All posts by Jack Heysel

Metasploit Wrap-Up 01/23/2026

Post Syndicated from Jack Heysel original https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-01-23-2026

Oracle E-Business Suite Unauth RCE

This week, we are pleased to announce the addition of a module that exploits CVE-2025-61882, a pre-authentication remote code execution vulnerability in Oracle E-Business Suite versions 12.2.3 through 12.2.14. The exploit chains multiple flaws—including SSRF, path traversal, HTTP request smuggling, and XSLT injection—to coerce the target into fetching and executing a malicious XSL file hosted by the attacker. Successful exploitation results in arbitrary command execution and an interactive shell on both Linux/Unix and Windows targets. The module is reliable and repeatable, and we here at Metasploit hope you enjoy it. Happy hacking!

New module content (3)

Authenticated RCE in Splunk (splunk_archiver app)

Authors: Alex Hordijk, Maksim Rogov, and psytester
Type: Exploit
Pull request: #20770 contributed by vognik
Path: linux/http/splunk_auth_rce_cve_2024_36985
AttackerKB reference: CVE-2024-36985

Description: This adds two separate Metasploit exploit modules targeting Remote Code Execution (RCE) vulnerabilities in Splunk Enterprise. CVE-2024-36985 exploits unsafe use of the “copybuckets” lookup function within the splunk_archiver application, resulting in execution of the sudobash helper script with attacker-controlled arguments. Affected versions: all releases prior to 9.0.10, 9.1.2 through 9.1.5, and 9.2.0 through 9.2.2. CVE-2022-43571 exploits a Python code injection vulnerability in Splunk SimpleXML dashboards by injecting malicious code into sparkline style parameters. The malicious code is executed when a user exports the dashboard to PDF. Affected versions: all releases prior to 8.1.12, 8.2.0 through 8.2.9, and 9.0.0 through 9.0.2.

Oracle E-Business Suite CVE-2025-61882 RCE

Authors: Mathieu Dupas and watchTowr (Sonny, Sina Kheirkhah, Jake Knott)
Type: Exploit
Pull request: #20750 contributed by MatDupas
Path: multi/http/oracle_ebs_cve_2025_61882_exploit_rce
AttackerKB reference: CVE-2025-61882

Description: This adds an exploit for CVE-2025-61882, a critical Remote Code Execution (RCE) vulnerability in Oracle E-Business Suite (EBS). The flaw allows unauthenticated attackers to execute arbitrary code by leveraging a combination of SSRF, HTTP request smuggling and XSLT injection. Affected Versions: Oracle E-Business Suite, 12.2.3-12.2.14.

Authenticated RCE in Splunk (SimpleXML dashboard PDF generation)

Authors: Danylo Dmytriiev, Maksim Rogov, and psytester
Type: Exploit
Pull request: #20770 contributed by vognik
Path: multi/http/splunk_auth_rce_cve_2022_43571
AttackerKB reference: CVE-2022-43571

Description: This adds two separate Metasploit exploit modules targeting Remote Code Execution (RCE) vulnerabilities in Splunk Enterprise. CVE-2024-36985 exploits unsafe use of the “copybuckets” lookup function within the splunk_archiver application, resulting in execution of the sudobash helper script with attacker-controlled arguments. Affected versions: all releases prior to 9.0.10, 9.1.2 through 9.1.5, and 9.2.0 through 9.2.2. CVE-2022-43571 exploits a Python code injection vulnerability in Splunk SimpleXML dashboards by injecting malicious code into sparkline style parameters. The malicious code is executed when a user exports the dashboard to PDF. Affected versions: all releases prior to 8.1.12, 8.2.0 through 8.2.9, and 9.0.0 through 9.0.2.

Enhancements and features (3)

  • #20755 from rudraditya21 – This adds an advanced datastore option, KrbClockSkew, to modules that use Kerberos authentication, allowing operators to adjust the Kerberos clock from the Metasploit side to fix clock skew errors.
  • #20840 from xaitax – This updates the MongoBleed auxiliary module and adds new options. The module can now use Wiz Magic Packet to detect the vulnerability quickly; it can detect compression libraries used by MongoDB (and warns or stops the user if zlib is not enabled). The module can also reuse the MongoDB socket connection during memory scanning, which significantly improves performance. Finally, it can better leak secrets, either by pattern matching or by storing the extracted information in raw or JSON format.
  • #20861 from bcoles – Adds multiple improvements to get_hostname resolution logic for post exploitation modules.

Bugs fixed (1)

  • #20888 from jheysel-r7 – Fixes an issue that caused dMSA Kerberos authentication to fail.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

Metasploit Wrap-Up 12/05/2025

Post Syndicated from Jack Heysel original https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-12-05-2025

Twonky Auth Bypass, RCEs and RISC-V Reverse Shell Payloads

This was another fantastic week in terms of PR contribution to the Metasploit Framework. Rapid7’s very own Ryan Emmons recently disclosed CVE-2025-13315 and CVE-2025-13316, which exist in Twonky Server and allow admin credentials to be recovered without authentication by reading the logs that contain them and decrypting them. The auxiliary module Ryan submitted which exploits both of these CVEs was released this week. Community contributor Valentin Lobsein aka Chocapikk has returned to the PR queue with a welcomed vengeance. Two modules from Chocapikk were landed this week: a Monsta FTP downloadFile Remote Code Execution module along with a WordPress AI Engine Plugin MCP Unauthenticated Admin Creation to RCE module. In addition to some awesome module content, community contributor bcoles added Linux RISC-V 32-bit/64-bit TCP reverse shell payloads.

New module content (5)

Twonky Server Log Leak Authentication Bypass

Author: remmons-r7
Type: Auxiliary
Pull request: #20709 contributed by remmons-r7
Path: gather/twonky_authbypass_logleak
AttackerKB reference: CVE-2025-13316

Description: This module exploits two CVEs: CVE-2025-13315 and CVE-2025-13316. Both CVEs exist in Twonky Server and allow the logs, which contain the admin credentials, to be read without authentication. The module then decrypts those credentials using the hardcoded keys.

Monsta FTP downloadFile Remote Code Execution

Authors: Valentin Lobstein [email protected], msutovsky-r7, and watchTowr Labs
Type: Exploit
Pull request: #20718 contributed by Chocapikk
Path: multi/http/monsta_ftp_downloadfile_rce
AttackerKB reference: CVE-2025-34299

Description: This adds a module for CVE-2025-34299. The module exploits a vulnerability in the downloadFile action which allows an attacker to connect to a malicious FTP server and download arbitrary files to arbitrary locations on the Monsta FTP server.

WordPress AI Engine Plugin MCP Unauthenticated Admin Creation to RCE

Authors: Emiliano Versini, Khaled Alenazi (Nxploited), Valentin Lobstein [email protected], and dledda-r7
Type: Exploit
Pull request: #20720 contributed by Chocapikk
Path: multi/http/wp_ai_engine_mcp_rce
AttackerKB reference: CVE-2025-11749

Description: This adds a new exploit module for an unauthenticated vulnerability in the WordPress AI Engine plugin, which has over 100,000 active installations. The vulnerability allows an attacker to create an administrator account via the MCP (Model Context Protocol) endpoint without authentication, then upload and execute a malicious plugin to achieve remote code execution. The vulnerability is being tracked as CVE-2025-11749.

Linux Command Shell, Reverse TCP Inline

Authors: bcoles [email protected] and modexp
Type: Payload (Single)
Pull request: #20712 contributed by bcoles
Path: linux/riscv32le/shell_reverse_tcp

Description: This adds Linux RISC-V 32-bit/64-bit TCP reverse shell payloads.

Linux Command Shell, Reverse TCP Inline

Authors: bcoles [email protected] and modexp
Type: Payload (Single)
Pull request: #20712 contributed by bcoles
Path: linux/riscv64le/shell_reverse_tcp

Description: This adds Linux RISC-V 32-bit/64-bit TCP reverse shell payloads.

Enhancements and features (3)

  • #20658 from jheysel-r7 – This adds a number of accuracy enhancements to the ldap_esc_vulnerable_cert_finder module. It also adds a CertificateAuthorityRhost datastore option to the esc_update_ldap_object module so the operator can specify an IP Address explicitly in cases where the hostname cannot be resolved via DNS.
  • #20677 from zeroSteiner – This enables sessions to MSSQL servers that require encryption. These changes add a new MsTds::Channel which leverages Rex’s socket abstraction to facilitate the necessary encapsulation for the TLS negotiation.
  • #20741 from SaiSakthidar – This removes CAIN as an output format for collected hashes.

Metasploit Wrap-Up 03/28/2025

Post Syndicated from Jack Heysel original https://blog.rapid7.com/2025/03/28/metasploit-wrap-up-03-28-2025/

Windows LPE – Cloud Files Mini Filter Driver Heap Overflow

This Metasploit release includes an exploit module for CVE-2024-30085, an LPE in cldflt.sys, which is known as the Windows Cloud Files Mini Filter Driver. This driver allows users to manage and sync files between a remote server and a local client. The exploit module allows users with an existing session on an affected Windows device to seamlessly escalate their privileges to NT AUTHORITY\SYSTEM. This module has been tested on Windows workstation versions 10_1809 through 11_23H2 and Windows server versions 2022 to 22_23H2.

New module content (3)

GLPI Inventory Plugin Unauthenticated Blind Boolean SQLi

Authors: jheysel-r7 and rz
Type: Auxiliary
Pull request: #19974 contributed by jheysel-r7
Path: gather/glpi_inventory_plugin_unauth_sqli
AttackerKB reference: CVE-2025-24799

Description: This adds an auxiliary module for an Unauth Blind Boolean SQLi (CVE-2025-24799) vulnerability in GLPI <= 1.0.18 when the Inventory Plugin is installed and enabled.

Eramba (up to 3.19.1) Authenticated Remote Code Execution Module

Authors: Niklas Rubel, Sergey Makarov, Stefan Pietsch, Trovent Security GmbH, and msutovsky-r7
Type: Exploit
Pull request: #19957 contributed by msutovsky-r7
Path: linux/http/eramba_rce
AttackerKB reference: CVE-2023-36255

Description: This adds an exploit for CVE-2023-36255 which is an authenticated command injection vulnerability in Eramba.

Windows Cloud Files Mini Filter Driver Heap Overflow

Authors: Alex Birnberg, bwatters-r7, and ssd-disclosure
Type: Exploit
Pull request: #19802 contributed by bwatters-r7
Path: windows/local/cve_2024_30085_cloud_files
AttackerKB reference: CVE-2024-30085

Description: Local Privilege Escalation for Windows, exploiting CVE-2024-30085. It allows escalating an existing session to higher privileges.

Bugs fixed (3)

  • #19932 from adfoster-r7 – Fixes a crash when running the exploits/windows/mssql/mssql_payload module against previously opened Microsoft SQL Server sessions.
  • #19962 from e2002e – This preemptively updates the API host for the ZoomEye search module to reflect changes made by the upstream organization.
  • #19987 from zeroSteiner – This updates the Ivanti and Sonicwall Bruteforce modules to use #initialize methods that accept a single argument as the LoginScanner classes should. It also renames the modules to follow the standard convention and adds a small fix to catch an unhandled connection error that was being thrown by the Sonicwall module.

Metasploit Weekly Wrap-Up 01/24/2025

Post Syndicated from Jack Heysel original https://blog.rapid7.com/2025/01/24/metasploit-weekly-wrap-up-01-24-2025/

LibreNMS Authenticated RCE module and ESC15 improvements

This week the Metasploit Framework was blessed with an authenticated RCE module in LibreNMS, an autodiscovering PHP/MySQL-based network monitoring system. An authenticated attacker can create dangerous directory names on the system and alter sensitive configuration parameters through the web portal. These two defects combined to allow arbitrary OS commands inside shell_exec() calls, thus achieving arbitrary code execution.

Additionally, improvements have been made to the icpr_cert module. Metasploit users reported that when running the module with the option to add application policy OIDs to the template—typically done when attempting to exploit ESC15—the module would say that it ran successfully against a server patched for ESC15. However, no certificate application policy OIDs would be returned in the response. This behavior indicated that the server had been patched for ESC15 (CVE-2024-49019). In response to this, the module has been updated to raise an error in this scenario, notifying the user that the target is likely patched and the exploit will not be successful.

New module content (1)

LibreNMS Authenticated RCE (CVE-2024-51092)

Authors: Takahiro Yokoyama and murrant (Tony Murray)
Type: Exploit
Pull request: #19805 contributed by Takahiro-Yoko
Path: linux/http/librenms_authenticated_rce_cve_2024_51092
AttackerKB reference: CVE-2024-51092

Description: New module for exploiting CVE-2024-51092, an authenticated command injection in LibreNMS. It allows the attacker to run system commands and gain remote code execution (RCE). However, it requires a set of working credentials.

Bugs fixed (2)

  • #19808 from jheysel-r7 – Adds detection for the ESC15 patch to the icpr_cert module.
  • #19820 from adfoster-r7 – Pin the version of concurrent-ruby used to stop a crash on msfconsole bootup.

Documentation added (1)

  • #19807 from msutovsky-r7 – Clarify the usage of vars_get and vars_post in module development.

Metasploit Weekly Wrap-Up

Post Syndicated from Jack Heysel original https://blog.rapid7.com/2024/11/15/metasploit-weekly-wrap-up-43/

Palo Alto Expedition RCE module

This week’s release includes an exploit module for the Palo Alto Expedition exploit chain that’s been making headlines recently. The first vulnerability, CVE-2024-5910, allows attackers to reset the password of the admin user. The second vulnerability, CVE-2024-9464, is an authenticated OS command injection. The module makes use of both vulnerabilities in order to obtain unauthenticated RCE in the context of the user www-data.

New module content (1)

Palo Alto Expedition Remote Code Execution (CVE-2024-5910 and CVE-2024-9464)

Authors: Brian Hysell, Enrique Castillo, Michael Heinzl, and Zach Hanley
Type: Exploit
Pull request: #19557 contributed by h4x-x0r
Path: linux/http/paloalto_expedition_rce
AttackerKB reference: CVE-2024-24809

Description: Adds a module that chains CVE-2024-5910, a password reset vulnerability, with CVE-2024-9464, an authenticated command injection vulnerability, to gain code execution on Palo Alto Expedition servers running versions after 1.2 and before 1.2.92, with or without knowledge of the credentials.

Bugs fixed (3)

  • #19610 from cgranleese-r7 – Fixes the bruteforce summary table to correctly output the identified credentials as part of the smb_login module. This functionality is behind the features set show_successful_logins true command.
  • #19617 from sjanusz-r7 – Fixes a crash when running against a shell session which does not echo the executed commands.
  • #19623 from adfoster-r7 – This fixes a bug in the logic that fetches stored Kerberos tickets.

Documentation added (2)

  • #19369 from Adithya2357 – This improves the clarity and organization of the Metasploit Framework’s README documentation. It restructures content into distinct categories, updates installation instructions, enhances usage guidance, and provides a detailed contributing section.
  • #19635 from adfoster-r7 – Update the Kerberos enumusers module description to include a note about ASREPRoast attacks.

Metasploit Weekly Wrap-Up 09/06/2024

Post Syndicated from Jack Heysel original https://blog.rapid7.com/2024/09/06/metasploit-weekly-wrap-up-42/

Honey, I shrunk the PHP payloads

This release contains more PHP payload improvements from Julien Voisin. Last week we landed a PR from Julien that added a datastore option to the php/base64 encoder which, when enabled, uses zlib to compress the payload. This significantly reduces the size, bringing a payload of 4040 bytes down to a mere 1617 bytes. This week’s release includes a php/minify encoder which removes all unnecessary characters from the payload, including comments, empty lines, leading spaces, trailing spaces, spaces after keywords and spaces before block openings. Using the php/minify encoder can take a payload of 4052 bytes down to 2839 bytes. We’d like to thank Julien for their continued commitment to improving PHP payloads!

New module content (1)

PHP Minify Encoder

Author: Julien Voisin
Type: Encoder
Pull request: #19435 contributed by jvoisin
Path: php/minify

Description: This encoder minifies PHP payloads by removing spaces after keywords and before block openings. It removes comments, empty lines, new lines and leading and trailing spaces.

Enhancements and features (2)

  • #19368 from h00die-gr3y – This adjusts the exploit/multi/http/geoserver_unauth_rce_cve_2024_36401 to dynamically pull and test the feature_type list to establish an RCE. This will make the module more robust towards installations with different feature_type configurations.
  • #19401 from jvoisin – Add a mixin to get SPIP version and make use of it.

Bugs fixed (2)

  • #19381 from Takahiro-Yoko – This fixes the gitlab_login scanner so that it uses the proper datastore options Username and Password which are the standard for login scanners. Before this fix the scanner was using HttpUsername and HttpPassword and ignoring the datastore options Username and Password.
  • #19438 from cgranleese-r7 – Fixes a nil error if login is successful with ldap_login module.

Metasploit Weekly Wrap-Up 06/28/2024

Post Syndicated from Jack Heysel original https://blog.rapid7.com/2024/06/28/metasploit-weekly-wrap-up-06-28-2024/

Unauthenticated Command Injection in Netis Router

This week’s Metasploit release includes an exploit module for an unauthenticated command injection vulnerability in the Netis MW5360 router which is being tracked as CVE-2024-22729. The vulnerability stems from improper handling of the password parameter within the router’s web interface which allows for command injection. Fortunately for attackers, the router’s login page authorization can be bypassed by simply deleting the authorization header, leading to the vulnerability. All router firmware versions up to V1.0.1.3442 are vulnerable.

New module content (2)

MS-NRPC Domain Users Enumeration

Author: Haidar Kabibo https://x.com/haider_kabibo
Type: Auxiliary
Pull request: #19205 contributed by sud0Ru
Path: scanner/dcerpc/nrpc_enumusers

Description: This adds a new module that can enumerate accounts on a target Active Directory Domain Controller without authenticating to it; instead the module does so by issuing a DCERPC request and analyzing the returned error status.

Netis router MW5360 unauthenticated RCE

Authors: Adhikara13 and h00die-gr3y [email protected]
Type: Exploit
Pull request: #19188 contributed by h00die-gr3y
Path: linux/http/netis_unauth_rce_cve_2024_22729
AttackerKB reference: CVE-2024-22729

Description: This adds an exploit module that leverages CVE-2024-22729, a command injection vulnerability in Netis router MW5360 to achieve remote code execution as the user root. All router firmware versions up to V1.0.1.3442 are vulnerable.

Bugs fixed (3)

  • #19259 from dledda-r7 – This updates Metasploit to check for a new flag that is sent as part of the encryption key negotiation with Meterpreter which indicates if Meterpreter had to use a weak source of entropy to generate the key.
  • #19267 from zeroSteiner – Fixes a crash in the ldap_esc_vulnerable_cert_finder module when targeting an AD CS server that has a certificate template containing parenthesis.
  • #19283 from adeherdt-r7 – Fixes the auxiliary/scanner/redis/redis_login module to correctly track the registered service name as redis – previously it was blank.

Metasploit Weekly Wrap-Up 04/19/24

Post Syndicated from Jack Heysel original https://blog.rapid7.com/2024/04/19/metasploit-weekly-wrap-up-04-19-24/

Welcome Ryan and the new CrushFTP module

It’s not every week we add an awesome new exploit module to the Framework while adding the original discoverer of the vulnerability to the Rapid7 team as well. We’re very excited to welcome Ryan Emmons to the Emergent Threat Response team, which works alongside Metasploit here at Rapid7. Ryan discovered an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in CrushFTP (CVE-2023-43177) versions prior to 10.5.1 which results in unauthenticated remote code execution. Metasploit’s very own Christophe De La Fuente did a fantastic job of turning this complex exploit into a smooth running Metasploit module. This release includes another unauthenticated remote code execution vulnerability in the oh so popular PostgreSQL management tool, pgAdmin. Written by Spencer McIntyre, the module exploits CVE-2024-2044 which is a path-traversal vulnerability in the session management that allows a Python pickle object to be loaded and deserialized.

New module content (3)

MongoDB Ops Manager Diagnostic Archive Sensitive Information Retriever

Author: h00die
Type: Auxiliary
Pull request: #18936 contributed by h00die
Path: gather/mongodb_ops_manager_diagnostic_archive_info
AttackerKB reference: CVE-2023-0342

Description: This adds an auxiliary module that leverages an information disclosure vulnerability (CVE-2023-0342) in MongoDB Ops Manager v5.0 prior to 5.0.21 and v6.0 prior to 6.0.12 to retrieve the SAML SSL Pem Key File Password, which is stored in plaintext in the application’s Diagnostics Archive.

CrushFTP Unauthenticated RCE

Authors: Christophe De La Fuente and Ryan Emmons
Type: Exploit
Pull request: #18918 contributed by cdelafuente-r7
Path: multi/http/crushftp_rce_cve_2023_43177
AttackerKB reference: CVE-2023-43177

Description: This exploit module leverages an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability (CVE-2023-43177) to achieve unauthenticated remote code execution. This affects CrushFTP versions prior to 10.5.1.

pgAdmin Session Deserialization RCE

Authors: Abdel Adim Oisfi, Davide Silvetti, and Spencer McIntyre
Type: Exploit
Pull request: #19026 contributed by zeroSteiner
Path: multi/http/pgadmin_session_deserialization
AttackerKB reference: CVE-2024-2044

Description: This adds an exploit for pgAdmin <= 8.3 which is a path traversal vulnerability in the session management that allows a Python pickle object to be loaded and deserialized. This also adds a new Python deserialization gadget chain to execute the code in a new thread so the target application doesn’t block the HTTP request.

Enhancements and features (0)

None

Bugs fixed (0)

None

Metasploit Weekly Wrap-Up 02/09/2024

Post Syndicated from Jack Heysel original https://blog.rapid7.com/2024/02/09/metasploit-weekly-wrap-up-02-09-2024/

Go go gadget Fortra GoAnywhere MFT Module

This Metasploit release contains a module for one of 2024’s hottest vulnerabilities to date: CVE-2024-0204. The path traversal vulnerability in Fortra GoAnywhere MFT allows unauthenticated attackers to access the InitialAccountSetup.xhtml endpoint, which is used during the product’s initial setup to create the first administrator user. After setup has completed, this endpoint is supposed to be no longer available. Attackers can use this vulnerability to create a user with Administrator privileges. Once administrative privileges have been obtained for the GoAnywhere MFT application, uploading a .jsp payload in order to achieve RCE is trivial.

New module content (3)

runc (docker) File Descriptor Leak Privilege Escalation

Authors: Rory McNamara and h00die
Type: Exploit
Pull request: #18780 contributed by h00die
Path: linux/local/runc_cwd_priv_esc

Description: This adds a local privilege escalation exploit that leverages an internal file descriptor leak in runc versions prior to 1.1.12. An attacker with docker privileges is able to write an arbitrary file on the host file system with the permissions of runc (typically root). With this, the module uploads a payload and sets the execute and SUID permissions to escalate privileges.

Cacti RCE via SQLi in pollers.php

Authors: Aleksey Solovev and Christophe De La Fuente
Type: Exploit
Pull request: #18769 contributed by cdelafuente-r7
Path: multi/http/cacti_pollers_sqli_rce

Description: This PR adds an exploit module which leverages a SQLi (CVE-2023-49085) and a LFI (CVE-2023-49084) vulnerability in Cacti versions prior to 1.2.26 to achieve RCE.

Fortra GoAnywhere MFT Unauthenticated Remote Code Execution

Authors: James Horseman, Zach Hanley, and sfewer-r7
Type: Exploit
Pull request: #18762 contributed by sfewer-r7
Path: multi/http/fortra_goanywhere_mft_rce_cve_2024_0204

Description: This pull request adds an exploit module for CVE-2024-0204 which is a path traversal vulnerability which results in unauthenticated RCE in Fortra GoAnywhere MFT. GoAnywhere MFT versions 6.x from 6.0.1, and 7.x before 7.4.1 are vulnerable.

Enhancements and features (3)

  • #18696 from zgoldman-r7 – Introduces a standalone MSSQL client class that can be used in new contexts not tied to a specific module.
  • #18718 from cgranleese-r7 – Updates the auxiliary/scanner/mysql/mysql_login.rb module to include a new CreateSession option that opens an interactive session. This functionality is currently behind a feature flag which can be enabled with features set mysql_session_type true.
  • #18761 from dwelch-r7 – Adds a user notification that new modules support a CreateSession option. This functionality is currently behind a feature flag which can be enabled with the features command.

Bugs fixed (3)

  • #18704 from dwelch-r7 – Fixes a bug with framework having 0 registered nop modules when the defer-module-loads feature was enabled.
  • #18773 from sjanusz-r7 – Fixes an issue where Ctrl+Z and Ctrl+C did not work correctly in the context of an interactive PostgreSQL shell prompt inside the PostgreSQL session type.
  • #18803 from dwelch-r7 – Fixes a crash when using exploit/multi/handler with an invalid payload name.

Documentation added (1)

Metasploit Weekly Wrap up

Post Syndicated from Jack Heysel original https://blog.rapid7.com/2023/07/21/metasploit-weekly-wrap-up-20/

It’s open season on Openfire with a new RCE module in Metasploit

This week the Metasploit framework saw the addition of an RCE module which exploits a path traversal vulnerability in the instant messaging and group chat server Openfire. The module was submitted by the one and only community contributor h00die-gr3y. The module targets Openfire’s unauthenticated setup environment, in an already configured Openfire installation, to access restricted pages in the Admin Console reserved for administrative users. It uses the path traversal vulnerability to create a new admin user, which is then used to upload an Openfire management plugin weaponized with a Java native payload that triggers the RCE. The module is quite flexible and will get you shells when Openfire is running on Windows or Linux and on a variety of different Java versions.

New module content (2)

Piwigo CVE-2023-26876 Gather Credentials via SQL Injection

Authors: Rodolfo Tavares, Tempest Security, Henrique Arcoverde, and rodnt
Type: Auxiliary
Pull request: #18182 contributed by rodnt
AttackerKB reference: CVE-2023-26876

Description: This PR adds an auxiliary module that takes advantage of CVE-2023-26876 to retrieve the username and password hash from Piwigo v13.5.0 and earlier.

Openfire authentication bypass with RCE plugin

Author: h00die-gr3y
Type: Exploit
Pull request: #18173 contributed by h00die-gr3y
AttackerKB reference: CVE-2023-32315

Description: This PR adds a module for CVE-2023-32315, a remote code execution vulnerability for all versions of Openfire that have been released since April 2015, starting with version 3.10.0. Patched versions are 4.7.5+, 4.6.8+ and 4.8.0+.

Enhancements and features (1)

  • #17681 from MegaManSec – This PR adds a new datastore option for Jenkins home directory to the jenkins_gather module.

Bugs fixed (0)

None

Documentation added (1)

  • #18186 from adfoster-r7 – This PR updates multiple code and console snippets within the Wiki to now have syntax highlighting.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Jack Heysel original https://blog.rapid7.com/2023/03/24/metasploit-weekly-wrap-up-197/

Zyxel Routers Beware

Metasploit Weekly Wrap-Up

This week we’ve released a module written by first-time community contributor shr70 that can exploit roughly 45 different Zyxel router and VPN models. The module exploits a buffer overflow vulnerability that results in unauthenticated remote code execution on affected devices. It’s rare we see a module affect this many devices at once, and we are excited to see this ship in the framework. We hope pentesters and red-teamers alike can make good use of this module in their day-to-day operations.

Monitorr unauthenticated RCE

Community contributor h00die-gr3y strikes again, this time with a module for an unauthenticated RCE vulnerability in Monitorr. Monitorr is a simple web application that allows you to set up a dashboard to monitor the up/down state of various web sites and web applications. Vulnerable versions allow an attacker to upload a webshell tagged as a GIF image and execute malicious PHP code in the upload directory where the malicious file is stored.

More Metasploit Twitch Streaming

In case you missed it or were previously unaware, our very own Spencer McIntyre has been doing live exploit development on Twitch on the second Friday of the month at 4pm EST. This past week Spencer (aka zerosteiner) shared in real time the trials and tribulations of reverse engineering an authenticated SolarWinds Information Service deserialization RCE. The pull request for this work can be found here: https://github.com/rapid7/metasploit-framework/pull/17785. In the live stream he explained how he takes a blog post with limited technical details, then decompiles and debugs the application to figure out what makes the vulnerability tick. Come watch the next one on Friday, April 14th, at https://www.twitch.tv/zerosteiner. There’s a good chance you’ll learn something new, and be sure to invite your family and friends!

New module content (4)

Zyxel Unauthenticated LAN Remote Code Execution

Authors: Gerhard Hechenberger, SEC Consult Vulnerability Lab, Stefan Viehboeck, Steffen Robertz, and Thomas Weber
Type: Exploit
Pull request: #17388 contributed by shr70

Description: This PR adds a new exploit module for a buffer overflow in roughly 45 different Zyxel router and VPN models.

Monitorr unauthenticated Remote Code Execution (RCE)

Authors: Lyhins Lab and h00die-gr3y
Type: Exploit
Pull request: #17771 contributed by h00die-gr3y
AttackerKB reference: CVE-2020-28871

Description: This adds a module that exploits an unauthenticated file upload vulnerability in various versions of Monitorr. RCE as the user under which the software runs can be achieved due to insufficient validation on GIF uploads.

Open Web Analytics 1.7.3 – Remote Code Execution (RCE)

Authors: Dennis Pfleger and Jacob Ebben
Type: Exploit
Pull request: #17754 contributed by Pflegusch
AttackerKB reference: CVE-2022-24637

Description: This adds an exploit module for CVE-2022-24637, a single/double quote confusion vulnerability in Open Web Analytics versions below 1.7.4. This leads to the disclosure of sensitive information in an automatically generated PHP cache file, which can be leveraged to gain admin privileges and remote code execution.

WhatsUp Gold Credentials Dump

Authors: npm and sshah
Type: Post
Pull request: #17462 contributed by npm-cesium137-io
AttackerKB reference: CVE-2022-29848

Description: This adds a post module that collects and decrypts credentials from WhatsUp Gold installs.

Enhancements and features (2)

  • #17401 from araout42 – This PR adds a new x86 XOR polymorphic encoder.
  • #17583 from cgranleese-r7 – Enhances msfconsole’s info -d command, which is used to generate browser Metasploit module documentation, to additionally include references to AttackerKB.

Bugs fixed (8)

  • #17735 from tekwizz123 – Fixes a few incorrect parameter names in the generated developer documentation found at https://docs.metasploit.com/api/.
  • #17747 from dwelch-r7 – Updates the wmap plugin to no longer crash when running `wmap_targets -t http://metasploit.com`.
  • #17783 from adfoster-r7 – An update has been made to the reload_lib command so that it continues to reload files even if a single file fails to load.
  • #17784 from dwelch-r7 – Reduces the number of files loaded when msfconsole starts up. This was a performance regression introduced by a recent Rails upgrade.
  • #17792 from adfoster-r7 – Fixes an external module crash when running the auxiliary/scanner/wproxy/att_open_proxy module.
  • #17794 from adfoster-r7 – Update external modules to support python3.11.
  • #17798 from adfoster-r7 – The debug --datastore command was previously causing a stacktrace due to some incorrect operations. These have since been fixed so that users can now use debug --datastore to output debug information along with the datastore information.
  • #17802 from zeroSteiner – Updates Python pingback payloads such as payload/python/pingback_reverse_tcp to no longer crash when viewing info or generating.

Documentation added (1)

  • #17795 from adfoster-r7 – This PR adds documentation on debugging and running external python modules.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Jack Heysel original https://blog.rapid7.com/2023/03/10/metasploit-weekly-wrap-up-196/

Wowza, a new credential gatherer and login scanner!

Metasploit Weekly Wrap-Up

This week Metasploit Framework gained a credential gatherer for Wowza Streaming Engine Manager. Credentials for this application are stored in a file named admin.password in a known location; the file is readable by default by BUILTIN\Users on Windows and is world-readable on Linux. The module was written by community contributor bcoles, who also wrote a login scanner for Wowza this week. The login scanner can be used to validate the credentials found by the gatherer. The two modules complement each other quite nicely.

New module content (3)

Wowza Streaming Engine Manager Login Utility

Author: bcoles
Type: Auxiliary
Pull request: #17733 contributed by bcoles

Description: This adds a login scanner module to brute force credentials of Wowza Streaming Engine Manager.

SugarCRM unauthenticated Remote Code Execution (RCE)

Authors: Sw33t.0day and h00die-gr3y
Type: Exploit
Pull request: #17507 contributed by h00die-gr3y
AttackerKB reference: CVE-2023-22952

Description: A module has been added which exploits CVE-2023-22952, an RCE vulnerability in SugarCRM 11.0 Enterprise, Professional, Sell, Serve, and Ultimate versions prior to 11.0.5 and SugarCRM 12.0 Enterprise, Sell, and Serve versions prior to 12.0.2. Successful exploitation as an unauthenticated attacker will result in remote code execution as the user running the web services, which is typically www-data.

Gather Wowza Streaming Engine Credentials

Author: bcoles
Type: Post
Pull request: #17737 contributed by bcoles

Description: This adds a post module that collects Wowza Streaming Engine user credentials from the admin.password local configuration file. This file is world-readable by default on Linux and readable by BUILTIN\Users on Windows.

Enhancements and features (9)

  • #17675 from adfoster-r7 – Updates the admin/kerberos/forge_ticket module to support a new extra_sids option, which can be useful for including cross-domain SIDs when forging external Kerberos trust tickets as part of cross-trust domain escalation. The admin/kerberos/inspect_ticket module has also been updated to support viewing these extra SID values.
  • #17686 from zeroSteiner – This adds 3 additional methods to the existing PetitPotam module to make it work even if the patch for CVE-2021-36942 has been installed. Note that it won’t work after the December 2021 patch.
  • #17715 from zeroSteiner – The Metasploit Payload gem has been bumped to 2.0.115, bringing in support for the arp command to Python Meterpreter on Linux, and adding support for displaying IPv6 routing tables using the route command on Windows.
  • #17727 from rohitkumarankam – Two new options have been added to the login scanner library: max_consecutive_error_count and max_error_count. These options allow users to set the maximum number of errors that are allowed to occur when connecting as well as the maximum number of consecutive errors that are allowed when connecting before the login scanner will give up on a target.
  • #17744 from adfoster-r7 – The code for msfconsole has been updated so that performance profiling can also take into account the time it takes to load msfenv and console related libraries, thereby allowing for more accurate performance profiling.
  • #17745 from gwillcox-r7 – This updates the metasploit-payloads gem to pull in changes to the Python Meterpreter on Windows to add the route add and route delete commands as well as the ability to get process information such as process names and paths.
  • #17746 from todb-r7 – The data/wordlists/password.lst password list has been updated to include the master password that LastPass suggests as an example when a user goes to create a new master password, r50$K28vaIFiYxaY, and to fix some encoding issues.
  • #17749 from adfoster-r7 – Updates the auxiliary/admin/kerberos/keytab.rb module to additionally export any NTHASHES, which can be useful for decrypting Kerberos network traffic in Wireshark.
  • #17756 from adfoster-r7 – Updates secrets dump to generate the Kerberos RC4 key for the machine account.
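As an added illustration of the two login scanner options described above (this is a constructed model, not the framework’s own implementation, whose exact semantics may differ), the Ruby below shows how a total error budget and a consecutive error budget behave differently over a sequence of connection outcomes: the consecutive counter resets on every successful connection, the total counter never does. The option names come from the bullet above; the ErrorBudget class, the demo helper and the outcome sequences are constructed for this example.

```ruby
# Constructed model of two give-up thresholds for a connection loop.
# max_error_count: total connection errors allowed against a target.
# max_consecutive_error_count: errors allowed in a row before giving up.
class ErrorBudget
  attr_reader :errors, :consecutive_errors, :attempts

  def initialize(max_error_count:, max_consecutive_error_count:)
    @max_error_count = max_error_count
    @max_consecutive_error_count = max_consecutive_error_count
    @errors = 0
    @consecutive_errors = 0
    @attempts = 0
  end

  # Processes each work item through the block, which returns :ok when the
  # connection reached the service and :error when it did not (timeout, reset).
  # Stops early when either budget is exceeded and returns the reason.
  def run(work)
    work.each do |item|
      @attempts += 1
      if yield(item) == :error
        @errors += 1
        @consecutive_errors += 1
      else
        @consecutive_errors = 0 # a good connection resets only the streak
      end
      return :too_many_consecutive_errors if @consecutive_errors > @max_consecutive_error_count
      return :too_many_errors if @errors > @max_error_count
    end
    :completed
  end
end

# Drives the budget with a constructed list of outcomes and reports the reason
# the loop stopped together with how many attempts were made.
def demo(outcomes, max_error_count:, max_consecutive_error_count:)
  budget = ErrorBudget.new(max_error_count: max_error_count,
                           max_consecutive_error_count: max_consecutive_error_count)
  reason = budget.run(outcomes) { |outcome| outcome }
  [reason, budget.attempts]
end

if __FILE__ == $PROGRAM_NAME
  # Four failures in a row exceed a consecutive budget of 3 on the 4th attempt.
  p demo([:error] * 4 + [:ok], max_error_count: 10, max_consecutive_error_count: 3)
  # Alternating failures never build a streak but exhaust a total budget of 3.
  p demo([:error, :ok] * 5, max_error_count: 3, max_consecutive_error_count: 3)
end
```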

Bugs fixed (8)

  • #17673 from bcoles – lib/msf/core/payload/apk.rb has been updated so that by default it only decompiles the main classes instead of all classes, fixing some issues whereby decompiling all classes would prevent creation of a backdoored APK. This also bumps up the minimum apktool version to 2.4.1 and makes it so that versions of apktool prior to 2.7.0 will throw a warning about being potentially out of date.
  • #17716 from zeroSteiner – A bug has been fixed whereby the reverse port forward information message was displayed incorrectly, and the same information was shown on both the local and remote parts of the message.
  • #17721 from zeroSteiner – This fixes an issue where payloads that were adapted failed when stage encoding was enabled because the stage encoding was based on the stager arch and platform values. These values were always the same until we introduced adapted payloads, which can vary.
  • #17723 from jvoisin – A bug has been fixed in the modules/encoders/php/base64.rb encoder whereby strings were being passed as literal strings without being properly quoted, which could result in errors on newer versions of PHP.
  • #17726 from zeroSteiner – The Metasploit Payloads gem has been updated bringing in initial support for attaching to processes on Python Meterpreter shells on Windows, a bug fix for the route command on newer versions of Windows on Windows Meterpreter, and a fix so that both C Meterpreter and Python Meterpreter sessions will attempt to enable the same set of permissions when running getprivs.
  • #17729 from bcoles – Fixes an edge case crash when running Ruby 3.2.
  • #17738 from adfoster-r7 – Fixes a Ruby 3.2 crash when running certain tools.
  • #17758 from zeroSteiner – The metasploit-payloads gem has been bumped to fix a token handle leak that was causing Python Meterpreters to leave dangling handles after using getprivs, fix an error in packet_transmit_http whereby error codes were not appropriately returned, and update the arp command to properly return the interface name instead of the index for the interface column.

Documentation added (3)

  • #17684 from adfoster-r7 – This PR adds the RBCD exploitation documentation to the docs site.
  • #17688 from adfoster-r7 – This PR fixes several broken wiki links, as well as adding validation so that users don’t use the wrong syntax when making docs changes.
  • #17743 from adfoster-r7 – A new page has been added to explain the METASPLOIT_CPU_PROFILE and METASPLOIT_MEMORY_PROFILE options and to explain how to profile msfconsole’s and msfvenom’s performance on systems.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).