May 09, 2023
4.22.0-2023050901

Improved

  • PR 16390 - Two new libraries, Rex::Proto::DNS::CachedResolver and Rex::Proto::DNS::Cache, have been added to extend the functionality of Rex::Proto::DNS::Resolver. They add the ability for users to cache DNS responses, specify the name server they would like to use when resolving DNS names, and load and cache existing DNS entries from their hosts file.
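As an added illustration of the cache-first behaviour described above (this is not the Rex::Proto::DNS code itself), a small Ruby resolver that loads hosts-file entries as non-expiring records, caches upstream answers with a TTL, and lets the caller pin a name server. The class name, the `resolver:` injection point and the hosts-file text are assumptions made for the example.

```ruby
require 'resolv'

# Hypothetical cache-first resolver; not the Rex::Proto::DNS classes.
class HostsAwareCache
  Entry = Struct.new(:addresses, :expires_at)

  # nameserver: optional upstream to pin (Resolv::DNS accepts a list);
  # resolver:   anything responding to getaddresses(name), for testing.
  def initialize(nameserver: nil, default_ttl: 300, resolver: nil)
    @cache = {}
    @default_ttl = default_ttl
    @resolver = resolver ||
                (nameserver ? Resolv::DNS.new(nameserver: [nameserver]) : Resolv::DNS.new)
  end

  # Parse hosts-file lines ("addr name [alias ...]", '#' comments).
  # Static entries get a nil expiry and are never re-queried.
  def load_hosts(text)
    text.each_line do |line|
      fields = line.sub(/#.*/, '').split
      next if fields.size < 2
      addr, *names = fields
      names.each do |n|
        entry = (@cache[n.downcase] ||= Entry.new([], nil))
        entry.addresses |= [addr]
      end
    end
    self
  end

  # Serve from cache while fresh; otherwise ask upstream and cache with TTL.
  # Returns an array of address strings ([] when the name is unknown).
  def resolve(name)
    key = name.downcase
    entry = @cache[key]
    return entry.addresses if entry && (entry.expires_at.nil? || entry.expires_at > Time.now)
    addrs = @resolver.getaddresses(key).map(&:to_s)
    @cache[key] = Entry.new(addrs, Time.now + @default_ttl) unless addrs.empty?
    addrs
  rescue Resolv::ResolvError
    []
  end

  def cached?(name)
    @cache.key?(name.downcase)
  end
end
```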

  • PR 17857 - This adds T3S support for the weblogic_deserialize_rawobject, weblogic_deserialize_marshalledobject, and weblogic_deserialize_badattr_extcomp exploit modules.

  • PR 17921 - This adds documentation for the module post/windows/gather/resolve_sid.

  • PR 17941 - Updates the exploits/linux/misc/zyxel_multiple_devices_zhttp_lan_rce module with CVE identifier CVE-2023-28769.

  • PR 17963 - Updates auxiliary/scanner/nfs/nfsmount to include a reference to CVE-1999-0554, which relates to finding sensitive files on an NFS mount.

Fixed

  • Pro: We restored the ability to load large Network Topology maps provided the user accepts the possible performance impacts.

  • PR 17910 - Fixes false positives in the auxiliary/scanner/couchdb/couchdb_login module which incorrectly reported successful user authentication when connection timeouts occurred.

  • PR 17911 - Updates the validation for missing datastore values to produce a warning instead of an error. This fixes an edge case where setting options on multi/handler without having first set a payload would fail.

  • PR 17912 - Fixes a MinGW issue in the Meterpreter stdapi extension. The stdapi extension was using free() instead of FreeMibTable() to free memory allocated by GetIpForwardTable2(), which led to a crash when compiled with MinGW.

  • PR 17913 - Fixes a crash when running local exploit suggester against older Windows targets.

  • PR 17914 - This fixes an issue where paths with trailing backslashes would wait for more input when passed to directory?(), because the trailing backslash escaped the closing " in the command used to test for the existence of the path.

  • PR 17926 - This fixes an issue with a railgun function definition that caused the post/windows/gather/resolve_sid module to fail on 64-bit systems. When the module failed, the session was lost.

  • PR 17944 - A new release of metasploit-payloads is out which adds long-awaited WOW64 support for hashdump, fixes an issue with building payloads using MinGW, and adds memory read/write abilities to the Windows version of Python Meterpreter.

  • PR 17947 - Updates exploits/osx/local/feedback_assistant_root.rb to no longer assume that an OSX version of nil/zero is vulnerable, which may occur when running against non-OSX systems.

Modules

  • PR 17856 - This adds two modules; an RCE exploit for CVE-2023-26360 (Adobe ColdFusion) and an auxiliary gather module for the same vulnerability that can be leveraged to read arbitrary files. ColdFusion 2021 Update 5 and earlier as well as ColdFusion 2018 Update 15 and earlier are affected.

  • PR 17895 - This adds a scanner that pulls user and config information from Joomla installations that permit access to endpoints containing sensitive information. This affects versions 4.0.0 through 4.2.7 inclusive.

  • PR 17915 - A new module has been added in for CVE-2022-24716, an unauthenticated arbitrary file read in Icinga Web 2 versions 2.9.0 to 2.9.5 inclusive, and 2.8.0 to 2.8.5 inclusive that can be used to leak sensitive configuration information from a target server.
