May 24, 2022
4.21.0-2022052401

Improved

  • Pro: We have updated the Java runtime utilized in report generation to maintain a strong security posture.

  • PR 16430 - This adds support for logging AS-REP Roastable accounts, as well as storing the generated Kerberos token within the creds database. Additionally, this improves error handling.

  • PR 16442 - This adds a new vars_form_data field to the Rex HTTP Client for uploading files/form values to a remote HTTP server with ease:

    # Form fields are passed as an array of hashes; a file part additionally
    # carries its MIME type, transfer encoding and filename.
    vars_form_data = [
      { 'name' => 'nsp', 'data' => @csrf_token },
      { 'name' => 'upload', 'data' => 1 },
      { 'name' => 'MAX_FILE_SIZE', 'data' => 1000000 },
      { 'name' => 'uploadedfile', 'data' => payload_zip, 'mime_type' => 'application/zip', 'encoding' => 'binary', 'filename' => zip_filename }
    ]

    # send_request_cgi encodes the array as a multipart/form-data POST body.
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => uri,
      'vars_form_data' => vars_form_data
    )
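The wire format that a vars_form_data array is turned into, shown as an added example rather than Rex's own implementation: a minimal multipart/form-data builder that accepts the same name/data/mime_type/encoding/filename keys. The boundary string and the sample field values are constructed for the demonstration.

```ruby
# Added example (not the Rex HTTP client's code): encode a vars_form_data-style
# array of parts into a multipart/form-data body so the per-part headers the
# server will see are visible.

# Build the body. Each part is a Hash with 'name' and 'data' plus optional
# 'filename', 'mime_type' and 'encoding', mirroring the vars_form_data keys.
# The boundary is supplied by the caller here so the output is deterministic.
def build_multipart(parts, boundary)
  body = ''.b # binary string, so raw file bytes can be appended safely
  parts.each do |part|
    body << "--#{boundary}\r\n"
    disposition = "Content-Disposition: form-data; name=\"#{part['name']}\""
    disposition << "; filename=\"#{part['filename']}\"" if part['filename']
    body << disposition << "\r\n"
    body << "Content-Type: #{part['mime_type']}\r\n" if part['mime_type']
    body << "Content-Transfer-Encoding: #{part['encoding']}\r\n" if part['encoding']
    body << "\r\n" << part['data'].to_s << "\r\n"
  end
  body << "--#{boundary}--\r\n" # closing delimiter
  body
end

# Content-Type header value that must accompany the body.
def multipart_content_type(boundary)
  "multipart/form-data; boundary=#{boundary}"
end

# Constructed sample input: a CSRF token field, an integer field and a small
# binary upload (first four bytes of a zip header), like the form above.
SAMPLE_PARTS = [
  { 'name' => 'nsp', 'data' => 'abc123' },
  { 'name' => 'MAX_FILE_SIZE', 'data' => 1000000 },
  { 'name' => 'uploadedfile', 'data' => "PK\x03\x04".b,
    'mime_type' => 'application/zip', 'encoding' => 'binary',
    'filename' => 'payload.zip' }
].freeze

if __FILE__ == $PROGRAM_NAME
  boundary = '----ExampleBoundary' # constructed; real clients randomise this
  puts multipart_content_type(boundary)
  puts build_multipart(SAMPLE_PARTS, boundary)
end
```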

  • PR 16529 - This updates Mettle payloads to support logging to file and to use the same options as the other Meterpreters. For example within msfconsole:

    use osx/x64/meterpreter_reverse_tcp
    generate -f macho -o shell MeterpreterDebugbuild=true MeterpreterDebugLogging='rpath:/tmp/foo.txt'
    to_handler

  • PR 16538 - The Python Meterpreter loader library has been updated to address the deprecation warnings that display when running payloads using Python 3.4 and later.

  • PR 16551 - The documentation for tomcat_mgr_upload.rb has been updated to include additional information on setting up a vulnerable Docker instance to test the module on.

  • PR 16553 - This updates Metasploit's .github/SECURITY.md file with the latest steps to follow when raising security issues with Rapid7's open source projects.

  • PR 16555 - This moves a duplicated retry_until_truthy function into a centralized location for better reuse. This function is useful for retrying operations that may fail the first time, such as checking if Kubernetes containers are ready yet.

Fixed

  • PR 16485 - This updates the version check for the exploit/windows/local/s4u_persistence module to allow it to run on later Windows versions.

  • PR 16487 - This fixes a deprecation warning within the auxiliary/capture/server/mssql module and outputs a valid John the Ripper format for offline password cracking.

  • PR 16491 - This fixes a bug whereby Meterpreter sessions and modules would crash when encountering a timeout issue due to using an invalid or deprecated error name.

  • PR 16499 - This fixes an issue where SSL connections made by Metasploit would fail when the Server Name Indication (SNI) extension was in use.

  • PR 16505 - This fixes an issue in the #dump_hashes parsing logic of the auxiliary/scanner/lotus/lotus_domino_hashes module.

  • PR 16531 - This fixes a crash in various pihole modules when login authentication is required.

  • PR 16533 - This updates the Meterpreter reg command to correctly handle setting the KEY_WOW64 flag with -w 32 or -w 64. Previously these flag values were unintentionally ignored.

  • PR 16540 - This fixes an issue with Zeitwerk trying to load Go packages as part of the boot-up process.

  • PR 16542 - This fixes a bug in msfconsole's internal bookkeeping to ensure that closed channels are no longer tracked.

  • PR 16544 - This updates post module windows/gather/ad_to_sqlite to no longer crash. This module will now additionally store the extracted information as loot.

  • PR 16560 - This updates the nessus_connect login functionality to correctly handle the @ symbol being present in the password.

  • PR 16570 - This fixes a bug in the generation of aarch64 stagers so that when the stage is received and written to memory, the stage can execute in a lower-privileged process.

  • PR 16572 - A bug has been fixed whereby a PayloadSpaceViolation exception might be raised when the --smallest flag was used with msfvenom, due to msfvenom setting the space available to 0 instead of a positive number. The code should now appropriately account for this case.

  • PR 16588 - This adds a check to the two new Powershell adapter payload modules. The size check ensures that payloads that are too large (like unstaged Meterpreters) are marked as incompatible.

Modules

  • PR 16169 - A new module has been added which exploits CVE-2022-20699, an unauthenticated stack overflow RCE vulnerability in the Cisco RV 340 VPN Gateway router. Successful exploitation results in RCE as the root user. This exploit can be triggered over the internet and does not require the attacker to be on the same network as the victim.

  • PR 16406 - This adds a module to retrieve bookmarks from Internet Explorer, Opera, Google Chrome, and Edge.

  • PR 16423 - This adds a module that targets CVE-2022-22965, a remote code execution vulnerability in some installations of Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older. To be vulnerable, the application must be running on JDK 9+ and packaged and deployed as a war file. It may be possible to bypass these limitations later.

  • PR 16484 - This module forges valid SAML credentials for vCenter server using the vCenter SSO IdP certificate, IdP private key, and VMCA root certificate as input objects.

  • PR 16548 - This adds a new payload adapter for converting native x86 and x64 Windows payloads to command payloads using Powershell.

  • PR 16549 - A new module has been added for CVE-2022-1388, a vulnerability in F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions. By making a special request, one can bypass iControl REST authentication and gain access to administrative functionality. This can be used by unauthenticated attackers to execute arbitrary commands as the root user on affected systems.

  • PR 16563 - A new module has been added to exploit CVE-2022-30525, an unauthenticated remote command injection vulnerability affecting Zyxel firewalls with zero touch provisioning (ZTP) support. Successful exploitation results in remote code execution as the nobody user.

Offline Update

Metasploit Framework and Pro Installers