Improved
Pro: We added support for adhoc Nexpose/InsightVM connection dialogs to be submitted upon completion using the
Enterkey and improved the error reporting for this dialog.PR 17336 - This PR adds new code to simplify and standardize windows version checking and comparisons.
PR 17781 - Adds support for module writers to supply a custom
include_dirsarray when using the MinGW library to compile payloads.PR 17868 - The
ms15_034_http_sys_memory_dump.rbmodule has been updated to improve its handling of thecheck_hostfunction so that the information about target exploitability is more accurate.PR 17942 - The script generated by the web_delivery module is blocked by the Antimalware Scan Interface (AMSI) on newer versions of windows. This PR includes an enhancement which allows the web_delivery module to bypass AMSI.
PR 17955 - Reduces the size of PHP payloads such as
php/reverse_php.PR 18050 - Adds a new post/test/all module which will run all available post/test modules against the open session.
PR 18062 - A new mixin has been added to support detecting the architecture of the host OS on Windows systems. Support for other OSes will be added at a later date.
PR 18064 - The
grafana_plugin_traversalmodule has been updated to support beta and pre-release versions of Grafana.PR 18066 - The archer_c7_traversal module has been converted to a gather module and updated to include a
checkmethod so that users can appropriately check if a target is an Archer router or not.PR 18069 - This updates the LDAP server library to handle unbind requests.
PR 18078 - This adds support to the
auxiliary/admin/dcerpc/icpr_certmodule to issue certificates for an explicit SID by specifying it within theNTDS_CA_SECURITY_EXT. This addition ensures that ESC1 will remain exploitable when issuing certificates with an SID becomes a requirement.PR 18089 - Adds supports for masm output format when generating payloads.
PR 18106 - This PR updates Meterpreter's
setg SessionTLVLogging truesupport to no longer truncate useful values such as payload UUIDs, file paths, executed commands etc.PR 18109 - Update test post modules to always have a clean, writable, and consistent test file system directory when running modules under the loadpath test/modules directory.
PR 18110 - When running test modules that have been loaded by loadpath test/modules, any verbose printing logic generated will now be prefixed by the current test that is being run.
PR 18115 - This PR updates unknown windows errors on python meterpreter to include original error code.
PR 18117 - This adds Windows 10 revision number extraction to the Windows version Post API.
PR 18118 - This PR updates the User Agent strings for June 2023.
PR 18119 - This adds support for only running user specified test names in modules loaded by running
loadpath test/modules.PR 18126 - This PR adds additional logging to the
test/filemodule. This module is useful for developers contributing enhancements or new functionality to Meterpreter and other payloads. It is available after runningloadpath test/modules.PR 18127 - This PR adds additional
test/railgun_reverse_lookuptests for macOS and Linux.
Payload Enhancements
- PR 18057 - The Metasploit Payloads gem has been bumped, bringing in several changes, such as the ability to change memory protections and query process memory on Python Meterpreter on Windows. Additionally, documentation on how to build and run the Java Meterpreter on a Mac has been updated, along with our README file, and some bugs were fixed.
Fixed
Pro: Fixed issue with urls on web vulnerabilities index view.
Pro: We improved scaling support for exploring related modules in projects with large asset and vulnerability counts.
PR 17576 - This fixes a bug where adding and deleting tags to multiple hosts was not functioning correctly.
PR 17917 - Two bugs have been fixed in
post/multi/manage/shell_to_meterpreter: one was caused by a lack of validation on the payload being used when using thePAYLOAD_OVERRIDEoption to ensure the payload was valid, and one was caused by the module creating a handler but failing to pass the RHOST information along, causing the handler to run with an invalid configuration.PR 18040 - This fixes a Python's payload issue with Windows where it was failing due to
bytes args is not allowed on Windows.PR 18049 - This PR updates Jenkins modules to work with newer versions. Previously they fell over with a CSRF failure and gave a false negative result.
PR 18051 - Adds additional skip calls to the test/post modules to ensure that only relevant test expectations are run against the specified session without crashes.
PR 18054 - This PR fixes the issue where an ArgumentError was thrown on the FETCH_SRVHOST option when running the info command when using a fetch payload.
PR 18055 - This updates the
post/multi/gather/aws_keysmodule to mark the platforms it is compatible with.PR 18056 - A bug has been fixed whereby command stager progress could go over 100%. This has now been fixed so that command stager progress should never go over 100%.
PR 18068 - Fixes a bug that caused
multi/manage/shell_to_meterpreterto not break whenwin_transfer=VBSwas set.PR 18074 - A typo has been fixed in the
exploits/multi/http/gitlab_github_import_rce_cve_2022_2992module that prevent proper exception handling from occurring, and additional YARD documentation has been added for some related functions that were missing appropriate documentation on the exceptions they might throw.PR 18076 - This fixes a bug in the Windows Meterpreter's memory free API.
PR 18083 - A bug has been fixed in the stdapi extension of Meterpreter when calling the
stdapi_sys_process_memory_freecommand. This incorrectly handled memory, leading to a double free condition, which would crash Meterpreter. This has since been fixed.PR 18090 - The
auxiliary/admin/kerberos/keytabEXPORTaction will now consistently order exported entries.PR 18094 - Fixes an edgecase with
windows/meterpreter/reverse_tcpwhere there was a small chance of an invalid stager being created.PR 18097 - This PR fixes Python Meterpreter sessions from crashing when extracting macOS network configuration when using the
routeoripconfigcommands.PR 18098 - Fix rex-text crashes when running ruby 3.3.
PR 18099 - This PR fixes Python Meterpreter subprocess deadlock and file descriptor leak caused by the stdout/stderr file descriptors not being closed.
PR 18101 - This PR fixes a Python Meterpreter macOS route command crash when
ifconfighas a gateway name as a mac address separated by dots.PR 18102 - This PR adds a fix for false negatives on files not existing on windows python meterpreter.
PR 18104 - This PR fixes the issue that falsely caused empty file reads on Meterpreter.
PR 18105 - Fix bug when running the time command in msfconsole with complex commands.
PR 18108 - Updates the
test/servicesmodule to more consistently pass. This module is useful for developers contributing enhancements or new functionality to Meterpreter and other payloads. It is available after runningloadpath test/modules.PR 18111 - This PR fixes an initialised constant error when meterpreter registry key reads timeout.
PR 18112 - This PR fixes a symlink test bug when running python meterpreter on windows.
PR 18124 - Fixes the broken
test/extapimodule. The module was facing issues returning clipboard data that pertained to the session being tested, this issue has been resolved. This module is useful for developers contributing enhancements or new functionality to Meterpreter and other payloads. It is available after runningloadpath test/modules.PR 18132 - This PR reverts the changes from #17942 which was an improvement to AMSI bypass on new versions of windows. PR #17942 broke psexec and this PR reverts that issue.
Modules
PR 17670 - Adds a new
rpyc_rcemodule to exploit CVE-2019-16328 and achieve remote command executionas the vulnerable server’s service user.PR 17936 - This adds an exploit module that leverages an authentication bypass to get remote code execution on PaperCut NG version 8.0.0 to 19.2.7 (inclusive), version 20.0.0 to 20.1.6 (inclusive), version 21.0.0 to 21.2.10 (inclusive) and version 22.0.0 to 22.0.8 (inclusive). This vulnerability is identified as CVE-2023-27350. Due to an improper access control in the
SetupCompletedclass, it is possible to bypass authentication and abuse the built-in scripting functionality for printers to obtain code execution as the SYSTEM user on Windows and the less privilegedpapercutuser on Linux.PR 17946 - This adds an exploit for CVE-2023-21839 which is an unauthenticated RCE in Oracle Weblogic. Successful exploitation results in remote code execution as the
oracleuser.PR 18002 - This adds a command payload module that creates a new privileged user on a *nix target system.
PR 18016 - This adds an exploit for CVE-2023-28771 which is a remote, unauthenticated OS command injection in IKE service of several Zyxel devices. Successful exploitation results in remote command execution as the
rootuser.PR 18018 - This adds an exploit module for CVE-2023-29084 which is an authenticated RCE in Zoho ManageEngine ADManager Plus. A remote attacker can leverage this vulnerability to execute OS commands by crafting a request to update the server's configuration. The modified configuration's value is restored by the exploit once it is completed. This exploit is incompatible with HTTP payloads due to the exploit modifying the HTTP proxy configuration of the server during exploitation.
PR 18022 - This adds the
post/windows/manage/make_tokenmodule which is capable of creating new tokens from known credentials and then setting them in a running instance of Meterpreter, which can allow that session to access resources it might not have previously been able to access.PR 18039 - This adds an exploit leverages an authenticated arbitrary file read on Github 16.0.0. This vulnerability is identified as CVE-2023-2825.
PR 18044 - Add MIPS64 Linux Fetch Payloads.
PR 18063 - This adds an exploit for TerraMaster NAS devices running TOS 4.x versions. The logic in
include/makecvs.phppermits shell metacharacters through theEventparameter in a GET request, permitting the upload of a webshell without authentication. Through this, an attacker can achieve remote code execution as the user running the TOS web interface.PR 18070 - This exploits a series of vulnerabilities including session crafting and command injection in TerraMaster NAS versions
4.2.15and below to achieve unauthenticated RCE as therootuser.PR 18072 - A module has been added for CVE-2023-1133, an unauthenticated .NET deserialization vulnerability in Delta Electronics InfraSuite Device Master versions below v1.0.5 in the
ParseUDPPacket()method of the 'Device-Gateway-Status' process. Successful exploitation leads to unauthenticated code execution as the user running the 'Device-Gateway-Status' process.PR 18075 - This PR adds a version scanner for Apache RocketMQ.
PR 18077 - This adds an exploit for Symmetricom SyncServer appliances (S100-S300 series) vulnerable to an unauthenticated command injection in the
hostnameparameter in a request to the/controller/ping.phpendpoint. The command injection vulnerability is patched in the S650 v2.2. Requesting the endpoint will result in a redirect to the login page; however, the command will still be executed, resulting in RCE as therootuser.PR 18086 - This exploits an administrative password leak and command injection vulnerability on TerraMaster devices running TerraMaster Operating System (TOS) versions
4.2.29and below to achieve unauthenticated RCE as therootuser.PR 18100 - Adds a new module targeting the MOVEit Transfer web application that allows an unauthenticated attacker to gain access to MOVEit Transfer’s database.