• 4.17.0 Product Update 2020-01-31
    • Bugs Fixed

      • PR 12568 - The exploit/windows/local/ms16_032_secondary_logon_handle_privesc module was using an outdated PowerShell script and a broken stager. It also only worked when executed under a PowerShell process of the same architecture as the host. This fix updates the PowerShell script, which is now dropped in the %TEMP% directory, and changes the way the stager is generated. This also ensures that, whatever the architecture of the Meterpreter session, a PowerShell process of the same architecture as the host is run.
      • PR 12823 - Bind payloads for Windows and *nix using the Lua scripting language no longer reference an undefined variable.
      • PR 12871 - Fixes module osx/local/persistence. Previously it suggested the wrong removal commands that prevented the deletion of the dropped executable.
      • PR 12873 - Resolves an issue where INTERNET_FLAG_NO_COOKIES was not being set. Support was added for custom HTTP cookies in reverse HTTP/HTTPS Windows payloads.

    • Enhancements and Features

      • PR 12733 - Adds support for arrays to the POST variables option, vars_post, in the REX HTTP client library.
      • PR 12736 - This PR adds functionality to the process library and the exploit/windows/local/payload_inject module to specify a PPID value when creating a process.
      • PR 12757 - This randomizes the test string in the Msf::Post::File _write_file_unix_shell method.
      • PR 12758 - This adds the attributes method to the Msf::Post::File mixin, allowing module developers to list Linux file attributes for a given file. An immutable? method has been provided to check if a file is immutable.
      • PR 12773 - This adds an auxiliary module that exploits an unauthenticated directory traversal vulnerability in TVT network surveillance management software-1000 v3.4.1.
      • PR 12776 - This updates the auxiliary/scanner/misc/sunrpc_portmapper module with a PROTOCOL option to select between TCP or UDP.
      • PR 12790 - This adds the -O option to run an optimized kernel when invoking hashcat from Metasploit.
      • PR 12795 - This adds a command stager for binary payloads that utilizes the lwp-request (-m GET) command to fetch a payload over HTTP.
      • PR 12808 - Job descriptions for UDP handlers will now show a URI with protocol, host, and port; similar to TCP handlers.
      • PR 12845 - This adds a check to webmin_backdoor for whether the server responded with SSL enabled while SSL was disabled in the module.
      • PR 12857 - This PR updates the LICENSE and COPYRIGHT files to have 2020 as the date instead of 2017.
      • PR 12859 - This updates the AF_PACKET chocobo_root Privilege Escalation module:
        • Uses the new Msf::Post::Linux::Compile mixin
        • Updates the chocobo_root.c C exploit code and associated pre-compiled executable, which contains new targets for low latency kernels and other changes.
        • Updates the check method to search the C code for target kernel versions, ensuring a one-to-one mapping between the Metasploit module and the C exploit.
      • PR 12874 - Fixes the rand_text* functions so that they accept a range while debugging.
      • PR 12882 - This updates the help text to note the option to use the PAYLOAD search result index.
      • PR 12883 - This adds the listm and clearm commands to list and clear the module name stack as modified by the pushm and popm commands.

    • New Modules

      • PR 12751 - This adds a Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation module targeting the Linux kernel.
      • PR 12768 - This exploits an unauthenticated command injection vulnerability via the UPnP API available in various D-Link SOHO routers. Code execution as root can be gained by making a request to gena.cgi with the service argument containing malicious code.

    • Offline Update

      • https://updates.metasploit.com/packages/097bbf56ed028cca901ee647b95d90e5179865fb.bin

    • Metasploit Framework and Pro Installers

      • https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version