Improved
Pro: Updated icon on suspended schedule state of task chains.
Pro: We addressed a post processing failure when importing a site from a Nexpose/InsightVM console.
PR 16979 - This improves the existing
ldap_querymodule by allowing it to decode some data types into a human readable format.PR 17050 - This updates the osx stager to no longer write artifacts to disk when performing in-memory code loading.
PR 17071 - This adds additional predefined LDAP queries to the existing ldap_query module that can help enumerate specific information in support of certain attack paths.
PR 17128 - Updates
auxiliary/scanner/smb/smb_enumsharesto support specifying a share name such asrun smb://Account:Password@TargetIP spidershares=true showfiles=true share=TargetShareName. Useful files are now also highlighted automatically.PR 17155 - This PR updates version checking for the recent Remote mouse RCE module and updates the docs with a vulnerable version download link.
PR 17164 - This adds a new option,
THEME_DIRto theexploit/multi/http/wp_crop_rcemodule that is useful when the current Wordpress theme cannot be auto-detected by the module or when a user leverages other means of determining the theme.PR 17176 - This updates the Python Meterpreter stage to calculate the necessary data for AES encryption at runtime which reduces the stage size by about 6,000 bytes.
PR 17184 - Updates the metashell upload/download commands to work for powershell and windows sessions.
PR 17185 - Updates msfconsole's
tipscommand to include theanalyzecommand, as well ashosts -Randservices -R.PR 17186 - Fixes broken file writes on windows targets when newlines are present within the uploaded file.
PR 17195 - Fixes uploading binary files with identical names to a Windows shell session. Previously this would silently error and not write the new file contents, now the file contents will successfully be written out.
PR 17196 - Adds new
get_hostnamelibrary support for Windows sessions.PR 17207 - Updates msfvenom and msfconsole to support formatting shellcode as a Rust array. Example usage:
msfvenom -p windows/x64/exec cmd='calc.exe' -f rust.
Fixed
PR 17172 - Fix a bug in
Msf::Post::File.append_filewhich caused file contents to be overwritten on non-Windows sessions.PR 17187 - Fixes an issue in the
aerohive_netconfig_lfi_log_poison_rceexploit module that resulted in the vulnerable version 10.0r8 being flagged as non-vulnerable.PR 17188 - Fixes a regression issue that stopped Python Meterpreter working for v3.1-3.3.
PR 17190 - This sets the
bufptrparameter in multiplenetapi32railgun functions to thePLPVOIDdata type and consequently fixes a crash in thepost/windows/gather/enum_domain_tokensmodule caused by improper data types being set for thebufptrparameter.PR 17213 - Fixes a bug that stopped the
post/linux/gather/vcenter_secrets_dumpmodule from loading.
Modules
PR 16871 - Add post/linux/gather module to dump vCenter vmdir dcAccountPassword and platform certificates.
PR 17142 - A new module has been added to exploit CVE-2022-24706 an RCE within Apache CouchDB prior to 3.2.2 via the Erlang/OTP Distribution protocol, which used a default cookie of "monster" to allow users to connect and run OS commands.
PR 17147 - This PR adds a module that exploits a default Vagrant shared folder to append a Ruby payload to the Vagrant project Vagrantfile config file. The payload gets executed the next time the user runs a vagrant command.
PR 17162 - This PR adds a module for CVE-2022-35914, a php command injection vulnerability in GLPI versions up to and including 10.0.2.
PR 17168 - This adds a module that exploits improper access controls in Webmin File Manager. An authenticated attacker can coerce Webmin into downloading a malicious cgi script from an attacker-controlled http server. After that, the attacker can further use File Manager utilities to set execute permissions on the cgi script, execute it, and achieve RCE as the
rootuser.PR 17174 - This adds an exploit module that targets FLIR AX8 thermal cameras. A command injection vulnerability exists in the
idPOST parameter to theres.phpendpoint, which can be leveraged by an unauthenticated attacker to achieve RCE as therootuser.PR 17181 - Adds a new
auxiliary/admin/ldap/rbcdmodule which uses LDAP to set themsDS-AllowedToActOnBehalfOfOtherIdentityattribute on the user provideddelegate_todatastore option within Active Directory. This technique is used as part of Role Based Constrained Delegation (RBCD) attacks. Example usage:run rhost=192.168.123.13 username=account_with_write_privileges@demo.local password=p4$$w0rd delegate_to=dc3$ action=WRITE delegate_from=fake_computer. This new module can be used in conjunction with the existingauxiliary/admin/dcerpc/samr_computermodule to create the required fake computer account.PR 17192 - This post module gathers ManageEngine's Password Manager Pro credentials from the local database.