Feb 13, 2023: 4.22.0-2023021301

Improved

  • PR 16946 - Updates the show targets and show actions commands to display a visual indicator beside the currently selected value.

  • PR 17481 - Updates the modules/auxiliary/scanner/http/options.rb module to modernize a few of its options, clean up the code, and handle an edge case where the target server responds with a Tomcat error page.

  • PR 17504 - Two aliases for show favorites have been added, namely favorite -l and favorites, to allow for easier listing of modules that users have marked as their favorites.

  • PR 17559 - Adds support for Ruby 3.2.

  • PR 17560 - Updates the Kerberos inspect_ticket module to show unsupported pac buffer ul_types in a clearer way to the user.

  • PR 17563 - Improves documentation and code quality for modules/exploits/multi/local.

  • PR 17564 - Improves the CIPCTlv definition for the exploits/windows/local/anyconnect_lpe module.

  • PR 17570 - The list of default queries used by the ldap_query module has been updated to add in the ENUM_DOMAIN and ENUM_MACHINE_ACCOUNT_QUOTA queries and to make some small updates to existing queries.

  • PR 17575 - Updates the Kerberos ccache functionality to automatically perform sname switching on Service Tickets when the ticket sname does not match the Metasploit module's required sname. This allows for a service ticket associated with the SPN service_a/host.domain.local to be used and updated to service_b/host.domain.local dynamically as part of service authentication.

  • PR 17577 - Updates modules/exploits/qnx to run the check command before attempting to exploit the target.

  • PR 17581 - This PR modifies the conditions in 45 local privilege escalation modules to check whether the operator set ForceExploit to true before checking the permissions required for exploitation on the remote target, which is more efficient and quieter over the network.

  • PR 17597 - Fixes the SideEffects and Reliability notes in the auxiliary/dos/mirageos/qubes_mirage_firewall_dos module.

  • PR 17603 - Updates admin/kerberos/inspect_ticket to show the UPN and DNS Information within a decrypted PAC.

  • PR 17615 - Adds missing module notes for stability, reliability and side effects to several modules.

Fixed

  • Pro: Fixed issue with adding modules to post exploitation macros.

  • PR 17444 - A bug has been fixed whereby issuing a command line argument that contained nested equals signs would not be parsed correctly, and would instead be treated as two separate command line statements.

  • PR 17557 - This fixes the logon timestamp in the MS14-068 exploit so the generated ticket works.

  • PR 17558 - Fixes running msfconsole's analyze command crashing when a WinRM session was opened.

  • PR 17561 - This fixes the direction for some Railgun function definitions in iphlpapi.

  • PR 17591 - A bug has been fixed in metasm_shell and nasm_shell whereby the shells used readline but the dependency was not correctly imported. Improved validation has also been added.

  • PR 17592 - A bug has been fixed in the bypassuac_injection_winsxs module whereby a string was not properly being treated as being NULL terminated. Additionally, the definitions of the FindFirstFileA and FindFirstFileW functions have been corrected so that they work on x64 systems.

Modules

  • PR 17300 - This PR adds a Linux privilege escalation module against VMware virtual machines running kernels 4.14-rc1 through 5.17-rc1, exploiting a bug in a VMware driver.

  • PR 17301 - This module exploits Linux LPE CVE-2022-1043, a bug in io_uring leading to an additional put_cred() that can be exploited to hijack credentials of other processes.

  • PR 17371 - This PR adds a module that makes use of incorrect access control in the Lenovo Diagnostics Driver, which allows a low-privileged user to issue device IOCTLs that perform arbitrary physical/virtual memory reads and writes.

  • PR 17392 - This PR adds a privilege escalation module for F5 that uses the unsecured MCP socket to create a new root account.

  • PR 17406 - Adds a post-exploitation credential capture module for Veeam Backup & Recovery and Veeam ONE Monitor versions 9.x to 11.x.

  • PR 17415 - This module is the macOS equivalent of the Dirty Cow vulnerability and allows for an unprivileged user to execute code as root.

  • PR 17483 - Adds a new exploit/linux/local/tomcat_ubuntu_log_init_priv_esc module for CVE-2016-1240 targeting Tomcat 6, 7 and 8. By default, repositories on Debian-based distributions (including Debian, Ubuntu, etc.) provide a vulnerable tomcat init script that allows local attackers who have already gained access to the tomcat account (for example, by exploiting an RCE vulnerability in a Java web application hosted on Tomcat, uploading a webshell, etc.) to escalate their privileges from the tomcat user to root and fully compromise the target system.

  • PR 17494 - A new authenticated RCE module for NagiosXI has been added which exploits CVE-2021-25296, CVE-2021-25297, and CVE-2021-25298 to get a shell as the apache user on NagiosXI devices running version 5.5.6 to 5.7.5 inclusive.

  • PR 17511 - Adds an exploit for CVE-2022-44877 which is an unauthenticated command injection in CentOS Control Web Panel <0.9.8.1147. Successful exploitation results in code execution as the root user.

  • PR 17527 - This adds an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ServiceDesk Plus versions 14003 and below (https://github.com/advisories/GHSA-4w3v-83v8-mg94).

  • PR 17556 - This PR adds an exploit that uses an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ADSelfService Plus versions 6210 and below (https://github.com/advisories/GHSA-4w3v-83v8-mg94).

  • PR 17567 - This adds an exploit targeting CVE-2022-47966, an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine Endpoint Central and MSP versions 10.1.2228.10 and below. See https://github.com/advisories/GHSA-mqq7-v29v-25f6 and the ManageEngine security advisory.

  • PR 17607 - This adds an exploit targeting CVE-2023-0669, a pre-authentication deserialization vulnerability that affects Fortra GoAnywhere MFT.

Offline Update

Metasploit Framework and Pro Installers