Improved
Pro: Updated icon on suspended schedule state of task chains.
Pro: We addressed a post processing failure when importing a site from a Nexpose/InsightVM console.
PR 16979 - This improves the existing ldap_query module by allowing it to decode some data types into a human-readable format.
PR 17050 - This updates the osx stager to no longer write artifacts to disk when performing in-memory code loading.
PR 17071 - This adds additional predefined LDAP queries to the existing ldap_query module that can help enumerate specific information in support of certain attack paths.
PR 17128 - Updates auxiliary/scanner/smb/smb_enumshares to support specifying a share name, such as run smb://Account:Password@TargetIP spidershares=true showfiles=true share=TargetShareName. Useful files are now also highlighted automatically.
PR 17155 - This PR updates version checking for the recent Remote Mouse RCE module and updates the docs with a vulnerable version download link.
PR 17164 - This adds a new option, THEME_DIR, to the exploit/multi/http/wp_crop_rce module that is useful when the current WordPress theme cannot be auto-detected by the module or when a user has determined the theme by other means.
PR 17176 - This updates the Python Meterpreter stage to calculate the data needed for AES encryption at runtime, which reduces the stage size by about 6,000 bytes.
PR 17184 - Updates the metashell upload/download commands to work for PowerShell and Windows sessions.
PR 17185 - Updates msfconsole's tips command to include the analyze command, as well as hosts -R and services -R.
PR 17186 - Fixes broken file writes on Windows targets when newlines are present within the uploaded file.
PR 17195 - Fixes uploading binary files with identical names to a Windows shell session. Previously this would silently error and not write the new file contents; now the file contents are successfully written out.
PR 17196 - Adds new get_hostname library support for Windows sessions.
PR 17207 - Updates msfvenom and msfconsole to support formatting shellcode as a Rust array. Example usage: msfvenom -p windows/x64/exec cmd='calc.exe' -f rust.
Fixed
PR 17172 - Fix a bug in Msf::Post::File.append_file which caused file contents to be overwritten on non-Windows sessions.
PR 17187 - Fixes an issue in the aerohive_netconfig_lfi_log_poison_rce exploit module that resulted in the vulnerable version 10.0r8 being flagged as non-vulnerable.
PR 17188 - Fixes a regression that stopped Python Meterpreter working for v3.1-3.3.
PR 17190 - This sets the bufptr parameter in multiple netapi32 railgun functions to the PLPVOID data type and consequently fixes a crash in the post/windows/gather/enum_domain_tokens module caused by improper data types being set for the bufptr parameter.
PR 17213 - Fixes a bug that stopped the post/linux/gather/vcenter_secrets_dump module from loading.
Modules
PR 16871 - Add post/linux/gather module to dump vCenter vmdir dcAccountPassword and platform certificates.
PR 17142 - A new module has been added to exploit CVE-2022-24706, an RCE in Apache CouchDB prior to 3.2.2 via the Erlang/OTP Distribution protocol, which used a default cookie of "monster" to allow users to connect and run OS commands.
PR 17147 - This PR adds a module that exploits a default Vagrant shared folder to append a Ruby payload to the Vagrant project Vagrantfile config file. The payload gets executed the next time the user runs a vagrant command.
PR 17162 - This PR adds a module for CVE-2022-35914, a PHP command injection vulnerability in GLPI versions up to and including 10.0.2.
PR 17168 - This adds a module that exploits improper access controls in Webmin File Manager. An authenticated attacker can coerce Webmin into downloading a malicious CGI script from an attacker-controlled HTTP server. After that, the attacker can further use File Manager utilities to set execute permissions on the CGI script, execute it, and achieve RCE as the root user.
PR 17174 - This adds an exploit module that targets FLIR AX8 thermal cameras. A command injection vulnerability exists in the id POST parameter to the res.php endpoint, which can be leveraged by an unauthenticated attacker to achieve RCE as the root user.
PR 17181 - Adds a new auxiliary/admin/ldap/rbcd module which uses LDAP to set the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on the user provided in the delegate_to datastore option within Active Directory. This technique is used as part of Role Based Constrained Delegation (RBCD) attacks. Example usage: run rhost=192.168.123.13 username=account_with_write_privileges@demo.local password=p4$$w0rd delegate_to=dc3$ action=WRITE delegate_from=fake_computer. This new module can be used in conjunction with the existing auxiliary/admin/dcerpc/samr_computer module to create the required fake computer account.
PR 17192 - This post module gathers ManageEngine's Password Manager Pro credentials from the local database.
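As an added example (not Metasploit code), the defender-side counterpart to the rbcd module above: msDS-AllowedToActOnBehalfOfOtherIdentity stores a self-relative security descriptor, and an audit that reads the attribute from a domain controller needs to decode the DACL to see which SIDs are allowed to delegate to the object. The SID values and the full-control access mask below are constructed for the sample; the builder exists only to produce a realistic blob offline.

```python
import struct

ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
DS_FULL_CONTROL = 0x000F01FF  # mask used in the constructed sample ACEs

def sid_to_bytes(sid):
    """Encode 'S-1-5-21-...' into the binary SID layout from MS-DTYP."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def bytes_to_sid(data, offset):
    """Decode a binary SID at offset; return (sid_string, encoded_size)."""
    revision, count = struct.unpack_from("<BB", data, offset)
    authority = int.from_bytes(data[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, offset + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count

def build_rbcd_descriptor(sids):
    """Constructed sample: a self-relative security descriptor whose DACL holds one
    ACCESS_ALLOWED_ACE per SID, the shape stored in msDS-AllowedToActOnBehalfOfOtherIdentity."""
    aces = b""
    for sid in sids:
        body = struct.pack("<I", DS_FULL_CONTROL) + sid_to_bytes(sid)
        aces += struct.pack("<BBH", ACCESS_ALLOWED_ACE_TYPE, 0, 4 + len(body)) + body
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(sids), 0) + aces  # ACL_REVISION 2
    # SD header: revision, sbz1, control, owner/group/sacl offsets (absent), DACL offset
    return struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, 0, 0, 0, 20) + acl

def allowed_to_act_sids(blob):
    """Audit helper: list the SIDs granted by the DACL of an attribute value.
    Every SID returned may impersonate users to the object that carries the attribute."""
    revision, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", blob, 0)
    if revision != 1 or not control & SE_DACL_PRESENT or dacl_off == 0:
        return []  # no DACL present: nothing is delegated
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", blob, dacl_off)
    sids, pos = [], dacl_off + 8
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", blob, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:  # deny/object ACEs are skipped in this audit
            sids.append(bytes_to_sid(blob, pos + 8)[0])
        pos += ace_size
    return sids
```

Any SID listed that is not an expected service account (for instance a freshly created computer account) is worth checking against the machine-account creation and attribute-write events on the domain controller.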