
Sep 12, 2022

We improved uniqueness of tracking data across campaigns and improved report settings for task chains.

Improved

  • Pro: Tracking IDs for new Social Engineering campaigns are now generated so that the identifiers are unique across installs that share the same license.

  • PR 16746 - This updates the MSSQL login scanner to catch exceptions and continue running.

  • PR 16900 - This adds a new #kill_process method that supports shell, powershell, and meterpreter sessions on different platforms.

  • PR 16901 - The post/windows/manage/killav.rb script has been updated to support shell and PowerShell sessions and has undergone some code cleanup. Additionally, documentation has now been created to explain its operations and how to use it.

  • PR 16903 - This cleans up the enum_shares post modules and adds support for shell sessions.

  • PR 16934 - This adds support for dumping process memory by name in the post/windows/gather/memory_dump module.

  • PR 16947 - This adds support for formatting buffers for golang.

  • PR 16948 - This adds arguments for specifying the username, password and database to the #run_sql post method.

  • PR 16952 - This PR improves the domain_controller? method to allow lower-priv users to invoke it, extends it to support shell sessions, and adds additional useful domain controller enumeration methods to the library.

  • PR 16959 - The time command has been updated with the --cpu and --memory profiler options to allow users to get memory and CPU usage profiles when running a command inside msfconsole.

  • PR 16973 - This adds support for formatting buffers for nim.

  • PR 16983 - This PR adds documentation, references, and a more complete description for the firefox_xpi_bootstrapped_addon module.

Fixed

  • Pro: We improved CLI connections to remote services.

  • Pro: We addressed an issue with slow or failed update checks for some installs.

  • Pro: We fixed a regression in the display and selection of default report sections and options when creating default reports and when editing report tasks inside task chains.

  • PR 16750 - This updates the exploit/multi/http/jenkins_script_console module to use the decoder from the java.util.Base64 class in place of the now-deprecated decoder from the sun.misc.BASE64Decoder class, enabling exploitation of newer Jenkins versions.

  • PR 16861 - Fixes a bug in cmd/unix/reverse_ssh that stopped reverse SSH sessions from opening.

  • PR 16869 - This fixes an issue in the file_remote_digestmd5() and file_remote_digestsha1() methods where read_file() would return an error message instead of the remote file contents. Additionally, the file_remote_digest* methods now support more session types, and they have a new util option that allows the user to perform the hashing on the remote host instead of downloading the remote file and performing the hashing locally.

  • PR 16918 - A bug has been fixed in the module for CVE-2022-30333 whereby if the server responded with a 200 OK response, the module would keep trying to trigger the payload. This would lead to multiple sessions being returned when only one was desired.

  • PR 16920 - A typo has been fixed in _msfvenom that prevented ZSH autocompletion from working when using the --arch argument with msfvenom.

  • PR 16926 - Fixes a bug when using RPC service with the analyze command and specifying a workspace, i.e. within Metasploit RPC client - rpc.call('db.analyze_host', { host: '<metasploitable3 ip>', workspace: 'other' } ).

  • PR 16955 - This fixes an issue in the LDAP query module that would cause issues if the user queried for a field that was populated with binary data.

  • PR 16968 - This PR adds support for the new syntax of the find command’s perm parameter while also maintaining support for the deprecated syntax.

  • PR 16972 - Updates msfconsole’s tables to support wordwrapping when colors are present.

  • PR 16974 - Updates Rex::Proto::Http::Client to rely on Ruby’s built in string comparison.

Modules

  • PR 16725 - Two new auxiliary/gather modules have been added that take advantage of default Xnode credentials, aka CVE-2020-11532, in order to enumerate Active Directory information and other sensitive data via the DataEngine Xnode server. Additionally, a new library has been added to provide reusable functionality for interacting with Xnode servers.

  • PR 16734 - This updates the exploit for CVE-2022-30190 (AKA Follina) to support generating RTF exploit documents. RTF documents are helpful for not only being another exploit vector, but they will trigger the payload execution when viewed by Explorer’s preview tab without needing user interaction to enable editing functionality.

  • PR 16786 - This adds an LPE exploit for Zyxel firewalls that allows a local user to escalate to root. The vulnerability is identified as CVE-2022-30526 and is due to a setuid binary that allows any user to copy files with root permissions.

  • PR 16923 - This adds an exploit module that leverages an authenticated command injection vulnerability in Cisco ASA-X with FirePOWER Services. This vulnerability is identified as CVE-2022-20828 and has been patched in ASA FirePOWER module versions 6.2.3.19, 6.4.0.15, 6.6.7, and 7.0.21. Note that versions 6.2.2 and earlier, 6.3, 6.5, and 6.7 won’t receive a patch.

  • PR 16939 - This adds a module for issuing certificates via Active Directory Certificate Services, which is useful in a few contexts including persistence and for some specific exploits. The resulting PFX certificate file is stored to the loot and is encrypted using a blank password.

  • PR 16944 - This exploits an unauthenticated command injection vulnerability in Apache Spark. When the spark.acls.enable setting is on, the value of the doAs parameter in an HTTP request is passed to the id command without sanitization, so a request carrying shell metacharacters in doAs runs arbitrary commands. The exploit achieves unauthenticated RCE as the spark user.
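The Spark bug above is the classic shape of an OS command injection: a caller-controlled name is interpolated into a command line that a shell parses. The following Ruby snippet is an added illustration, not code from Apache Spark or from the Metasploit module, showing the unsafe pattern beside a hardened one. The `id -Gu <user>` form is the lookup the bullet describes; the allow-list regex `USERNAME_RE`, the helper names and the `INJECTED` marker are assumptions made for the example.

```ruby
require 'open3'

# Vulnerable pattern: the caller-controlled username is interpolated into a
# single command string. Open3 hands a string containing metacharacters to
# /bin/sh, so anything after ';' (or inside $(...)) in the name is executed
# as its own command. This is the bug class described for doAs.
def build_unsafe_cmd(user)
  "id -Gu #{user}"
end

def run_unsafe(user)
  out, _status = Open3.capture2e(build_unsafe_cmd(user))
  out
end

# Hardened pattern: allow-list the value first, then pass argv as separate
# strings so no shell is involved and metacharacters are just bytes inside
# one argument. USERNAME_RE is an assumed POSIX-style policy for this
# example, not a rule taken from Spark.
USERNAME_RE = /\A[a-z_][a-z0-9_-]{0,31}\z/

def run_safe(user)
  raise ArgumentError, "rejected username: #{user.inspect}" unless user.match?(USERNAME_RE)
  out, _status = Open3.capture2e('id', '-Gu', user) # argv form, no shell
  out
end

if __FILE__ == $PROGRAM_NAME
  payload = 'nobody; echo INJECTED'
  puts run_unsafe(payload)      # the injected second command runs
  begin
    run_safe(payload)
  rescue ArgumentError => e
    puts "blocked: #{e.message}"
  end
end
```

Note that the argv form alone already prevents the shell from seeing the `;`; the allow-list is the second layer that also keeps unexpected bytes out of the program that ultimately receives the argument.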
