Aug 16, 2022 4.21.1-2022081601

New

  • Pro: We expanded the information available about module readiness in the individual host modules view and the vulnerability validation findings view.

Improved

  • PR 16800 - This adds support for OpenSSL 3 compatibility with legacy ciphers.

  • PR 16833 - This PR adds an option to the host command to make it easier to delete host tags.

  • PR 16840 - This removes some Meterpreter-only method calls, which allows non-Meterpreter sessions to use read_profile_list and load_missing_hives. This also changes read_profile_list to be able to read profile information for all accounts.

  • PR 16841 - This updates the post/windows/gather/enum_powershell_env module with a code cleanup and expands the module to support non-Meterpreter session types such as shell sessions and PowerShell sessions.

  • PR 16858 - This updates zerologon to have better error handling in the check method. This will cause the error from an invalid NetBIOS name to be reported with a meaningful message.

  • PR 16873 - This PR cleans up enum_artifacts, adds documentation, error handling, YAML file parsing and support for non-meterpreter sessions.

  • PR 16875 - This PR removes the enum_putty Meterpreter script in favour of the existing post module.

  • PR 16876 - Removed the enum_logged_on_users Meterpreter script in favour of the existing post module.

  • PR 16878 - Adds partial support for non-Meterpreter sessions for the enum_logged_on_users post module and makes use of the read_profile_list method. Resolves Rubocop and msftidy_docs violations.

Fixed

  • Pro: Improved argument parsing and error handling for the CLI.

  • PR 16820 - This PR fixes an issue in the ldap_query module where the module would fail if the datastore option "action" was not set.

  • PR 16822 - This fixes a bug in Rex::Ui::Text::Input::Buffer::BufferSock that was causing data to occasionally be lost due to the rsock monitor routine.

  • PR 16825 - The IMAP credential capture module did not correctly handle literal strings as specified by RFC 3501. The code has been updated to handle these strings properly.

  • PR 16832 - This fix removes an unnecessary echo statement from the ms10_092_schelevator module.

  • PR 16839 - Fixes shell_registry_enumvals/getvaldata error checking.

  • PR 16844 - This PR updates the post/multi/gather/env module to support non-Meterpreter sessions such as shell and PowerShell sessions.

  • PR 16846 - Updates auxiliary/scanner/ssh/ssh_login to gracefully handle Errno::EPIPE exceptions.

  • PR 16848 - Fix a crash when updating session information in Meterpreter.

  • PR 16872 - This PR fixes shell_registry_getvalinfo, which was truncating registry values at the first space, and normalize_key, which crashed when only a hive name was passed to it on a shell session.

Modules

  • PR 16758 - This adds a module that leverages a Java deserialization, directory traversal, and a blind XXE injection vulnerability to gain unauthenticated code execution against vulnerable versions of ManageEngine ADAudit Plus.

  • PR 16788 - This adds a new scanner module that discovers BACnet devices on the network and extracts model name, software version, firmware revision and device description. Once the data is processed, it is displayed on screen and saved to a local xml file.

  • PR 16796 - This adds two modules for CVE-2022-30333, a symlink-based path traversal vulnerability in unRAR 6.11 and earlier (open source version 6.1.6 and earlier). The first module creates a .rar with an arbitrary payload that will extract to an arbitrary location. The other one specifically targets Zimbra versions 9.0.0 Patch 24 (and earlier) and 8.8.15 Patch 31 (and earlier). These versions use unRAR to scan incoming email, and arbitrary command execution is possible if the unRAR installed on the OS is vulnerable to the same symlink-based path traversal vulnerability. This module generates the .rar file that will need to be emailed to the vulnerable Zimbra server to trigger the payload.

  • PR 16807 - This PR adds a local exploit for Zimbra to go from the zimbra user to root by using a sudo-able executable that can load an arbitrary .so file.

  • PR 16837 - This adds an exploit for MobileIron which is affected by the Log4Shell vulnerability. The result is unauthenticated remote code execution in the context of the web application user.

  • PR 16851 - This module exploits an unauthenticated directory traversal vulnerability in Cassandra Web version 0.5.0 and earlier, allowing arbitrary file read with the web server privileges.

  • PR 16852 - This PR adds an exploit module for CVE-2022-35405, a.k.a. Zoho Password Manager Pro XML-RPC Unauthenticated RCE.

  • PR 16854 - This module exploits CVE-2022-31660, an LPE disclosed by VMware in VMSA-2022-0021. The underlying flaw is that the /opt/vmware/certproxy/bin/cert-proxy.sh script is writable by the horizon user, who can also indirectly execute it by invoking the certproxyService.sh script via sudo, which is permitted without a password.

  • PR 16856 - This module exploits an arbitrary command injection in Webmin versions prior to 1.997.

  • PR 16857 - This adds a module targeting Cisco PVC2300 IP Cameras that will download the configuration file using hard-coded credentials.

Offline Update

Metasploit Framework and Pro Installers