May 22, 2023 (4.22.1-2023052201)

Improved

  • Pro: We have updated the Java VM used for reporting to maintain a strong security posture.

  • PR 17060 - Updates the HTTP scanner modules with the functionality to log both HTTP requests and responses. This functionality can be enabled with set HTTPTrace true. This functionality is useful for debugging modules. In scenarios where the traffic is encrypted, for instance with WinRM, the logged values will be unencrypted.

  • PR 17807 - Adds documentation for Metasploit's folder structure, so that those unfamiliar with Metasploit can quickly get up to speed and understand where files might be located or where to place new files when developing content for Metasploit.

  • PR 17972 - Updates the example modules to align with the latest Metasploit framework module conventions.

  • PR 17985 - Fixes a typo in the post/windows/manage/sticky_keys module.

  • PR 17990 - Adds AutoCheck functionality and notes metadata to exploits/aix/local/ibstat_path.

  • PR 17991 - A default configuration file has been added for Solargraph (https://solargraph.org/), a language server that gives VS Code users, and users of other editors without a built-in language server, IntelliSense, inline documentation, and code completion for Metasploit's code. VS Code users are encouraged to install the Solargraph plugin from https://marketplace.visualstudio.com/items?itemName=castwide.solargraph to take advantage of this change.

Fixed

  • PR 17967 - Fixes Ruby 3.1 crashes and resource leaks when garbage collecting Meterpreter resources.

  • PR 17968 - Fixes a bug where Certificate Templates were not identified as vulnerable when an ACE granted enrollment rights but was not tied to any object type. The logic now ignores only those ACEs that are tied to an object type which is neither the CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT right nor the CERTIFICATE_AUTOENROLLMENT_EXTENDED_RIGHT right.

  • PR 17980 - Fixes the file system path check used by PowerShell sessions.

  • PR 18005 - Fixes a crash when running a module through a SOCKS4a proxy.

  • PR 18006 - This PR fixes an error when msfconsole opens browser links without a display present.
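To make the PR 17968 fix concrete, here is an added Ruby example (not Metasploit's own code) that models both the old and the corrected ACE filter over a constructed template ACL. The ACE structure, the access-mask check and the sample SIDs and unrelated GUID are assumptions for this example; the two extended-right GUIDs are the well-known AD schema values.

```ruby
# Added example (not Metasploit's own code): models the ACE-filtering change described
# for PR 17968 so the old and new behaviour can be compared on a constructed ACL.

# Well-known AD extended-right GUIDs for certificate enrollment.
CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT     = '0e10c968-78fb-11d2-90d4-00c04f79dc55'
CERTIFICATE_AUTOENROLLMENT_EXTENDED_RIGHT = 'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
ENROLLMENT_RIGHTS = [CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT,
                     CERTIFICATE_AUTOENROLLMENT_EXTENDED_RIGHT].freeze

# ADS_RIGHT_DS_CONTROL_ACCESS: the access-mask bit that extended rights are gated on.
CONTROL_ACCESS = 0x100

# Minimal ACE model (constructed for this example). object_type is nil for a plain
# ACCESS_ALLOWED_ACE, which is not scoped to one right and therefore applies to all of them.
Ace = Struct.new(:sid, :mask, :object_type, keyword_init: true)

# Old behaviour: keep only ACEs whose object type is one of the two enrollment rights.
# An untyped ACE grants enrollment too, but is wrongly dropped here.
def enrollment_sids_old(aces)
  aces.select { |ace|
    (ace.mask & CONTROL_ACCESS) != 0 && ENROLLMENT_RIGHTS.include?(ace.object_type)
  }.map(&:sid)
end

# Fixed behaviour: ignore an ACE only when it is scoped to an object type that is neither
# enrollment right. Untyped ACEs are kept, so the template is now flagged correctly.
def enrollment_sids_new(aces)
  aces.select { |ace|
    next false if (ace.mask & CONTROL_ACCESS).zero?
    ace.object_type.nil? || ENROLLMENT_RIGHTS.include?(ace.object_type)
  }.map(&:sid)
end

# Constructed ACL for one template: an untyped allow for Domain Users (RID 513), a typed
# enrollment allow for Domain Admins (RID 512), and an ACE typed to an unrelated (placeholder) GUID.
DOMAIN = 'S-1-5-21-1111111111-2222222222-3333333333'
SAMPLE_ACES = [
  Ace.new(sid: "#{DOMAIN}-513",  mask: 0x100, object_type: nil),
  Ace.new(sid: "#{DOMAIN}-512",  mask: 0x100, object_type: CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT),
  Ace.new(sid: "#{DOMAIN}-1105", mask: 0x100, object_type: '00000000-0000-0000-0000-000000000000')
].freeze

if $PROGRAM_NAME == __FILE__
  puts "old filter: #{enrollment_sids_old(SAMPLE_ACES).inspect}"
  puts "new filter: #{enrollment_sids_new(SAMPLE_ACES).inspect}"
end
```

With the old filter only Domain Admins is reported as able to enroll; the corrected filter also reports Domain Users, which is the over-permissive grant an auditor needs to see.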

Modules

  • PR 17133 - A new exploit module has been added which gains authenticated RCE on ManageEngine AdAudit builds 7005 and prior by creating a custom alert profile and leveraging the custom alert script component. On builds 7004 and later, CVE-2021-42847 is utilized to gain RCE via an arbitrary file write to create the necessary script for the alert profile.

  • PR 17782 - This adds a set of command payloads that facilitate fetching and executing a payload file from Metasploit.

  • PR 17881 - This adds a new exploit module that leverages multiple vulnerabilities in the zhttpd and zcmd binaries, present on more than 40 Zyxel routers and CPE devices, to achieve remote code execution as the supervisor user. It chains a local file disclosure vulnerability, which allows an unauthenticated attacker to read the configuration file, with a weak password derivation algorithm vulnerability.

  • PR 17964 - A new module has been added which exploits Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x. To do this it first exploits CVE-2022-43939 to bypass authentication before then using CVE-2022-43769, a Server Side Template Injection (SSTI) vulnerability, to achieve unauthenticated code execution as the user running the Pentaho Business Analytics Server.

  • PR 17979 - An exploit has been added for CVE-2023-28128, an authenticated file upload vulnerability in versions below v6.4.0.186 of Ivanti Avalanche that allows authenticated administrators to change the default path to the web root of the application, upload a JSP file, and achieve RCE as NT AUTHORITY\SYSTEM. This occurs because Ivanti Avalanche does not properly validate MS-DOS style short names in the configuration path.

  • PR 17993 - A new module has been added which leverages a command injection vulnerability in the setuid invscout utility on AIX 7.2 and prior to achieve effective-UID root privileges.
