Aug 30, 2022
4.21.1-2022083001

Improved

  • Pro: We improved Vulnerability Validation Task findings to generate more accurate reporting when modules exit before attempting an exploit.

  • Pro: We improved detailed Result Code information about modules listed in the Findings view of a Vulnerability Validation task.

  • PR 16701 - This improves the original auxiliary/scanner/http/cisco_asa_asdm scanner module by adding the ability to brute force the Cisco ASA's Clientless SSL VPN (webvpn) interface. The old module has been replaced by two new modules: this one, and auxiliary/scanner/http/cisco_asa_asdm_bruteforce, which brute forces the Cisco ASA's ASDM interface directly.

  • PR 16833 - This PR adds an option to the host command to make it easier to delete host tags.

  • PR 16884 - This PR deprecates the credcollect script as it has effectively been replaced by post/windows/gather/credentials/credential_collector.

  • PR 16898 - This adds a Msf::Post::Windows::Accounts.domain_controller? method and removes is_dc? methods from several modules in favor of using the new method.

  • PR 16899 - This removes the domain_list_gen meterpreter script which has been replaced by the post/windows/gather/enum_domain_group_users post module.

  • PR 16902 - The scripts/meterpreter/killav.rb script has been removed since scripts have been deprecated for over 5 years. It has been replaced with post/windows/manage/killav.

  • PR 16905 - The scripts/meterpreter/panda_2007_pavsrv51.rb script has been removed and replaced by exploit/windows/local/service_permissions. Note that scripts have been deprecated for over 5 years and are no longer supported.

  • PR 16907 - This improves the MS10-092 LPE exploit module. It uses the new task manager mixin and adds additional module metadata and documentation.

  • PR 16908 - The ./scripts/meterpreter/dumplinks.rb script is replaced by post/windows/gather/dumplink, which provides similar functionality as a proper post module. Meterpreter scripts have not been supported for several years.

  • PR 16909 - scripts/meterpreter/get_pidgin_creds.rb has been removed since scripts have been deprecated for some time now and are no longer supported. It has been replaced by post/multi/gather/pidgin_cred.

  • PR 16910 - The scripts/meterpreter/arp_scanner.rb script has been replaced with post/windows/gather/arp_scanner which implements the same logic with an improved OUI database to help fingerprint the MAC vendor.

  • PR 16912 - This removes the sound recorder Meterpreter script. It has been replaced by the record_mic post module.

  • PR 16938 - The ldap_query module has been updated to allow the stored query templates to specify a Base DN prefix. Additionally, two ADCS-related queries that use this prefix have been added to enumerate certificate authorities and certificate templates.

Fixed

  • Pro: We fixed a report generation failure for social engineering campaign reports.

  • Pro: We fixed an issue in update packaging that resulted in reports failing to generate.

  • Pro: We have improved error handling during the email send phase of social engineering campaigns.

  • PR 16881 - This fixes a crash in the post/windows/manage/forward_pageant module caused by the removal of Dir::Tmpname.make_tmpname() in Ruby 2.5.0. This also makes some improvements to the code.

  • PR 16925 - This fixes some issues with the payload generation in the UnRAR generic exploit module (CVE-2022-30333). This also adds an option to provide a custom payload.

  • PR 16931 - A bug has been fixed in Rex::Post::Meterpreter::Extensions::Stdapi::AudioOutput.play_file whereby a channel would be opened before the path parameter was verified. This could lead to dangling channels being opened which would not be closed until Meterpreter was shut down.

  • PR 16935 - Fixes multiple SSH warnings when loading msfconsole on Ubuntu 22.04 or the latest Kali version.

  • PR 16936 - Fixes a crash when using evasion modules when mingw is not present on the host machine for generating encrypted payloads.

Modules

  • PR 16809 - This adds an exploit module that leverages a command injection vulnerability in Advantech iView (CVE-2022-2143) to get remote command execution as the SYSTEM user. Versions below 5.7.04.6469 are vulnerable and do not require authentication. Version 5.7.04.6469 is still vulnerable but requires valid credentials to be exploited. Also, this version only gets you RCE as the LOCAL SERVICE user.

  • PR 16913 - This adds a scanner module to brute force the Cisco ASA's ASDM interface in its default configuration.

  • PR 16915 - A new module has been added for CVE-2022-23277 which is another ChainedSerializationBinder bypass that results in RCE on vulnerable versions of Exchange prior to the March 8th 2022 security updates.

  • PR 16922 - Adds in a module for CVE-2022-27925 and CVE-2022-37042. An attacker can exploit these issues to bypass authentication and then exploit a ZIP file path directory traversal vulnerability to gain RCE as the zimbra user.
