Mar 14, 2022 - 4.21.0-2022031401

New

  • Pro: We added a new global settings view for the Web Server that lets administrators manage session timeout and lockout thresholds.

  • Pro: We added the option to upload a backup file for restore in the Administration Global Settings.

Improved

  • PR 16135 - This adds support for logging Meterpreter's TLV Packets with setg SessionTlvLogging true. Other values for the SessionTlvLogging option include console, false, and file:<file_location>.

  • PR 16141 - This adds service manager commands to msfconsole.

  • PR 16219 - This updates the packet inspection for the enumextcmd and loadlib commands to log human readable string identifiers in addition to the integer value command ids that were introduced as part of Metasploit 6.

  • PR 16258 - This improves Meterpreter's TLV logging support to show human readable names for the Meterpreter TLV values. To view this functionality run setg SessionTlvLogging true with a Meterpreter session open. Next, run a Meterpreter command such as dir.

  • PR 16269 - This improves validation for Android payloads to verify Java is correctly installed and apktool.jar exists in the same directory as apktool.

  • PR 16270 - This improves validation for Android payloads to notify the user if a keytool error is present, such as being unable to parse the provided APK file or certificate.

  • PR 16282 - This adds the lcat command to Meterpreter which allows the user to cat a local file.

  • PR 16288 - This change displays the output of apktool if it contains Java exceptions, which is useful for debugging errors in Android APK injection.
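As an added illustration of what the TLV logging entries in PR 16135 and PR 16258 are showing (this is example code written for these notes, not code from the Metasploit Framework), the decoder below walks a Meterpreter-style TLV list and emits one log line per entry with a human-readable type name instead of only the integer id. The meta-type bit positions and the three named type constants are given as the author of this example understands the Meterpreter protocol and are assumptions; the sample packet body is constructed here. The decoder also refuses malformed lengths, which is the check a logging hook must make before trusting bytes that arrived from a session.

```ruby
# Added example: decode a Meterpreter-style TLV list and render it the way a
# human-readable TLV log would. Type constants are assumptions about the
# protocol, not values taken from the framework; the packet is constructed.

TLV_META_TYPE_STRING = 1 << 16
TLV_META_TYPE_UINT   = 1 << 17
TLV_META_TYPE_RAW    = 1 << 18
TLV_META_TYPE_BOOL   = 1 << 19
TLV_META_TYPE_QWORD  = 1 << 20
META_MASK            = 0xFFFF_0000 # meta type lives in the high 16 bits

# Assumed well-known types (meta type OR'd with a small id).
TLV_TYPE_METHOD     = TLV_META_TYPE_STRING | 1
TLV_TYPE_REQUEST_ID = TLV_META_TYPE_STRING | 2
TLV_TYPE_RESULT     = TLV_META_TYPE_UINT   | 4

TLV_NAMES = {
  TLV_TYPE_METHOD     => 'TLV_TYPE_METHOD',
  TLV_TYPE_REQUEST_ID => 'TLV_TYPE_REQUEST_ID',
  TLV_TYPE_RESULT     => 'TLV_TYPE_RESULT'
}.freeze

# Each TLV is [length:4 BE, includes 8-byte header][type:4 BE][value].
def encode_tlv(type, value)
  body = case type & META_MASK
         when TLV_META_TYPE_STRING then value.b + "\x00".b # NUL-terminated
         when TLV_META_TYPE_UINT   then [value].pack('N')
         when TLV_META_TYPE_BOOL   then [value ? 1 : 0].pack('C')
         when TLV_META_TYPE_QWORD  then [value].pack('Q>')
         else value.b                                      # raw bytes
         end
  [body.bytesize + 8, type].pack('NN') + body
end

# Decode a buffer of back-to-back TLVs into [{type:, name:, value:}, ...].
# A length below 8 or past the end of the buffer is rejected rather than
# looped on, so a hostile or truncated packet cannot stall the logger.
def decode_tlvs(buf)
  tlvs = []
  offset = 0
  while offset + 8 <= buf.bytesize
    length, type = buf.byteslice(offset, 8).unpack('NN')
    if length < 8 || offset + length > buf.bytesize
      raise ArgumentError, "bad TLV length #{length} at offset #{offset}"
    end
    body = buf.byteslice(offset + 8, length - 8)
    value = case type & META_MASK
            when TLV_META_TYPE_STRING then body.chomp("\x00".b)
            when TLV_META_TYPE_UINT   then body.unpack1('N')
            when TLV_META_TYPE_BOOL   then body.unpack1('C') != 0
            when TLV_META_TYPE_QWORD  then body.unpack1('Q>')
            else body
            end
    name = TLV_NAMES.fetch(type) { format('UNKNOWN(0x%08x)', type) }
    tlvs << { type: type, name: name, value: value }
    offset += length
  end
  tlvs
end

# One log line per TLV: name, numeric id, and the decoded value.
def format_tlv_log(tlvs)
  tlvs.map { |t| format('%-22s (0x%08x) => %p', t[:name], t[:type], t[:value]) }
end

# Constructed request body resembling a directory-listing command.
SAMPLE_PACKET_BODY = encode_tlv(TLV_TYPE_METHOD, 'stdapi_fs_ls') +
                     encode_tlv(TLV_TYPE_REQUEST_ID, '0' * 32) +
                     encode_tlv(TLV_TYPE_RESULT, 0)

if $PROGRAM_NAME == __FILE__
  puts format_tlv_log(decode_tlvs(SAMPLE_PACKET_BODY))
end
```

Running the file prints three lines, one per TLV, with the method name and request id decoded as strings and the result as an integer; an id that is not in the name table is still logged, as UNKNOWN with its hex value, so nothing in the stream is silently dropped.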

Fixed

  • PR 16145 - This fixes a case sensitivity issue with option handling for the to_handler command on Metasploit payloads. Previously, setting an LPORT value within a payload would not correctly override the previously set lport value.

  • PR 16153 - This fixes a bug in the auxiliary/client/smtp/emailer which previously handled multiline SMTP responses incorrectly, stopping the module from emailing the payload successfully.

  • PR 16228 - This fixes a bug where the framework failed to check if a payload would fit in the space defined by an exploit if the payload was not encoded.

  • PR 16235 - This change fixes an issue with apk injection. In some configurations an invalid apktool version string would cause injection to fail.

  • PR 16251 - This fixes an error when executing commands using the Python Meterpreter where not all results were returned to msfconsole.

  • PR 16254 - This fixes an issue in the shodan search module where recent changes to randomize the user agent were causing the results returned to the module to be in an unexpected format.

  • PR 16255 - This fixes a parsing issue with kiwi_cmd arguments which contained spaces, such as kiwi_cmd 'base64 /in:off /out:off'.

  • PR 16257 - This change adds a warning when a user tries to inject the android payload into an apk using an older version of apktool.

  • PR 16264 - This fixes a crash when attempting to create local module documentation with the info -d command when the provided Github credentials are invalid.

  • PR 16265 - This fixes an edge case which led to a running job being cleaned up twice, causing unintended errors. Now the job is only cleaned up once.

  • PR 16266 - This fixes a bug in how msfconsole tab completes directory paths.

  • PR 16268 - This updates the check method of the exploit/windows/local/bypassuac_comhijack module to identify Windows 10 versions 1903 and later as not being affected. This also switches the module to run the check method automatically which will help inform users when the target system is or is not vulnerable.

  • PR 16283 - This change fixes an error when attempting to inject into an unsigned APK file. A suitable error message is now displayed.

  • PR 16286 - This fixes a payload truncation issue in post/windows/manage/persistence_exe on Windows systems caused by the usage of IO.read.

  • PR 16294 - This change fixes the Android APK injection functionality of msfvenom to use the new signing tool apksigner instead of jarsigner, which allows the applications to install successfully on the latest version of Android 11.

  • PR 16310 - This fixes an edge case where setting multiple RHOST values for a module which does not support this option would cause the module to run multiple times instead of once.

  • PR 16311 - This updates msfconsole's search functionality to include the 64-bit variant of payload_windows/x64/encrypted_shell payloads.

  • PR 16312 - This fixes two issues with the pwnkit exploit for CVE-2021-4034. The first issue fixed was a compatibility check between the target host architecture and the payload. The second issue fixed was with the on session callback that sets the current working directory.

  • PR 16322 - This fixes a regression issue with the hosts command tab completion and the --search option's functionality.
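The SMTP bug in PR 16153 is a general client-side parsing mistake worth seeing in isolation, so here is an added example (written for these notes, not taken from the auxiliary/client/smtp/emailer module) that reads replies the way RFC 5321 section 4.2.1 defines them: every line of a multiline reply except the last uses "CODE-text", and the final line uses "CODE text" (or a bare code). A naive reader that stops after one line leaves the rest of the reply in the socket buffer, so the next command appears to be answered by stale text. The session transcript is constructed; the hostname and SIZE value in it are placeholders.

```ruby
# Added example: correct versus naive handling of multiline SMTP replies.
# The transcript is constructed; mail.example.test is a placeholder host.
require 'stringio'

# Reads one complete SMTP reply. Returns [code, [text_of_each_line]].
# Continuation lines are "250-..."; the final line is "250 ..." or just "250".
def read_smtp_reply(io)
  code = nil
  lines = []
  loop do
    raw = io.gets
    raise EOFError, 'connection closed mid-reply' if raw.nil?
    line = raw.chomp
    m = line.match(/\A(\d{3})(?:([ -])(.*))?\z/)
    raise ArgumentError, "malformed SMTP reply line: #{line.inspect}" unless m
    code ||= m[1].to_i
    # All lines of one reply must carry the same code; anything else means
    # the stream is out of sync with the command/reply cadence.
    raise ArgumentError, "reply code changed mid-reply: #{line.inspect}" if m[1].to_i != code
    lines << (m[3] || '')
    return [code, lines] if m[2] != '-'   # space separator or bare code ends the reply
  end
end

# The pre-fix behaviour: one line is treated as the whole reply.
def read_smtp_reply_single_line(io)
  line = io.gets.chomp
  [line[0, 3].to_i, [line[4..-1].to_s]]
end

# Constructed EHLO reply (four lines) followed by the reply to MAIL FROM.
CONSTRUCTED_EHLO_REPLY = "250-mail.example.test Hello client\r\n" \
                         "250-SIZE 35882577\r\n" \
                         "250-STARTTLS\r\n" \
                         "250 8BITMIME\r\n"
CONSTRUCTED_SESSION = CONSTRUCTED_EHLO_REPLY + "250 2.1.0 Ok\r\n"

# After EHLO, what does the client believe MAIL FROM was answered with?
def naive_next_reply
  io = StringIO.new(CONSTRUCTED_SESSION)
  read_smtp_reply_single_line(io)  # consumes only the first EHLO line
  read_smtp_reply_single_line(io)  # returns the stale SIZE line instead
end

def correct_next_reply
  io = StringIO.new(CONSTRUCTED_SESSION)
  read_smtp_reply(io)              # drains all four EHLO lines
  read_smtp_reply(io)              # the real MAIL FROM acknowledgement
end

if $PROGRAM_NAME == __FILE__
  puts "naive:   #{naive_next_reply.inspect}"
  puts "correct: #{correct_next_reply.inspect}"
end
```

The naive reader reports the MAIL FROM reply as "SIZE 35882577", which is why a client built on it drifts one reply behind and eventually misreads a later status; the RFC-shaped reader returns "2.1.0 Ok". The same separator rule applies to every SMTP reply, not only EHLO, so the loop should be the only way the client ever reads from the server.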

Modules

  • PR 16098 - This updates the SMB relay module to support relaying to targets over SMB 2 and SMB 3. This module also adds intelligent targeting for multiple hosts so if the incoming authentication information is incompatible with one, the next target host will be tried.

  • PR 16103 - This adds an LPE exploit for CVE-2021-4034 which leverages a flaw in polkit's pkexec utility. It also adds support to Metasploit for generating Linux SO library payloads in the AARCH64 architecture.

  • PR 16131 - This exploits an unauthenticated SQL injection vulnerability in the Modern Events Calendar plugin for Wordpress.

  • PR 16182 - A new module has been added to exploit CVE-2021-24931, an unauthenticated SQLi vulnerability in the sccp_id parameter of the ays_sccp_results_export_file AJAX action in Secure Copy Content Protection and Content Locking WordPress plugin versions before 2.8.2. Successful exploitation allows attackers to dump usernames and password hashes from the wp_users table which can then be cracked offline to gain valid login credentials for the affected WordPress installation.

  • PR 16185 - This adds a module for CVE-2020-26950, a use after free browser exploit targeting Firefox and Thunderbird.

  • PR 16190 - The "Apps" feature in Axis IP cameras allows third party developers to upload and execute 'eap' applications on the device; however, no validation is performed to ensure the application comes from a trusted source. This module takes advantage of this vulnerability to allow authenticated attackers to upload and execute malicious applications and gain RCE. Once the application has been installed and the shell has been obtained, the module will then automatically delete the malicious application. No CVE is assigned to this issue as a patch has not been released as of the time of writing.

  • PR 16202 - This adds an exploit for CVE-2022-21882 which is a patch bypass for CVE-2021-1732. It updates and combines both techniques into a single mega-exploit module that will use the updated technique as necessary. No configuration is necessary outside of the SESSION and payload datastore options.

  • PR 16204 - This module exploits an unauthenticated command injection in a variety of Hikvision IP cameras (CVE-2021-36260). The module inserts a command into an XML payload used with an HTTP PUT request sent to the /SDK/webLanguage endpoint, resulting in command execution as the root user.

  • PR 16227 - This adds an auxiliary module that leverages a sanitization issue in the Wordpress plugin MasterStudy to create an admin account in Wordpress.

  • PR 16245 - This adds a module that exploits an authenticated arbitrary file creation vulnerability in the pfSense HTTP interface.

  • PR 16248 - This adds an unauthenticated exploit targeting Apache APISIX. It leverages two vulnerabilities, the first of which is a default API key and the second is an IP restriction bypass. The result is OS command execution as the service user.

  • PR 16303 - This exploits a privilege escalation vulnerability in the Linux kernel starting with version 5.8. The module leverages the vulnerability to overwrite an SUID binary in order to gain privileges as the root user.
