Improved
Pro: We added validation on save of global SMTP configuration.
Pro: We added workspace level indicators for failed Task Chains that need user interaction to resume execution.
PR 17353 - Adds support for persisting pkcs12 credentials in Metasploit, i.e.
.pfx/.p12files. Thetheauxiliary/admin/dcerpc/icpr_certandauxiliary/admin/dcerpc/cve_2022_26923_certifriedmodules will now persist requested certificates for future exploitation. Thecredscommand can also directly persist certificates - for example:creds add user:alice pkcs12:/path/to/certificate.pfx.PR 17502 - This PR adds SCTP sessions which Metasploit Framework can utilize for session transports similarly to TCP as it is a stream-wise transport.
PR 17804 - Fixes the metadata for multiple modules which had invalid reference names, incorrect rankings, missing notes, etc. Additionally adds automation for verifying module metadata is correct.
PR 17809 - Adds caching to Ruby's load path logic to improve the bootup performance of msfconsole on startup, averaging 2-3 seconds faster boot time on the tested hardware.
PR 17820 - This PR fixes the nagiosxi authenticated modules to work with even when autocheck is disabled as well as refactors reusable code.
PR 17821 - This enables the import of Nuclei scan results using the
db_importcommand. Both JSON and JSONL formats are supported.PR 17862 - Updates msfvenom to require apktools version 2.7.0 or greater when attempting to modify Android apk files, as it includes security improvements and bug fixes.
PR 17884 - Adds database migration validation before attempting to run the test suite. Users who have not migrated their local test database will be notified of the steps required to resolve this issue.
PR 17892 - Adds additional documentation for the
exploit/windows/misc/unified_remote_rcemodule.
Fixed
Pro: We added guards to ensure errors raised in a Bruteforce service attempt are logged and allow the task to complete for other scanners.
PR 17851 - N/A
PR 17864 - A bug has been fixed in
auxiliary/admin/http/trendmicro_dlp_traversalandauxiliary/admin/http/tomcat_utf8_traversalwherebyprint_goodwas used when a file was missing instead ofprint_error.PR 17867 - A bug has been fixed in the
modules/auxiliary/scanner/http/surgenews_user_creds.rbmodule whereby the code did not properly check if there were no users in thenwauth.addfile prior to proceeding to operate on it.PR 17872 - Fixes a crash when modules relied on a hash identifying method that wasn't always available. This method is now available as expected and modules will no longer crash.
PR 17873 - Updates the
scanner/ftp/ftp_loginmodule to ensure that opened connections are correctly closed after attempting to log in. Additionally fixes a bug were the user setFTPTimeoutoption was being ignored, this is now honored.PR 17882 - A bug has been fixed in the
getsystemcommand whereby getsystem techniques 5 and 6 were crashing sessions on Windows 11 22H2. Additionally Python Windows Meterpreter payloads have been updated to include memory lock/unlock abilities.PR 17883 - Fix crashes a crash when running the
modules/auxiliary/scanner/lotus/lotus_domino_hashesmodule and the database is not active.PR 17888 - Fixes a crash when running the
help setgcommand in msfconsole.PR 17893 - Updates the documentation for the
modules/exploit/linux/local/asan_suid_executable_priv_escmodule to be in the correct location.PR 17907 - Fixes a crash when running the
exploits/linux/http/vmware_workspace_one_access_vmsa_2022_0011_chain.rbmodule.PR 17909 - Fix Windows7 Meterpreter crash when in debug mode.
Modules
PR 17711 - This module exploits a PHP code injection in SPIP. The vulnerability exists in the oubli parameter and allows an unauthenticated user to execute arbitrary commands with web user privileges.
PR 17832 - This adds two exploit modules that target UniData versions 8.2.4 (and earlier) on linux. Due to a flaw in the udadmin service implementation, it is possible to get remote command execution as the root user. One module leverages a stack buffer overflow in a "password" field (CVE-2023-28502) and the other is an authentication bypass (CVE-2023-28503).
PR 17854 - This PR adds an exploit chaining CVE-2022-22956 and CVE-2022-22957 to gain code execution as the
horizonuser on VMWare Workspace One Access.The first vulnerability, CVE-2022-22956, is an authentication bypass in OAuth2TokenResourceController ACS which allows a remote, unauthenticated attacker to bypass the authentication mechanism and execute any operation. The second vulnerability, CVE-2022-22957, is a JDBC injection RCE specifically in the DBConnectionCheckController class's dbCheck method which allows an attacker to deserialize arbitrary Java objects which can allow remote code execution.PR 17874 - This PR adds an exploit module targeting CVE-2022-22960, which allows the user to overwrite the permissions of the certproxyService.sh script so that it can be modified by the horizon user. This allows a local attacker with the uid 1001 to escalate their privileges to root access.