Mar 28, 2022
4.21.0-2022032801

Improved

  • Pro: We have improved support for signals to meterpreter sessions in a Linux CLI console.

  • PR 16186 - This adds an additional Adapter payload type which can be used in scenarios such as wanting to deliver a full Meterpreter session from a command payload.

  • PR 16249 - This expands on the work done in https://github.com/rapid7/metasploit-framework/pull/16164 and adds a new library named MsfExploitRemoteHTTPExchange which allows for future Exchange library functions.

  • PR 16250 - This adds new ListenerBindPort and ListenerBindAddress options on modules which expose services such as HTTP, SMB, LDAP, FTP, etc. Users can now specify a separate IP/Port to bind to, in addition to the SRVHOST/SRVPORT values. These additional options are useful if Metasploit is running in a network behind a NAT, or when pivoting through a compromised target. The naming convention is similar to the payload options ReverseListenerBindAddress and ReverseListenerBindPort.
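The split between the advertised endpoint and the bound endpoint, as an added illustration (this is not Metasploit's own code): SRVHOST/SRVPORT are what the target is told to connect back to, while ListenerBindAddress/ListenerBindPort are where the socket really listens. The option names are the ones on the page; the Listener struct, start_listener helper and the 203.0.113.10 address are assumptions constructed for the example.

```ruby
require "socket"

# Hypothetical listener record: keeps the bound socket apart from the
# advertised host/port so generated callbacks never leak the bind address.
Listener = Struct.new(:server, :bind_host, :bind_port,
                      :advertised_host, :advertised_port) do
  # The address that belongs in generated URLs is the advertised one.
  def advertised_url(path = "/")
    "http://#{advertised_host}:#{advertised_port}#{path}"
  end

  def close
    server.close
  end
end

# Falls back to SRVHOST/SRVPORT when no explicit bind options are given,
# mirroring the behaviour the release note describes.
def start_listener(opts)
  bind_host = opts["ListenerBindAddress"] || opts.fetch("SRVHOST")
  bind_port = opts["ListenerBindPort"] || opts.fetch("SRVPORT")
  server = TCPServer.new(bind_host, bind_port)
  Listener.new(server, bind_host, server.addr[1], opts["SRVHOST"], opts["SRVPORT"])
end

# Behind NAT: advertise the public-facing endpoint (constructed TEST-NET
# address), but bind to loopback on an ephemeral port so the demo runs anywhere.
def nat_demo
  l = start_listener("SRVHOST" => "203.0.113.10", "SRVPORT" => 8080,
                     "ListenerBindAddress" => "127.0.0.1", "ListenerBindPort" => 0)
  { url: l.advertised_url("/stage"), bound_to: l.bind_host,
    bound_port_ephemeral: l.bind_port > 0 }
ensure
  l&.close
end

puts nat_demo.inspect if __FILE__ == $PROGRAM_NAME
```

The callback URL handed to the target carries 203.0.113.10:8080 even though the process only ever bound 127.0.0.1; that is exactly the property a NAT or pivot setup needs.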

  • PR 16262 - This updates the default payload selection so that cmd/unix/reverse_bash is chosen over cmd/unix/reverse_netcat by default unless RequiredCmd is set such that the module cannot execute Bash payloads.

  • PR 16298 - This adds the new "capture" plugin which can be used to easily start and stop credential-capturing services.

  • PR 16352 - A discussion tag has been added to allow for more long term discussions. This will replace usage of the repository level "Discussions tab", and issues marked as discussion will not be automatically closed.

  • PR 16361 - This adds documentation for the adb_server_exec module.

Fixed

  • Pro: We fixed an issue where web application tests failed for SSL based sites on recent Ruby versions.

  • PR 16207 - The VNC libraries and associated modules have been updated to support more modern versions of VNC and to fix a few bugs so that they will work correctly with new VNC versions.

  • PR 16309 - This fixes an issue where the ssh_login module would crash when the channel used to execute the commands to gather the platform information reported that they failed.

  • PR 16316 - This ensures individual modules no longer accidentally shut down joint services that are used across multiple modules/handlers etc., such as HTTP servers. Modules will now correctly unregister interest in the global service, and if there are no longer any interested modules in the running global service, it will be shut down correctly.
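The register/unregister pattern that note describes, as an added illustration rather than Metasploit's own service code: a shared service is created on first use, each module records its interest, and the service is stopped only when the last interested module releases it. SharedServiceRegistry and FakeHttpServer are hypothetical names invented for the example.

```ruby
require "set"

# Stand-in for a long-lived shared service such as an HTTP server.
class FakeHttpServer
  attr_reader :running

  def initialize(key)
    @key = key
    @running = true
  end

  def stop
    @running = false
  end
end

# Hypothetical reference-counted registry keyed by service identity
# (e.g. protocol + bind address + port).
class SharedServiceRegistry
  Entry = Struct.new(:service, :owners)

  def initialize
    @entries = {}
  end

  # A module declares interest; the service is started on first use only.
  def acquire(key, owner)
    entry = (@entries[key] ||= Entry.new(FakeHttpServer.new(key), Set.new))
    entry.owners << owner
    entry.service
  end

  # A module gives up interest; the service stops only when nobody is left.
  # Returns true when the service was actually stopped.
  def release(key, owner)
    entry = @entries[key]
    return false if entry.nil?
    entry.owners.delete(owner)
    return false unless entry.owners.empty?
    entry.service.stop
    @entries.delete(key)
    true
  end

  def running?(key)
    entry = @entries[key]
    !entry.nil? && entry.service.running
  end
end

# Two modules share one listener (constructed key); the first one finishing
# must not take the second one's service down with it.
def demo
  reg = SharedServiceRegistry.new
  key = "http:0.0.0.0:8080"
  reg.acquire(key, :module_a)
  reg.acquire(key, :module_b)
  first_stop  = reg.release(key, :module_a)  # false: module_b still needs it
  still_up    = reg.running?(key)            # true
  second_stop = reg.release(key, :module_b)  # true: last owner gone
  [first_stop, still_up, second_stop, reg.running?(key)]
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The bug the note fixes is the case where a module's cleanup calls the equivalent of `service.stop` directly instead of `release`, which tears the listener out from under every other module still using it.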

  • PR 16317 - This fixes an issue with multiple modules that listen on UDP sockets where the modules were not closing and freeing the socket when their respective services were stopped.

  • PR 16324 - This fixes an issue in the DNS native server module where the server would crash upon receiving a query.

  • PR 16325 - Replaces IO.read with File.binread, in scenarios where it's obvious that we're reading from binaries. This prevents an issue where not all of the file is read correctly due to an additional EOL<->CRLF conversion that happens on Windows.
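What the text-mode read does to a binary file, as an added illustration that is not part of the release or the framework's code. On Windows the newline conversion happens with the default read mode; here the file is opened with Ruby's explicit "rt" (text) mode so the same effect reproduces on any platform, and File.binread is shown alongside returning the bytes intact. The sample blob is constructed for the example.

```ruby
require "tmpdir"

# Constructed "binary" content: a CRLF pair (0x0D 0x0A) sits inside the data,
# as it easily can in any executable, archive or image.
SAMPLE_BLOB = "\x4D\x5A\x00\x0D\x0A\x90\x0D\x0A\xFF".b.freeze

def with_sample_file
  Dir.mktmpdir do |dir|
    path = File.join(dir, "sample.bin")
    File.binwrite(path, SAMPLE_BLOB)
    yield path
  end
end

# Text mode: universal newline decoration on read collapses CRLF to LF,
# silently shortening the data. This is what the default mode does on Windows.
def read_text_mode(path)
  File.open(path, "rt", &:read)
end

# Binary mode: the bytes exactly as stored on disk.
def read_binary(path)
  File.binread(path)
end

def compare_reads
  with_sample_file do |path|
    text = read_text_mode(path)
    bin  = read_binary(path)
    { original: SAMPLE_BLOB.bytesize,
      text_mode: text.bytesize,
      binread: bin.bytesize,
      binread_intact: bin == SAMPLE_BLOB }
  end
end

puts compare_reads.inspect if __FILE__ == $PROGRAM_NAME
```

The text-mode read comes back two bytes short, one per CRLF pair, which is the kind of corruption that makes a rebuilt APK or injected executable fail later with no obvious cause.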

  • PR 16326 - This fixes SMB signing detection for the scanner/smb/smb_version module when the target server has SMB1 disabled.

  • PR 16332 - This change fixes a bug in APK injection where the native libraries would not automatically be aligned with zipalign, and would fail to install on a device.

  • PR 16334 - This change fixes a bug where APK files that were not signed with the v1 scheme would fail during the signing phase of APK file injection with msfvenom.

  • PR 16340 - This change fixes the APK injection behaviour to use aapt2 if msfvenom is unable to rebuild the APK with apktool, which repairs a bug and allows more APKs to be compatible with msfvenom.

  • PR 16341 - This fixes a bug where the auxiliary/server/capture/vnc module would not output hashes in a format compatible with John The Ripper and also fixes a bug that was causing crashes due to assuming hashes always had an associated username. Additionally, support has been added for exporting VNC hashes into a JTR compatible format for later cracking and the hash_identify function has been updated to properly identify VNC hashes allowing for better hash detection.

  • PR 16347 - This updates the normalize_host method so that when it attempts and fails to resolve a hostname to an IP address, it will return nil instead of raising an exception. Previously this exception would result in modules like auxiliary/gather/enum_dns crashing instead of saving the information it had managed to gather on the target so far.

  • PR 16350 - This fixes an unintentional crash when using payload/windows/x64/encrypted_shell_reverse_tcp without having a database configured.

  • PR 16353 - This fixes a bug in the Anemone library, the HTTP crawler libraries, and the related module to allow for the pulling and setting of ssl_version from standardized options and finer-grained user control. Additionally, this helps avoid issues related to missing or deprecated SSL versions in newer Ruby versions, which were at times preventing Metasploit from making successful connections to targets.

  • PR 16358 - This change fixes a bug in the msfvenom APK injection code, where in some situations a suitable hook point could not be found.

  • PR 16367 - This fixes a bug in the way character escaping was done in apache_apisix_api_default_token_rce. Several updates have also been made to better handle error cases that may occur when sending HTTP requests to the target.

  • PR 16368 - This improves response time when a cache miss occurs for commands not provided by msfconsole.

  • PR 16369 - This change fixes the shell_to_meterpreter module to allow upgrading (or duplicating) meterpreter sessions.

  • PR 16371 - This fixes a crash in the WebSocket library used by the kubernetes modules that would occur when a socket method was being called that's only provided by the Rex version.

Modules

  • PR 16252 - This adds an auxiliary module that enumerates Gitlab user accounts via the GraphQL API which does not require authentication when querying user information.

  • PR 16284 - A new module has been added that exploits CVE-2021-31166, a UAF bug in http.sys when parsing Accept-Encoding headers, to cause a BSoD and denial of service on vulnerable IIS servers.

  • PR 16344 - This adds a module targeting SpoolFool (AKA CVE-2022-21999), a local privilege escalation targeting the spool service on Windows 10 or Server builds 18362 or earlier.
