Jun 24, 2022
4.21.1-2022062401

Improved

  • Pro: We updated the task log path to enable access to task logs restored from a backup of a Metasploit Pro instance.

  • PR 16651 - The test_vulnerable methods in the various SQL injection libraries have been updated to use the specified encoder, if one is given, ensuring that characters are encoded as needed.

  • PR 16654 - This PR adds documentation for using named pipe pivoting with Windows Meterpreter.

  • PR 16661 - The impersonate_ssl module has been enhanced to allow Subject Alternative Names (SAN) fields to be added to the generated SSL certificate.

  • PR 16650 - This PR implements the method #read_from_file for PostgreSQL and MSSQL, and fixes the MySQL implementation. It also updates the test module to better handle multiline data returned from SQL queries.

  • PR 16692 - Updates various links to https://docs.metasploit.com
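The impersonate_ssl change above matters because TLS clients match the requested hostname against subjectAltName entries, not the certificate's common name. The following is an added example, written for this page with Ruby's standard openssl gem; it is not the impersonate_ssl module's own code, and the function names generate_san_cert, san_value and identifies? are this example's own. It builds a self-signed certificate carrying DNS and IP SAN entries and then checks, with Ruby's own hostname matcher, which names the certificate actually identifies.

```ruby
require 'openssl'

# Added example: build a self-signed certificate whose subjectAltName carries the
# DNS names and IP addresses a client will match against. Function and parameter
# names are this example's own, not the impersonate_ssl module's API.
#
# cn   - subject common name, e.g. "www.example.com"
# sans - OpenSSL-style SAN entries, e.g. ["DNS:alt.example.com", "IP:192.0.2.10"]
def generate_san_cert(cn, sans)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                            # X.509 v3, required for extensions
  cert.serial     = OpenSSL::BN.rand(63)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject                 # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = cert.not_before + 365 * 24 * 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature,keyEncipherment', true))
  cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth', false))
  # The SAN list is what modern TLS clients match hostnames against; once any
  # DNS or IP SAN entry is present, the CN is no longer consulted.
  cert.add_extension(ef.create_extension('subjectAltName', sans.join(','), false)) unless sans.empty?

  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Return the textual subjectAltName value of a certificate, or nil if it has none.
def san_value(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  ext && ext.value
end

# Does the certificate identify +hostname+? Uses Ruby's own matcher, which prefers
# SAN entries and only falls back to the CN when no DNS/IP SAN entries exist.
def identifies?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

if __FILE__ == $0
  cert, _key = generate_san_cert('www.example.com', ['DNS:alt.example.com', 'IP:192.0.2.10'])
  puts san_value(cert)
  puts "alt.example.com: #{identifies?(cert, 'alt.example.com')}"
  puts "www.example.com (CN only): #{identifies?(cert, 'www.example.com')}"
end
```

With a SAN present, the CN-only name is rejected even though it is the certificate's subject, which is why a cloned certificate that copies the subject but omits the original's SAN list fails hostname validation in browsers and most TLS libraries.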

Fixed

  • Pro: We improved report generation when Metasploit Pro is installed on an OS that uses a non-UTF-8 character set.

  • Pro: We fixed the creation of activity reports on a fresh install of Metasploit Pro.

  • PR 16602 - Restarting a service via lib/msf/core/post/windows/services.rb raised an exception carrying an integer rather than a string as its message, which caused an error. This has been fixed by rewriting service_restart with more appropriate logic. The documentation for lib/msf/core/post/windows/services.rb has also been updated to note which functions may raise exceptions.

  • PR 16615 - A bug in the IPv6 library when creating solicited-node multicast addresses has been fixed by stripping leading zeros from the last 16 bits of the link-local address.

  • PR 16627 - The tools/modules/update_payload_cached_sizes.rb script now has additional exception handling so that exceptions raised during a run are caught, with a list of them printed at the end of the run.

  • PR 16630 - The auxiliary/server/capture/smb module no longer stores duplicate Net-NTLM hashes in the database.

  • PR 16643 - The exploits/multi/http/php_fpm_rce module has been updated to be compatible with Ruby 3.0 changes.

  • PR 16653 - This PR fixes an issue where named pipe pivots failed to establish the named pipes in intermediate connections.

  • PR 16665 - A missing import has been fixed in /tools/exploit/random_compile_c.rb, allowing it to now compile C files as expected.

  • PR 16597 - This fixes an issue with the encrypted shell payload stage that prevented it from being used with the new PowerShell command adapter. In addition, a number of payload modules have been updated to accept an opts hash as a parameter for compatibility.

  • PR 16680 - This PR adds support for Windows targets to the atlassian_confluence_namespace_ognl_injection module and fixes an issue where the check method failed to identify Windows targets as vulnerable because of how the command was being executed.
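The solicited-node multicast fix (PR 16615) is about deriving ff02::1:ffXX:XXXX from the low-order 24 bits of a unicast address, the computation defined in RFC 4291 section 2.7.1. The following is an added example written for this page with Ruby's standard IPAddr library; it is not the framework's Rex IPv6 code, and the function and constant names are this example's own. It does the derivation on the address's integer value rather than on its textual hextets, so leading zeros in the last group never have to be handled, and it goes one step beyond the changelog entry by also mapping the result to the Ethernet multicast MAC (RFC 2464) that a Neighbor Solicitation for that target is sent to.

```ruby
require 'ipaddr'

# Added example (stdlib IPAddr, not the framework's Rex code). Derives the
# solicited-node multicast address of RFC 4291 section 2.7.1 for an IPv6 unicast
# address: ff02::1:ffXX:XXXX, where XX:XXXX are the low-order 24 bits of the
# unicast address. Working on the integer value rather than on the textual
# hextets means leading zeros in the last group (e.g. ":0012") cannot be lost.
SOLICITED_NODE_PREFIX = IPAddr.new('ff02::1:ff00:0').to_i

def solicited_node_multicast(addr)
  ip = IPAddr.new(addr)
  raise ArgumentError, "not an IPv6 address: #{addr}" unless ip.ipv6?
  low24 = ip.to_i & 0xFF_FFFF
  IPAddr.new(SOLICITED_NODE_PREFIX | low24, Socket::AF_INET6).to_s
end

# Ethernet multicast MAC for an IPv6 multicast address (RFC 2464 section 7):
# 33:33 followed by the low-order 32 bits of the group address. This is the
# destination MAC a Neighbor Solicitation for the target goes out to.
def ipv6_multicast_mac(addr)
  ip = IPAddr.new(addr)
  unless ip.ipv6? && (ip.to_i >> 120) == 0xff
    raise ArgumentError, "not an IPv6 multicast address: #{addr}"
  end
  low32 = ip.to_i & 0xFFFF_FFFF
  format('33:33:%02x:%02x:%02x:%02x',
         (low32 >> 24) & 0xff, (low32 >> 16) & 0xff, (low32 >> 8) & 0xff, low32 & 0xff)
end

if __FILE__ == $0
  # Constructed sample addresses; the second one ends in a group with leading zeros.
  %w[fe80::1 fe80::1234:5678:9abc:0012 2001:db8::abcd:ef01].each do |a|
    snm = solicited_node_multicast(a)
    puts "#{a} -> #{snm} (#{ipv6_multicast_mac(snm)})"
  end
end
```

Because only the low 24 bits feed the group address, hosts whose addresses differ only in the upper 104 bits (for instance a link-local and a global address on the same interface built from the same interface identifier) share one solicited-node group and one multicast MAC.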

Modules

  • PR 16571 - This module extracts the vmdir / vmafd certificates from an offline copy of the service database (i.e. a vCenter backup). It now pulls the IdP keypair, the VMCA root cert, and anything from vmafd that has a private key associated.

  • PR 16635 - This PR adds a module for CVE-2022-30190 (aka Follina), a Windows file format vulnerability.

  • PR 16644 - This module exploits an OGNL injection in Atlassian Confluence servers (CVE-2022-26134). A specially crafted URI can be used to evaluate an OGNL expression resulting in OS command execution.

  • PR 16676 - This adds a new getsystem technique that leverages the EFSRPC API to elevate a user with the SeImpersonatePrivilege permission to NT AUTHORITY\SYSTEM. This technique is often referred to as "EfsPotato".

Offline Update

Metasploit Framework and Pro Installers