Nov 04, 2022
We improved icons on task chains schedule states and fixed a failure when importing from a Nexpose/InsightVM console.
Improved

- Pro: Updated the icon for the suspended schedule state of task chains.
- Pro: Addressed a post-processing failure when importing a site from a Nexpose/InsightVM console.
- PR 16979 - Improves the existing ldap_query module by allowing it to decode some data types into a human-readable format.
- PR 17050 - Updates the osx stager so it no longer writes artifacts to disk when performing in-memory code loading.
- PR 17071 - Adds additional predefined LDAP queries to the existing ldap_query module that help enumerate specific information in support of certain attack paths.
- PR 17128 - Updates auxiliary/scanner/smb/smb_enumshares to support specifying a share name, such as: run smb://Account:Password@TargetIP spidershares=true showfiles=true share=TargetShareName. Useful files are now also highlighted automatically.
- PR 17155 - Updates version checking for the recent Remote Mouse RCE module and updates the docs with a download link for a vulnerable version.
- PR 17164 - Adds a new option, THEME_DIR, to the exploit/multi/http/wp_crop_rce module. It is useful when the module cannot auto-detect the current WordPress theme or when a user has determined the theme by other means.
- PR 17176 - Updates the Python Meterpreter stage to calculate the data needed for AES encryption at runtime, which reduces the stage size by about 6,000 bytes.
- PR 17184 - Updates the metashell upload/download commands to work for PowerShell and Windows sessions.
- PR 17185 - Updates msfconsole's tips command to include the analyze command, as well as hosts -R and services -R.
- PR 17186 - Fixes broken file writes on Windows targets when newlines are present within the uploaded file.
- PR 17195 - Fixes uploading binary files with identical names to a Windows shell session. Previously this would silently error and not write the new file contents; now the file contents are successfully written out.
- PR 17196 - Adds new get_hostname library support for Windows sessions.
- PR 17207 - Updates msfvenom and msfconsole to support formatting shellcode as a Rust array. Example usage: msfvenom -p windows/x64/exec cmd='calc.exe' -f rust
Fixed

- PR 17172 - Fixes a bug in Msf::Post::File.append_file which caused file contents to be overwritten on non-Windows sessions.
- PR 17187 - Fixes an issue in the aerohive_netconfig_lfi_log_poison_rce exploit module that resulted in the vulnerable version 10.0r8 being flagged as non-vulnerable.
- PR 17188 - Fixes a regression that stopped Python Meterpreter from working for v3.1-3.3.
- PR 17190 - Sets the bufptr parameter in multiple netapi32 railgun functions to the PLPVOID data type, which fixes a crash in the post/windows/gather/enum_domain_tokens module caused by improper data types being set for the bufptr parameter.
- PR 17213 - Fixes a bug that stopped the post/linux/gather/vcenter_secrets_dump module from loading.
Modules

- PR 16871 - Adds a post/linux/gather module to dump the vCenter vmdir dcAccountPassword and platform certificates.
- PR 17142 - Adds a new module to exploit CVE-2022-24706, an RCE in Apache CouchDB prior to 3.2.2 via the Erlang/OTP Distribution protocol, which used a default cookie of "monster" that allowed users to connect and run OS commands.
- PR 17147 - Adds a module that exploits a default Vagrant shared folder to append a Ruby payload to the Vagrant project's Vagrantfile config file. The payload is executed the next time the user runs a vagrant command.
- PR 17162 - Adds a module for CVE-2022-35914, a PHP command injection vulnerability in GLPI versions up to and including 10.0.2.
- PR 17168 - Adds a module that exploits improper access controls in Webmin File Manager. An authenticated attacker can coerce Webmin into downloading a malicious CGI script from an attacker-controlled HTTP server. The attacker can then use File Manager utilities to set execute permissions on the CGI script, execute it, and achieve RCE as the root user.
- PR 17174 - Adds an exploit module that targets FLIR AX8 thermal cameras. A command injection vulnerability exists in the id POST parameter of the res.php endpoint, which an unauthenticated attacker can leverage to achieve RCE as the root user.
- PR 17181 - Adds a new auxiliary/admin/ldap/rbcd module which uses LDAP to set the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on the user provided in the delegate_to datastore option within Active Directory. This technique is used as part of Role Based Constrained Delegation (RBCD) attacks. Example usage: run rhost=192.168.123.13 username=account_with_write_privileges@demo.local password=p4$$w0rd delegate_to=dc3$ action=WRITE delegate_from=fake_computer. This module can be used together with the existing auxiliary/admin/dcerpc/samr_computer module to create the required fake computer account.
- PR 17192 - Adds a post module that gathers ManageEngine Password Manager Pro credentials from the local database.