• 4.14.2 Product Update 2018-02-06
      Bugs Fixed

      • Pro: MS-2982 - When running a custom Social Engineering campaign that serves a web file, Metasploit Pro logged an error in the task log and the campaign would not run. Such campaigns now run without error.
      • Pro: MS-2981 - The REST API v2 Social Engineering Visits endpoint incorrectly returned a 404 Not Found error. The endpoint now returns the correct data.
      • PR 8632 - This fix resolves an issue preventing the auxiliary/scanner/ftp/colorado_ftp_traversal module from supporting large file transfers.
      • PR 9432 - This fix resolves an issue where the `edit` command in msfconsole triggered error messages intended for library files.
      • PR 9436 - This fix resolves an undefined-method error in the auxiliary/scanner/ssh/cerberus_sftp_enumusers module caused by options not being passed to net/ssh. The module now executes as expected.
      • PR 9438 - This fix resolves the cmd_exec API behaving inconsistently between Meterpreter and shell sessions. It also resolves some reverse_http reconnection issues with the native Linux/OSX Meterpreter.
      • PR 9445 - This fix resolves an issue caused by the auxiliary/gather/ssllabs_scan module falling out of sync with additions to the SSL Labs API, and makes the module tolerant of new fields in the JSON response so it does not break again when the API grows.
      • PR 9446 - This fix resolves a compatibility issue between the check method of the exploits/unix/local/setuid_nmap module and shell sessions. The module now uses the new setuid? method in the post-exploitation API, so it works on plain shell sessions as well as Meterpreter.
      • PR 9466 - This fix resolves a syntax error in PHP Meterpreter that caused the payload stage to fail. PHP Meterpreter now stages and loads stdapi properly.
      • PR 9470 - This fix updates the dependencies in the Docker image to also support Python-based modules.
      • PR 9475 - This fix resolves an issue preventing Windows Meterpreter reverse_http stagers from connecting through an authenticating HTTP proxy. HTTP proxy authentication now works as expected.
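      The PR 9446 fix above matters because a plain shell session has no stat() API: a setuid check there has to be made from command output. The Ruby below is an added illustration of that kind of check, not the framework's own setuid? implementation. The `ls -l` and `stat -c %a` outputs it parses are constructed samples, not captured from a real host.

```ruby
# Added example (not Metasploit's own implementation): deciding whether a
# binary is setuid from the output a plain shell session can produce.
# Sample outputs below are constructed, not captured from a real host.

# Permission field printed by `ls -l`, e.g. "-rwsr-xr-x". Index 3 is the
# owner-execute slot: 's' = setuid + execute, 'S' = setuid without execute;
# both mean the setuid bit is set. Index 6 is the same for setgid. ls may
# append '.', '+' or '@' for SELinux/ACL/xattr, so only ten chars are examined.
MODE_RE = /\A[-bcdlps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]\z/

def mode_field(ls_line)
  field = ls_line.strip.split(/\s+/, 2).first.to_s[0, 10]
  raise ArgumentError, "unrecognised mode field: #{field.inspect}" unless field =~ MODE_RE
  field
end

def setuid_from_ls(ls_line)
  %w[s S].include?(mode_field(ls_line)[3])
end

def setgid_from_ls(ls_line)
  %w[s S].include?(mode_field(ls_line)[6])
end

# Octal mode printed by GNU `stat -c %a`, e.g. "4755"; 04000 is the setuid bit.
def setuid_from_octal(stat_output)
  (Integer(stat_output.strip, 8) & 0o4000) != 0
end

# Prefer stat's octal output when the target has GNU stat; fall back to the
# ls -l mode field otherwise (busybox and BSD targets may lack `stat -c`).
def setuid?(stat_output: nil, ls_line: nil)
  return setuid_from_octal(stat_output) if stat_output && !stat_output.strip.empty?
  raise ArgumentError, 'need stat or ls output' if ls_line.nil?
  setuid_from_ls(ls_line)
end

# Constructed sample output, shaped like `ls -l <path>` and `stat -c %a <path>`.
SAMPLE_LS = {
  'nmap_setuid'   => "-rwsr-xr-x 1 root root 2945512 Jan 11  2018 /usr/bin/nmap\n",
  'nmap_plain'    => "-rwxr-xr-x 1 root root 2945512 Jan 11  2018 /usr/bin/nmap\n",
  'selinux_label' => "-rwsr-xr-x. 1 root root 54256 Jan 11  2018 /usr/bin/passwd\n",
}
SAMPLE_STAT = { 'nmap_setuid' => "4755\n", 'nmap_plain' => "755\n" }

if __FILE__ == $0
  SAMPLE_LS.each { |name, line| puts "#{name}: setuid=#{setuid?(ls_line: line)}" }
end
```

      The `S` (setuid without execute) case and the trailing SELinux `.` are the two inputs a naive `=~ /rws/` check gets wrong; the first is still a setuid file, the second is still a ten-character mode.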

      Enhancements and Features

      • PR 6611 - Native DNS support is now available: a Rex protocol library that wraps the dnsruby gem, module mixins, and a pair of sample auxiliary modules. You can store static entries, resolve names over pivots, serve DNS requests across routed session communications, and perform DNS spoofing attacks.
      • PR 9205 - Documentation has been added for the exploit/linux/http/kaltura_unserialize_cookie_rce module.
      • PR 9267 - Extra targets have been added to the exploits/multi/ssh/sshexec module, making it easier to get Meterpreter sessions on hosts running sshd.
      • PR 9335 - The new socket bind port option lets reverse TCP payloads select the local source port used for egress, that is, the port they connect back from.
      • PR 9354 - The new auxiliary/dos/http/brother_debut_dos module causes a Denial of Service (DoS) condition on certain Brother printers. The Debut embedded HTTP server, version 1.20 and earlier, allows a DoS via a crafted HTTP request. The printer becomes unresponsive to HTTP and print requests for roughly 300 seconds, after which it starts responding again.
      • PR 9379 - The exploit/multi/http/oracle_weblogic_rce module exploits Linux- and Windows-based Oracle WebLogic servers, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. PowerShell and Python payloads have been tested successfully. Authentication is not required to exploit this vulnerability.
      • PR 9389 - Documentation has been added for the exploits/windows/misc/commvault_cmd_exec module.
      • PR 9398 - Metasploit's pre-commit development tool now allows UTF-8 characters in module and author names.
      • PR 9413 - The exploits/multi/misc/java_jmx_server module now works in more environments.
      • PR 9424 - The auxiliary/scanner/wproxy/att_open_proxy module, implemented as an external module, has been added for the open custom proxy on some AT&T U-verse routers. The module provides a simple interface for single request-response style scanners, such as those that power a large portion of Rapid7's Project Sonar. General enhancements needed to support external scanner modules were also introduced.
      • PR 9430 - The post/windows/gather/checkvm module has been updated to remove false positive Hyper-V checks on new Windows versions.
      • PR 9431 - The auxiliary/scanner/http/owa_login module can now automatically resolve target hostnames, ensuring any discovered credentials will be properly stored in the workspace.
      • PR 9452 - A new `PayloadProcessCommandLine` parameter has been exposed that sets the command line a Linux or OSX Meterpreter process presents, allowing process hiding and impersonation.
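      The socket bind port option from PR 9335 above comes down to one step: bind the socket to a chosen local port before calling connect, so the connection leaves from that source port. The Ruby below is an added illustration of that step, not Metasploit's payload code. A throwaway listener on 127.0.0.1 stands in for the msfconsole handler so it runs offline; the port numbers are whatever the OS hands out at run time.

```ruby
require 'socket'

# Added example (not Metasploit's payload code): a reverse TCP connect-back
# that binds a chosen local source port before connecting. A listener on
# loopback stands in for the msfconsole handler so the example runs offline.

# Listener side: accept one connection, record the source port the peer used,
# send a banner, and return that port as the thread's value.
def start_handler
  server = TCPServer.new('127.0.0.1', 0)   # port 0: let the OS choose
  lport = server.addr[1]
  thread = Thread.new do
    client = server.accept
    peer_port = client.peeraddr[1]         # source port as seen by the handler
    client.write("hello from handler\n")
    client.close
    server.close
    peer_port
  end
  [lport, thread]
end

# Connect-back side. bind_port is the egress (source) port to use; 0 means
# let the OS pick an ephemeral port, which is the usual reverse_tcp behaviour.
def connect_back(lhost, lport, bind_port)
  sock = Socket.new(Socket::AF_INET, Socket::SOCK_STREAM)
  # SO_REUSEADDR so a port left in TIME_WAIT by an earlier connection can be reused.
  sock.setsockopt(Socket::SOL_SOCKET, Socket::SO_REUSEADDR, true)
  sock.bind(Socket.pack_sockaddr_in(bind_port, '0.0.0.0')) # bind BEFORE connect
  sock.connect(Socket.pack_sockaddr_in(lport, lhost))
  local_port = Socket.unpack_sockaddr_in(sock.getsockname)[0]
  banner = sock.gets
  sock.close
  [local_port, banner]
end

# Pick a currently free TCP port to use as the requested egress port.
def free_port
  s = TCPServer.new('127.0.0.1', 0)
  port = s.addr[1]
  s.close
  port
end

# Run both sides and report what each observed.
def demo(bind_port)
  lport, handler = start_handler
  local_port, banner = connect_back('127.0.0.1', lport, bind_port)
  { requested: bind_port, local_port: local_port, seen_by_handler: handler.value, banner: banner }
end

if __FILE__ == $0
  p demo(0)          # OS-chosen ephemeral source port
  p demo(free_port)  # explicitly requested source port
end
```

      Binding a low source port such as 53 or 88 needs root on Unix hosts, and a port already held by another socket makes bind fail with EADDRINUSE rather than falling back; a payload that hard-codes its egress port should expect both.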

      New Exploits

      • PR 9114 - The exploits/linux/http/kaltura_unserialize_cookie_rce module has been added to the framework. It allows remote code execution through Kaltura video server software versions prior to 13.1.0. A valid entry_id is required for this exploit and can be obtained from any media resource published on the Kaltura installation.
      • PR 9349 - The exploits/linux/http/goahead_ldpreload module has been added to the framework. This module achieves remote code execution through LD_PRELOAD against GoAhead embedded web server versions 2.5 through 3.6.4, based on Daniel Hodson's original research.
      • PR 9399 - The exploits/linux/local/apport_abrt_chroot_priv_esc module has been added to the framework. This module attempts to gain root privileges on Ubuntu 14.04 through Apport and on Fedora through ABRT. In both instances, the crash handler does not drop privileges, resulting in code execution as root.
      • PR 9416 - The exploits/windows/fileformat/syncbreeze_xml module has been added to the framework. This module crafts an XML document that, when imported into Syncbreeze Enterprise 9.5.16, results in payload execution.
      • PR 9457 - The exploits/windows/fileformat/dupscout_xml module has been added to the framework. You can use the module to exploit a file format vulnerability in Dup Scout Enterprise v10.4.16 by using the Import Command functionality to import a specially crafted XML file.
      • PR 9473 - Auxiliary and exploit modules for EternalSynergy, EternalRomance, and EternalChampion have been added to the framework. The exploits/windows/smb/ms17_010_psexec module exploits the MS17-010 SMB vulnerabilities to run any command as SYSTEM or stage Meterpreter. This exploit is more reliable than the EternalBlue exploit, but requires access to a named pipe on the target.

      Offline Update

      • http://updates.metasploit.com/packages/ea25aa2fa47b2128f6c97980d93ed8a9ed680fea.bin