Mar 14, 2023, version 4.22.0-2023031401

Improved

  • Pro: We enhanced timeout handling for active auxiliary modules to log errors more gracefully.

  • Pro: Improved generation of reference links shown in module details and reports.

  • PR 17635 - Updates the admin/kerberos/inspect_ticket module to display the ticket checksum and full PAC checksum.

  • PR 17675 - Updates the admin/kerberos/forge_ticket module to support a new extra_sids option, which can be useful for including cross-domain SIDs when forging external Kerberos trust tickets as part of cross-trust domain escalation. The admin/kerberos/inspect_ticket module has also been updated to display these extra SID values.

  • PR 17686 - This adds three additional methods to the existing PetitPotam module to make it work even if the patch for CVE-2021-36942 has been installed. Note that it won't work after the December 2021 patch.

  • PR 17699 - This adds SCHANNEL authentication support to LDAP modules.

  • PR 17715 - The Metasploit Payload gem has been bumped to 2.0.115, bringing in support for the arp command to Python Meterpreter on Linux, and adding support for displaying IPv6 routing tables using the route command on Windows.

  • PR 17727 - Two new options have been added to the login scanner library: max_consecutive_error_count and max_error_count. These options let users set the maximum total number of errors that are allowed to occur when connecting, as well as the maximum number of consecutive errors that are allowed when connecting, before the login scanner gives up on a target.
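The difference between the two limits described above (a total error budget versus a run of consecutive errors, either of which stops the scan) as an added example. This is not Metasploit's login scanner code; the class name, the outcome symbols and the attempt sequences are constructed for illustration.

```ruby
# Added example, not Metasploit's own code. Tracks connection errors the way the
# two options above describe: the scan stops when either limit is reached.
class ErrorLimitedScanner
  attr_reader :total_errors, :consecutive_errors

  def initialize(max_error_count:, max_consecutive_error_count:)
    @max_error_count = max_error_count
    @max_consecutive_error_count = max_consecutive_error_count
    @total_errors = 0
    @consecutive_errors = 0
  end

  # outcome is one of :success, :failed (wrong credentials) or :error
  # (connection error). Only :error counts against the limits; a non-error
  # attempt resets the consecutive counter but not the total.
  # Returns :continue or :give_up.
  def record(outcome)
    if outcome == :error
      @total_errors += 1
      @consecutive_errors += 1
    else
      @consecutive_errors = 0
    end
    return :give_up if @consecutive_errors >= @max_consecutive_error_count
    return :give_up if @total_errors >= @max_error_count
    :continue
  end
end

# Replays a constructed list of attempt outcomes against one target and returns
# the index of the attempt at which the scanner gave up, or nil if it finished.
def scan(outcomes, max_error_count:, max_consecutive_error_count:)
  scanner = ErrorLimitedScanner.new(
    max_error_count: max_error_count,
    max_consecutive_error_count: max_consecutive_error_count
  )
  outcomes.each_with_index do |outcome, i|
    return i if scanner.record(outcome) == :give_up
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Intermittent errors never form a run of three, but the total budget of five is hit.
  p scan(%i[error error failed error error failed error],
         max_error_count: 5, max_consecutive_error_count: 3)
end
```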

  • PR 17744 - The code for msfconsole has been updated so that performance profiling can also take into account the time it takes to load msfenv and console related libraries, thereby allowing for more accurate performance profiling.

  • PR 17745 - This updates the metasploit-payloads gem to pull in changes to the Python Meterpreter on Windows to add the route add and delete functionality as well as process information.

  • PR 17746 - The data/wordlists/password.lst password list has been updated to add the master password that LastPass suggests as an example when a user goes to create a new master password, r50$K28vaIFiYxaY, and to fix some encoding issues.

  • PR 17749 - Updates the auxiliary/admin/kerberos/keytab.rb module to additionally export any NT hashes, which can be useful for decrypting Kerberos network traffic in Wireshark.

  • PR 17756 - Updates secrets dump to generate the Kerberos RC4 key for the machine account.

  • PR 17757 - Updates the formatting logic for the info command to improve the readability of the module description. Previously, the module description was squashed into a single line; now each paragraph, bullet list, etc. is rendered on its own lines.

Fixed

  • Pro: Improved enforcement of SSL settings for globally configured SMTP.

  • PR 17562 - This fixes some incorrect Railgun definitions for the wldap32 Windows library.

  • PR 17673 - lib/msf/core/payload/apk.rb has been updated so that by default it only decompiles the main classes instead of all classes, fixing some issues whereby decompiling all classes would prevent creation of a backdoored APK. This also bumps up the minimum apktool version to 2.4.1 and makes it so that versions prior to 2.7.0 of apktool will throw a warning about being potentially out of date.

  • PR 17679 - This PR fixes the broken payload selection for Metasploit RPC.

  • PR 17696 - The version of Metasploit Payloads in use by Metasploit has been bumped, which brings in support for the getprivs and getdesktop commands to Python Meterpreters running on Windows, and also adds support for getting the handle of processes opened via the session. Additionally, fixes were made to support Python 2.5 and to fix the getdesktop output of Python Meterpreters.

  • PR 17697 - This updates the exploit/linux/http/froxlor_log_path_rce module to note that Froxlor 2.0.7 is the last vulnerable version.

  • PR 17700 - The argument validation for the route command has been reworked to improve the way it validates arguments and to print out more accurate error messages.

  • PR 17716 - A bug has been fixed whereby the reverse port forward information message was displayed incorrectly, and the same information was shown on both the local and remote parts of the message.

  • PR 17721 - This fixes an issue where payloads that were adapted failed when stage encoding was enabled because the stage encoding was based on the stager arch and platform values. These values were always the same until we introduced adapted payloads, which can vary.

  • PR 17723 - A bug has been fixed in the modules/encoders/php/base64.rb encoder whereby strings were being passed as literal strings without being properly quoted, which could result in errors on newer versions of PHP.

  • PR 17726 - The Metasploit Payloads gem has been updated bringing in initial support for attaching to processes on Python Meterpreter shells on Windows, a bug fix for the route command on newer versions of Windows on Windows Meterpreter, and a fix so that both C Meterpreter and Python Meterpreter sessions will attempt to enable the same set of permissions when running getprivs.

  • PR 17729 - Fixes an edge case crash when running Ruby 3.2.

  • PR 17738 - Fix Ruby 3.2 crash when running certain tools.

  • PR 17758 - The metasploit-payloads gem has been bumped to fix a token handle leak that was causing Python Meterpreters to leave dangling handles after using getprivs, fix an error in packet_transmit_http whereby error codes were not appropriately returned, and update the arp command to properly return the interface name instead of the index for the Interface column.

  • PR 17774 - A bug has been fixed when displaying the Metasploit banner due to use of an undefined function; this has been updated to use the proper function.

Modules

  • PR 17507 - A module has been added which exploits CVE-2023-22952, an RCE vulnerability in SugarCRM 11.0 Enterprise, Professional, Sell, Serve, and Ultimate versions prior to 11.0.5 and SugarCRM 12.0 Enterprise, Sell, and Serve versions prior to 12.0.2. Successful exploitation as an unauthenticated attacker will result in remote code execution as the user running the web services, which is typically www-data.

  • PR 17624 - This pull request adds an exploit module for an arbitrary file upload vulnerability in Oracle Web Applications Desktop Integrator, as shipped with Oracle E-Business Suite versions 12.2.3 through to 12.2.11, which results in remote code execution.

  • PR 17638 - This adds a module to execute code using Lucee's scheduled job functionality. The feature requires authentication by default and allows a ColdFusion page to be rendered, which is used to execute an OS command using the cfexecute directive. The module works on both Linux and Windows targets.

  • PR 17672 - This PR adds a post module that will disable ClamAV on Linux systems.

  • PR 17676 - This adds a login module for the Softing Secure Integration Server software.

  • PR 17733 - This adds a login scanner module to brute force credentials of Wowza Streaming Engine Manager.

  • PR 17737 - This adds a post module that collects Wowza Streaming Engine user credentials from the admin.password local configuration file. This file is world-readable by default on Linux and readable by BUILTIN\Users on Windows.
