• 4.17.1 Product Update 2020-06-23
    • Bugs Fixed

      • Pro: MS-5806 - We fixed the Vulnerability Validation Wizard reporting feature. Previously, requesting a report during wizard configuration would produce no report.
      • PR 13442 - The winrm_login module previously sent a Content-Length of 0, so on an otherwise successful login the server would return HTTP 411 Length Required instead of 200 OK. The module now sends a valid HTTP request.
      • PR 13468 - The memcached_extractor auxiliary module was fixed to work correctly with memcached servers that implement LRU. This applies to memcached servers of versions 1.5.4 and above.
      • PR 13583 - This PR ensures that lib/msf/core/post/windows.rb requires msf/core/post/windows/filesystem so that one doesn't get uninitialized constant errors when using modules that include the Msf::Post::Windows::FileSystem mixin, such as in PR #13554.
      • PR 13589 - Module description data is no longer lost when running rubocop -a.

    • Enhancements and Features

      • PR 13306 - The enum_xchat module was updated by adding documentation, dumping credentials to the database, adding Windows support, adding HexChat support, cleaning up the code, and using libraries when available. The new multi-platform module is named enum_hexchat.
      • PR 13562 - The iis_internal_ip scanner module was updated with documentation and now prints the module's status. The iis_internal_ip scanner module checks for CVE-2000-0649 against IIS versions 5.1 and below.
      • PR 13566 - Framework was updated to select a default payload for a module when it is used instead of when it is run. This allows the user to see the payload that will be used, offering them an opportunity to configure or change it prior to exploitation.
      • PR 13576 - The exploit/windows/smb/psexec_psh module is being deprecated on or about 2020-09-16 because it is a duplicate of exploit/windows/smb/psexec.
      • PR 13579 - Updated the IIS Internal IP module info to reflect how CVE-2000-0649 affects IIS versions 7 and above.
      • PR 13734 - The Shodan API key is validated to be 32 characters.

    • New Modules

      • PR 13170 - The Zivif Camera iptest.cgi Blind Remote Command Execution module exploits a vulnerability in the Web Interface of Zivif brand IP cameras of version 2.3.4.2103 and below, facilitating blind RCE.
      • PR 13303 - The Arista Restricted Shell Escape (with privesc) module takes advantage of poorly configured Arista switches with versions 4.23.1F and below, allowing for privesc by bypassing controls intended to prevent “Read-Only” users from executing bash commands, and by breaking out of a restricted SSH shell.
      • PR 13384 - The Cisco UCS Director Cloupia Script RCE module exploits an authentication bypass and directory traversals in Cisco UCS Director versions below 6.7.4.0 to leak the administrator's REST API key and execute a Cloupia script containing an arbitrary root command.
      • PR 13444 - The GOG GalaxyClientService Privilege Escalation module targets vulnerable versions of the gaming software known as GOG Galaxy Client. The GalaxyClientService runs as SYSTEM and listens locally on port 9978 for commands. A user can connect to this service and issue commands to run, allowing for escalation to SYSTEM.
      • PR 13525 - The Windows Gather Xshell and Xftp Passwords module decrypts the stored passwords of Xshell and Xftp.
      • PR 13534 - This adds the auxiliary/gather/qnap_lfi module to download arbitrary files from a QNAP device running Photo Station application versions that are vulnerable to CVE-2019-7192 and CVE-2019-7194 or CVE-2019-7195.
      • PR 13537 - The LinuxKI Toolset 6.01 Remote Command Execution module exploits an RCE in LinuxKI Toolset v6.01 and earlier. The vulnerability stems from improper input validation of an HTTP GET parameter, which an attacker can leverage to execute arbitrary commands in the context of the web server. This vulnerability is identified as CVE-2020-7209.
      • PR 13554 - This adds a local exploit for [CVE-2020-0787](https://nvd.nist.gov/vuln/detail/CVE-2020-0787), an elevation of privilege vulnerability in the Windows Background Intelligent Transfer Service (BITS).
      • PR 13607 - Cayin CMS NTP Server RCE and Cayin xPost wayfinder_seqid SQLi to RCE modules exploit Cayin software. The Cayin xPost module exploits a blind SQL injection vulnerability that results in code execution as SYSTEM. The Cayin CMS NTP module gets authenticated code execution by injecting code into the ntpIP parameter in a request to system_service.cgi.

    • Offline Update

      • https://updates.metasploit.com/packages/9f3ca1e27b2e76449f3daf3feb7b67a6e57de253.bin

    • Metasploit Framework and Pro Installers

      • https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version