• 4.14.3 Product Update 2018-10-09
    • Bugs Fixed

      • PR 10428 - This fix updates the binaries for the `multi/mysql/mysql_udf_payload` module and gives proper attribution to the sqlmap project.
      • PR 10685 - This fixes a missing variable crash in Meterpreter's `shell` command due to a variable having been renamed during refactor but incompletely reverted. Android Meterpreter is known to be affected.
      • PR 10699 - This fix resolves an issue that caused frequent backtraces in msfconsole output when port forwarding, routing, or other Meterpreter network activity was used. This issue only occurs on systems running Ruby 2.5 or newer.
      • PR 10713 - This adds initial support for Ed25519 gem SSH keys.
      • PR 10725 - This renames the `post/android/sub_info` module to `post/android/gather/sub_info`.
      • PR 10732 - This fixes an issue getting target geolocation on Android sessions by adding an option for specifying an API key for Google maps. This also adds Android as a supported platform to the `post/multi/gather/wlan_geolocate` module.

    • Enhancements and Features

      • PR 10427 - A gather module that extracts VNC passwords from OS X Meterpreter sessions that are running as root has been added to the framework.
      • PR 10534 - The `auxiliary/scanner/http/frontpage_credential_dump` module has been added to the framework. It downloads and parses the `_vti_pvt/service.pwd`, `_vti_pvt/administrators.pwd`, and `_vti_pvt/authors.pwd` files used by FrontPage to find credentials.
      • PR 10575 - This adds a native `chmod` command to Linux Meterpreter.
      • PR 10625 - This adds a `repeat` command to `msfconsole`, allowing a user to repeat a `;`-separated list of commands for `-n` number of times and for `-t` seconds.
      • PR 10628 - This adds an arbitrary file read module for Solaris systems using NetCommander 3.2.3 to 3.2.5, allowing a user to dump the first line of any file. By default, the module steals the password hash for the *root* user from `/etc/shadow`.
      • PR 10680 - This adds the `LEAK_COUNT` option to the Heartbleed scanner, allowing a user to specify the number of memory leaks to attempt per `SCAN` or `DUMP` action.
      • PR 10686 - This enhances the `upload_exec` module by adding `TIMEOUT` and `ARGS` commands, as well as extra debug features. It also exposes a new `chmod` post module API on supported platforms.
      • PR 10687 - This adds the `pry` command to Meterpreter, which offers an enhanced debugging interface for the payload.
      • PR 10692 - An RSpec test has been added for tab completion.
      • PR 10703 - The metasploit-payloads gem version is now 1.3.51. Kiwi support for Windows 10 v1803 is included.
      • PR 10705 - This adds the `-a` or `--all` option to the `reload_lib` command in `msfconsole`, allowing a developer to reload all changed Ruby library files in the Git repository. Metasploit modules and non-Ruby files are excluded as before.
      • PR 10712 - This makes the `axis_srv_parhand_rce` module more reliable by increasing the `WfsDelay` value and backgrounding a subshell in the command injection.
      • PR 10741 - The Docker file now uses multi-stage builds.

    • New Exploits

      • PR 10643 - This adds a local privilege escalation exploit for Windows 8 and later targeting the Windows ALPC scheduler.
      • PR 10663 - The Solaris EXTREMEPARR dtappgather module has been added to the framework. It exploits a directory traversal vulnerability in the dtappgather executable that is included on unpatched Solaris systems 10u11 and older. You can achieve root access with this exploit.
      • PR 10704 - The `exploit/multi/http/navigate_cms_rce` module exploits login bypass and directory traversal vulnerabilities in Navigate CMS v2.8 to upload and execute PHP code.
      • PR 10738 - The `exploit/windows/fileformat/zahir_enterprise_plus_csv` module generates a CSV file that triggers a buffer overflow in the Zahir Enterprise 6 Import File feature, which can lead to code execution.

    • Offline Update

      • https://updates.metasploit.com/packages/4343d681568a08e865d9a1a1f7b594a980eb5551.bin