Last updated at Sat, 20 Jan 2024 23:05:36 GMT
Setting module options just got easier!
Rapid7's own Dean Welch added a new option to framework called `RHOST_HTTP_URL`, which allows users to set values for multiple URL components, such as `RHOSTS`, `RPORT`, and `SSL`, by specifying a single option value. For example, instead of typing `set RHOSTS example.com`, `set RPORT 5678`, `set SSL true`, you can now accomplish the same thing with the command `set RHOST_HTTP_URL https://example.com:5678`. This functionality is currently opt-in. The steps for enabling this feature can be seen within msfconsole's `help features` command.
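To make concrete what a single-URL option has to do, here is an added example (written for this post, not Metasploit's own `RHOST_HTTP_URL` implementation) that splits an HTTP(S) URL into the three datastore values the paragraph above names. The function names `http_url_to_options` and `set_commands_for` are assumptions for illustration; the example relies on Ruby's standard `URI` library filling in the default port (80 or 443) when the URL omits one, and rejects anything that is not an http:// or https:// URL rather than guessing.

```ruby
require 'uri'

# Added example, not Metasploit's implementation: map one HTTP(S) URL to the
# RHOSTS, RPORT and SSL values that would otherwise be set by three commands.
def http_url_to_options(url)
  uri = URI.parse(url)

  # URI::HTTPS is a subclass of URI::HTTP, so this accepts both schemes and
  # rejects bare hostnames, ftp://, smb:// and similar input.
  unless uri.is_a?(URI::HTTP)
    raise ArgumentError, "expected an http:// or https:// URL, got #{url.inspect}"
  end
  if uri.host.nil? || uri.host.empty?
    raise ArgumentError, "URL has no host: #{url.inspect}"
  end

  {
    'RHOSTS' => uri.host,               # e.g. "example.com"
    'RPORT'  => uri.port,               # explicit port, or 80/443 by scheme
    'SSL'    => uri.scheme == 'https'   # true only for https://
  }
end

# Render the equivalent msfconsole commands, to show the two forms are the same.
def set_commands_for(url)
  http_url_to_options(url).map { |name, value| "set #{name} #{value}" }
end

if __FILE__ == $PROGRAM_NAME
  puts set_commands_for('https://example.com:5678')
end
```

Running the block prints `set RHOSTS example.com`, `set RPORT 5678` and `set SSL true`, the three commands the post says the single `set RHOST_HTTP_URL https://example.com:5678` replaces.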
None of your OFBiz(ness)!
Milestone PR #14000 from our own wvu adds a new module targeting a pre-auth RCE vulnerability in Apache's OFBiz ERP software version 17.12.03. This module exploits CVE-2020-9496, and takes advantage of a Java deserialization method within an unauthenticated XML-RPC interface. Latest OFBiz version 17.12.04 fixed this vuln.
More speed!
Speaking of usability improvements, Metasploit's RPC module search just got faster! Thanks to an enhancement by Alan Foster, the `module.search` RPC call now utilizes the module cache instead of the previous slow search functionality.
New modules (6)
- Safari Webkit JIT Exploit for iOS 7.1.2 by Ian Beer, WanderingGlitch, kudima, and timwr, which exploits CVE-2018-4162
- Apache OFBiz XML-RPC Java Deserialization by wvu and Alvaro Muñoz, which exploits CVE-2020-9496
- Geutebruck testaction.cgi Remote Command Execution by Davy Douhine, which exploits CVE-2020-16205
- D-Link Central WiFi Manager CWM(100) RCE by M3 and Redouane NIBOUCHA, which exploits CVE-2019-13372
- Arista Configuration Importer by h00die
- TeamViewer Unquoted URI Handler SMB Redirect by Jeffrey Hofmann and h00die, which exploits CVE-2020-13699
Enhancements and features
- PR #14011 from seska451 adds markdown documentation for the `auxiliary/scanner/http/brute_dirs` module.
- PR #13998 from adfoster-r7 greatly improves the speed of Metasploit's `module.search` RPC call. This updated performance is achieved by searching the module cache instead of framework's slow search functionality.
- PR #13961 from dwelch-r7 adds a new `RHOST_HTTP_URL` option, which allows users to set values for `RHOSTS`, `RPORT`, and `SSL` by specifying a single URL.
- PR #13846 from dwelch-r7 adds support for Nmap's `vulners` script, allowing users to import information on targets' vulnerabilities into the database.
Bugs fixed
- PR #14007 from bcoles fixes a directory path traversal vulnerability with `Msf::Post::File.file_local_write` that could lead to remote code execution.
- PR #14006 from 5tevebaker fixes an incorrect executable path in the `post/osx/gather/enum_osx` module, which caused failures when downloading keychains.
- PR #14002 from wvu-r7 fixes a regression in payload encoding where whitespace bad characters were not being encoded away.
- PR #13974 from dwelch-r7 fixes an authentication bug with the `lib/metasploit/framework/login_scanner/winrm` module which caused failures with servers that did not accept 'Basic' authentication.
- PR #13951 from gwillcox-r7 improves the error message that occurs with `msfvenom` when a payload module is not specified.
Get it
As always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:
If you are a `git` user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).