Dec 02, 2022 - 4.21.1-2022120201

Improved

  • Pro: We improved logging of landing page redirection in Social Engineering campaigns.

  • Pro: We improved logging of timeouts that may occur during execution of basic tasks.

  • PR 17145 - This PR adds the ability to authenticate via hash when using auxiliary/scanner/smb/impacket/wmiexec and improves the error reporting when authentication fails.

  • PR 17211 - This compresses Python payloads to make them smaller.

  • PR 17219 - Update Zabbix login_scanner to work with version 6.2.4.

  • PR 17223 - The reload_lib functionality has been updated so that its file change tracking logic better takes into account scenarios where files are modified. Previously if a breakpoint was inserted, removed, and then reload_lib -a was run, it would mistakenly use an old copy of the code.

  • PR 17234 - Add references to the info -d command in the options and info command outputs. This command generates an HTML document that you can use to view the full documentation of a module in your browser.

  • PR 17235 - Updates auxiliary/scanner/http/manageengine_desktop_central_login module to report the service name correctly as http or https.

  • PR 17238 - Adds the shutdown command to the Windows Python Meterpreter.

  • PR 17243 - Improves the TLV packet logging for Railgun.

  • PR 17253 - The list of WordPress plugins and themes has been updated to allow Metasploit tools to scan for a wider range of known themes and plugins on WordPress targets.

  • PR 17279 - This adds the ducky-script-psh format to msfvenom so it can create payloads that are compatible with Bad USB devices such as the Flipper Zero.

  • PR 17283 - Improves the linux/gather/enum_psk module, and adds documentation.

  • PR 17284 - Updates modules/post/linux/gather/enum_network and modules/post/linux/gather/tor_hiddenservices to extract hostname details in a similar fashion to other modules.

  • PR 17285 - Improves validation in linux/gather/tor_hiddenservices to ensure that the locate command is present before running the module.

  • PR 17296 - Adds clarification to the module documentation that links to external resources are not controlled by project maintainers. These external resources may no longer exist and are subject to malicious takeover in the future. These links should be reviewed accordingly.

  • PR 17304 - Improves auxiliary/scanner/http/tomcat_mgr_login.rb error message on 401 status codes to include the user defined URI.

Fixed

  • Pro: We improved error handling when a bruteforce module reports incomplete data during execution.

  • PR 17163 - This fixes a bug in the check method where we left an artifact on disk.

  • PR 17177 - A bug has been fixed in module search and module use whereby trailing colons (:) in the input were not handled appropriately and could cause every module in Metasploit to be returned.

  • PR 17220 - This fixes a crash in the peinject stage that would occur when the PE datastore option was not set.

  • PR 17221 - A bug has been fixed that would cause crashes when generating payload sizes. Additionally the code has been updated to ignore payload metadata for adaptor payloads when determining payload sizes.

  • PR 17244 - A bug that could cause the hostname command to fail in Mettle versions of Meterpreter has been fixed by adding additional validation to the hostname code.

  • PR 17260 - This fixes an issue with the RBCD module due to the access_mask field of the Access Control Entry types being changed from the AccessMask type to an integer.

  • PR 17263 - The metasploit-payloads gem has been bumped to 2.0.101, which fixes memory and handle leaks when using the incognito plugin's list_token functionality. It also updates the Mimikatz code in Metasploit to pull in the latest changes.

  • PR 17277 - Fixes a crash within the Python reverse HTTP stager.

  • PR 17299 - This fixes a bug in the polkit_dbus_auth_bypass module that prevented it from working with certain session types.

Modules

  • PR 17021 - This adds an exploit module that leverages a command injection vulnerability in Gitea. Due to improper escaping of input, it is possible to execute commands on the system by abusing the Gitea repository migration process. This vulnerability is identified as CVE-2022-30781 and affects Gitea versions prior to 1.16.7.

  • PR 17087 - This PR adds an exploit targeting the Remote Control Server software which allows remote control of a PC, now including running a payload.

  • PR 17097 - This adds a post module that retrieves and decrypts passwords saved by Navicat.

  • PR 17122 - This adds a module that analyzes certificate templates to identify ones that are vulnerable to ESC1, ESC2 and ESC3. When a template is found to be vulnerable, the necessary information is printed for the user including the template name, the issuing CAs and the SIDs of the users that are able to issue them.

  • PR 17149 - A new module modules/auxiliary/scanner/ssl/ssl_version.rb has been released which replaces the old SSL scanners and offers improved features such as SSL cipher suite checking, improvements to CA Issuers logic, support for expired certs and deprecated protocols, and better error handling.

  • PR 17222 - This adds an exploit module that leverages a Remote Command Injection vulnerability in VMware Cloud Foundation 3.x and NSX Manager Data Center for vSphere up to and including version 6.4.13. This vulnerability is identified as CVE-2021-39144.

  • PR 17229 - Adds a new post/multi/recon/reverse_lookup module that reverse resolves an IP address or IP address range to hostnames. The old post/windows/gather/reverse_lookup and post/windows/recon/resolve_ip modules have been removed.

  • PR 17257 - A new module has been added for CVE-2021-43258 which exploits a flaw whereby, when emailing users in the ChurchInfo database with attachments, the uploaded file is hosted in a web accessible location under the ChurchInfo web root before the email is sent. An authenticated attacker can abuse this to gain RCE as the www-user user.

  • PR 17271 - This module exploits a CSRF vulnerability in F5 Big-IP versions 17.0.0.1 and below which leads to an arbitrary file overwrite as root. With this module, a user can choose to overwrite various system files to achieve a Meterpreter session as the root user.

  • PR 17273 - This adds an authenticated RCE for F5 devices that leverages the command injection flaw identified in CVE-2022-41800.

  • PR 17275 - This adds an exploit module for CVE-2022-41082, AKA ProxyNotShell. This vulnerability is a deserialization flaw in Microsoft Exchange's PSRP backend. The PSRP backend can be accessed by an authenticated attacker leveraging the SSRF flaw identified as GHSA-6ph7-8wxv-6gf2. Together, these vulnerabilities allow an authenticated attacker to execute arbitrary commands on a Microsoft Exchange Server.
