Jan 17, 2023 (4.21.1-2023011701)

Improved

  • Pro: We improved state verification during the site import process for Nexpose/IVM data.

  • PR 17191 - This fixes a bug where the Windows Subsystem for Linux crashes when using a reverse_tcp x64 stager because of stale data in the upper bits of the rdi register when the syscall occurs.

  • PR 17214 - This improves upon the data gathered on a vcenter server originally implemented in https://github.com/rapid7/metasploit-framework/pull/16871, including library integration, optimization, and deduplication.

  • PR 17255 - The command payloads have been updated to allow specifying the file system path for several of their commands within datastore options. This should allow users to specify these command locations should they not be contained within the searchable PATH.

  • PR 17258 - This updates the SharpHound post module to use version 1.1.0 of SharpHound, which works with BloodHound 4. This includes both the .ps1 and binary from the original repository.

  • PR 17332 - Updates windows/gather/enum_proxy to support non-Meterpreter sessions (shell, powershell).

  • PR 17346 - The logic for counting threads within lib/metasploit/framework/spec/threads/suite.rb has been updated to appropriately count and document the known threads that can be left behind when running the rspec test suite. This fixes an intermittent rspec crash.

  • PR 17355 - The creds command has been updated to show the full SSH key contents when running the creds -v command or when exporting to a file with creds -o output.txt. Previously, only a shortened fingerprint string would be shown to the user.

  • PR 17357 - The docs site has been updated to support mermaid graphs for rendering diagrams to assist with explanations.

  • PR 17380 - The list of user agent strings inside lib/rex/user_agent.rb has been updated to reflect the latest user agents as of December 2022.

  • PR 17387 - The hosts, services, vulns, and notes commands have been updated to support tab expansion in paths using the ~ character when using the -o option to specify the path to the file to write the output to.

  • PR 17427 - This adds YARD documentation to the LDAP libraries for developers to reference.

  • PR 17447 - We now utilize 'pry' dependencies with support for newer Ruby versions.

Fixed

  • Pro: We restored import results from the Rapid7 Labs Sonar project.

  • Pro: We added further guards around brute force scanner execution to ensure tasks continue when a single host fails to pass the service validation check.

  • Pro: We fixed a stack trace emitted in logs about a missing variable during execution of a background task.

  • Pro: We fixed a regression that prevented Passive Network Discovery from activating properly.

  • PR 17183 - This adds some small changes, cleanups and fixes to the linux/http/zimbra_unrar_cve_2022_30333 and linux/http/zimbra_cpio_cve_2022_41352 Zimbra exploit modules and to the linux/local/zimbra_slapper_priv_esc documentation. In particular, this fixes an issue that prevented the exploit modules from working properly when the handler was shut down prematurely.

  • PR 17305 - Updates Metasploit's RPC to automatically choose an appropriate payload if module.execute is invoked without a payload set. This mimics the functionality of msfconsole.

  • PR 17323 - Fixes a bug when attempting to detect enlightenment_sys in exploits/linux/local/ubuntu_enlightenment_mount_priv_esc.

  • PR 17330 - This fixes an issue in the ProxyShell module, which limited the email enumeration to 100 entries. Now, it correctly enumerates all the emails before finding one that is suitable for exploitation.

  • PR 17334 - Multiple improvements to modules/post/linux/gather/enum_commands, including a fix for a crash when attempting to search a path that doesn't exist.

  • PR 17342 - This adds the necessary control to the search queries used to find vulnerable certificate templates in an ADCS environment. Prior to this, non-privileged users would not be able to read the security descriptor field.

  • PR 17345 - A crash has been fixed when using the report API with verbose mode enabled and no active database connected.

  • PR 17350 - This updates three UAC bypass modules to remove a hard-coded delay in favor of using the module's built-in cleanup method. This results in the user having access to the interactive session without needing to wait.

  • PR 17351 - This fixes an issue in the exploit/windows/local/s4u_persistence module where the default value for FREQUENCY would cause an error.

  • PR 17352 - A bug has been fixed in the file_version method for Windows Meterpreter, which would cause the session to crash if it was run on a file that did not exist on the target system.

  • PR 17361 - A bug has been fixed that would cause a crash when running the exit command from within msfconsole when running msfconsole with a 3.1.x release of Ruby.

  • PR 17366 - The upload and download commands used by shell sessions have been updated to handle directory destinations in the same way as the Meterpreter equivalents do, and to fix some bugs when uploading and downloading files that would prevent errors from being displayed and might cause session crashes.

  • PR 17368 - Fixes a regression issue with msfvenom payload generation for large payloads taking more than 5 minutes to generate when outputting as hex format. Now, it takes a few seconds as normal.

  • PR 17370 - A bug has been fixed in smb_enumshares.rb where, if an SMBv1 connection was used, the net_share_enum_all function was called on the wrong object. The module has been updated to call it on the correct object.

  • PR 17378 - A bug has been fixed in the Meterpreter payloads that was preventing Python Meterpreter from being able to utilize its EventLog API properly. Additionally, a bug has been fixed in the COFFLoader that prevented BOFLoader from working with some COFF files.

  • PR 17386 - A bug has been fixed where the HTTP library was parsing HTTP HEAD requests like GET requests, which caused issues because the behaviour did not comply with RFC 9110. By updating the code to be more compliant with that standard, modules such as auxiliary/scanner/http/http_header now work as expected.

  • PR 17389 - Fixes a NoMethodError for nil:NilClass in the log4shell_header_injection module.

  • PR 17409 - Updates the RHOSTS walker to handle the interrupt signal.

  • PR 17416 - The jenkins_gather.rb module has been updated to use .blank? instead of .empty? when handling SSH Key details to prevent crashes should the various elements of the SSH Key be empty or nil.

  • PR 17435 - A bug has been fixed where some modules were accidentally updated to use smtp_send_recv when they did not import the required Exploit::Remote::SMTPDeliver mixin. These modules have been updated to use the appropriate raw_send_recv method instead.

  • PR 17438 - This fixes an issue in the exchange_proxylogon_collector module where it would crash if the LegacyDN was not present in the XML response.

  • PR 17454 - A bug has been fixed where smb_enumshares incorrectly truncated file names before storing them into loot. This has been addressed so that only the console output will contain truncated file names, and the loot files will still contain the full file names for reference.

Modules

  • PR 16990 - This adds a login scanner module for Syncovery for Linux.

  • PR 16991 - A new login scanner module that brute-forces a valid session token for the Syncovery File Sync & Backup Software Web-GUI. This will work if the default user is already logged in to the application. If that user does not log out, the token stays valid until the next reboot.

  • PR 16992 - This adds a module that exploits an authenticated remote code execution vulnerability identified as CVE-2022-36534 in the Web GUI of Syncovery File Sync & Backup Software for Linux. The module leverages a flaw in the application that allows the creation of jobs that will be executed when a profile is run. This allows the execution of arbitrary commands as the root user.

  • PR 17242 - A new module has been added for CVE-2022-0739 which is an unauthenticated SQL injection in WP BookingPress prior to 1.0.11 in the bookingpress_front_get_category_services AJAX action. Successful exploitation using the module allows unauthenticated attackers to gain the hashed passwords of WordPress users on the target site.

  • PR 17265 - This module exploits a local privilege escalation vulnerability in Acronis TrueImage versions 2019 update 1 through 2021 update 1 on macOS. This vulnerability is identified as CVE-2020-25736. By abusing a local helper executable, it is possible to execute arbitrary commands as the root user.

  • PR 17272 - This adds a post module for gathering facts from an F5 system's MCP database protocol.

  • PR 17278 - This adds a post module for extracting encrypted credentials from SolarWinds Orion NPM.

  • PR 17286 - This adds a privilege escalation module for users in the cis group to escalate to root on certain versions of vCenter. The service file /usr/lib/vmware-vmon/java-wrapper-vmon has improper permissions that allow cis group members to write to it. Upon host reboot or vmware-vmon service restart, a root shell is obtained.

  • PR 17298 - This adds an exploit module for an unauthenticated command injection vulnerability in OpenTSDB through 2.4.0. This vulnerability is identified as CVE-2020-35476.

  • PR 17312 - An exploit has been added for CVE-2019-7256, an unauthenticated command injection vulnerability in Linear eMerge E3 versions 1.00-06 and below in the No and door parameters of card_scan_decoder.php. Successful exploitation results in RCE as the root user.

  • PR 17337 - This adds a post-exploitation module that retrieves DBeaver session data from local configuration files. It is able to extract and decrypt credentials stored in these files for any version of DBeaver installed on Windows or Linux/Unix systems.

  • PR 17341 - This adds a post module that gathers local credentials stored by the MinIO client on Windows, Linux and macOS.
