• 4.17.1 Product Update 2020-07-07
      Bugs Fixed

      • PR 13600 - Fixed a bug that prevented users from stopping a job by ID if the job was running an auxiliary module.
      • PR 13605 - The IBM OpenAdmin Tool SOAP welcomeServer PHP Code Execution module now ensures the payload is sent base64-encoded and base64-decoded upon execution. This mitigates potential payload corruption caused by quoting or URL encoding of request data on the server side.
      • PR 13725 - The exploit/linux/http/atutor_filemanager_traversal exploit previously would not run unless credentials were provided, even though credentials were not required. The exploit now runs without credentials.
      • PR 13782 - Fixed an issue so that a database can now be used in conjunction with the alternate method of authenticating to the Metasploit RPC web service, where a preshared authentication value is set in an environment variable. This is useful for running the Metasploit RPC web service with a database attached.

      Enhancements and Features

      • PR 13430 - A debug command was added that can be run directly in the Metasploit console to output the current module, datastore, logs and software versions. This command will help improve the quality of bug reports raised on GitHub and assist when helping Metasploit users debug their issues.
      • PR 13601 - Added support to msfvenom for generating x86 and x64 exe-service payloads with arbitrary service names via the --service-name flag.
      • PR 13608 - Updated the Error Logging API to take an error object and updated the existing elog calls within the codebase to use this new API.
      • PR 13740 - Added the Directory Traversal in Spring Cloud Config Server auxiliary module, which leverages a directory traversal vulnerability in Spring Cloud Config to download arbitrary files.
      • PR 13755 - Previously, multi payloads were automatically selected for modules, and the selected payloads were not usable. Modules now have platform-specific payloads selected for them.
      • PR 13773 - Bumped Metasploit payloads to 1.4.4 to fix bugs in the handling of stderr output in the Java Meterpreter.
      • PR 13787 - AutoCheck was refactored to use Ruby's Module#prepend method instead of Module#include. This simplifies the developer experience when using AutoCheck. Additionally, the ForceExploit advanced option has been added to the mixin, allowing a user to override the module's check result.
      • PR 13795 - Added a helpful tip on using the use command after a user has run the search command. The user is now informed that they may select a module by name or index.

      New Modules

      • PR 12277 - The Agent Tesla Panel Remote Code Execution module exploits a command injection vulnerability in Agent Tesla Panel. Versions of Agent Tesla Panel released after September 12th, 2018 require authentication to successfully exploit this vulnerability.
      • PR 13521 - The Bolt CMS 3.7.0 - Authenticated Remote Code Execution module exploits multiple vulnerabilities in Bolt CMS that allow arbitrary commands to be run as root. This affects Bolt CMS versions 3.6.x through 3.7.0.
      • PR 13604 - The Inductive Automation Ignition Remote Code Execution module exploits a Remote Code Execution vulnerability in versions 8.0.0 to 8.0.7 of the Inductive Automation Ignition SCADA product. Due to multiple issues related to sensitive resource access control, insecure Java deserialization and the use of an insecure Java library, a remote unauthenticated attacker is able to execute arbitrary commands in the context of the SYSTEM user. This module leverages the vulnerabilities identified as CVE-2020-10644 and CVE-2020-12004.
      • PR 13610 - The ATutor 2.2.4 - Directory Traversal / Remote Code Execution module exploits a directory traversal vulnerability to place a malicious PHP file in the server's webroot. That PHP file can then be used to execute arbitrary code on the server. Exploiting this vulnerability requires authentication first. ATutor versions 2.2.4 and below are affected. This vulnerability is identified as CVE-2019-12169.
      • PR 13645 - The Trend Micro Web Security (Virtual Appliance) Remote Code Execution module chains three exploits to achieve remote code execution in Trend Micro Web Security 6.5. The vulnerabilities are identified as:
        • CVE-2020-8604
        • CVE-2020-8605
        • CVE-2020-8606
      • PR 13733 - The AnyDesk GUI Format String Write module exploits a remotely exploitable format string vulnerability in the AnyDesk GUI. The vulnerability is identified as CVE-2020-13160.
      • PR 13739 - The Cisco AnyConnect Priv Esc through Path Traversal module exploits a path/directory traversal vulnerability within vpndownloader.exe on Cisco AnyConnect Secure Mobility Client for Windows versions prior to 4.8.02042. Local attackers who successfully exploit this vulnerability gain arbitrary code execution as the SYSTEM user on affected machines. This vulnerability is identified as CVE-2020-3153.
      • PR 13768 - The Netgear R6700v3 Unauthenticated LAN Admin Password Reset module adds support for CVE-2020-10923 (ZDI-20-0703) and CVE-2020-10924 (ZDI-20-0704), and allows unauthenticated attackers on the same network as a Netgear R6700v3 router running firmware version 1.0.4.82 or 1.0.4.84 to reset the password for the admin user back to the factory default of "password".

        Attackers can then manually change the admin user's password and log in after enabling telnet using the exploit/linux/telnet/netgear_telnetenable module, which grants the attacker a remote shell with root privileges.

        This vulnerability was exploited by the Flashback team (Pedro Ribeiro and Radek Domanski) during Pwn2Own Tokyo 2019.
      • PR 13789 - The OpenSIS Unauthenticated PHP Code Execution module exploits multiple vulnerabilities in OpenSIS 7.4 and lower to execute arbitrary PHP code with the permissions of the web server user. The vulnerabilities are identified as:
        • CVE-2020-13381
        • CVE-2020-13382
        • CVE-2020-13383
      • PR 13807 - The F5 BIG-IP TMUI Directory Traversal and File Upload RCE module exploits a directory traversal vulnerability within the F5 BIG-IP appliance, identified as CVE-2020-5902. The vulnerability is unauthenticated and can be leveraged to obtain remote code execution.

      Offline Update

      • https://updates.metasploit.com/packages/a063b8090fc6917557014a2bcbde781b07ce941a.bin

      Metasploit Framework and Pro Installers

      • https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version