Improved
Pro: We added validation on save of global SMTP configuration.
Pro: We added workspace level indicators for failed Task Chains that need user interaction to resume execution.
PR 17353 - Adds support for persisting pkcs12 credentials in Metasploit, i.e. .pfx/.p12 files. The auxiliary/admin/dcerpc/icpr_cert and auxiliary/admin/dcerpc/cve_2022_26923_certifried modules will now persist requested certificates for future exploitation. The creds command can also directly persist certificates, for example: creds add user:alice pkcs12:/path/to/certificate.pfx
PR 17502 - This PR adds SCTP sessions, which Metasploit Framework can utilize for session transports similarly to TCP, as SCTP is also a stream-oriented transport.
PR 17804 - Fixes the metadata for multiple modules which had invalid reference names, incorrect rankings, missing notes, etc. Additionally adds automation for verifying module metadata is correct.
PR 17809 - Adds caching to Ruby's load path logic to improve the bootup performance of msfconsole on startup, averaging 2-3 seconds faster boot time on the tested hardware.
PR 17820 - This PR fixes the nagiosxi authenticated modules to work even when autocheck is disabled, and refactors reusable code.
PR 17821 - This enables the import of Nuclei scan results using the db_import command. Both JSON and JSONL formats are supported.
PR 17862 - Updates msfvenom to require apktool version 2.7.0 or greater when attempting to modify Android apk files, as it includes security improvements and bug fixes.
PR 17884 - Adds database migration validation before attempting to run the test suite. Users who have not migrated their local test database will be notified of the steps required to resolve this issue.
PR 17892 - Adds additional documentation for the exploit/windows/misc/unified_remote_rce module.
Fixed
Pro: We added guards to ensure errors raised in a Bruteforce service attempt are logged and allow the task to complete for other scanners.
PR 17851 - N/A
PR 17864 - A bug has been fixed in auxiliary/admin/http/trendmicro_dlp_traversal and auxiliary/admin/http/tomcat_utf8_traversal whereby print_good was used when a file was missing instead of print_error.
PR 17867 - A bug has been fixed in the modules/auxiliary/scanner/http/surgenews_user_creds.rb module whereby the code did not properly check whether there were no users in the nwauth.add file prior to operating on it.
PR 17872 - Fixes a crash when modules relied on a hash-identifying method that wasn't always available. This method is now available as expected and modules will no longer crash.
PR 17873 - Updates the scanner/ftp/ftp_login module to ensure that opened connections are correctly closed after attempting to log in. Additionally fixes a bug where the user-set FTPTimeout option was being ignored; it is now honored.
PR 17882 - A bug has been fixed in the getsystem command whereby getsystem techniques 5 and 6 were crashing sessions on Windows 11 22H2. Additionally, Python Windows Meterpreter payloads have been updated to include memory lock/unlock abilities.
PR 17883 - Fixes a crash when running the modules/auxiliary/scanner/lotus/lotus_domino_hashes module while the database is not active.
PR 17888 - Fixes a crash when running the help setg command in msfconsole.
PR 17893 - Moves the documentation for the modules/exploit/linux/local/asan_suid_executable_priv_esc module to the correct location.
PR 17907 - Fixes a crash when running the exploits/linux/http/vmware_workspace_one_access_vmsa_2022_0011_chain.rb module.
PR 17909 - Fixes a Windows 7 Meterpreter crash when in debug mode.
Modules
PR 17711 - This module exploits a PHP code injection in SPIP. The vulnerability exists in the oubli parameter and allows an unauthenticated user to execute arbitrary commands with web user privileges.
PR 17832 - This adds two exploit modules that target UniData versions 8.2.4 (and earlier) on Linux. Due to a flaw in the udadmin service implementation, it is possible to get remote command execution as the root user. One module leverages a stack buffer overflow in a "password" field (CVE-2023-28502) and the other is an authentication bypass (CVE-2023-28503).
PR 17854 - This PR adds an exploit chaining CVE-2022-22956 and CVE-2022-22957 to gain code execution as the horizon user on VMware Workspace One Access. The first vulnerability, CVE-2022-22956, is an authentication bypass in the OAuth2TokenResourceController ACS which allows a remote, unauthenticated attacker to bypass the authentication mechanism and execute any operation. The second vulnerability, CVE-2022-22957, is a JDBC injection RCE in the DBConnectionCheckController class's dbCheck method, which allows an attacker to deserialize arbitrary Java objects, leading to remote code execution.
PR 17874 - This PR adds an exploit module targeting CVE-2022-22960, which allows the user to overwrite the permissions of the certproxyService.sh script so that it can be modified by the horizon user. This allows a local attacker with uid 1001 to escalate their privileges to root.