This week's Metasploit wrap-up ships a new exploit module against Nostromo, a directory traversal vulnerability that allows system commands to be executed remotely. Also, improvements have been made for the grub_creds module for better post exploitation experience against Unix-like machines. Plus a few bugs that have been addressed, including the -s option for NOPs generation, the meterpreter prompt, and reverse_tcp hanging due to newer Ruby versions.

New modules (1)

Enhancements and features

  • PR #12491 by Christophe De La Fuente, updates the .mailmap file.
  • PR #12513 by ducksecops, updates Metasploit's docker file to Alpine 3.10 with Ruby 2.6.5.
  • PR #12505 by Brent Cook, enhances grub_creds module from grub_password module

Bugs fixed

  • PR #12467 by nil0x42, fixes the -s option that is ignored in nops' generate command.
  • PR #12482 by zeroSteiner, fixes the default meterpreter prompt.
  • PR #12500 by bcoles, fixes a couple of modules that use #second instead of #message.
  • PR #12502 by Brent Cook, fixes process migration on reverse_tcp meterpreter sessions with newer Ruby.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

We recently announced the release of Metasploit 5. You can get it by cloning
the Metasploit Framework repo (master branch). To install fresh without using git,
you can use the open-source-only Nightly Installers or the binary installers
(which also include the commercial editions).