Improved
PR 16911 - This adds support for non-Meterpreter sessions and for WOW64 Meterpreter sessions to the
post/windows/gather/enum_ms_product_keys
module.PR 16929 - The
post/windows/gather/enum_services
module has been updated to support non-Meterpreter sessions, to fix some bugs, and to clean up the code. Additionally, documentation has been added on how to use the module.PR 16930 - This updates the
scripts/resource/dev_checks.rc
resource script to fix issues and add additional module checks.PR 16940 - Rewrites Metasploit's datastore to fix multiple bugs and edgecases. The
unset
command will now consistently unset previously set datastore values, so that default values are used once again. Explicitly clearing a datastore value can be done with theset --clear OptionName
command. Modules that require protocol specific option names such as SMBUser/FTPUser/BIND_DN/etc can now be consistently set with just username/password/domain options, i.e.set username Administrator
instead ofset SMBUser Administrator
. This rewrite is currently behind a feature flag which can be enabled withfeatures set datastore_fallbacks true
.PR 16953 - The
enum_domain
script has been updated to support Powershell and Shell sessions and its documentation and code have been cleaned up.PR 17002 - The
lib/msf/core/post/windows/accounts.rb
,lib/msf/core/post/windows/ldap.rb
, andlib/msf/core/post/windows/wmic.rb
libraries have been updated to replace calls toload_extapi
with ExtAPI compatibility checks which will check if the session supports ExtAPI, since if the sessions supports ExtAPI, it should already be loaded.PR 17003 -
enum_patches
has had its code updated to output the patches enumerated as a table and store the results long term in a CSV file. Additionally a check has been added to see if the current session supports the required Meterpreter extension compatibility prior to trying to run the module. Finally, the code and documentation have been cleaned up and modernized.PR 17008 -
rpc_core.rb
has been updated so that it now reports the number of evasion modules within Metasploit. Previously this statistic wasn't being reported, whilst other statistics like number of exploit modules, auxiliary modules, and payloads were.PR 17015 - Updates
auxiliary/scanner/http/http_login
to report login success when the http status code is in the range200,201,300-308
. This functionality is user-configurable withset HttpSuccessCodes 200
.PR 17049 - Adds Notes module meta information and replaces custom
get_members
method withget_members_from_group
from the Post API.PR 17051 - Adds module documentation, notes for module meta information, and improves module error handling.
Fixed
Pro: We fixed host display of deletion dialogs on the single host analysis view.
Pro: We fixed edit functionality on the single host analysis view.
Pro: We improved validation on backup names.
PR 16928 - Multiple bugs have been fixed in the
Msf::Post::Windows::Service
mixin. Additionally, several methods have been adjusted within this mixin so that the data types they use or return are consistent.PR 16998 - Fixes a crash in modules using the IAX2 client.
PR 17013 - This PR enhances
exploit/multi/http/jenkins_script_console
to handle changes to the login process for Jenkins newer than version 2.246.PR 17014 - This fixes the
exploit/multi/php/ignition_laravel_debug_rce
module to use the default HTTP timeout for the check method. Without this, the check method would yield false negatives on slower connections.PR 17018 - This fixes the
route add
command to use a sensible default netmask.PR 17023 - The
post/windows/manage/rollback_defender_signatures
module has been updated to work on WoW64 sessions, and has had its code updated so that the default action is now a valid option.PR 17036 - Fixes a bug where the
sessions
command would show the connection as coming from losthost 127.0.0.1, instead of the correct peer host address for reverse_http Meterpreter sessions.PR 17052 - Fixes an error in Metasploit-framework when the host machine has OpenSSL 3.
Modules
PR 16521 - This adds a 32-bit and 64-bit custom stage Windows payload. The custom stage allows users to provide their own custom executable code to be delivered as the payload stage in place of Meterpreter, Shell and other Metasploit-provided stages.
PR 16688 - This adds a port of Mimipenguin to Metasploit. Relying on mem_search() and mem_read() (https://github.com/rapid7/mettle/pull/232), this searches the memory regions of various processes for needles that are found near passwords in cleartext. Using the locations for all of the needles found, this will search the nearby regions for possible passwords.
PR 16732 - This PR adds a module which exploits several authenticated sqli in VICIdial(CVE-2022-34876, CVE-2022-34877, CVE-2022-34878).
PR 16828 - This adds support for EIP-0f5d2d7f, a vulnerability in
uid
parameter of theindex.php?entryPoint=export
page on SuiteCRM prior to 7.x prior to 7.12.6 that allows for authenticated SQL injection. The module exploits this SQL injection vulnerability to extract the usernames and password hashes for SuiteCRM users, which can then be cracked offline later to gain access to SuiteCRM.PR 16906 - This improves the
post/windows/gather/enum_snmp
module with shell and Powershell sessions support as well as fixes issues that low-privileged sessions would run into while reading the registry.PR 16914 - This adds an exploit module that leverages an OS Command Injection vulnerability in the PAN-OS management interface versions 10.0 to 10.0.1, versions 9.1.0 to 9.1.4 and version 9.0.0 to 9.0.10. This vulnerability is identified as CVE-2020-2038 and allows authenticated administrators to execute arbitrary OS commands with root privileges.
PR 16989 - This adds an exploit module to exploit an authentication bypass to achieve remote code execution in Unified Remote on Windows. Note that the latest version (3.11.0.2483) is vulnerable, which make it a 0-Day.
PR 17042 - Adds an exploit for CVE-2022-36804 which is an unauthenticated RCE in Bitbucket.