Improved
Pro: We improved state verification during the site import process for Nexpose/IVM data.
PR 17191 - This fixes a bug where the Windows Subsystem for Linux crashes when using a reverse_tcp x64 stager because of data in the upper bits of the rdi register when the syscall occurs.
PR 17214 - This improves upon the data gathered on a vcenter server originally implemented in https://github.com/rapid7/metasploit-framework/pull/16871, including library integration, optimization, and deduplication.
PR 17255 - The command payloads have been updated to allow specifying the file system path for several of their commands within datastore options. This should allow users to specify these command locations should they not be contained within the searchable PATH.
PR 17258 - This updates the SharpHound post module to use version 1.1.0 of SharpHound, which works with BloodHound 4. This includes both the .ps1 and binary from the original repository.
PR 17332 - Updates `windows/gather/enum_proxy` to support non-Meterpreter sessions (shell, powershell).
PR 17346 - The logic for counting threads within `lib/metasploit/framework/spec/threads/suite.rb` has been updated to appropriately count and document the known threads that can be left behind when running the rspec test suite. This fixes an intermittent rspec crash.
PR 17355 - The `creds` command has been updated to show the full SSH key contents when running the `creds -v` command or when exporting to a file with `creds -o output.txt`. Previously, only a shortened fingerprint string would be shown to the user.
PR 17357 - The docs site has been updated to support mermaid graphs for rendering diagrams to assist with explanations.
PR 17380 - The list of user agent strings inside `lib/rex/user_agent.rb` has been updated to reflect the latest user agents as of December 2022.
PR 17387 - The `hosts`, `services`, `vulns`, and `notes` commands have been updated to support tab expansion in paths using the `~` character when using the `-o` option to specify the path to the file to write the output to.
PR 17427 - This adds YARD documentation to the LDAP libraries for developers to reference.
PR 17447 - We now utilize 'pry' dependencies with support for newer Ruby versions.
Fixed
Pro: We restored import results from the Rapid7 Labs Sonar project.
Pro: We added further guards around brute force scanner execution to ensure tasks continue when a single host fails to pass the service validation check.
Pro: We fixed a stack trace emitted in logs about a missing variable during execution of a background task.
Pro: We fixed a regression that prevented Passive Network Discovery from activating properly.
PR 17183 - This adds some small changes, cleanups and fixes to the `linux/http/zimbra_unrar_cve_2022_30333` and `linux/http/zimbra_cpio_cve_2022_41352` Zimbra exploit modules and to the `linux/local/zimbra_slapper_priv_esc` documentation. In particular, this fixes an issue that prevented the exploit modules from working properly when the handler was prematurely shut down.
PR 17305 - Updates Metasploit's RPC to automatically choose an appropriate payload if `module.execute` is invoked without a payload set. This mimics the functionality of msfconsole.
PR 17323 - Fixes a bug when attempting to detect `enlightenment_sys` in `exploits/linux/local/ubuntu_enlightenment_mount_priv_esc`.
PR 17330 - This fixes an issue in the ProxyShell module, which limited the email enumeration to 100 entries. Now, it correctly enumerates all the emails before finding one that is suitable for exploitation.
PR 17334 - Multiple improvements to `modules/post/linux/gather/enum_commands`, including fixing a crash when attempting to search a path that doesn't exist.
PR 17342 - This adds the necessary control to the search queries used to find vulnerable certificate templates in an ADCS environment. Prior to this, non-privileged users would not be able to read the security descriptor field.
PR 17345 - A crash has been fixed when using the report API with verbose mode enabled and no active DB enabled.
PR 17350 - This updates three UAC bypass modules to remove a hard-coded delay in favor of using the module's built-in cleanup method. This results in the user having access to the interactive session without needing to wait.
PR 17351 - This fixes an issue in the `exploit/windows/local/s4u_persistence` module where the default value for `FREQUENCY` would cause an error.
PR 17352 - A bug has been fixed in the `file_version` method for Windows Meterpreter, which would cause the session to crash if it was run on a file that did not exist on the target system.
PR 17361 - A bug has been fixed that would cause a crash when running the `exit` command from within `msfconsole` when running `msfconsole` with a 3.1.x release of Ruby.
PR 17366 - The upload and download commands used by shell sessions have been updated to handle directory destinations in the same way as the Meterpreter equivalents do, and to fix some bugs when uploading and downloading files that would prevent errors from being displayed and might cause session crashes.
PR 17368 - Fixes a regression in msfvenom payload generation where large payloads took more than 5 minutes to generate when output in hex format. Now it takes a few seconds, as before.
PR 17370 - A bug has been fixed in `smb_enumshares.rb` where, if an SMBv1 connection was used, a call was made to the `net_share_enum_all` function on the wrong object. This has since been updated to address this error.
PR 17378 - A bug has been fixed in the Meterpreter payloads that was preventing Python Meterpreter from being able to utilize its EventLog API properly. Additionally, a bug has been fixed in the COFFLoader that prevented BOFLoader from working with some COFF files.
PR 17386 - A bug has been fixed where the HTTP library was parsing HTTP HEAD requests like GET requests, which was causing issues due to non-compliance with RFC 9110. By updating the code to be more compliant with that standard, modules such as `auxiliary/scanner/http/http_header` now work as expected.
PR 17389 - Fixes `log4shell_header_injection` to prevent a NoMethodError for nil:NilClass.
PR 17409 - Updates rhost walker to handle interrupt signal.
PR 17416 - The `jenkins_gather.rb` module has been updated to use `.blank?` instead of `.empty?` when handling SSH key details, to prevent crashes should the various elements of the SSH key be empty or `nil`.
PR 17435 - A bug has been fixed where some modules were accidentally updated to use `smtp_send_recv` when they did not import the required `Exploit::Remote::SMTPDeliver` mixin. These modules have been updated to use the appropriate `raw_send_recv` method instead.
PR 17438 - This fixes an issue in the `exchange_proxylogon_collector` module where it would crash if the LegacyDN was not present in the XML response.
PR 17454 - A bug has been fixed where `smb_enumshares` incorrectly truncated file names before storing them into loot. This has been addressed so that only the console output will contain truncated file names, and the loot files will still contain the full file names for reference.
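The HEAD-versus-GET distinction behind the PR 17386 fix, as an added example that is not Metasploit's own HTTP library code: a minimal HTTP/1.1 response parser that applies the RFC 9110 rule that a response to HEAD carries no content even when it advertises a Content-Length. The sample responses are constructed; the function name `parse_http_response` is an assumption.

```ruby
# Added example (not Metasploit's own code): a minimal HTTP/1.1 response
# parser applying the RFC 9110 rule behind the PR 17386 fix. A response
# to a HEAD request carries no content even when it advertises a
# Content-Length, so a parser must not wait for or consume body bytes.
# Treating it like a GET response makes the client block on a body that
# never arrives. All sample data below is constructed.

# Parse one response from +raw+ (the bytes received so far). +method+ is
# the request method the response answers, e.g. "GET" or "HEAD".
# Returns a hash with :status, :headers, :body and :rest (unconsumed bytes),
# or nil when more data is needed before the response can be completed.
def parse_http_response(raw, method)
  head, sep, rest = raw.partition("\r\n\r\n")
  return nil if sep.empty? # header block not complete yet

  status_line, *header_lines = head.split("\r\n")
  status = status_line.split(' ', 3)[1].to_i
  headers = header_lines.each_with_object({}) do |line, h|
    name, value = line.split(':', 2)
    h[name.strip.downcase] = value.strip unless value.nil?
  end

  # RFC 9110 section 6.4.1: HEAD responses never have content; the framing
  # headers describe the body a GET would return, not these bytes.
  if method.casecmp?('HEAD')
    return { status: status, headers: headers, body: '', rest: rest }
  end

  # Other methods: honour Content-Length and ask for more data if the
  # body has not fully arrived yet.
  length = headers.fetch('content-length', '0').to_i
  return nil if rest.bytesize < length
  { status: status, headers: headers,
    body: rest.byteslice(0, length),
    rest: rest.byteslice(length, rest.bytesize - length) }
end

# Constructed sample: exactly what a server sends back to a HEAD request.
HEAD_RESPONSE = "HTTP/1.1 200 OK\r\nServer: demo\r\nContent-Length: 13\r\n\r\n".freeze
# The same headers followed by the body a GET would receive.
GET_RESPONSE = (HEAD_RESPONSE + 'hello, world!').freeze

if __FILE__ == $PROGRAM_NAME
  p parse_http_response(HEAD_RESPONSE, 'HEAD') # body "" despite Content-Length: 13
  p parse_http_response(HEAD_RESPONSE, 'GET')  # nil: a GET-style parser keeps waiting
  p parse_http_response(GET_RESPONSE, 'GET')   # body "hello, world!"
end
```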
Modules
PR 16990 - This adds a login scanner module for Syncovery for Linux.
PR 16991 - A new login scanner module that brute-forces a valid session token for the Syncovery File Sync & Backup Software Web-GUI. This will work if the default user is already logged in to the application. If that user does not log out, the token stays valid until the next reboot.
PR 16992 - This adds a module that exploits an authenticated remote code execution vulnerability identified as CVE-2022-36534 in the Web GUI of Syncovery File Sync & Backup Software for Linux. The module leverages a flaw in the application that allows the creation of jobs that will be executed when a profile is run. This allows the execution of arbitrary commands as the root user.
PR 17242 - A new module has been added for CVE-2022-0739, an unauthenticated SQL injection in WP BookingPress prior to 1.0.11 in the `bookingpress_front_get_category_services` AJAX action. Successful exploitation using the module allows unauthenticated attackers to gain the hashed passwords of WordPress users on the target site.
PR 17265 - This module exploits a local privilege escalation vulnerability in Acronis TrueImage versions 2019 update 1 through 2021 update 1 on macOS. This vulnerability is identified as CVE-2020-25736. By abusing a local helper executable, it is possible to execute arbitrary commands as the `root` user.
PR 17272 - This adds a post module for gathering facts from an F5 system's MCP database protocol.
PR 17278 - This adds a post module for extracting encrypted credentials from SolarWinds Orion NPM.
PR 17286 - This PR adds a priv esc for users in the cis group to escalate to root on certain versions of vCenter. A service file /usr/lib/vmware-vmon/java-wrapper-vmon has improper permissions allowing cis group members to write to it. Upon host reboot or vmware-vmon service restart, a root shell is obtained.
PR 17298 - This adds an exploit module for an unauthenticated command injection vulnerability in OpenTSDB through 2.4.0. This vulnerability is identified as CVE-2020-35476.
PR 17312 - An exploit has been added for CVE-2019-7256, an unauthenticated command injection vulnerability in Linear eMerge E3 versions `1.00-06` and below in the `No` and `door` parameters of `card_scan_decoder.php`. Successful exploitation results in RCE as the `root` user.
PR 17337 - This adds a post exploit module that retrieves DBeaver session data from local configuration files. It is able to extract and decrypt credentials stored in these files for any version of DBeaver installed on Windows or Linux/Unix systems.
PR 17341 - This adds a post module that gathers local credentials stored by the MinIO client on Windows, Linux and macOS.