Jun 23, 2023
4.22.1-2023062301

Improved

  • Pro: We added support for submitting ad hoc Nexpose/InsightVM connection dialogs with the Enter key upon completion and improved the error reporting for this dialog.

  • PR 17336 - This PR adds new code to simplify and standardize Windows version checking and comparisons.

  • PR 17781 - Adds support for module writers to supply a custom include_dirs array when using the MinGW library to compile payloads.

  • PR 17868 - The ms15_034_http_sys_memory_dump.rb module has been updated to improve its handling of the check_host function so that the information about target exploitability is more accurate.

  • PR 17942 - The script generated by the web_delivery module is blocked by the Antimalware Scan Interface (AMSI) on newer versions of Windows. This PR includes an enhancement that allows the web_delivery module to bypass AMSI.

  • PR 17955 - Reduces the size of PHP payloads such as php/reverse_php.

  • PR 18050 - Adds a new post/test/all module which will run all available post/test modules against the open session.

  • PR 18062 - A new mixin has been added to support detecting the architecture of the host OS on Windows systems. Support for other OSes will be added at a later date.

  • PR 18064 - The grafana_plugin_traversal module has been updated to support beta and pre-release versions of Grafana.

  • PR 18066 - The archer_c7_traversal module has been converted to a gather module and updated to include a check method so that users can appropriately check if a target is an Archer router or not.

  • PR 18069 - This updates the LDAP server library to handle unbind requests.

  • PR 18078 - This adds support to the auxiliary/admin/dcerpc/icpr_cert module to issue certificates for an explicit SID by specifying it within the NTDS_CA_SECURITY_EXT. This addition ensures that ESC1 will remain exploitable when issuing certificates with an SID becomes a requirement.

  • PR 18089 - Adds support for the masm output format when generating payloads.

  • PR 18106 - This PR updates Meterpreter's setg SessionTLVLogging true support so that it no longer truncates useful values such as payload UUIDs, file paths, and executed commands.

  • PR 18109 - Update test post modules to always have a clean, writable, and consistent test file system directory when running modules under the loadpath test/modules directory.

  • PR 18110 - When running test modules that have been loaded by loadpath test/modules, any verbose printing logic generated will now be prefixed by the current test that is being run.

  • PR 18115 - This PR updates unknown Windows errors on Python Meterpreter to include the original error code.

  • PR 18117 - This adds Windows 10 revision number extraction to the Windows version Post API.

  • PR 18118 - This PR updates the User Agent strings for June 2023.

  • PR 18119 - This adds support for running only user-specified test names in modules loaded by running loadpath test/modules.

  • PR 18126 - This PR adds additional logging to the test/file module. This module is useful for developers contributing enhancements or new functionality to Meterpreter and other payloads. It is available after running loadpath test/modules.

  • PR 18127 - This PR adds additional test/railgun_reverse_lookup tests for macOS and Linux.

Payload Enhancements

  • PR 18057 - The Metasploit Payloads gem has been bumped, bringing in several changes, such as the ability to change memory protections and query process memory on Python Meterpreter on Windows. Additionally, documentation on how to build and run the Java Meterpreter on a Mac has been updated, along with our README file, and some bugs were fixed.

Fixed

  • Pro: Fixed an issue with URLs on the web vulnerabilities index view.

  • Pro: We improved scaling support for exploring related modules in projects with large asset and vulnerability counts.

  • PR 17576 - This fixes a bug where adding tags to and deleting tags from multiple hosts was not functioning correctly.

  • PR 17917 - Two bugs have been fixed in post/multi/manage/shell_to_meterpreter: one was caused by a lack of validation of the payload supplied via the PAYLOAD_OVERRIDE option, and one was caused by the module creating a handler but failing to pass the RHOST information along, causing the handler to run with an invalid configuration.

  • PR 18040 - This fixes a Python payload issue on Windows, where the payload failed because bytes arguments are not allowed on Windows.

  • PR 18049 - This PR updates Jenkins modules to work with newer versions. Previously they fell over with a CSRF failure and gave a false negative result.

  • PR 18051 - Adds additional skip calls to the test/post modules to ensure that only relevant test expectations are run against the specified session without crashes.

  • PR 18054 - This PR fixes the issue where an ArgumentError was thrown on the FETCH_SRVHOST option when running the info command when using a fetch payload.

  • PR 18055 - This updates the post/multi/gather/aws_keys module to mark the platforms it is compatible with.

  • PR 18056 - A bug has been fixed whereby command stager progress could exceed 100%; command stager progress should now never go over 100%.

  • PR 18068 - Fixes a bug that caused multi/manage/shell_to_meterpreter to not break when win_transfer=VBS was set.

  • PR 18074 - A typo has been fixed in the exploits/multi/http/gitlab_github_import_rce_cve_2022_2992 module that prevented proper exception handling from occurring, and additional YARD documentation has been added for some related functions that were missing appropriate documentation on the exceptions they might throw.

  • PR 18076 - This fixes a bug in the Windows Meterpreter's memory free API.

  • PR 18083 - A bug has been fixed in the stdapi extension of Meterpreter when calling the stdapi_sys_process_memory_free command. The command incorrectly handled memory, leading to a double free condition that would crash Meterpreter.

  • PR 18090 - The auxiliary/admin/kerberos/keytab EXPORT action will now consistently order exported entries.

  • PR 18094 - Fixes an edge case with windows/meterpreter/reverse_tcp where there was a small chance of an invalid stager being created.

  • PR 18097 - This PR prevents Python Meterpreter sessions from crashing when extracting macOS network configuration via the route or ipconfig commands.

  • PR 18098 - Fixes rex-text crashes when running Ruby 3.3.

  • PR 18099 - This PR fixes Python Meterpreter subprocess deadlock and file descriptor leak caused by the stdout/stderr file descriptors not being closed.

  • PR 18101 - This PR fixes a Python Meterpreter macOS route command crash that occurred when ifconfig reported a gateway name as a MAC address separated by dots.

  • PR 18102 - This PR fixes false negatives when checking whether files exist on Windows Python Meterpreter.

  • PR 18104 - This PR fixes the issue that falsely caused empty file reads on Meterpreter.

  • PR 18105 - Fixes a bug when running the time command in msfconsole with complex commands.

  • PR 18108 - Updates the test/services module to more consistently pass. This module is useful for developers contributing enhancements or new functionality to Meterpreter and other payloads. It is available after running loadpath test/modules.

  • PR 18111 - This PR fixes an uninitialized constant error when Meterpreter registry key reads time out.

  • PR 18112 - This PR fixes a symlink test bug when running Python Meterpreter on Windows.

  • PR 18124 - Fixes the broken test/extapi module, which had issues returning clipboard data pertaining to the session being tested. This module is useful for developers contributing enhancements or new functionality to Meterpreter and other payloads. It is available after running loadpath test/modules.

  • PR 18132 - This PR reverts the changes from #17942, which improved the AMSI bypass on new versions of Windows. PR #17942 broke psexec, so this PR reverts it.

Modules

  • PR 17670 - Adds a new rpyc_rce module to exploit CVE-2019-16328 and achieve remote command execution as the vulnerable server's service user.

  • PR 17936 - This adds an exploit module that leverages an authentication bypass to get remote code execution on PaperCut NG version 8.0.0 to 19.2.7 (inclusive), version 20.0.0 to 20.1.6 (inclusive), version 21.0.0 to 21.2.10 (inclusive) and version 22.0.0 to 22.0.8 (inclusive). This vulnerability is identified as CVE-2023-27350. Due to improper access control in the SetupCompleted class, it is possible to bypass authentication and abuse the built-in scripting functionality for printers to obtain code execution as the SYSTEM user on Windows and the less privileged papercut user on Linux.

  • PR 17946 - This adds an exploit for CVE-2023-21839 which is an unauthenticated RCE in Oracle Weblogic. Successful exploitation results in remote code execution as the oracle user.

  • PR 18002 - This adds a command payload module that creates a new privileged user on a *nix target system.

  • PR 18016 - This adds an exploit for CVE-2023-28771, a remote, unauthenticated OS command injection in the IKE service of several Zyxel devices. Successful exploitation results in remote command execution as the root user.

  • PR 18018 - This adds an exploit module for CVE-2023-29084 which is an authenticated RCE in Zoho ManageEngine ADManager Plus. A remote attacker can leverage this vulnerability to execute OS commands by crafting a request to update the server's configuration. The modified configuration's value is restored by the exploit once it is completed. This exploit is incompatible with HTTP payloads due to the exploit modifying the HTTP proxy configuration of the server during exploitation.

  • PR 18022 - This adds the post/windows/manage/make_token module which is capable of creating new tokens from known credentials and then setting them in a running instance of Meterpreter, which can allow that session to access resources it might not have previously been able to access.

  • PR 18039 - This adds an exploit that leverages an authenticated arbitrary file read on Github 16.0.0. This vulnerability is identified as CVE-2023-2825.

  • PR 18044 - Adds MIPS64 Linux fetch payloads.

  • PR 18063 - This adds an exploit for TerraMaster NAS devices running TOS 4.x versions. The logic in include/makecvs.php permits shell metacharacters through the Event parameter in a GET request, permitting the upload of a webshell without authentication. Through this, an attacker can achieve remote code execution as the user running the TOS web interface.

  • PR 18070 - This exploits a series of vulnerabilities including session crafting and command injection in TerraMaster NAS versions 4.2.15 and below to achieve unauthenticated RCE as the root user.

  • PR 18072 - A module has been added for CVE-2023-1133, an unauthenticated .NET deserialization vulnerability in Delta Electronics InfraSuite Device Master versions below v1.0.5 in the ParseUDPPacket() method of the 'Device-Gateway-Status' process. Successful exploitation leads to unauthenticated code execution as the user running the 'Device-Gateway-Status' process.

  • PR 18075 - This PR adds a version scanner for Apache RocketMQ.

  • PR 18077 - This adds an exploit for Symmetricom SyncServer appliances (S100-S300 series) vulnerable to an unauthenticated command injection in the hostname parameter in a request to the /controller/ping.php endpoint. The command injection vulnerability is patched in the S650 v2.2. Requesting the endpoint will result in a redirect to the login page; however, the command will still be executed, resulting in RCE as the root user.

  • PR 18086 - This exploits an administrative password leak and command injection vulnerability on TerraMaster devices running TerraMaster Operating System (TOS) versions 4.2.29 and below to achieve unauthenticated RCE as the root user.

  • PR 18100 - Adds a new module targeting the MOVEit Transfer web application that allows an unauthenticated attacker to gain access to MOVEit Transfer’s database.

Offline Update

Metasploit Framework and Pro Installers