Improved
Pro: We improved Vulnerability Validation Task findings to generate more accurate reporting when modules exit before attempting an exploit.
Pro: We improved the detailed Result Code information about modules listed in the Findings view of a Vulnerability Validation task.
PR 16701 - This improves the original auxiliary/scanner/http/cisco_asa_asdm scanner module by adding the ability to brute force the Cisco ASA's Clientless SSL VPN (webvpn) interface. The old module has been replaced by two new modules: this one and auxiliary/scanner/http/cisco_asa_asdm_bruteforce, which brute forces the Cisco ASA's ASDM interface directly.
PR 16833 - This PR adds an option to the host command to make it easier to delete host tags.
PR 16884 - This PR deprecates the credcollect script, as it has effectively been replaced by post/windows/gather/credentials/credential_collector.
PR 16898 - This adds a Msf::Post::Windows::Accounts.domain_controller? method and removes the is_dc? methods from several modules in favor of using the new method.
PR 16899 - This removes the domain_list_gen Meterpreter script, which has been replaced by the post/windows/gather/enum_domain_group_users post module.
PR 16902 - The scripts/meterpreter/killav.rb script has been removed, since Meterpreter scripts have been deprecated for over 5 years. It has been replaced with post/windows/manage/killav.
PR 16905 - The scripts/meterpreter/panda_2007_pavsrv51.rb script has been removed and replaced by exploit/windows/local/service_permissions. Note that scripts have been deprecated for over 5 years and are no longer supported.
PR 16907 - This improves the MS10-092 LPE exploit module. It uses the new task manager mixin and adds additional module metadata and documentation.
PR 16908 - The ./scripts/meterpreter/dumplinks.rb script is replaced by post/windows/gather/dumplink, which provides similar functionality as a proper post module. Meterpreter scripts have not been supported for several years.
PR 16909 - scripts/meterpreter/get_pidgin_creds.rb has been removed, since scripts have been deprecated for some time now and are no longer supported. It has been replaced by post/multi/gather/pidgin_cred.
PR 16910 - The scripts/meterpreter/arp_scanner.rb script has been replaced with post/windows/gather/arp_scanner, which implements the same logic with an improved OUI database to help fingerprint the MAC vendor.
PR 16912 - This removes the sound recorder Meterpreter script. It has been replaced by the record_mic post module.
PR 16938 - The ldap_query module has been updated to allow the stored query templates to specify a Base DN prefix. Additionally, two ADCS-related queries have been added that use this prefix to enumerate certificate authorities and certificate templates.
Fixed
Pro: We fixed a report generation failure for social engineering campaign reports.
Pro: We fixed an issue in update packaging that resulted in reports failing to generate.
Pro: We have improved error handling during the email send phase of social engineering campaigns.
PR 16881 - This fixes a crash in the post/windows/manage/forward_pageant module caused by the removal of Dir::Tmpname.make_tmpname() in Ruby 2.5.0. This also makes some improvements to the code.
PR 16925 - This fixes some issues with the payload generation in the UnRAR generic exploit module (CVE-2022-30333). This also adds the option to provide a custom payload.
PR 16931 - A bug has been fixed in Rex::Post::Meterpreter::Extensions::Stdapi::AudioOutput.play_file whereby a channel would be opened before the path parameter was verified. This could lead to dangling channels being opened which would not be closed until Meterpreter was shut down.
PR 16935 - Fixes multiple SSH warnings when loading msfconsole on Ubuntu 22.04 or the latest Kali version.
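The resource-ordering bug behind PR 16931, reduced to its pattern, as an added Ruby illustration that is not Metasploit or Rex code: FakeSession, play_file_leaky, play_file_fixed and the file allow-list are all constructed here so that the leaked channel is observable. The "before" version allocates the channel and then validates its argument, so a rejected path leaves the channel open; the "after" version validates first and releases the channel in an ensure block.

```ruby
# Added illustration (not Metasploit/Rex code): a "channel" stands in for the
# Meterpreter channel that play_file opened before checking its path argument.

# Hypothetical channel table standing in for the Meterpreter session's own;
# it only records which channel ids are open so a leak can be counted.
class FakeSession
  attr_reader :open_channels

  def initialize
    @open_channels = []
    @next_id = 0
  end

  def open_channel
    @next_id += 1
    @open_channels << @next_id
    @next_id
  end

  def close_channel(id)
    @open_channels.delete(id)
  end
end

# Constructed allow-list playing the role of the path validation.
VALID_FILES = %w[/tmp/alert.wav /tmp/notify.wav].freeze

def path_valid?(path)
  path.is_a?(String) && !path.empty? && VALID_FILES.include?(path)
end

# Before: the channel is allocated first and the argument checked second.
# When the check fails the exception propagates, the channel id is lost, and
# nothing ever closes it (a dangling channel until the session ends).
def play_file_leaky(session, path)
  channel = session.open_channel
  raise ArgumentError, "invalid path: #{path.inspect}" unless path_valid?(path)
  # ... stream the file over the channel ...
  session.close_channel(channel)
  :played
end

# After: validate every input before acquiring the resource, and guard the
# acquired resource with ensure so any later failure still releases it.
def play_file_fixed(session, path)
  raise ArgumentError, "invalid path: #{path.inspect}" unless path_valid?(path)
  channel = session.open_channel
  begin
    # ... stream the file over the channel ...
    :played
  ensure
    session.close_channel(channel)
  end
end

# Runs one of the routines against a rejected path and returns how many
# channels it left open on the session afterwards.
def leaked_channels(routine, path)
  session = FakeSession.new
  begin
    send(routine, session, path)
  rescue ArgumentError
    # the caller sees the same error either way; only the leak differs
  end
  session.open_channels.size
end

if __FILE__ == $PROGRAM_NAME
  bad = '/does/not/exist.wav'
  puts "leaky: #{leaked_channels(:play_file_leaky, bad)} channel(s) left open"
  puts "fixed: #{leaked_channels(:play_file_fixed, bad)} channel(s) left open"
end
```

The same ordering applies to any handler that hands out a server-side resource (file handle, socket, channel) based on client-supplied input: reject the input before allocating, and treat the allocation-to-release window as a block with a guaranteed cleanup path.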
PR 16936 - Fixes a crash when using evasion modules when mingw is not present on the host machine for generating encrypted payloads.
Modules
PR 16809 - This adds an exploit module that leverages a command injection vulnerability in Advantech iView (CVE-2022-2143) to get remote command execution as the SYSTEM user. Versions below 5.7.04.6469 are vulnerable and do not require authentication. Version 5.7.04.6469 is still vulnerable but requires valid credentials to be exploited. Also, this version only gets you RCE as the LOCAL SERVICE user.
PR 16913 - This adds a scanner module to brute force the Cisco ASA's ASDM interface in its default configuration.
PR 16915 - A new module has been added for CVE-2022-23277 which is another ChainedSerializationBinder bypass that results in RCE on vulnerable versions of Exchange prior to the March 8th 2022 security updates.
PR 16922 - Adds a module for CVE-2022-27925 and CVE-2022-37042. An attacker can exploit these issues to bypass authentication and then exploit a ZIP file path directory traversal vulnerability to gain RCE as the zimbra user.