Oct 04, 2023
4.22.2-2023092901

Improved

  • PR 17474 - Adds Windows 11 21H1 support to the Capcom.sys driver LPE module.

  • PR 18179 - Improves the Windows checkvm post module by adding new techniques to identify the hypervisor in which the session is running.

  • PR 18190 - Improves the Linux checkvm post module by adding new techniques to identify the hypervisor in which the session is running.

  • PR 18191 - Adds support for detecting whether a Metasploit session is running in a Podman container and improves detection for sessions running in Docker, LXC and WSL containers.

  • PR 18214 - Makes two improvements to the fetch payloads. First, the FETCH_SRVHOST option now defaults to the value of LHOST when LHOST is set and FETCH_SRVHOST is not, so there is one less option to set when using a payload with a reverse stager. Second, the default command for the Windows HTTP payload has been changed from CURL to CERTUTIL, which is available on older versions of Windows that lack CURL. The HTTPS and TFTP payloads still default to CURL.

  • PR 18231 - Adds index selection for the modules returned via the favorites (or show favorites) command.

  • PR 18244 - Adds tests to ensure the consistency of Metasploit payloads.

  • PR 18262 - Adds ability to select favorite modules with the use command after running show favorites, similar to the search command.

  • PR 18270 - Improves tab completion for the set and unset commands.

  • PR 18274 - Updates the documentation for the exploits/solaris/ssh/pam_username_bof module (CVE-2020-14871).

  • PR 18276 - Updates all PostgreSQL modules to now support a newer form of authentication (SASL-SCRAM-256) that pentesters are now more frequently seeing in the wild. This includes the modules for PostgreSQL authentication brute force, version fingerprinting, running queries, etc.

  • PR 18288 - Adds stability enhancements to Meterpreter payloads. Additionally, this adds a large suite of automated sanity tests to GitHub Actions that verify the OSX/Windows/Linux/Python/Java/PHP Meterpreter payloads work.

  • PR 18294 - Improves error messages when failing to interact with a network interface such as calling set LHOST=.

  • PR 18307 - Fixes documentation typos with the exploit/multi/http/subrion_cms_file_upload_rce module.

  • PR 18308 - Improves the readability of documentation/modules/exploit/windows/http/smartermail_rce.

  • PR 18309 - Updates the ldap_query module to stream the results instead of collecting them all at once, improving the user experience when using the module in large target environments with thousands of accounts.

  • PR 18310 - Updates the Elasticsearch auxiliary module. It has been renamed to elastic_enum, accepts credentials, and will store data to disk that is pulled from the target.

  • PR 18327 - Fixes an issue where specifying a TLS version in the ssl_version module would result in a NoMethodError.

  • PR 18358 - Adds a new ThriftClient class for interacting with Thrift RPC services. It also updates the two existing Metasploit modules to use it.

  • PR 18361 - Updates the search command with the additional search keywords stage:, stager:, and adapter:.

  • PR 18374 - Fixes a bug in 7 modules that specified the RelatedModules metadata incorrectly. Now, the RelatedModules data is correctly shown to the user when running the info command.

  • PR 18377 - Adds a check to the auxiliary/scanner/smtp/smtp_relay scanner module to confirm whether the server supports the EHLO command. If it does not, the module initiates the session with the HELO command instead.

  • PR 18399 - Fixes multiple spelling mistakes in module documentation.
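
As an added illustration of the EHLO/HELO fallback described in the PR 18377 entry (example code written here, not the smtp_relay module's own), the session start below sends EHLO and falls back to HELO only when the server refuses EHLO with a permanent 5xx reply; the FakeSmtpServer class, its banner and its replies are constructed so the example runs offline in place of a TCPSocket:

```ruby
# Constructed stand-in for the server side: a 220 banner, then one scripted
# reply (list of lines) per command verb; unknown verbs get a 500.
class FakeSmtpServer
  attr_reader :received

  def initialize(replies)
    @replies = replies
    @received = []
    @pending = ["220 mail.example.test ESMTP\r\n"]
  end

  def puts(line)
    @received << line.strip
    verb = line.split.first.to_s.upcase
    @pending.concat(@replies.fetch(verb) { ["500 Command not recognized\r\n"] })
  end

  def gets
    @pending.shift
  end
end

# Reads one SMTP reply, which may span several lines: continuation lines carry
# "-" after the three-digit code, the final line a space (or nothing at all).
# Returns [code, lines].
def read_smtp_reply(io)
  lines = []
  loop do
    line = io.gets
    raise IOError, 'connection closed mid-reply' if line.nil?
    lines << line.chomp
    break if lines.last =~ /\A\d{3}( |\z)/
  end
  [lines.last[0, 3].to_i, lines]
end

# Opens the dialogue: EHLO first, HELO only when EHLO draws a 5xx error (the
# "command not implemented" case). Other failures are raised, not masked.
# Returns the verb the server accepted.
def smtp_greet(io, helo_name)
  code, = read_smtp_reply(io)
  raise "unexpected banner #{code}" unless code == 220
  io.puts("EHLO #{helo_name}\r\n")
  code, = read_smtp_reply(io)
  return 'EHLO' if code == 250
  raise "EHLO rejected with #{code}" unless code >= 500
  io.puts("HELO #{helo_name}\r\n")
  code, = read_smtp_reply(io)
  raise "HELO rejected with #{code}" unless code == 250
  'HELO'
end
```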

Fixed

  • PR 17970 - Fixed an error in nessus_db_import and nessus_scan_export commands that prevented them from completing successfully.

  • PR 18220 - Adds additional error handling when loading Metasploit payloads during msfconsole's startup process, ensuring that missing payloads do not crash msfconsole.

  • PR 18260 - Adds validation for the EC2_ID module option.

  • PR 18272 - Fixes an issue in the exploit module multi/http/adobe_coldfusion_rce_cve_2023_26360 when the target ColdFusion server is deployed with a Development profile.

  • PR 18275 - Updates the module metadata for the Java reverse_http and reverse_https stagers so that the payload size is treated as dynamic instead of static/fixed. The size varies because the Java payload embeds a user-configurable HTTP callback URL; combined with the Zip compression used in JAR files, the overall generated payload size changes as a result.

  • PR 18278 - Fixes a crash when running the auxiliary/scanner/mysql/mysql_login module against newer versions of MySQL.

  • PR 18287 - Fixes a stack trace thrown by the forge_ticket module when the SPN datastore option was left blank. The module now fails with a bad-config error and gives a detailed error message.

  • PR 18289 - Fixes a typo in the exploit/freebsd/http/citrix_formssso_target_rce docs.

  • PR 18297 - Fixes the broken scanner/mysql/mysql_authbypass_hashdump module and adds documentation for the module.

  • PR 18298 - Changes the behavior of setting LHOST to an interface name, for example with set LHOST eth0. Previously, a non-deterministic IP would be resolved from the adapter name if the adapter had multiple IPv4/IPv6 addresses registered. Now, the lowest-ordinal IPv4 address is preferred, followed by any IPv6 addresses.

  • PR 18306 - Fixes a crash when parsing ThriftHeader binary data.

  • PR 18359 - Updates the admin/kerberos/forge_ticket module to work with newer Windows Server releases, in particular those newer than Windows Server October 2022. When forging Golden tickets, the forged PAC now contains a PAC requestor element with the forged user SID, plus additional PAC attributes.

  • PR 18362 - Fixes an issue which could have caused a new msfrpc console instance to hang forever.

  • PR 18369 - Fixes a crash with OptAddressLocal that was caused by Darwin AF_LINK interfaces reporting an empty string as their addr.

  • PR 18370 - Fixes an issue where msfrpc would hang when updating saved command history.
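
As an added example of the deterministic selection rule described in the PR 18298 entry (written here, not the framework's own OptAddressLocal code), the resolver below takes interface/address pairs in the order the OS reports them and returns the first IPv4 address, falling back to the first IPv6 address, while skipping the empty link-layer entries behind the PR 18369 fix; live_ifaddr_pairs shows how such pairs come from Ruby's stdlib Socket.getifaddrs, and the sample list is constructed:

```ruby
require 'ipaddr'
require 'socket'

# Picks the address for +iface+: the first IPv4 address listed for it wins;
# with no IPv4, the first IPv6 address; nil if it has neither.
# +addr_pairs+ is an array of [interface_name, address_string] in OS order.
def resolve_interface_address(iface, addr_pairs)
  first_v6 = nil
  addr_pairs.each do |name, addr|
    next unless name == iface
    # Link-layer entries (AF_LINK/AF_PACKET) surface as nil or "": skip them
    # instead of crashing on an empty address.
    next if addr.nil? || addr.empty?
    ip = begin
      IPAddr.new(addr)
    rescue IPAddr::InvalidAddressError
      next
    end
    return ip.to_s if ip.ipv4?           # lowest-ordinal IPv4 wins outright
    first_v6 ||= ip.to_s if ip.ipv6?     # remember the first IPv6 as fallback
  end
  first_v6
end

# Builds the same pair list from the live host (Socket.getifaddrs, Ifaddr#name,
# Ifaddr#addr and Addrinfo#ip? are stdlib). Non-IP entries map to nil.
def live_ifaddr_pairs
  Socket.getifaddrs.map do |ifa|
    a = ifa.addr
    [ifa.name, (a && a.ip?) ? a.ip_address : nil]
  end
end

# Constructed sample of a dual-stack host, in the order an OS might report it.
SAMPLE_IFADDRS = [
  ['lo0',  '127.0.0.1'],
  ['eth0', nil],            # link-layer entry with no IP address
  ['eth0', 'fe80::1'],      # IPv6 listed before IPv4, yet IPv4 must win
  ['eth0', '10.0.0.5'],
  ['eth0', '10.0.0.6'],
  ['eth1', '2001:db8::10'],
].freeze

puts resolve_interface_address('eth0', SAMPLE_IFADDRS) if __FILE__ == $PROGRAM_NAME
```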

Modules

  • PR 18123 - Adds a module that chains together a log poisoning LFI, redirection bypass and a path traversal vulnerability to obtain unauthenticated RCE.

  • PR 18180 - Adds two modules for targeting vulnerabilities related to the signing of Flask's session cookies. One of them exploits a vulnerability in Apache Superset which is identified as CVE-2023-27524.

  • PR 18232 - Adds a module for an unauthenticated RCE against Metabase. Metabase versions before 0.46.6.1 have a bug where an unauthenticated user can retrieve a setup-token. With this token, they can query an API endpoint to set up a new database and then inject an H2 connection string that leads to RCE.

  • PR 18233 - Adds an exploit module that leverages an unauthenticated remote command execution vulnerability in Chamilo versions 1.11.18 and below. This vulnerability is identified as CVE-2023-34960. Due to a feature called Chamilo Rapid, which converts PowerPoint slides into Chamilo courses, an unauthenticated remote attacker can execute arbitrary commands at the OS level using a malicious SOAP request to the vulnerable endpoint /main/webservices/additional_webservices.php.

  • PR 18247 - Adds an exploit module that leverages an authentication bypass and an arbitrary file upload in Netgear ProSAFE NMS300. These vulnerabilities have been identified as CVE-2023-38096 and CVE-2023-38098 respectively and affect versions below 1.7.0.22. By chaining together these vulnerabilities, an unauthenticated remote attacker can execute arbitrary code with SYSTEM privileges.

  • PR 18250 - Adds a new privilege escalation module that exploits a vulnerable clfs.sys driver on Windows to spawn a new NT AUTHORITY\SYSTEM Meterpreter session. The vulnerable driver is installed by default on Windows 10 21H2, Windows 11 21H2 and Windows Server 2022 (Build 20348).

  • PR 18253 - Adds a file-format exploit affecting Greenshot versions 1.3.274 and earlier, including the last stable release, 1.2.10.6.

  • PR 18257 - Adds an exploit module for an Apache NiFi H2 remote code execution vulnerability identified as CVE-2023-34468. Versions 0.0.2 through 1.21.0 are vulnerable and allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. This also adds a library with helper functions for modules targeting this product.

  • PR 18263 - Adds an unauthenticated command injection module for the RaspAP WebGUI application.

  • PR 18264 - Updates the exploits/freebsd/http/citrix_formssso_target_rce module for CVE-2023-3519 to include two new targets, Citrix ADC (NetScaler) 12.1-65.25, and 12.1-64.17. This module now supports automatic targeting based on the Last-Modified header of the logon/fonts/citrix-fonts.css resource.

  • PR 18273 - Adds an exploit for VMware vRealize Log Insight versions prior to 8.10.2. It chains multiple vulnerabilities (CVE-2022-31706, CVE-2022-31704, CVE-2022-31711) together to achieve unauthenticated RCE.

  • PR 18280 - Adds a module for an unauthenticated RCE vulnerability in Maltrail, a malicious traffic detection system. The module author indicated that this vulnerability does not have a CVE associated with it as the vendor (product team in this case) declined to assign one.

  • PR 18281 - Adds a module that detects Windows hosts that are vulnerable to https://github.com/advisories/GHSA-xvhr-xr27-hpmq aka QueueJumper.

  • PR 18283 - Adds a module that achieves unauthenticated command injection by combining two critical vulnerabilities in Apache Airflow 1.10.10. The first, CVE-2020-11978, is an authenticated command injection vulnerability in one of Airflow's example DAGs, example_trigger_target_dag, which allows any authenticated user to run arbitrary OS commands as the user running the Airflow Worker/Scheduler. The second, CVE-2020-13927, is a default setting of Airflow 1.10.10 that allows unauthenticated access to Airflow's Experimental REST API, which can be used to perform malicious actions such as triggering the vulnerable DAG above.

  • PR 18286 - Adds a module to retrieve an arbitrary file on hosts running Roundcube versions from 1.1.0 through version 1.3.2.

  • PR 18290 - Creates two modules: one to interrogate Prometheus API endpoints for information, the other to query Prometheus Node Exporters for information. This is supported by a new Prometheus library and specs.

  • PR 18302 - Adds an exploit module that leverages a remote code execution vulnerability in SonicWall GMS, identified as CVE-2023-34124. Version 9.3.9320 (and likely earlier) is affected.

  • PR 18313 - Adds a module which exploits a vulnerability that allows remote code execution on a vulnerable SolarView Compact device by bypassing internal restrictions through the vulnerable endpoint downloader.php using the file parameter. Firmware versions up to v6.33 are vulnerable.

  • PR 18314 - Adds an exploit module that leverages a directory traversal vulnerability in Windows 10. This vulnerability is identified as CVE-2023-36874 and enables an attacker to elevate privileges to those of the NT AUTHORITY\SYSTEM user. Note that this module works with Windows 10 x64 22H2.

  • PR 18316 - Adds a module that exploits a prototype pollution vulnerability in the Kibana Timelion visualiser resulting in Remote Code Execution.

  • PR 18321 - Adds an exploit module that targets Ivanti Avalanche MDM versions before v6.4.1, leveraging a buffer overflow condition.

  • PR 18322 - Adds an auxiliary scanner module which exploits a memory disclosure vulnerability within Elasticsearch 7.10.0 to 7.13.3 (inclusive) by submitting a malformed query that generates an error message containing previously used portions of a data buffer. The disclosed memory could contain sensitive information such as Elasticsearch documents or authentication details.

  • PR 18329 - Adds a module that exploits broken access control and directory traversal vulnerabilities to achieve unauthenticated remote code execution on LG Simple Editor versions <= v3.21. The module achieves code execution in the context of NT AUTHORITY\SYSTEM by uploading and executing a JSP payload.

  • PR 18330 - Adds an exploit module that targets Ivanti Sentry (formerly MobileIron Sentry), which is vulnerable to an authentication bypass that exposes API functionality, allowing code execution in the context of the root user.

  • PR 18333 - Adds an exploit module that leverages an unauthenticated remote code execution vulnerability in certain Lexmark devices through 2023-02-19. This vulnerability (CVE-2023-26068) is only exposed if, when setting up the printer or device, the user selects "Set up Later" when asked if they would like to add an Admin user.

  • PR 18341 - Adds a module covering CVE-2023-38831, a file-format vulnerability affecting WinRAR 6.22.

  • PR 18350 - Adds a new module that exploits an unauthenticated command injection vulnerability in OpenTSDB through 2.4.1 resulting in root access.

  • PR 18365 - Adds an exploit module that leverages a command injection vulnerability in TOTOLINK X5000R Wireless Gigabit Router firmware X5000R_V9.1.0u.6118_B20201102. This allows remote code execution as the user running the web server, typically root.

  • PR 18408 - Adds an unauthenticated RCE for JetBrains' TeamCity server on both Linux and Windows. A remote attacker can exploit an authentication bypass vulnerability and then execute OS commands in the context of the service.
