Improved

- Pro: We updated session data collection to offer users the option to decide whether password cracking should be performed during the task.
- PR 15332 - This improves localization support and compatibility in the session post API related to the `rename_file` method.
- PR 15384 - This consolidates and changes the library code used by exploits that use RDLLs. This change improves the logic used to start a process to host the RDLL, so it is no longer `notepad.exe` but is randomly selected from a list that can also be updated in the future.
- PR 15477 - This adds PowerShell session support to the `readable?` and `read_file` functions provided by the `Post::File` API.
- PR 15540 - This adds an option to `cmd_execute` to have the command run in a subshell by Meterpreter.
- PR 15556 - This adds shell session compatibility to the `post/windows/gather/enum_unattend` module.
- PR 15564 - This adds support to the `get_env` and `command_exists?` post API methods for PowerShell session types.
- PR 15580 - Updates the `postgres_payload` exploit modules to specify a valid default PAYLOAD option when changing target architectures.
- PR 15584 - Updates the list of WordPress plugins and themes, which allows users to discover more plugins and themes when running tools such as `auxiliary/scanner/http/wordpress_scanner`.
Fixed

- PR 15303 - This PR ensures that the shell `dir` command returns a list.
- PR 15496 - Users can now specify the SSL version for servers with the `SSLVersion` datastore option, ensuring compatibility with a range of targets old and new.
- PR 15539 - This fixes the detection of the OS version in the `check` method of `exploit/windows/local/cve_2018_8453_win32k_priv_esc`.
- PR 15546 - This ensures that the UUID URLs of stageless reverse_http(s) payloads are stored in the database so that they can be properly tracked with payload UUID tracking. This also fixes an error caused by accessing the contents of a URL list without first checking that it is valid.
- PR 15570 - This fixes a bug in the `auxiliary/scanner/smb/smb_enum_gpp` module where the path generated by the module caused an SMB exception to be raised.
Modules

- PR 15525 - Adds the `linux/http/lucee_admin_imgprocess_file_write` module, which sends an unauthenticated request to the `imgProcess.cfm` endpoint and uses the `file` parameter, which contains a directory traversal vulnerability, to write a file to an arbitrary location. Combining the two capabilities, this module writes a CFML script to the vulnerable server and achieves unauthenticated code execution as the user running the Lucee server.
- PR 15561 - Adds an exploit for the ProxyShell attack chain against Microsoft Exchange Server.
- PR 15593 - This collects usernames and password hashes from WordPress installations via an authenticated SQL injection vulnerability that exists in LearnPress plugin versions below `v3.2.6.8`.