Improved
Pro: We updated the task log path to enable access to task logs restored from a backup of a Metasploit Pro instance.
PR 16651 - The test_vulnerable methods in the various SQL injection libraries have been updated so that they now use the specified encoder if one is given, ensuring that characters are appropriately encoded as needed.
PR 16654 - This PR adds documentation for using named pipe pivoting with Windows Meterpreter.
PR 16661 - The impersonate_ssl module has been enhanced to allow Subject Alternative Name (SAN) fields to be added to the generated SSL certificate.
PR 16650 - This PR implements the method #read_from_file for PostgreSQL and MSSQL, and fixes the MySQL implementation. It also updates the test module to better handle multiline data returned from SQL queries.
PR 16692 - Updates various links to https://docs.metasploit.com
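The PR 16661 change above concerns the certificate that the module generates. As an added example, not the impersonate_ssl module's own code, the following Ruby uses the standard OpenSSL bindings to build a self-signed certificate carrying a subjectAltName extension and then reads the SAN entries back out, which is also how a reviewer checks which names a presented certificate actually claims. The function names, the example.test hostnames and the 192.0.2.10 address are constructed for this example.

```ruby
require 'openssl'

# Build a self-signed X.509v3 certificate carrying a subjectAltName extension.
# `sans` is an array of entries in OpenSSL's own SAN syntax, e.g. "DNS:host"
# or "IP:192.0.2.10". Returns the signed certificate and its private key.
# (Example code; names and values here are constructed, not from the module.)
def build_cert_with_san(common_name:, sans:, key_bits: 2048)
  key = OpenSSL::PKey::RSA.new(key_bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                       # v3: required for extensions
  cert.serial = OpenSSL::BN.rand(64)     # random serial, as CAs do
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject             # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectAltName', sans.join(','), false))

  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Return the SAN entries of any certificate as strings. OpenSSL renders IP
# entries as "IP Address:..." and DNS entries as "DNS:..."; an empty array
# means the certificate carries no subjectAltName at all, so browsers and
# libraries that ignore the CN will match no hostname against it.
def san_entries(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext
  ext.value.split(',').map(&:strip)
end

if __FILE__ == $PROGRAM_NAME
  cert, key = build_cert_with_san(
    common_name: 'example.test',
    sans: ['DNS:example.test', 'DNS:www.example.test', 'IP:192.0.2.10']
  )
  puts "signature valid: #{cert.verify(key)}"
  puts "SAN entries: #{san_entries(cert).join(' | ')}"
end
```

When checking a certificate seen in a capture or a TLS handshake, compare san_entries against the hostname the client connected to; the CN alone is not consulted by modern clients, so a certificate whose SAN list omits the hostname should fail validation regardless of the subject.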
Fixed
Pro: We improved report generation when installed on an OS that uses non-UTF-8 character sets.
Pro: We fixed the creation of activity reports on a fresh install of Metasploit Pro.
PR 16602 - If a user restarted a service using lib/msf/core/post/windows/services.rb, an exception would be thrown as an integer instead of as a string, which would cause an error to occur. This has been fixed by rewriting the service_restart code to use more appropriate logic. Additionally, the documentation for lib/msf/core/post/windows/services.rb has been updated to note which functions may throw exceptions.
PR 16615 - A bug in the IPv6 library when creating solicited-node multicast addresses has been fixed by finding leading zeros in the last 16 bits of the link-local address and removing them.
PR 16627 - The tools/modules/update_payload_cached_sizes.rb script has been updated with additional exception handling, so that any exceptions thrown during a run are handled appropriately and a list of them is printed at the end of the run.
PR 16630 - The auxiliary/server/capture/smb module no longer stores duplicate Net-NTLM hashes in the database.
PR 16643 - The exploits/multi/http/php_fpm_rce module has been updated to be compatible with Ruby 3.0 changes.
PR 16653 - This PR fixes an issue where named pipe pivots failed to establish the named pipes in intermediate connections.
PR 16665 - A missing import has been fixed in /tools/exploit/random_compile_c.rb, allowing it to compile C files as expected.
PR 16597 - This fixes an issue with the encrypted shell payload stage that prevented it from being used with the new PowerShell command adapter. In addition, a number of payload modules have been updated to include an opts hash as a parameter for compatibility.
PR 16680 - This PR adds support for Windows targets to the atlassian_confluence_namespace_ognl_injection module and fixes an issue where the check method failed to identify Windows targets as vulnerable at all, due to how the command was being executed.
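The PR 16615 fix above concerns how a solicited-node multicast address is assembled from a unicast address. As an added example, not the Metasploit IPv6 library's own code, the following Ruby derives that address per RFC 4291 (prefix ff02::1:ff00:0/104 plus the low-order 24 bits of the unicast address) from the 128-bit integer form with IPAddr, so a last hextet with leading zeros such as 0def is handled by arithmetic rather than by trimming characters out of a string. The function name and the sample fe80:: addresses are constructed for this example.

```ruby
require 'ipaddr'
require 'socket'

# RFC 4291: the solicited-node multicast prefix is ff02::1:ff00:0/104 and the
# remaining 24 bits are the low-order 24 bits of the unicast address.
SOLICITED_NODE_PREFIX = IPAddr.new('ff02::1:ff00:0').to_i

# Derive the solicited-node multicast address for an IPv6 unicast address.
# Working on the integer form means a last hextet such as "0def" keeps its
# value in the arithmetic and only the textual output compresses the zeros.
# (Example code; the function name and inputs are constructed.)
def solicited_node_address(unicast)
  ip = IPAddr.new(unicast)
  raise ArgumentError, "not an IPv6 address: #{unicast}" unless ip.ipv6?

  low24 = ip.to_i & 0xffffff
  IPAddr.new(SOLICITED_NODE_PREFIX | low24, Socket::AF_INET6).to_s
end

# Uncompressed eight-hextet form, useful when comparing against the
# zero-padded representation that string-based assembly code works with.
def expanded(addr)
  IPAddr.new(addr).to_string
end

if __FILE__ == $PROGRAM_NAME
  # Constructed link-local samples; the second has a leading zero in its
  # last hextet, the case the PR 16615 fix is about.
  ['fe80::1', 'fe80::1234:5678:9abc:0def', 'fe80::ff'].each do |a|
    sn = solicited_node_address(a)
    puts "#{a.ljust(26)} -> #{sn.ljust(18)} (#{expanded(sn)})"
  end
end
```

A host joining the solicited-node group is what makes Neighbor Discovery work, so a wrong derivation shows up as a node that silently never answers neighbor solicitations; checking the computed group against the expanded form is a quick way to catch such off-by-a-nibble errors.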
Modules
PR 16571 - This module extracts the vmdir / vmafd certificates from an offline copy of the service database (i.e. a vCenter backup). It now pulls the IdP keypair, the VMCA root cert, and anything from vmafd that has a private key associated.
PR 16635 - This PR adds a module supporting CVE-2022-30190 (AKA Follina), a Windows file format vulnerability.
PR 16644 - This module exploits an OGNL injection in Atlassian Confluence servers (CVE-2022-26134). A specially crafted URI can be used to evaluate an OGNL expression resulting in OS command execution.
PR 16676 - This adds a new getsystem technique that leverages the EFSRPC API to elevate a user with the SeImpersonatePrivilege permission to NT AUTHORITY\SYSTEM. This technique is often referred to as "EfsPotato".