action's `timezone` parameter is exploited to gain RCE as the `root` user.
- PR 16041 - This adds a module that exploits an authenticated command injection vulnerability in multiple versions of the SonicWall SMA 100 series web interface. In the SSL certificate deletion functionality, the sanitization logic permits the `\n` character, which acts as a command terminator when the value is passed to a call to `system()`. Because of this, an authenticated attacker can execute arbitrary commands as the `root` user.
- PR 16050 - This adds a vCenter-specific exploit leveraging the Log4Shell vulnerability to achieve unauthenticated RCE as root / SYSTEM. This exploit has been tested on both Windows and Linux targets.
- PR 16053 - A module has been added to exploit CVE-2021-44228, an unauthenticated RCE in the Ubiquiti UniFi controller application, versions 5.13.29 through 6.5.53, via the `remember` field of a POST request to the `/api/login` page. Successful exploitation results in OS command execution in the context of the server application.
- PR 16056 - A new exploit module for CVE-2020-5722 has been added. It chains an unauthenticated SQL injection vulnerability with a command injection vulnerability affecting the Grandstream UCM62xx IP PBX series of devices to go from an unauthenticated remote user to `root`-level code execution.
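As an added example of the vulnerability class behind the SonicWall SMA 100 module (PR 16041), and not SonicWall's code or the Metasploit module, the block below uses a hypothetical certificate-deletion handler to show why a blocklist sanitizer that removes the usual shell metacharacters but leaves `\n` alone is still injectable: the shell treats a newline as a command separator exactly as it treats `;`. The hardened version allowlists the value and passes argv to the program directly, so no shell parses it. The constructed attacker input only echoes a marker, so the demo is safe to run.

```ruby
# Added example (not SonicWall's code or the Metasploit module): newline
# command injection through a single-string shell call, beside a hardened
# handler. Function names and the /certs/ path are hypothetical; the shell
# commands only echo, so nothing is deleted.

# Blocklist sanitizer of the kind that gets bypassed: ";", "|", "&", "`"
# and "$" are stripped, but "\n" is not on the list.
def sanitize_blocklist(name)
  name.delete(';|&`$')
end

# Vulnerable handler: the sanitized name is interpolated into one shell
# string and handed to sh, the same shape as a system("rm ... #{name}") call.
# echo stands in for rm so the injected second command is visible.
def delete_cert_vulnerable(name)
  cmd = "echo deleting /certs/#{sanitize_blocklist(name)}"
  IO.popen(['sh', '-c', cmd], &:read)
end

# Hardened handler: strict allowlist on the value, then argv form with no
# shell involved, so a newline (or anything else) cannot become a separator.
CERT_NAME_RE = /\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/
def delete_cert_hardened(name)
  raise ArgumentError, "invalid certificate name: #{name.inspect}" unless name.match?(CERT_NAME_RE)
  IO.popen(['echo', 'deleting', "/certs/#{name}"], &:read)
end

# Did a second command run? The constructed payload echoes INJECTED on its
# own line only if the shell split the string into two commands.
def injected?(output)
  output.lines.map(&:strip).include?('INJECTED')
end

if $PROGRAM_NAME == __FILE__
  payload = "server.crt\necho INJECTED" # constructed attacker input
  puts "vulnerable output:\n#{delete_cert_vulnerable(payload)}"
  begin
    delete_cert_hardened(payload)
  rescue ArgumentError => e
    puts "hardened rejected: #{e.message}"
  end
  puts "hardened output: #{delete_cert_hardened('server.crt')}"
end
```

Note that the blocklist does stop a `;`-based payload, which is how such sanitizers survive review: the fix is not a longer blocklist but an allowlist plus an exec call that never goes through a shell string.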