• 4.17.1 Product Update 2020-03-18
      Bugs Fixed

      • PR 12944 - This fixes a bug in the owa_login module to prevent it from failing when the AUTH_TIME option is set to false.
      • PR 12982 - Replaces broken jedicorp links with Wayback Machine equivalents in the word_unc_injector module.
      • PR 12984 - This corrects an issue with remote Meterpreter-backed network connections where local socket parameters were not updated properly on connect. This means that SOCKS5 proxy connections, among others, did not work correctly when pivoted through Meterpreter sessions.
      • PR 12985 - This PR switches the PowerShell payload to a polling read, preventing failures caused by reading before a message has arrived.
      • PR 13029 - This adds platform and arch filtering to the msfvenom list option.
      • PR 13042 - This fixes a bug in the exchange_ecp_viewstate (CVE-2020-0688) module to properly use the VHOST value. This allows Metasploit to exploit targets where IIS has a Host Name specified in the Bindings section of the web application's configuration.
      • PR 13052 - Adds hex-noslashes as a valid mode for URI encoding. This takes advantage of existing functionality and exposes it to Framework users via the datastore options within the UI.

      Enhancements and Features

      • Pro: MS-4980 - P7zip binary dependency has been updated to latest supported versions for Linux and Windows platforms.
      • Pro: MS-4981 - PCRE binary dependency has been updated to latest supported version 8.44.
      • Pro: MS-4982 - PDCurses binary dependency has been updated to latest supported version 3.9.
      • PR 12929 - This adds the DB_ALL_USERS option to auxiliary/scanner/smb/smb_enumusers, which allows users to store enumerated user names in the database.
      • PR 12989 - Sanitizes user input for module and payload paths, removing a leading ., ./, /, [module|payload]/, or /[module|payload]/ from the path. Also trims a trailing . and any file extension from the path, including likely misspellings of an extension.
      • PR 12990 - This adds new rubocop format rules to make it possible to use its auto-fixer function, enabled with rubocop -a, to automatically format modules in a consistent fashion. Future iterations of these rules will be used to enable automatic code suggestions in PRs as well.
      • PR 13037 - The Metasploit console now shows useful productivity tips to the user when the console is opened.
      • PR 13041 - The Metasploit console now responds twice as fast when an invalid or unknown command is entered. The time was lowered from 2 seconds to 1 second.
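      The path sanitization described in the PR 12989 entry above, written out as an added example. This is not Metasploit's own implementation: the exact prefix list (including the plural modules/ and payloads/ directory forms), the rule that a trailing dot plus up to three letters counts as an extension or a misspelling of one, and the sample paths are all assumptions made here so the behaviour can be run end to end.

```ruby
# Added example: a path normaliser modelled on the sanitisation that the
# PR 12989 entry describes. It is not Metasploit's own implementation; the
# prefix list and the "extension or misspelling" rule are assumptions made
# here so the behaviour can be demonstrated end to end.

# Leading fragments a user might paste in front of a module reference.
# Longer variants come first so "./" is consumed before the bare "." rule.
# The plural "modules/" and "payloads/" forms are an assumption (they are
# the on-disk directory names), not something the release note lists.
LEADING_PREFIXES = (
  ['./', '.'] +
  %w[module modules payload payloads].flat_map { |t| ["/#{t}/", "#{t}/"] } +
  ['/']
).freeze

# A trailing "." followed by up to three letters is treated as a file
# extension or a misspelling of one (".rb", ".rbb", ".r", ...). The {0,3}
# lower bound also covers a bare trailing ".". This is an assumption of the
# example, chosen because module names themselves contain no dots.
TRAILING_EXTENSION = /\.[A-Za-z]{0,3}\z/

def sanitize_module_path(path)
  cleaned = path.to_s.strip
  # Repeat until no listed prefix remains, so "/./module/..." is fully peeled.
  loop do
    prefix = LEADING_PREFIXES.find { |pre| cleaned.start_with?(pre) }
    break if prefix.nil?
    cleaned = cleaned[prefix.length..-1]
  end
  cleaned.sub(TRAILING_EXTENSION, '')
end

if __FILE__ == $PROGRAM_NAME
  [
    './module/exploit/windows/smb/psexec.rb',
    '  /payload/windows/meterpreter/reverse_tcp.rbb ',
    'auxiliary/scanner/smb/smb_enumusers.',
    'exploit/windows/smb/psexec'
  ].each { |p| puts "#{p.inspect} -> #{sanitize_module_path(p).inspect}" }
end
```

      The loop matters for inputs such as "/./module/exploit/..." where more than one listed fragment is stacked at the front; a single pass would leave the inner ones behind. Because the extension rule is purely positional, it would also strip a genuine dotted suffix from a module name that contained one, which is why the comment records it as an assumption rather than Framework behaviour.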

      New Modules

      • PR 12384 - This adds an exploit for Google Chrome CVE-2018-17463 which allows a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
      • PR 12574 - This adds an exploit for Google Chrome CVE-2019-5825, which allows a remote attacker to exploit heap corruption via a crafted HTML page.
      • PR 12863 - This adds an exploit module for PHP-FPM that uses a vulnerability in how messages are passed between Nginx and PHP to execute code. This vulnerability is identified as CVE-2019-11043.
      • PR 12910 - This adds a module to exploit CVE-2015-1830, which is a directory traversal vulnerability in Apache ActiveMQ on Windows. It works by uploading and then executing a JSP file.
      • PR 12975 - Exploits the deliberate backdoor that malicious actors added to PHPStudy. By sending a request to a vulnerable PHPStudy server with the Accept-Encoding header set to gzip,deflate, an attacker causes the Base64-decoded contents of the Accept-Charset header to be executed.
      • PR 13003 - This adds a local exploit module for an out-of-bounds read vulnerability in OpenSMTPD for versions < v6.6.4. Depending on the grammar used by OpenSMTPD, an attacker can gain privileges as either root or the nobody user.
      • PR 13004 - This module allows you to exploit a remote code execution vulnerability in Nagios XI, an application, service, and network monitoring product. Versions before 5.6.6 are vulnerable. An account with permissions to modify plugins in Nagios XI is required. The exploit consists of uploading a malicious plugin and sending a specially crafted HTTP request to trigger code execution.
      • PR 13008 - Adds an exploit module for Google Chrome 80. The module starts a web page hosting malicious JavaScript that, when visited by a vulnerable version of Chrome, achieves remote code execution on the visiting machine. This currently only works when Chrome is running with the --no-sandbox flag.
      • PR 13014 - This adds a remote NT AUTHORITY\SYSTEM exploit against a .NET deserialization vulnerability in the Microsoft Exchange Control Panel, otherwise known as CVE-2020-0688.
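      The trigger shape described in the PR 12975 PHPStudy entry above is specific enough to check for on the defensive side. The following is an added example, not part of the release notes and not the Metasploit module: it parses raw HTTP request heads and reports requests whose Accept-Encoding is gzip,deflate and whose Accept-Charset is strict Base64 decoding to printable text. The whitespace normalisation of Accept-Encoding, the printable-text heuristic, and the three sample requests are assumptions constructed for this demonstration.

```ruby
# Added example, not part of the release notes or of the Metasploit module:
# a log-side check for the PHPStudy backdoor trigger described above, where a
# request carrying "Accept-Encoding: gzip,deflate" causes the Base64-decoded
# Accept-Charset header to be executed. The header normalisation and the
# "decodes to printable text" heuristic are this example's own assumptions.

# Parse the head of a raw HTTP/1.1 request into a hash keyed by downcased
# header name. Only what the check needs; not a full HTTP parser.
def parse_headers(raw_request)
  head = raw_request.split("\r\n\r\n", 2).first.to_s
  lines = head.split("\r\n")
  lines.shift # drop the request line
  lines.each_with_object({}) do |line, headers|
    name, value = line.split(':', 2)
    next if value.nil?
    headers[name.strip.downcase] = value.strip
  end
end

# Strict Base64: alphabet only, optional padding, length a multiple of four.
# Real Accept-Charset values ("utf-8, iso-8859-1;q=0.5") fail this because of
# the hyphens, commas and semicolons.
def strict_base64?(str)
  !str.empty? && str.length % 4 == 0 && str.match?(%r{\A[A-Za-z0-9+/]+={0,2}\z})
end

# Code smuggled in a header is printable text; a short charset token that
# happens to be valid Base64 ("utf8") decodes to binary garbage and is rejected.
def printable_text?(bytes)
  bytes.each_byte.all? { |b| (0x20..0x7e).cover?(b) || [0x09, 0x0a, 0x0d].include?(b) }
end

# Returns the decoded Accept-Charset payload when the request matches the
# trigger shape, or nil when it does not.
def phpstudy_backdoor_payload(raw_request)
  headers  = parse_headers(raw_request)
  encoding = headers['accept-encoding'].to_s.delete(' ').downcase
  charset  = headers['accept-charset'].to_s
  return nil unless encoding == 'gzip,deflate'
  return nil unless strict_base64?(charset)

  decoded = charset.unpack1('m0') # strict Base64 decode via pack/unpack, no gem needed
  printable_text?(decoded) ? decoded : nil
rescue ArgumentError
  nil
end

# Constructed sample requests for the demonstration (not captured traffic).
BENIGN_REQUEST = "GET / HTTP/1.1\r\nHost: target.example\r\n" \
                 "Accept-Encoding: gzip, deflate, br\r\n" \
                 "Accept-Charset: utf-8, iso-8859-1;q=0.5\r\n\r\n"

TRIGGER_REQUEST = "GET / HTTP/1.1\r\nHost: target.example\r\n" \
                  "Accept-Encoding: gzip,deflate\r\n" \
                  "Accept-Charset: #{["system('id');"].pack('m0')}\r\n\r\n"

# Same encoding header, but a charset token that is valid Base64 by accident.
NEAR_MISS_REQUEST = "GET / HTTP/1.1\r\nHost: target.example\r\n" \
                    "Accept-Encoding: gzip,deflate\r\n" \
                    "Accept-Charset: utf8\r\n\r\n"

if __FILE__ == $PROGRAM_NAME
  [BENIGN_REQUEST, TRIGGER_REQUEST, NEAR_MISS_REQUEST].each do |req|
    payload = phpstudy_backdoor_payload(req)
    puts payload ? "suspicious: #{payload}" : 'clean'
  end
end
```

      The Accept-Encoding test alone is a weak signal, since older clients legitimately send "gzip, deflate" and the normalisation collapses that to the trigger value; the Base64 and printability checks on Accept-Charset are what separate the backdoor request from ordinary traffic. Anything flagged should be reviewed by hand, because a real investigation would also want the decoded payload and the source address recorded rather than just a boolean.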

      Offline Update

      • https://updates.metasploit.com/packages/cdae4d91828fc316d0703af3d87c5f18e06088d4.bin

      Metasploit Framework and Pro Installers

      • https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version