Improved
Pro: We updated the tracking IDs for new Social Engineering campaigns so that generated identifiers are more unique across installs sharing the same license.
PR 16746 - This updates the MSSQL login scanner to catch exceptions and continue running.
PR 16900 - This adds a new #kill_process method that supports shell, PowerShell, and Meterpreter sessions on different platforms.
PR 16901 - The post/windows/manage/killav.rb script has been updated to support shell and PowerShell sessions and has undergone some code cleanup. Documentation has also been added explaining how it works and how to use it.
PR 16903 - This cleans up the enum_shares post modules and adds support for shell sessions.
PR 16934 - This adds support for dumping process memory by name in the post/windows/gather/memory_dump module.
PR 16947 - This adds support for formatting buffers for Go.
PR 16948 - This adds arguments for specifying the username, password and database to the #run_sql post method.
PR 16952 - This PR improves the domain_controller? method so that lower-privileged users can invoke it, extends it to support shell sessions, and adds further domain controller enumeration methods to the library.
PR 16959 - The time command has been updated with --cpu and --memory profiler options so users can get CPU and memory usage profiles when running a command inside msfconsole.
PR 16973 - This adds support for formatting buffers for Nim.
PR 16983 - This PR adds documentation, references, and a more complete description for the firefox_xpi_bootstrapped_addon module.
Fixed
Pro: We improved CLI connections to remote services.
Pro: We addressed an issue with slow or failed update checks for some installs.
Pro: We fixed a regression in the display and selection of default report sections and options when creating default reports and when editing report tasks inside task chains.
PR 16750 - This updates the exploit/multi/http/jenkins_script_console module to use the decoder from the java.util.Base64 class in place of the now-deprecated decoder from the sun.misc.BASE64Decoder class, enabling exploitation of newer Jenkins versions.
PR 16861 - Fixes a bug in cmd/unix/reverse_ssh that stopped reverse SSH sessions from opening.
PR 16869 - This fixes an issue in the file_remote_digestmd5() and file_remote_digestsha1() methods where read_file() would return an error message instead of the remote file contents. Additionally, the file_remote_digest* methods now support more session types and have a new util option that lets the user perform the hashing on the remote host instead of downloading the remote file and hashing it locally.
PR 16918 - A bug has been fixed in the module for CVE-2022-30333 whereby if the server responded with a 200 OK, the module would keep trying to trigger the payload, leading to multiple sessions being returned when only one was desired.
PR 16920 - A typo has been fixed in _msfvenom that prevented ZSH autocompletion from working when using the --arch argument with msfvenom.
PR 16926 - Fixes a bug when using the RPC service with the analyze command and specifying a workspace, i.e. within a Metasploit RPC client: rpc.call('db.analyze_host', { host: '<metasploitable3 ip>', workspace: 'other' } ).
PR 16955 - This fixes an issue in the LDAP query module that would cause errors if the user queried for a field that was populated with binary data.
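As an added example (not code from Metasploit's LDAP query module), the Ruby below shows the kind of handling the LDAP fix above calls for: attribute values are treated as raw bytes, objectSid and objectGUID are decoded into their usual string forms, and any other value that is not valid printable UTF-8 is hex-encoded rather than passed through to the output. The sample entry, its attribute names and byte strings are constructed for the example.

```ruby
# Added example, not code from the Metasploit LDAP query module.
# Renders LDAP attribute values that may contain raw bytes without raising
# on non-UTF-8 data. The sample entry below is constructed, not captured.

# Decode a binary objectSid (revision, sub-authority count, 48-bit big-endian
# identifier authority, then little-endian 32-bit sub-authorities) to S-1-5-... form.
def sid_to_string(raw)
  rev, count = raw.unpack('CC')
  authority = ("\x00\x00".b + raw[2, 6]).unpack1('Q>')
  subs = raw[8, 4 * count].unpack("V#{count}")
  "S-#{rev}-#{authority}-#{subs.join('-')}"
end

# objectGUID stores the first three GUID fields little-endian.
def guid_to_string(raw)
  d1, d2, d3, d4, d5 = raw.unpack('VvvH4H12')
  format('%08x-%04x-%04x-%s-%s', d1, d2, d3, d4, d5)
end

def printable_utf8?(bytes)
  s = bytes.dup.force_encoding('UTF-8')
  s.valid_encoding? && s.match?(/\A[[:print:]\s]*\z/)
end

# Return a display string for one attribute value.
def render_value(attr, value)
  raw = value.b
  case attr.downcase
  when 'objectsid'  then sid_to_string(raw)
  when 'objectguid' then guid_to_string(raw)
  else
    printable_utf8?(raw) ? raw.force_encoding('UTF-8') : "0x#{raw.unpack1('H*')}"
  end
end

def render_entry(entry)
  entry.to_h { |attr, value| [attr, render_value(attr, value)] }
end

# Constructed sample entry standing in for one LDAP search result.
SAMPLE_ENTRY = {
  'sAMAccountName'  => 'Administrator',
  'objectSid'       => "\x01\x05\x00\x00\x00\x00\x00\x05".b +
                       [21, 1004336348, 1177238915, 682003330, 500].pack('V5'),
  'objectGUID'      => (1..16).to_a.pack('C*'),
  'userCertificate' => "\x30\x82\x03\x1a\xff".b   # arbitrary bytes, invalid UTF-8
}.freeze

if $PROGRAM_NAME == __FILE__
  render_entry(SAMPLE_ENTRY).each { |attr, text| puts "#{attr}: #{text}" }
end
```

The hex fallback is the important part: a value such as a certificate blob or a raw security descriptor never reaches the table renderer as an invalid string, and the well-known binary attributes come out in the form an operator expects.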
PR 16968 - This PR adds support for the new syntax of the find command's perm parameter while also maintaining support for the deprecated syntax.
PR 16972 - Updates msfconsole's tables to support word wrapping when colors are present.
PR 16974 - Updates Rex::Proto::Http::Client to rely on Ruby's built-in string comparison.
Modules
PR 16725 - Two new auxiliary/gather modules have been added that take advantage of default Xnode credentials (CVE-2020-11532) to enumerate Active Directory information and other sensitive data via the DataEngine Xnode server. Additionally, a new library has been added to provide reusable functionality for interacting with Xnode servers.
PR 16734 - This updates the exploit for CVE-2022-30190 (aka Follina) to support generating RTF exploit documents. RTF documents are useful not only as another exploit vector but also because they trigger payload execution when viewed in Explorer's preview pane, without the user having to enable editing.
PR 16786 - This adds an LPE exploit for Zyxel firewalls that allows a local user to escalate to root. The vulnerability is identified as CVE-2022-30526 and is due to a setuid binary that allows any user to copy files with root permissions.
PR 16923 - This adds an exploit module that leverages an authenticated command injection vulnerability in Cisco ASA-X with FirePOWER Services. The vulnerability is identified as CVE-2022-20828 and has been patched in ASA FirePOWER module versions 6.2.3.19, 6.4.0.15, 6.6.7, and 7.0.21. Note that versions 6.2.2 and earlier, 6.3, 6.5, and 6.7 will not receive a patch.
PR 16939 - This adds a module for issuing certificates via Active Directory Certificate Services, which is useful in a few contexts including persistence and for some specific exploits. The resulting PFX certificate file is stored to the loot and is encrypted using a blank password.
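As an added example (not code from the ADCS module), the Ruby below shows what to do with a PFX that was written with a blank password: open it, confirm the private key matches the certificate, and re-wrap it under a real password before the loot file travels anywhere. The key and self-signed certificate built here stand in for a certificate issued by ADCS so the example runs offline; the friendly name 'loot' and the password used are arbitrary choices for the example.

```ruby
require 'openssl'

# Added example, not Metasploit code. Works with a PKCS#12 (PFX) file that was
# saved with a blank password, as the ADCS module does for its loot. The
# self-signed certificate built here is a stand-in for an issued certificate.

def build_self_signed(common_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Pack key + certificate as PKCS#12 DER. A blank password is the loot default.
def write_pfx(key, cert, password = '')
  OpenSSL::PKCS12.create(password, 'loot', key, cert).to_der
end

# Load a PFX and report what is inside; raises PKCS12Error on a wrong password.
def inspect_pfx(der, password = '')
  p12 = OpenSSL::PKCS12.new(der, password)
  {
    subject:     p12.certificate.subject.to_s,
    key_bits:    p12.key.n.num_bits,
    key_matches: p12.certificate.check_private_key(p12.key)
  }
end

# Re-encrypt a blank-password PFX under a password of the operator's choosing.
def reprotect_pfx(der, new_password)
  p12 = OpenSSL::PKCS12.new(der, '')
  OpenSSL::PKCS12.create(new_password, 'loot', p12.key, p12.certificate, p12.ca_certs).to_der
end

if $PROGRAM_NAME == __FILE__
  key, cert = build_self_signed('ExampleUser')
  blank = write_pfx(key, cert)
  puts inspect_pfx(blank).inspect
  strong = reprotect_pfx(blank, 'change-me')
  puts inspect_pfx(strong, 'change-me')[:subject]
end
```

A blank-password PFX is convenient for tooling but it is a bearer credential for the account it was issued to; re-protecting it before it leaves the operator's host is the minimum handling an issued certificate deserves.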
PR 16944 - This exploits an unauthenticated command injection vulnerability in Apache Spark. When the spark.acls.enable setting is on, the value of the doAs parameter in a POST request is passed to the id command without sanitization, so a request carrying shell commands in doAs achieves unauthenticated RCE as the spark user.
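As an added example (not code from the module), the Ruby below scans web-server log lines for the input shape the Spark module relies on: a doAs parameter whose decoded value carries shell metacharacters, which is what reaches the id command when spark.acls.enable is set. The log format and every sample line are constructed; the metacharacter set is a pragmatic choice for the example rather than anything the module defines.

```ruby
require 'uri'

# Added example, not Metasploit code. Flags requests whose doAs parameter
# carries shell metacharacters, the shape of input that reaches Spark's
# `id` call when spark.acls.enable is on. Log lines below are constructed.

SHELL_META = /[;&|`$()<>\n]/

# Constructed sample log in common log format (not captured traffic).
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [01/Aug/2022:10:00:01 +0000] "GET /?doAs=alice HTTP/1.1" 200 512
  10.0.0.7 - - [01/Aug/2022:10:00:02 +0000] "GET /?doAs=%60id%60 HTTP/1.1" 200 512
  10.0.0.9 - - [01/Aug/2022:10:00:03 +0000] "POST /jobs/?doAs=bob%3Bid HTTP/1.1" 200 512
  10.0.0.9 - - [01/Aug/2022:10:00:04 +0000] "GET /jobs/ HTTP/1.1" 200 512
  10.0.0.3 - - [01/Aug/2022:10:00:05 +0000] "GET /?doAs=%zz HTTP/1.1" 400 0
LOG

# Pull the percent-decoded doAs value from a request line, or nil if absent.
def doas_value(line)
  m = line.match(%r{"(?:GET|POST)\s+(\S+)\s+HTTP/})
  return nil unless m
  query = m[1].split('?', 2)[1]
  return nil unless query
  pair = URI.decode_www_form(query).find { |k, _| k == 'doAs' }
  pair && pair[1]
rescue ArgumentError
  nil # non-ASCII or otherwise undecodable query string; nothing to inspect
end

# Return [client_ip, decoded doAs] for each line whose doAs contains shell metacharacters.
def scan_log(text)
  text.each_line.filter_map do |line|
    value = doas_value(line)
    next unless value && value.match?(SHELL_META)
    [line.split(' ', 2).first, value]
  end
end

if $PROGRAM_NAME == __FILE__
  scan_log(SAMPLE_LOG).each { |ip, value| puts "#{ip} doAs=#{value.inspect}" }
end
```

Decoding before matching matters: the injected characters arrive percent-encoded (%60, %3B), so a pattern applied to the raw request line would miss them.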