Post Syndicated from Spencer McIntyre original https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-01-30-2026

FreeBPX Content Galore

This week brings 3 new pieces of module content for targeting FreePBX. All three chain multiple vulnerabilities together, starting with CVE-2025-66039. This initial vulnerability allows unauthenticated users to bypass the authentication process to interact with FreePBX. From this point, the different modules leverage either a SQL injection vulnerability (CVE-2025-61675) or a file upload vulnerability (CVE-2025-61678) to obtain remote code execution.

New module content (7)

FreePBX endpoint SQLi to RCE

Authors: Noah King and msutovsky-r7 Type: Exploit Pull request: #20857 contributed by msutovsky-r7 Path: unix/http/freepbx_custom_extension_rce AttackerKB reference: CVE-2025-61675

Description: This adds exploit module for FreePBX which chains an authentication bypass, CVE-2025-66039, with a SQLi, CVE-2025-61675, which allows for a cron job to be added to the cron_job table of the database to allow for Remote Code Execution.

FreePBX firmware file upload

Authors: Noah King and msutovsky-r7 Type: Exploit Pull request: #20858 contributed by msutovsky-r7 Path: unix/http/freepbx_firmware_file_upload AttackerKB reference: CVE-2025-61678

Description: This adds exploit module for FreePBX which chains an authentication bypass, CVE-2025-66039, with an unrestricted file upload (via firmware upload), CVE-2025-61678, which allows for a webshell to be uploaded to the webserver resulting in remote code execution.

FreePBX Custom Extension SQL Injection

Authors: Noah King and msutovsky-r7 Type: Auxiliary Pull request: #20846 contributed by msutovsky-r7 Path: gather/freepbx_custom_extension_injection AttackerKB reference: CVE-2025-61675

Description: This adds an exploit module for FreePBX which chains an authentication bypass, (CVE-2025-66039) with an SQLi (CVE-2025-61675) to create an admin user in the database.

Cacti Graph Template authenticated RCE versions prior to 1.2.29

Authors: Jack Heysel and chutchut Type: Exploit Pull request: #20799 contributed by jheysel-r7 Path: multi/http/cacti_graph_template_rce AttackerKB reference: CVE-2025-24367

Description: This adds an exploit for CVE-2025-24367 which is an unauthenticated RCE in Cacti.

SmarterTools SmarterMail GUID File Upload Vulnerability

Authors: Piotr Bazydlo, Sina Kheirkhah, and jheysel-r7 Type: Exploit Pull request: #20866 contributed by jheysel-r7 Path: multi/http/smartermail_guid_file_upload AttackerKB reference: CVE-2025-52691

Description: This adds a module for unauthenticated file upload in SmarterTools SmaterMail (CVE-2025-52691). The vulnerability allows an unauthenticated user to upload a file to any location on the system using path traversal using the guid variable. The module will either drop a webshell in the webroot directory (if the target is Windows) or create a cron job by dropping a file in /etc/cron.d (if the target is Linux).

Burp Extension Persistence

Author: h00die Type: Exploit Pull request: #19821 contributed by h00die Path: multi/persistence/burp_extension

Description: This adds a new persistence module for BurpSuite. The module adds a malicious extension to both the Pro and Community versions, which is triggered when the user starts BurpSuite.

SSH Key Persistence

Authors: Dean Welch [email protected] and h00die [email protected] Type: Exploit Pull request: #20778 contributed by h00die Path: multi/persistence/ssh_key

Description: Combines the Windows and Linux ssh key persistence modules.

Enhancements and features (1)

• #20778 from h00die – Combines the Windows and Linux ssh key persistence modules.

Bugs fixed (3)

• #20897 from h00die – This fixes a bug that was preventing collected hash data from being formatted as input for the John the Ripper cracker. The result is that users can now once again crack passwords using John.
• #20902 from rudraditya21 – This fixes a bug in the auxiliary/scanner/ssh/ssh_login module that would incorrectly state that a login failed when it in fact succeeded but the module was unable to open a session. This was only an issue when the CreateSession option is true.
• #20909 from adfoster-r7 – Fixes a bug in Metasploit Pro that reported false positives for HTTP bruteforcing.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.4.110…6.4.111
• Full diff 6.4.110…6.4.111

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

Post Syndicated from Spencer McIntyre original https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-01-09-2026

RISC-V Payloads

This week brings more RISC-V payloads from community member bcoles. One provides a new adapter which allows RISC-V payloads to be converted to commands and delivered as a Metasploit fetch-payload. The second is a classic bind shell, offering the user interactive connectivity to the target host. Both of these go a long way in improving Metasploit’s support for RISC-V systems.

Annual Wrap Up

With a new year comes a new annual wrap up. Earlier this week, the Metasploit project posted the annual wrap up covering notable changes from 2025.

New module content (4)

Taiga tribe_gig authenticated unserialize remote code execution

Authors: rootjog and whotwagner

Type: Exploit

Pull request: #20700 contributed by whotwagner 

Path: multi/http/taiga_tribe_gig_unserial

AttackerKB reference: CVE-2025-62368

Description: This adds a new module for authenticated deserialization vulnerability in Taiga.io (CVE-2025-62368). The module sends malicious data to exposed API, which performs unsafe deserialization, leading to remote code execution.

Python Site-Specific Hook Persistence

Author: msutovsky-r7

Type: Exploit

Pull request: #20692 contributed by msutovsky-r7 

Path: multi/persistence/python_site_specific_hook

Description: This adds a persistence module which leverages Python’s startup mechanism, where some files can be automatically processed during the initialization of the Python interpreter. Someof those files are startup hooks (site-specific, dist-packages). If these files are present in site-specific or dist-packages directories, any lines beginning with import will be executed automatically. This creates a persistence mechanism if an attacker has established access to the target machine with sufficient permissions.

Add Linux RISC-V command payload adapters

Authors: bcoles [email protected] 

Type: Payload (Adapter)

Pull request: #20734 contributed by bcoles

Description: This extends fetch payloads for RISC-V targets.

Linux Command Shell, Bind TCP Inline

Authors: bcoles [email protected] and modexp

Type: Payload (Single)

Pull request: #20733 contributed by bcoles 

Path: linux/riscv32le/shell_bind_tcp

Description: This adds a new payload: a bind shell for Linux RISC-V targets.

Bugs fixed (2)

• #20370 from msutovsky-r7 – Fixes an issue that occurred when negotiating the SMB version and the server uses an unknown dialect. Now, the login function will throw an exception and exit gracefully.
• #20744 from ptrstr – This fixes a bug in unix/webapp/wp_reflexgallery_file_upload where the current year and month were being hardcoded in the request. This caused the server to reject the exploit if there was no folder in wp-content/uploads for that specific year and month. Now the year and month are configurable datastore options.

Documentation added (1)

• #20831 from DataExplorerX – This adds link to issues in Metasploit Framework Github repository.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.4.105…6.4.106
• Full diff 6.4.105…6.4.106

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

Post Syndicated from Spencer McIntyre original https://www.rapid7.com/blog/post/metasploit-wrap-up-12-19-2025

React2Shell Payload Improvements

Last week Metasploit released an exploit for the React2Shell vulnerability, and this week we have made a couple of improvements to the payloads that it uses. The first improvement affects all Metasploit modules. When an exploit is used, an initial payload is selected using some basic logic that effectively would make a selection from the first available in alphabetical order. Now Metasploit will prefer a default of x86 Meterpreters for Windows systems (since 32-bit payloads work on both 32-bit and 64-bit versions of Windows) and x64 Meterpreters for all other platforms including Linux. In the context of React2Shell, this means the payload now defaults to x64 for Linux instead of AARCH64.

Another improvement that only affects this exploit was the change of the default payload to one leveraging Node.js which is more likely to be present than the wget binary that was required. These defaults should hopefully help users get started with this high-impact exploit with more ease, but of course any compatible payload can still be selected.

Stay tuned for the Metasploit annual wrap-up and roadmap announcement coming up!

New module content (2)

N-able N-Central Authentication Bypass and XXE Scanner

Authors: Valentin Lobstein [email protected] and Zach Hanley (Horizon3.ai)

Type: Auxiliary

Pull request: #20713 contributed by Chocapikk 

Path: scanner/http/nable_ncentral_auth_bypass_xxe

AttackerKB reference: CVE-2025-11700

Description: This adds an auxiliary module that exploits two CVEs affecting N-able N-Central. CVE-2025-9316, an Unauthenticated Session Bypass and CVE-2025-11700 a XXE (XML External Entity) vulnerability. The module combines both vulnerabilities to achieve unauthenticated file read on affected N-Central instances (versions < 2025.4.0.9).

Grav CMS Twig SSTI Authenticated Sandbox Bypass RCE

Author: Tarek Nakkouch

Type: Exploit

Pull request: #20749 contributed by nakkouchtarek 

Path: multi/http/grav_twig_ssti_sandbox_bypass_rce

AttackerKB reference: CVE-2025-66301

Description: This adds an exploit module for a Server-Side Template Injection (SSTI) vulnerability (CVE-2025-66294) in Grav CMS, versions prior to 1.8.0-beta.27 , that allows bypassing the Twig sandbox to achieve remote code execution. To inject the malicious payload into a form’s process section, this module leverages CVE-2025-66301, a broken access control flaw in the /admin/pages/{page_name} endpoint.

Enhancements and features (2)

• #20424 from cdelafuente-r7 – Updates how vulnerabilities and services are reported by adding a resource field to both models. It also add a parents field to make layered services possible. An optional resource field can now be provided and the existing service field has been updated to also accept an option hash.
• #20771 from zeroSteiner – Updates Metasploit’s default payload selection logic to preference x86 payloads over AARCH64 payloads.
• #20773 from jheysel-r7 – This updates the exploit for React2Shell with a better default payload.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.4.102…6.4.103
• Full diff 6.4.102…6.4.103

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

Post Syndicated from Spencer McIntyre original https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-12-12-2025

React2shell Module

As you may have heard, on December 3, 2025, the React team announced a critical Remote Code Execution (RCE) vulnerability in servers using the React Server Components (RSC) Flight protocol. The vulnerability, tracked as CVE-2025-55182, carries a CVSS score of 10.0 and is informally known as “React2Shell”. It allows attackers to achieve prototype pollution during deserialization of RSC payloads by sending specially crafted multipart requests with “proto”, “constructor”, or “prototype” as module names. We’re happy to announce that community contributor vognik submitted an exploit module for React2Shell which landed earlier this week and is included in this week’s release.

MSSQL Improvements

Over the past couple of weeks Metasploit has made a couple of key improvements to the framework’s MSSQL attack capabilities. The first (PR 20637) is a new NTLM relay module, auxiliary/server/relay/smb_to_mssql, which enables users to start a malicious SMB server that will relay authentication attempts to one or more target MSSQL servers. When successful, the Metasploit operator will have an interactive session to the MSSQL server that can be used to run interactive queries, or MSSQL auxiliary modules.

Building on this work, it became clear that users would need to interact with MSSQL servers that required encryption as many do in hardened environments. To achieve that objective, issue 18745 was closed by updating Metasploits MSSQL protocol library to offer better encryption support. Now, Metasploit users can open interactive sessions to servers that offer and even require encrypted connections. This functionality is available automatically in the auxiliary/scanner/mssql/mssql_login and new auxiliary/server/relay/smb_to_mssql modules.

New module content (5)

Magento SessionReaper

Authors: Blaklis, Tomais Williamson, and Valentin Lobstein [email protected] 

Type: Exploit

Pull request: #20725 contributed by Chocapikk 

Path:multi/http/magento_sessionreaper

AttackerKB reference: CVE-2025-54236

Description: This adds a new exploit module for CVE-2025-54236 (SessionReaper), a critical vulnerability in Magento/Adobe Commerce that allows unauthenticated remote code execution. The vulnerability stems from improper handling of nested deserialization in the payment method context, combined with an unauthenticated file upload endpoint.

Unauthenticated RCE in React and Next.js

Authors: Lachlan Davidson, Maksim Rogov, and maple3142

Type: Exploit

Pull request: #20760 contributed by sfewer-r7 

Path: multi/http/react2shell_unauth_rce_cve_2025_55182 

AttackerKB reference: CVE-2025-66478

Description: This adds an exploit for CVE-2025-55182 which is an unauthenticated RCE in React. This vulnerability has been referred to as React2Shell.

WordPress King Addons for Elementor Unauthenticated Privilege Escalation to RCE

Authors: Peter Thaleikis and Valentin Lobstein [email protected] 

Type: Exploit

Pull request: #20746 contributed by Chocapikk 

Path: multi/http/wp_king_addons_privilege_escalation 

AttackerKB reference: CVE-2025-8489

Description: This adds an exploit module for CVE-2025-8489, an unauthenticated privilege escalation vulnerability in the WordPress King Addons for Elementor plugin (versions 24.12.92 to 51.1.14). The vulnerability allows unauthenticated attackers to create administrator accounts by specifying the user_role parameter during registration, enabling remote code execution through plugin upload.

Linux Reboot

Author: bcoles [email protected] 

Type: Payload (Single)

Pull request: #20682 contributed by bcoles 

Path:linux/loongarch64/reboot

Description: This extends our payloads support to a new architecture, LoongArch64. The first payload introduced for this new architecture is the reboot payload, which will cause the target system to restart once triggered.

Enhanced Modules (2)

Modules which have either been enhanced, or renamed:

• #20736 from sfewer-r7 – This pull requests updates the exploit/linux/http/fortinet_fortiweb_rce module (added in https://github.com/rapid7/metasploit-framework/pull/20717) to add in support for older version of FortiWeb, versions 6.*, which are no longer under support from the vendor.
• #20747 from vognik – This adds an exploit for CVE-2025-55182 which is an unauthenticated RCE in React. This vulnerability has been referred to as React2Shell.

Enhancements and features (1)

• #20704 from dwelch-r7 – The module auxiliary/scanner/ssh/ssh_login_pubkey has been removed. Its functionality has been moved into auxiliary/scanner/ssh/ssh_login.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.4.101…6.4.102
• Full diff 6.4.101…6.4.102

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2025/05/30/metasploit-wrap-up-05-30-2025/

The internet is a series of Tube [SOCKS]

Metasploit has supported SOCKS proxies for years now, being able to both act as both a client (by setting the Proxies datastore option) and a server (by running the auxiliary/server/socks_proxy module). While Metasploit has supported both SOCKS versions 4a and 5, there became some ambiguity in regards to how Domain Name System (DNS) requests are made by Metasploit through these versions. Both versions 4a and 5 notably enable clients to make connections to hosts identified by hostnames leading to the DNS resolution to take place on the SOCKS server. Whether or not the SOCKS client chooses to resolve the hostname to an address itself or to use the server is an implementation detail that is inconsistent among many pieces of software.

In the case of Metasploit, the framework opted to handle the DNS resolution itself. This was to ensure consistent behavior of running a module with and without a proxy when the target hostname resolved to multiple IP addresses. Many years ago, when Metasploit shifted focus to assessing targets in bulk, we decided that if a hostname was specified as a target by a user that mapped to multiple IP addresses, the module should be run for each IP address. This behavior is mostly intended for modules targeting web servers and can be seen by running the auxiliary/scanner/http/http_version module with a target behind a CDN such as cloudfront (it’s pretty easy to guess a suitable example here).

This did however introduce a problem for users that intended to use Metasploit as a SOCKS proxy client by setting the Proxies datastore option because Metasploit was performing the DNS resolution instead of passing the hostname to the proxy server as the user might expect. To explicitly facilitate what is probably the expected behavior of using the proxy server for name resolution, Metasploit added the unofficial SOCKS5H scheme used by cURL and other clients. The convention here being that if SOCKS5H is used, that the proxy server should be used for name resolution. Now in this case, Metasploit users can leverage the resolution capabilities of the SOCKS5 server, however that may be implemented, to initiate their connection.

To use this new capability, simply specify the server in the Proxies option as socks5h://192.0.2.0:1080 where 192.0.2.0 is the target SOCKS5 server.

At this time, Metasploit does not currently have client support for the older SOCKS4a version. If this is something that would interest you, please let us know in our ticket.

New module content (2)

WordPress Depicter Plugin SQL Injection (CVE-2025-2011)

Authors: Muhamad Visat and Valentin Lobstein
Type: Auxiliary
Pull request: #20185 contributed by Chocapikk
Path: gather/wp_depicter_sqli_cve_2025_2011
AttackerKB reference: CVE-2025-2011

Description: This adds a module for exploiting CVE-2025-2011 which is an unauthenticated SQL injection vulnerability in the "Slider & Popup Builder" plugin versions <= 3.6.1.

Gladinet CentreStack/Triofox ASP.NET ViewState Deserialization

Authors: H00die Gr3y and Huntress Team
Type: Exploit
Pull request: #20096 contributed by h00die-gr3y
Path: windows/http/gladinet_viewstate_deserialization_cve_2025_30406
AttackerKB reference: CVE-2025-30406

Description: This adds an exploit module for Gladinet CentreStack/Triofox, the vulnerability, an unsafe deserialization allows execution of arbitrary commands.

Enhancements and features (2)

• #20147 from zeroSteiner – This adds support for the SOCKS5H protocol, allowing DNS resolution through a SOCKS5 proxy.
• #20180 from smashery – This adds a warning to PowerShell use when an impersonation token is active.

Bugs fixed (3)

• #20257 from cgranleese-r7 – Fixes an issue where the report_note deprecation message calling method incorrectly.
• #20261 from bwatters-r7 – This updates the vmware_vcenter_vmdir_auth_bypass module and accompanying documentation to refer to the new datastore option name.

Documentation added (1)

• #20255 from arpitjain099 – This fixes multiple typos in various pages of documentation.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.65…6.4.66
• Full diff 6.4.65…6.4.66

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2025/05/16/metasploit-wrap-up-05-16-2025/

New modules for everyone

This week’s release is packed with new module content. We have RCE modules for Car Rental System 1.0, WordPress plugins SureTriggers, User Registration and Membership. We also have a persistence module for LINQPad software and an auxiliary module for POWERCOM UPSMON PRO. We have also added support for 32-bit architectures to our execute-assembly post module, which now supports injection of both 64-bit and 32-bit .NET assembly binaries.

New module content (5)

POWERCOM UPSMON PRO Path Traversal (CVE-2022-38120) and Credential Harvester (CVE-2022-38121)

Author: Michael Heinzl
Type: Auxiliary
Pull request: #20123 contributed by h4x-x0r
Path: gather/upsmon_traversal
AttackerKB reference: CVE-2022-38121

Description: This adds an auxiliary module for two vulnerabilities in POWERCOM UPSMON PRO: path traversal and credential harvesting. The first vulnerability allows users to traverse the path in URI and read arbitrary files with respect to privileges of a given user account. The second vulnerability allows access to sensitive credentials for UPSMON as they are stored in plaintext in a readable file.

Car Rental System 1.0 File Upload RCE (Authenticated)

Author: Aaryan Golatkar
Type: Exploit
Pull request: #20026 contributed by aaryan-11-x
Path: multi/http/carrental_fileupload_rce
AttackerKB reference: CVE-2024-57487

Description: This adds a module for a file upload vulnerability in Car Rental System 1.0. It requires administrator credentials to exploit.

WordPress SureTriggers Auth Bypass and RCE

Authors: Khaled Alenazi (Nxploited), Michael Mazzolini (mikemyers), and Valentin Lobstein
Type: Exploit
Pull request: #20146 contributed by Chocapikk
Path: multi/http/wp_suretriggers_auth_bypass
AttackerKB reference: CVE-2025-3102

Description: Adds a new exploit module for the WordPress SureTriggers plugin (≤ 1.0.78) that abuses CVE-2025-3102, an unauthenticated REST endpoint to create an administrative user and achieve remote code execution.

WP User Registration and Membership Unauthenticated Privilege Escalation (CVE-2025-2563)

Authors: Valentin Lobstein and wesley (wcraft)
Type: Exploit
Pull request: #20159 contributed by Chocapikk
Path: multi/http/wp_user_registration_membership_escalation
AttackerKB reference: CVE-2025-2563

Description: This adds a module for a privilege escalation vulnerability in the User Registration and Membership plugin for WordPress. It allows creating new users with administrator privileges.

LINQPad Deserialization Exploit

Authors: James Williams and msutovsky-r7 [email protected]
Type: Exploit
Pull request: #19777 contributed by msutovsky-r7
Path: windows/local/linqpad_deserialization_persistence
AttackerKB reference: CVE-2024-53326

Description: Adds a module to install persistence relying on CVE-2024-53326, a .NET deserialization vulnerability in the startup of Linqpad versions prior to 5.52.

Enhancements and features (3)

• #20098 from smashery – Adds support for 32-bit execute-assembly, allowing injection of 64-bit or 32-bit .NET assembly.
• #20126 from bcoles – This adds a Linux post-exploitation method to check Yama’s ptrace_scope setting. It removes a round trip required to obtain the scope value making modules that require knowing it to run slightly faster.
• #20173 from adfoster-r7 – Updates the web crawling modules to support HTTP logging.

Bugs fixed (8)

• #20010 from lafried – This fixes missing Powershell signature, when SSH is trying to identify the platform.
• #20111 from cdelafuente-r7 – Fixes an issue that prevented failed exploit attempts to be registered in the database correctly.
• #20118 from zeroSteiner – This fixes the target option for smb_to_ldap module. The option RELAY_TARGETS is now outdated, RHOSTS should be used instead.
• #20120 from bcoles – This fixes typos across many Windows post-exploit modules and adds missing metadata.
• #20128 from bcoles – This fixes an IP address assignment in the auxiliary/bnat/bnat_router module.
• #20142 from L-codes – Fixes a crash when running unknown commands in msfconsole when using specific versions of Ruby and bundler.
• #20156 from bcoles – This fix typos and rubocop violations inside the post modules.
• #20181 from bwatters-r7 – This fixes an issue in Metasploit’s WordPress login functionality that would cause it to fail for certain target configurations.

Documentation added (1)

• #20151 from adfoster-r7 – Updates the Wiki to include the latest available download links.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.62…6.4.64
• Full diff 6.4.62…6.4.64

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2025/05/02/metasploit-wrap-up-114/

Meterpreter Extended API Clipboard Monitoring

Security is hard, and Open Source Security is a collaborative effort. This week, Metasploit released a fix for a vulnerability that was privately disclosed to us by long-time community member bcoles. The vulnerability in question impacted Metasploit users who were using the clipboard monitoring functionality contained within the extended-API Meterpreter extension (extapi). After a user enables monitoring, they would typically run clipboard_monitor_stop or clipboard_monitor_dump to retrieve information from the compromised host. The vulnerability existed in Metasploit’s handling of files that may be present in the remote hosts clipboard. When files were downloaded, they would, by default, be written to in the current working directory and would overwrite any existing files.

An attacker could leverage this by placing a malicious file into their clipboard and waiting for the Metasploit operator to download it, then execute it. As an example, an attacker may assume that the Metasploit operator is running Metasploit from the current working directory of Metasploit itself. In that case, they could have a malicious Ruby file named msfconsole in their clipboard. When the Metasploit operator dumps the contents of the remote clipboard, their local copy of msfconsole would be overwritten and then executed the next time they started Metasploit. It should be noted that the file that is written to is printed in the command’s output, but may be ignored by the user.

Now with the changes introduced in #19938, the extapi’s clipboard monitoring commands have been updated to make this significantly more difficult. Two primary changes were made. Now Metasploit will require a directory to be specified by the user of where file contents should be written to. Additionally, files will not be overwritten automatically. In order to overwrite an existing file, the user must specify the –force argument. If a file would be or is overwritten, it will be noted in the output:

meterpreter > clipboard_monitor_dump -d test_dir --force -p
Files captured at 2025-04-01 19:11:30.0503
==========================================
Remote Path : C:\Users\smcintyre\Desktop\hello-world.txt
File size   : 11 bytes
Downloading : C:\Users\smcintyre\Desktop\hello-world.txt -> /home/smcintyre/Repositories/metasploit-framework.pr/test_dir/hello-world.txt
Downloaded 11.00 B of 11.00 B (100.0%) : C:\Users\smcintyre\Desktop\hello-world.txt -> /home/smcintyre/Repositories/metasploit-framework.pr/test_dir/hello-world.txt
Completed   : Overwrote existing file /home/smcintyre/Repositories/metasploit-framework.pr/test_dir/hello-world.txt

The Metasploit team would like to thank bcoles for bringing this issue to our attention. We have assigned it CVE-2025-3095 and evaluated it with a CVSS score of 5.0 / Medium (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P). This vulnerability was fixed in Metasploit version 6.4.60, released on April 30th, 2025.

New module content (2)

LDAP Password Disclosure

Authors: Hynek Petrak, Spencer McIntyre, Thomas Seigneuret, and Tyler Booth
Type: Auxiliary
Pull request: #20017 contributed by zeroSteiner
Path: gather/ldap_passwords

Description: This updates and renames the ldap_hashdump module to ldap_passwords, extending its functionality to extract secrets used by LAPSv1 and LAPSv2 in Active Directory environments, alongside existing LDAP implementations. It simplifies usage by unifying techniques under one module and avoids requiring users to fingerprint the server type. Associated tests were also updated to include AD-specific data using Samba as a test LDAP server.

WonderCMS Remote Code Execution

Authors: Milad "Ex3ptionaL" Karimi and msutovsky-r7
Type: Exploit
Pull request: #20081 contributed by msutovsky-r7
Path: multi/http/wondercms_rce
AttackerKB reference: CVE-2023-41425

Description: Adds a new module “exploit/multi/http/wondercms_rce” which exploits CVE-2023-41425 – a file upload vulnerability. The module will authenticate against the vulnerable WonderCMS instance using a given password and then creates a zip file with a malicious PHP file. The module then uploads a zip file, which gets automatically parsed into /themes directory and executed by the application.

Enhancements and features (1)

• #20110 from bcoles – Improves code quality, metadata, and fixes some edge-case bugs within the modules/post/osx modules.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.60…6.4.61
• Full diff 6.4.60…6.4.61

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2025/04/04/metasploit-wrap-up-04-04-2025/

New RCEs

Metasploit added four new modules this week, including three that leverage vulnerabilities to obtain remote code execution (RCE). Among these three, two leverage deserialization, showing that the exploit primitive is still going strong. The Tomcat vulnerability in particular CVE-2025-24813 garnered a lot of attention when it was disclosed; however, to function, the exploit requires specific conditions to be met, which may not be present in many environments.

AD CS / PKCS12 Improvements

With the popularity of exploiting AD CS misconfigurations over the past couple of years, Metasploit has been continuing to iterate over our support. This week saw two improvements; one added additional error handling, which notably calls out authorization errors more clearly to the user. These errors, now labeled no-access failures, are encountered when the user is successfully authenticated but lacks authorization privileges to enroll on either the certificate template or the certificate authority server. Additionally, Metasploit’s support for PKCS12 certificate storage is actively being improved. This week, a milestone was reached allowing additional metadata to be stored with the certificate, which, in the future, will enable more streamlined use of stored certificate data. This new metadata includes the password to decrypt the PKCS12 data, the CA that issued the certificate and AD CS template it was derived from.

New module content (4)

pfSense Login Scanner

Author: sjanusz-r7
Type: Auxiliary
Pull request: #19985 contributed by sjanusz-r7
Path: scanner/http/pfsense_login

Description: This adds a login scanner module for pfSense which can be used to brute force valid credentials to the web GUI.

CmsMadeSimple Authenticated File Manager RCE

Authors: Mirabbas Ağalarov, Okan Kurtuluş, and tastyrice
Type: Exploit
Pull request: #19980 contributed by tastyrce
Path: multi/http/cmsms_file_manager_auth_rce
AttackerKB reference: CVE-2023-36969

Description: This adds an exploit module for CMSMadeSimple <= v2.2.21, which is vulnerable to an authenticated RCE (CVE-2023-36969).

Tomcat Partial PUT Java Deserialization

Authors: Calum Hutton, h4ck3r-04, and sw0rd1ight
Type: Exploit
Pull request: #19995 contributed by chutton-r7
Path: multi/http/tomcat_partial_put_deserialization
AttackerKB reference: CVE-2025-24813

Description: This adds an exploit module for CVE-2025-24813, which is an unauthenticated, constrained file write vulnerability in Apache Tomcat.

Sitecore CVE-2025-27218 BinaryFormatter Deserialization Exploit

Authors: Dylan Pindur and machang-r7
Type: Exploit
Pull request: #19947 contributed by machang-r7
Path: windows/http/sitecore_xp_cve_2025_27218
AttackerKB reference: CVE-2025-27218

Description: This adds an exploit module for CVE-2025-27217, an unauthenticated .NET deserialization vulnerability for Sitecore.

Enhancements and features (4)

• #19606 from cgranleese-r7 – This updates the LDAP modules to use datastore options for authentication that are prefixed with LDAP, allowing them to be used as larger workflows that merge datastore options for multiple protocols.
• #19736 from cdelafuente-r7 – This update adds support for the new Pkcs12 data format, allowing the CA and ADCS template to be stored as metadata in the database. Additionally, Pkcs12 passwords can now be stored as metadata, with validation ensuring correct passwords are provided when adding encrypted Pkcs12 files using the creds command.
• #19984 from zeroSteiner – This improves AD CS workflows by adding additional error handing.
• #19991 from zeroSteiner – This adds some new tests for LoginScanners. It ensures that the LoginScanners follow a common interface for initialization, most notably that they take a single argument containing the configuration as a hash.

Bugs fixed (3)

• #19934 from sfewer-r7 – This addresses several bugs in the exploit/linux/misc/cisco_ios_xe_rce module, which was failing for Cisco IOS XE version 17.06.05 on C8000v series appliances. Fixes include correcting the /webui URI to /webui/ (with a trailing slash) and adjusting the case sensitivity in the /webui_wsma_https URI for both CSR1000v and C8000v appliances. Additionally, the module now properly distinguishes between HTTPS and HTTP targets, ensuring compatibility with both appliance series.
• #19993 from h00die-gr3y – This fixes an issue where payloads using cmd/base64 encoder with badchars \x20 (space) failed due to syntax errors in POSIX shells when ${IFS} followed parentheses. Removed unnecessary spaces from the payload to ensure proper execution in Unix-based environments.
• #19998 from sjanusz-r7 – Fixes a crash when running the auxiliary/crawler/msfcrawler module.

Documentation

• #19979 from bwatters-r7 – This adds documentation that describes when a module submission may be superseded.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.55…6.4.56
• Full diff 6.4.55…6.4.56

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2025/01/31/metasploit-weekly-wrap-up-01-31-25/

ESC4 Detection

This week, Metasploit’s jheysel-r7 updated the existing ldap_esc_vulnerable_cert_finder module to include detecting template objects that can be written to by the authenticated user. This means the module can now identify instances of ESC4 from the perspective of the account that the Metasploit operator provided the credentials for. Metasploit has been capable of exploiting ESC4 for some time, but required users to know which certificate templates they had write access to. This closes an important gap in Metasploit’s AD CS coverage and should help users identify additional attack vectors. See the Metasploit AD CS documentaiton for steps on how ESC4 can be exploited using Metasploit.

New module content (1)

Craft CMS Twig Template Injection RCE via FTP Templates Path

Authors: AssetNote, Valentin Lobstein, and jheysel-r7
Type: Exploit
Pull request: #19772 contributed by jheysel-r7
Path: linux/http/craftcms_ftp_template
AttackerKB reference: CVE-2024-56145

Description: Adding new exploit module for Craft CMS, when the attacker can use malicious FTP server to gain remote code execution. This vulnerability requires PHP option register_argc_argv to be enabled.

Enhanced Modules (1)

Modules which have either been enhanced, or renamed:

• #19816 from jheysel-r7 – This adds support to the existing ldap_esc_vulnerable_cert_finder for identifying certificate templates that are vulnerable to ESC4 from the perspective of the authenticated user.

Bugs fixed (6)

• #19826 from zeroSteiner – Fixes two issues with the ldap_query module. The first was that the BASE_DN wasn’t being used when set. The second was that the QUERY_ATTRIBUTES was a required datastore option. Now if the QUERY_ATTRIBUTES is left unset the module will return all the attributes. This is particularly useful if the operator doesn’t know the exact attributes defined on an object because they’re looking for something.
• #19833 from cdelafuente-r7 – This fixes an issue with the petitpotam module where in the default configuration, an incorrect service UUID was being used.
• #19834 from sfewer-r7 – Updates the connect_ws method within the Exploit::Remote::HttpClient library to generate a RFC 6455 compliant value for the generated Sec-WebSocket-Key header.
• #19835 from cdelafuente-r7 – This fixes an issue in the lookup logic when providing a Kerberos ticket as a file. The comparison of the SPN hostname was done as a case sensitive comparison, which prevented the ticket to be used if the user sets the *::rhostname option with a different case than the one stored in the ticket.
• #19836 from 0xAryan – Fixes a broken blog link in the exploit/multi/http/nibbleblog_file_upload module.
• #19843 from cdelafuente-r7 – This fixes an issue with both the ldap_login and smb_login modules. The problem is that now, some login scanner modules are not only used to discover and report valid credentials, but also to get a session (e.g. SMB session, LDAP session). This means, if Kerberos is used as the authentication method, the user can omit the password and reuse tickets from the cache. Also, if the authentication method is Schannel (LDAP), the username can also be omitted since the certificate will contain everything needed to authenticate. Prior to this fix these modules would error if they were run without the username and password fields set. The fix introduces two new boolean attributes in the CredentialCollection class ignore_private and ignore_public which indicate whether the module should be allowed to be run without a username or password.

Documentation added (1)

• #19825 from adfoster-r7 – Adds documentation for ldap test system.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.46…6.4.47
• Full diff 6.4.46…6.4.47

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2025/01/03/metasploit-2024-annual-wrap-up/

Another year has come and gone, and the Metasploit team has taken some time to review the year’s notable additions. This year saw some great new features added, Metasploit 6.4 released and a slew of new modules. We’re grateful to the community members new and old that have submitted modules and issues this year. The real privilege escalation was the privilege of working with the contributors and friends we made along the way. And so, as is tradition, let us begin the 2024 annual recap.

HTTP Relaying and ESC8

Metasploit continues to expand support for Active Directory Certificate Services AD CS attacks, also known as ESC attacks. These attacks have been popular since they were announced three years ago, and the complexity and ubiquity of enterprise AD CS setups has rendered them “gifts that keep on giving” for attackers and pen testers alike. This year, we added support for ESC8, a vulnerability in AD CS Web Enrollment service, in which authentication from a user’s SMB connection can be relayed to a Certificate Web Enrollment endpoint and used to generate a valid certificate for authentication. This means that if an attacker can coerce a user to attempt to access an SMB share, their authentication can be relayed to a certificate server for authentication. Once authenticated, the session will allow the attacker to mint certificates for any template they have permissions to access. Unlike many AD CS attacks, this is not necessarily due to a misconfiguration in a template, but is an effect of the Web Enrollment service’s use of NTLM over HTTP, which does not enable relaying protections by default.

msf6 auxiliary(server/relay/esc8) > show options

Module options (auxiliary/server/relay/esc8):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   CAINPWFILE                      no        Name of file to store Cain&Abel hashes in. Only supports NTLMv1 hashes. Can be a path.
   JOHNPWFILE                      no        Name of file to store JohnTheRipper hashes in. Supports NTLMv1 and NTLMv2 hashes, each
                                              of which is stored in separate files. Can also be a path.
   MODE           AUTO             yes       The issue mode. (Accepted: ALL, AUTO, QUERY_ONLY, SPECIFIC_TEMPLATE)
   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RELAY_TARGETS                   yes       Target address range or CIDR identifier to relay to
   RELAY_TIMEOUT  25               yes       Seconds that the relay socket will wait for a response after the client has initiated
                                             communication.
   RPORT          80               yes       The target port (TCP)
   SMBDomain      WORKGROUP        yes       The domain name used during SMB exchange.
   SRVHOST        0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local
                                              machine or 0.0.0.0 to listen on all addresses.
   SRVPORT        445              yes       The local port to listen on.
   SRV_TIMEOUT    25               yes       Seconds that the server socket will wait for a response after the client has initiated
                                              communication.
   SSL            false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI      /certsrv/        yes       The URI for the cert server.
   VHOST                           no        HTTP server virtual host


   When MODE is SPECIFIC_TEMPLATE:

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   CERT_TEMPLATE                   no        The template to issue if MODE is SPECIFIC_TEMPLATE.


Auxiliary action:

   Name   Description
   ----   -----------
   Relay  Run SMB ESC8 relay server



View the full module info with the info, or info -d command.

msf6 auxiliary(server/relay/esc8) > set RELAY_TARGETS 10.5.132.182
RELAY_TARGETS => 10.5.132.182
msf6 auxiliary(server/relay/esc8) > run
[*] Auxiliary module running as background job 0.
msf6 auxiliary(server/relay/esc8) > 
[*] SMB Server is running. Listening on 0.0.0.0:445
[*] Server started.
[*] New request from 10.5.132.191
[*] Received request for EXAMPLE\Administrator
[*] Relaying to next target http://10.5.132.182:80/certsrv/
[+] Identity: EXAMPLE\Administrator - Successfully authenticated against relay target http://10.5.132.182:80/certsrv/
[SMB] NTLMv2-SSP Client     : 10.5.132.182
[SMB] NTLMv2-SSP Username   : EXAMPLE\Administrator
[SMB] NTLMv2-SSP Hash       : Administrator::EXAMPLE:9a0ad3b11b1b3471:b97c9d53262316974c31219cd6dd2f00:01010000000000009e0f749d1b53db013d142354bb7d5da90000000002000e004500580041004d0050004c00450001001e00570049004e002d00440052004300390048004300440049004d0041005400040016006500780061006d0070006c0065002e0063006f006d0003003600570049004e002d00440052004300390048004300440049004d00410054002e006500780061006d0070006c0065002e0063006f006d00050016006500780061006d0070006c0065002e0063006f006d00070008009e0f749d1b53db01060004000200000008003000300000000000000001000000002000007eb46f894f1cad59192724ba6164849c3e04a00c54dae36b065603553ff355c40a001000000000000000000000000000000000000900220063006900660073002f00310030002e0035002e003100330035002e003200300031000000000000000000

[+] Certificate generated using template User and EXAMPLE\Administrator
[+] Certificate for EXAMPLE\Administrator using template User saved to /home/tmoose/.msf4/loot/20241220141352_default_10.5.132.182_windows.ad.cs_360378.pfx
[*] Received request for EXAMPLE\Administrator
[*] Identity: EXAMPLE\Administrator - All targets relayed to

Meterpreter’s PoolParty

In November 2024, the Metasploit Framework improved the Windows Meterpreter capabilities by including the PoolParty Injection technique to perform code injection into remote processes. The new technique functions as a replacement to the common kernel32!CreateRemoteThread technique. This increased the stealth skills of the Meterpreter agent without removing any functionality already present. Significant effort was made to implement the cleanest injection technique in a transparent manner to the user and avoid leaving any footprint in memory after a successful injection. Currently the PoolParty injection is based on the TP_DIRECT_INSERTION variant and supports code injection on 64-bit Windows 10 and newer systems. Injection to and from WoW64 processes is partially implemented due to some security restrictions. Injection is currently limited to WoW64 to x64.

LDAP Improvements

Over the past couple of years Metasploit has improved its LDAP support substantially. There are troves of data points available in Active Directory via LDAP that aid in various attack workflows. Some examples include the domain SID, the number of computers a normal user can add, kerberoastable-accounts, vulnerable ESC templates and more. To aid users in accessing this information, Metasploit has continued to make LDAP improvements this year.

Metasploit 6.4 included multiple new protocol-based session types, one of which was LDAP. The ldap_login module can be used to open an interactive LDAP session, enabling the user to take multiple actions without needing to reconnect and reauthenticate to the target server. This feature is currently disabled by default, but can be enabled using set ldap_session_type true and then restarting Metasploit. Once established, these sessions can be used to run queries from the command line, or certain auxiliary modules, such as ldap_query and ldap_esc_vulnerable_cert_finder can use the session to gather information.

In addition to the new session type, Metasploit has added support for both channel binding and signing to enable users to operate in hardened environments. Now when Metasploit authenticates to an LDAP service, it’ll automatically use signing or channel binding as applicable based on the configuration. Signing can also be controlled using the LDAP::Signing datastore option which supports three values:

• disabled – never use signing, useful for verifying a server is requiring signing
• auto – signing will be used when it is necessary
• required – signing will always be used

Channel binding is always used when SSL is in use. Metasploit supports channel binding for both NTLM and Kerberos authentication.

Metasploit 6.4 Released

This year Metasploit 6.4 released with multiple features; including the new dns command which grants the user a high degree of control over how DNS queries should be processed, and adds support for multiple new session types (PostgreSQL, MSSQL, MySQL and SMB) with the CreateSession option:

msf6 > use scanner/smb/smb_login
msf6 auxiliary(scanner/smb/smb_login) > run rhost=192.168.123.133 username=vagrant password=vagrant CreateSession=true

[*] 192.168.123.133:445   - 192.168.123.133:445 - Starting SMB login bruteforce
[+] 192.168.123.133:445   - 192.168.123.133:445 - Success: '.\vagrant:vagrant' Administrator
[*] SMB session 2 opened (192.168.123.1:52253 -> 192.168.123.133:445) at 2024-03-19 12:07:15 +0000

Each new session type supports different capabilities such as querying databases, using the SQL/SMB session with exploit modules to gain native sessions, and exploring and manipulating remote file systems:

msf6 auxiliary(scanner/smb/smb_login) > sessions -i -1
[*] Starting interaction with 1…
SMB (192.168.123.133) > ls
[-] No active share selected. Use the shares command to view available shares, and shares -i <id> to interact with one
SMB (192.168.123.133) > shares
Shares
======
    #  Name      Type          comment
    -  ----      ----          -------
    0  ADMIN$    DISK|SPECIAL  Remote Admin
    1  C$        DISK|SPECIAL  Default share
    2  foo       DISK
    3  IPC$      IPC|SPECIAL   Remote IPC
    4  NETLOGON  DISK          Logon server share
    5  SYSVOL    DISK          Logon server share

SMB (192.168.123.133) >

Metasploit 6.4 also continued to enhance support for Kerberos workflows:

• auxiliary/admin/kerberos/forge_ticket – Adding support for forging diamond and sapphire tickets, in addition to the original golden and silver techniques
• post/windows/manage/kerberos_tickets – Adding support for dumping Kerberos tickets from a compromised host. This is similar functionality to what the popular Rubeus tool’s klist/dump commands do and operates entirely in memory
• auxiliary/gather/windows_secrets_dump – Performing DCSync attacks on Windows domain controllers with Kerberos tickets

Module Highlights

CVE-2023-22527
Metasploit had a great start to 2024 with the addition of a module for CVE-2023-22527 in January, which was an unauthenticated RCE in Atlassian Confluence. This module was written by Metasploit’s Spencer McIntyre aka zeroSteiner. Due to an SSTI flaw that allows an OGNL expression to be evaluated, Metasploit users can obtain OS command execution in the context of the service account. On Windows the service account is NT AUTHORITY\NETWORK SERVICE which, don’t forget, can easily be escalated to NT AUTHORITY\SYSTEM using the RPCSS namedpipe impersonation technique in Meterpreter, just type: “getsystem -t 4”!

CVE-2024-21893 + CVE-2024-21887
February kept the good times rolling with an exploit chain that works against both Ivanti Connect Secure and Ivanti Policy Secure from Rapid7’s research extraordinaire, Stephen Fewer. This module combined CVE-2024-21893, a SSRF vulnerability, with a command injection vulnerability tracked as CVE-2024-21887 in order to achieve unauthenticated remote code execution in the context of the root user.

Shadow Credentials
The Shadows Credential’s module was an incredible addition to Metasploit’s Active Directory exploit capabilities. Using an account that has write permissions over another user account object, the module adds a public key credential object to the user account’s msDS-KeyCredentialLink property, and then uses the existing PKINIT functionality in the get_ticket module to authenticate as that user. This module was written by Metasploit aficionado Ashley Donaldson aka smashery.

CVE-2024-3400
April saw some amazing additions to the Metasploit Framework including a very impactful exploit module for CVE-2024-3400. PAN-OS GlobalProtect Gateway and GlobalProtect Portal deployments with the default telemetry service enabled could be remotely exploited without authentication in order to gain code execution in the context of the root user. Rapid7’s very own Ryan Emmons PR’d this module and it was the only module this year to be awarded the “hotness” label in github, very cool.

CVE-2023-43177
This module, while being a great addition to the framework, also highlighted some great Rapid7 collaboration: the vulnerability was originally discovered by Rapid7’s Ryan Emmons and was written by the one and only Christophe De La Fuente. The exploit module leverages an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability (CVE-2023-43177) to achieve unauthenticated remote code execution in the context of the Administrator user on Windows and the root user on Linux.

Progress Loadmaster sudo abuse privilege escalation
In May we saw the exploitation of Progress (Kemp) Loadmaster. The vulnerability lies in the configuration to allow sudo to auto elevate when run with certain files, but grants the non-root user bal write permissions to those files. The exploit module simply overwrites one of the files that auto-elevates with /bin/bash and runs a payload within a root-enabled /bin/bash session. This heavy hitting privilege escalation module was brought to us by Metasploit powerhouse, Brendan Watters on the 10th of May.

CVE-2024-29824
July brought some of the hottest weather to the northern hemisphere it also brought some of the hottest vulns to the Metasploit Framework with the addition of yet another fantastic exploit module from Christophe De La Feunte: The Ivanti Endpoint Manager (EPM) SQLi to RCE module. This exploit works by sending a soap envelope to the application targeting one poor unsanitized database parameter which pays the ultimate price of allowing the query to be escaped and EXEC xp_cmdshell to be run. The SQLi allows for RCE in the context of the NT Service\MSSQL$LDMSDATA user.

CVE-2024-6670
While Progress WhatsUp Gold made headlines with CVE-2024-6670, community contributor h4x-x0r made haste writing an exploit module adding yet another high impact exploit module in their rookie year of Metasploit framework contributions. The vulnerability allows an unauthenticated attacker to change the password of an existing user to an attacker-controlled value potentially giving up administrative control over the application.

CVE-2024-43917
Some kids got tricks on Halloween but Metasploit got a treat – an exploit module for a SQLi in TI WooCommerce Wishlist. Submitted by one of the hardest working Metasploit community members Valentin Lobstein aka Chocapikk, this was only one of 10 WordPress plugin modules they contributed this year. We decided to highlight this particular module because with it came an entire library of SQLi functionality specifically designed to help facilitate SQLi exploitation against WordPress plugins. We love seeing this type of reusability being added to the framework.

CVE-2024-35230
They say when it rains it pours and this is all too true when looking at the amount of vulnerabilities discovered in the Windows Kernel Streaming family of drivers this year. This module, written by Metasploit’s Jack Heysel, targeted an Access Mode Mismatch LPE in ks.sys. The vulnerable driver had hardcoded the RequestorMode parameter of a KTHREAD structure to KernelMode, which eventually allows for user supplied code to be executed with SYSTEM level privileges. This bug can be found lurking in the depths of Windows 2008 SP2 all the way up to present day Windows 11 and Server 2022.

CVE-2024-27596
It wouldn’t be a proper year without some fun WordPress vulnerabilities. The CVE-2024-27596 was quite memorable as the vulnerability was contained in a popular wp-automatic plugin. The best part was that an unauthenticated user was able to perform SQL injection and even get remote code execution by uploading a malicious module. As SQL injection allows an attacker to create an admin account, the WordPress site is fully compromised.

CVE-2023-0386
This vulnerability was discovered last year, however, it has been added into Metasploit as a module only recently. And it’s one of easy-to-exploit privilege escalations. The reason why it’s so interesting is that it combines the setuid and overlay file system to run binary as root.

CVE-2024-37081
The vulnerabilities in VMWare products are always of very high interest, as these vulnerabilities can be often misused by threat actors. The CVE-2024-37081 is local privilege escalation in vCenter 8.0.0.10200 caused by misconfiguration. This misconfiguration allows the attacker to run sudo commands with preserved environmental variables such as PYTHONPATH,VMWARE_PYTHON_PATH and so.

CVE-2023-7028
When it comes to version control systems, accounts are the identity of the developer. Compromising the identity exposes the whole codebase to risk. This year, we implemented a module for CVE-2023-7028, Github account takeover. This vulnerability can be exploited without any user interaction. If the attacker provides two emails in the request for password reset – administrator’s email and attacker’s email – the reset code for the admin account gets sent back to both emails.

Remote Code Execution in CUPS
https://github.com/rapid7/metasploit-framework/pull/19630
https://github.com/rapid7/metasploit-framework/pull/19510

The CUPS vulnerability made big headlines this year. The reason is that CUPS exposed a UDP service, which was listening for any host to connect. Of course, CUPS service was vulnerable itself, allowing the attacker to execute remote code via specially crafted print jobs. The vulnerability allowed remote code execution on virtually any Linux machine that runs a vulnerable version of CUPS. We have implemented a module (cups_browsed_info_disclosure) for scanning for vulnerable CUPS services and also a module for exploitation (cups_ipp_remote_code_execution).

Community Stats Recap

The entire Metasploit team would like to give a big thank you to all the contributors who added content in 2024. Your ideas and contributions make this tool greater every year. We saw code additions from 62 contributors, including 39 first-time contributors.

Here are some stats for 2024:

• Number of new modules: 165
• Number of new bug fixes: 142
• Number of new enhancements: 161
• Number of new documentations: 19
• Number of new payload enhancements: 4

Contributors in 2024 (ordered by count)

• h00die
• Chocapikk
• jvoisin
• smashery
• h00die-gr3y
• h4x-x0r (new in 2024)
• nrathaus
• bcoles
• errorxyz
• upsidedwn (new in 2024)
• The-Pink-Panther (new in 2024)
• Takahiro-Yoko (new in 2024)
• DaveYesland (new in 2024)
• NtAlexio2 (new in 2024)
• heyder
• KanchiMoe (new in 2024)
• ide0x90
• ostrichgolf (new in 2024)
• jmartin-tech
• jalvarezz13 (new in 2024)
• ArchiMoebius (new in 2024)
• molecula2788 (new in 2024)
• jjoshm (new in 2024)
• dotslashsuperstar (new in 2024)
• double16 (new in 2024)
• jlownie (new in 2024)
• randomstr1ng (new in 2024)
• SickMcNugget (new in 2024)
• n00bhaxor
• lihe07 (new in 2024)
• 6a6f656c
• AleksaZatezalo
• poupapaa (new in 2024)
• Sh3llSp4wn (new in 2024)
• ErikWynter
• siddolo (new in 2024)
• ggisz (new in 2024)
• rad10
• JustAnda7
• pczinser (new in 2024)
• james-otten
• oddlittlebird (new in 2024)
• szymonj99 (new in 2024)
• aaryan-11-x (new in 2024)
• soroshsabz (new in 2024)
• dudu7615 (new in 2024)
• Mathiou04 (new in 2024)
• GhostlyBox (new in 2024)
• Grezzo
• xaitax
• igomeow (new in 2024)
• cn-kali-team
• Adithya2357 (new in 2024)
• gardnerapp
• pmauduit (new in 2024)
• aaronjfeingold (new in 2024)
• e2002e
• softScheck (new in 2024)
• PizzaHat (new in 2024)
• sud0Ru (new in 2024)
• Fufu-btw (new in 2024)
• fanqiaojun (new in 2024)

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2024/12/13/metasploit-weekly-wrap-up-12-13-2024/

It’s raining RCEs!

It’s the second week of December and the weather forecast announced another storm of RCEs in Metasploit-Framework land. This weekly release includes RCEs for Moodle e-Learning platform, Primefaces, WordPress Really Simple SSL and CyberPanel along with two modules to change password through LDAP and SMB protocol.

New module content (7)

Change Password

Author: smashery
Type: Auxiliary
Pull request: #19671 contributed by smashery
Path: admin/ldap/change_password

Description: This adds a module that is able to change a user’s password knowing the current value or reset a user’s password given the necessary permissions using LDAP.

SMB Password Change

Author: smashery
Type: Auxiliary
Pull request: #19666 contributed by smashery
Path: admin/smb/change_password

Description: This adds a module that is able to change a user’s password knowing the current value or reset a user’s password given the necessary permissions using SMB.

WordPress Plugin Perfect Survey 1.5.1 SQLi (Unauthenticated)

Authors: Aaryan Golatkar and Ron Jost
Type: Auxiliary
Pull request: #19701 contributed by aaryan-11-x
Path: scanner/http/wp_perfect_survey_sqli
AttackerKB reference: CVE-2021-24762

Description: This adds an auxiliary module that exploits CVE-2021-24762, an unauthenticated SQL Injection that allows dumping user credentials from the database.

Moodle Remote Code Execution (CVE-2024-43425)

Authors: Michael Heinzl and RedTeam Pentesting GmbH
Type: Exploit
Pull request: #19430 contributed by h4x-x0r
Path: linux/http/moodle_rce
AttackerKB reference: CVE-2024-43425

Description: This adds an exploit module for Moodle learning platform. The module exploits a command injection vulnerability in Moodle CVE-2024-43425 to obtain remote code execution. By default, the application will run in the context of www-data, so only a limited shell can be obtained.

Primefaces Remote Code Execution Exploit

Authors: Bjoern Schuette and h00die
Type: Exploit
Pull request: #19649 contributed by h00die
Path: multi/http/primefaces_weak_encryption_rce
AttackerKB reference: CVE-2017-1000486

Description: This adds a module which exploits a Java Expression Language RCE vulnerability in the Primefaces JSF framework. Primefaces versions prior to 5.2.21, 5.3.8 or 6.0 are vulnerable to a padding oracle attack, due to the use of weak crypto and default encryption password and salt.

WordPress Really Simple SSL Plugin Authentication Bypass to RCE

Authors: István Márton and Valentin Lobstein
Type: Exploit
Pull request: #19661 contributed by Chocapikk
Path: multi/http/wp_reallysimplessl_2fa_bypass_rce
AttackerKB reference: CVE-2024-10924

Description: This add an exploit module for a CVE-2024-10924, a vulnerability in the WordPress Really Simple Security plugin, versions 9.0.0 to 9.1.1.1 and allows unauthenticated attackers to bypass Two-Factor Authentication (2FA). By exploiting this flaw, an attacker can retrieve the administrator’s session cookie directly, enabling full control over the WordPress instance, including the ability to upload and execute arbitrary code.

CyberPanel Multi CVE Pre-auth RCE

Authors: DreyAnd, Luka Petrovic (refr4g), and Valentin Lobstein
Type: Exploit
Pull request: #19608 contributed by Chocapikk
Path: unix/webapp/cyberpanel_preauth_rce_multi_cve
AttackerKB reference: CVE-2024-51378

Description: Adds a CyberPanel Pre-Auth RCE exploit module for for the following CVEs: CVE-2024-51378, CVE-2024-51567, CVE-2024-51568. The module contains three separate actions which lets you specify which CVE you would like to exploit.

Enhanced Modules (2)

Modules which have either been enhanced, or renamed:

• #19533 from Grezzo – This updates the existing multi/http/werkzeug_debug_rce module that only targeted older version of the vulnerable Werkzeug application that didn’t include any authentication. The update adds support for newer versions of Werkzeug that do support authentication. The updated module supports the following authentication methods:

Generated-Cookie: Uses information about the system (which may be gained, e.g. using a separate arbitrary file-read vulnerability) to calculate an authentication cookie which is then used
Known-Cookie: Uses a user-provided cookie to authenticate
Known-PIN: uses a user-provided PIN to authenticate
None: If authentication has been disabled, or is unsupported (e.g. in very old versions of Werkzeug)
When generating a cookie (and PIN), there are 3 different algorithms used, depending on the target selected by the user. This is because the algorithm used to generate the cookie/PIN has changed throughout the application’s development.

• #19696 from smashery – This updates replaces the existing samr_computer module with a more general one that can also be used to add user accounts to active directory if the operator has the necessary permissions.

Enhancements and features (2)

• #19703 from zeroSteiner – Adds additional documentation to the windows/dns_txt_query_exec module to help clarify how it works for users.
• #19705 from ostrichgolf – Updates the exploits/linux/http/projectsend_unauth_rce module to include the CVE entry CVE-2024-11680 for ProjectSend r1295 – r1605 Unauthenticated Remote Code Execution.

Bugs fixed (3)

• #19621 from zeroSteiner – This fixes the symlinks handling by the Java Meterpreter on Windows targets.
• #19656 from sjanusz-r7 – Fixed an issue where an SSH session could sometimes be reported as alive when it has failed to open successfully against Windows running older versions of OpenSSH.
• #19700 from jheysel-r7 – Fixes a bug where HTTP redirects were not handling HTTP query parameters correctly.

Documentation added (1)

• #19714 from bwatters-r7 – Updates the exploits/linux/http/projectsend_unauth_rce module metadata to include CVE-2024-11680.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.39…6.4.40
• Full diff 6.4.39…6.4.40

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2024/11/22/metasploit-weekly-wrap-up-11-22-2024/

JetBrains TeamCity Login Scanner

Metasploit added a login scanner for the TeamCity application to enable users to check for weak credentials. TeamCity has been the subject of multiple ETR vulnerabilities and is a valuable target for attackers.

Targeted DCSync added to Windows Secrets Dump

This week, Metasploit community member smashery improved the windows_secrets_dump module’s DOMAIN action to allow the operator to specify specific users or groups to retrieve Kerberos secrets for. By setting the KRB_TYPES option to USERS_ONLY or COMPUTERS_ONLY, the operator can target the specified account type. To be even more granular, the operator can target one or more accounts or groups by name with the KRB_USERS option. This should help operators obtain the desired information more quickly when targeting large domains.

New module content (4)

JetBrains TeamCity Login Scanner

Authors: adfoster-r7 and sjanusz-r7
Type: Auxiliary
Pull request: #19601 contributed by sjanusz-r7
Path: scanner/teamcity/teamcity_login

Description: Adds a new bruteforce scanner/teamcity/teamcity_login login scanner module that targets the JetBrains TeamCity service.

Judge0 sandbox escape

Authors: Takahiro Yokoyama and Tanto Security
Type: Exploit
Pull request: #19584 contributed by Takahiro-Yoko
Path: linux/http/judge0_sandbox_escape_cve_2024_28189
AttackerKB reference: CVE-2024-28189

Description: This adds an exploit module for a Judge0 sandbox escape which exploits CVE-2024-28185, CVE-2024-28189 and allows for unauthenticated RCE. Judge0 version 1.13.0 and prior are vulnerable.

Pyload RCE (CVE-2024-39205) with js2py sandbox escape (CVE-2024-28397)

Authors: Marven11, Spencer McIntyre, and jheysel-r7
Type: Exploit
Pull request: #19640 contributed by jheysel-r7
Path: linux/http/pyload_js2py_cve_2024_39205
AttackerKB reference: CVE-2024-28397

Description: This adds an exploit module that leverages CVE-2024-39205 which is an unauthenticated RCE in Pyload.

Ivanti EPM Agent Portal Command Execution

Authors: James Horseman, Spencer McIntyre, and Zach Hanley
Type: Exploit
Pull request: #19593 contributed by zeroSteiner
Path: windows/misc/ivanti_agent_portal_cmdexec
AttackerKB reference: CVE-2023-28324

Description: This adds an exploit module for, CVE-2023-28324, an unauthenticated RCE in Ivanti’s EPM where a .NET remoting client can invoke a method that results in an OS command being executed in the context of NT AUTHORITY\SYSTEM. This vulnerability is present in versions prior to EPM 2021.1 Su4 and EPM 2022 Su2. Included with this exploit module is a substantial amount of code to fill in the gaps of the existing .NET (de)serialization capabilities to enable the method to be invoked.

Enhancements and features (2)

• #19185 from dwelch-r7 – This adds a feature to the msfconsole UI that will show the currently selected action and how many are available in total. This improves action discoverability.
• #19643 from smashery – This updates the DOMAIN action of the auxiliary/gather/windows_secrets_dump module to allow individual users or groups to be targeted.

Bugs fixed (2)

• #19624 from cdelafuente-r7 – This fixes a bug that would occur when generating CSRs for AD CS with OpenSSL 3.4.0. The bug was related to an attribute in the request that can no longer be explicitly set.
• #19658 from cdelafuente-r7 – Updates the auxiliary/admin/kerberos/get_ticket module to work on Windows environments

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.36…6.4.37
• Full diff 6.4.36…6.4.37

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2024/10/18/metasploit-weekly-wrap-up-10-18-2024/

ESC15: EKUwu

AD CS continues to be a popular target for penetration testers and security practitioners. The latest escalation technique (hence the the ESC in ESC15) was discovered by Justin Bollinger with details being released just last week. This latest configuration flaw has common issuance requirements to other ESC flaws such as requiring no authorized signatures or manager approval. Additionally, templates must be schema version 1 which enables an attacker to craft a signing request with a custom set of EKU OIDs which will be present in the issued certificate. By overriding the OIDs, the template can be used in a few ways with the most useful being as a certificate enrollment agent. With a valid enrollment agent certificate, a user can issue certificates for other users which, when combined with the builtin “User” certificate, can enable Kerberos authentication to a wide variety of services.

This week’s release of Metasploit has added support to our existing AD CS related modules for identifying and exploiting ESC15.

The auxiliary/admin/ldap/ad_cs_cert_template module can be used along with the new esc15_template to create a vulnerable certificate or (by leveraging ESC4) update an existing certificate to be vulnerable to ESC15.
The auxiliary/gather/ldap_esc_vulnerable_cert_finder module has been updated to identify vulnerable certificate templates.
The auxiliary/admin/dcerpc/icpr_cer module has been updated with the new ADD_CERT_APP_POLICY option to enable users to add EKUs by OID, thus enabling exploitation of ESC15.

For exploitation steps, see the ESC15 section of our AD CS documentation.

New module content (2)

WordPress WP Fastest Cache Unauthenticated SQLi (CVE-2023-6063)

Authors: Alex Sanford, Julien Voisin, and Valentin Lobstein
Type: Auxiliary
Pull request: #19473 contributed by Chocapikk
Path: scanner/http/wp_fastest_cache_sqli
AttackerKB reference: CVE-2023-6063

Description: This adds an auxiliary module to dump user credentials through a Time-based SQL injection present in WP Fastest Cache Plugin <= 1.2.2.

BYOB Unauthenticated RCE via Arbitrary File Write and Command Injection (CVE-2024-45256, CVE-2024-45257)

Authors: Valentin Lobstein and chebuya
Type: Exploit
Pull request: #19485 contributed by Chocapikk
Path: unix/webapp/byob_unauth_rce
AttackerKB reference: CVE-2024-45257

Description: This adds an exploit module for BYOB unauthenticated RCE (CVE-2024-45256, CVE-2024-45257).

Enhanced Modules (2)

Modules which have either been enhanced, or renamed:

• #19482 from Chocapikk – The module allows users to select between the two vulnerabilities (c_only_fields for CVE-2024-8522 and c_fields for CVE-2024-8529) and includes options such as specifying the number of rows to retrieve (COUNT).
• #19538 from zeroSteiner – This adds support for ESC15 to various AD CS related modules.

Enhancements and features (6)

• #19108 from smashery – Adds a new API, create_process, which supports creating processes against an open session from an array of args, rather than from a commandline string that needs to go through a subshell. This pull request also fixes multiple module compatibility issues across different session types, i.e. targeting Meterpreter/PowerShell/Cmd/Unix sessions should now behave consistently when running post exploitation and local privilege escalation modules that execute processes.
• #19497 from Chocapikk – This adds an helper library for the development of WordPress SQLi modules.
• #19539 from smashery – This adds functionality to keep the new LDAP sessions alive beyond a server’s idle timeout.
• #19540 from smashery – Update Metasploit’s HTTP request User Agent strings for October 2024.
• #19549 from zeroSteiner – This pull request includes multiple fixes and improvements to the Meterpreter payloads. zeroSteiner fixed a stdapi_fs_ls: Operation failed: 1 error when running the ls command with the Java Meterpreter. cdelafuente-r7 has updated the Java Meterpreter payload to now run on newer OpenJDK versions on Alpine Linux hosts. wolfcod has made improvements for running the C Meterpreter on Windows XP machines when creating remote threads, as well as fixing a memory leak in the sysinfo command.
• #19561 from cdelafuente-r7 – Updates the gather/ldap_esc_vulnerable_cert_finder module to now register the detected vulnerabilities into the Metasploit database if it is currently active.

Bugs fixed (2)

• #19495 from cdelafuente-r7 – Fixes an edgecase crash in the admin/kerberos/get_ticket module when the supplied cert_file contained a subjectAltName extension with an unexpected value present.
• #19563 from adfoster-r7 – Updates exploits/linux/http/metabase_setup_token_rce to support older versions.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.30…6.4.32
• Full diff 6.4.30…6.4.32

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2024/09/13/metasploit-weekly-wrap-up-09-13-2024/

SPIP Modules

This week brings more modules targeting the SPIP publishing platform. SPIP has gained some attention from Metasploit community contributors recently and has inspired some PHP payload and encoder improvements.

New module content (2)

SPIP BigUp Plugin Unauthenticated RCE

Authors: Julien Voisin, Laluka, Valentin Lobstein, and Vozec
Type: Exploit
Pull request: #19444 contributed by Chocapikk
Path: multi/http/spip_bigup_unauth_rce
AttackerKB reference: CVE-2024-8517

Description: This adds an exploit module for CVE-2024-8517, an unauthenticated RCE able to execute arbitrary PHP code.

SPIP connect Parameter PHP Injection

Authors: Arnaud Pachot, Davy Douhine, Frederic Cikala, and Valentin Lobstein
Type: Exploit
Pull request: #19432 contributed by Chocapikk
Path: multi/http/spip_connect_exec
CVE reference: BID-54292

Description: Refactor SPIP Modules for Windows Compatibility and Incorporating SPIP Mixin.

Enhancements and features (3)

• #19330 from heyder – The start_service method in the http_server.rb library now allows users to specify their SSL preferences directly through the opts parameter. If the ssl option is not provided in opts, it will default to the value in datastore["SSL"].
• #19352 from zgoldman-r7 – Adjusts the metadata for the ldap login scanner, adding defaults and adjusting the service and protocol values.
• #19432 from Chocapikk – Refactor SPIP Modules for Windows Compatibility and Incorporating SPIP Mixin.

Bugs fixed (1)

• #19439 from bcoles – This explicitly defines x86 and x64 as supported architectures for the bypassuac_comhijack module. Prior to this change there were no defined architectures and if you tried to use an x64 based payload the module would fail.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.25…6.4.26
• Full diff 6.4.25…6.4.26

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2024/05/17/metasploit-wrap-up-05-17-2024/

LDAP Authentication Improvements

This week, in Metasploit v6.4.9, the team has added multiple improvements for LDAP related attacks. Two improvements relating to authentication is the new support for Signing and Channel Binding. Microsoft has been making changes to harden the communications to Domain Controllers. Organizations are incorporating these policies which are making LDAP tools without the necessary features unable to operate. The intention behind these changes are to protect communications with Domain Controllers from relay attacks. There are however plenty of scenarios when users may want to authenticate to a domain controller directly with known credentials to perform a variety of tasks.

The new improvements allow Metasploit users to authenticate via either NTLM or Kerberos to LDAP servers with these hardening settings in place. Signing will be performed opportunistically (LDAP::Signing=auto), however it can be either disabled entirely by setting LDAP::Signing to disabled or required with required. Note that setting it to required will raise exceptions with configurations that are incompatible with signing, e.g. connecting over SSL (LDAPS) or using plaintext / simple authentication. At this time channel binding is automatically enabled and can not be disabled in the same way. When connecting over SSL, and authenticating with either NTLM or Kerberos, the binding information is provided to the server.

For users that are unfamiliar with the semi-recent authentication configuration changes introduced in Metasploit v6.3, LDAP modules have an LDAP::Auth option that can be set to one of auto, ntlm, kerberos, schannel, or plaintext.

LDAP Session

In addition to the new LDAP authentication improvements, Metasploit added the latest session type; LDAP sessions this week. Metasploit v6.4 added new protocol-based sessions that allow modules to be run against persistent connections for a variety of services including SMB, MSSQL and MySQL. Once the feature is enabled by running features set ldap_session_type true, users can open sessions with the auxiliary/scanner/ldap/ldap_login module and CreateSession option. These new sessions allow a users to authenticate once and interact with the connection, running queries or modules such as:

• auxiliary/admin/ldap/rbcd – Role Based Constrained Delegation
• auxiliary/admin/ldap/shadow_credentials – Shadow Credentials
• auxiliary/gather/asrep – Find Users Without Pre-Auth Required (ASREP-roast)
• auxiliary/gather/ldap_esc_vulnerable_cert_finder – Misconfigured Certificate Template Finder
• auxiliary/admin/ldap/ad_cs_cert_template – AD CS Certificate Template Management
• auxiliary/gather/ldap_hashdump – LDAP Information Disclosure
• auxiliary/gather/ldap_query – LDAP Query and Enumeration Module

By interacting with the session, the query command becomes available to run queries interactively. It has a few options allowing the scope, attributes and filter to be set.

LDAP (192.0.2.197) > query -h
Usage: query -f <filter string> -a <attributes>

Run the query against the session.

OPTIONS:

    -a, --attributes      Comma separated list of attributes for the query
    -b, --base-dn         Base dn for the query
    -f, --filter          Filter string for the query (default: (objectclass=*))
    -h, --help            Help menu
    -o, --output-format   Output format: `table`, `csv` or `json` (default: table)
    -s, --scope           Scope for the query: `base`, `single`, `whole` (default: whole)

As an example, basic information about the domain can be queried:

LDAP (192.0.2.197) > query -a ms-DS-MachineAccountQuota,objectSID,name -f '(objectClass=domain)'
DC=labs1collabu0,DC=local
=========================

 Name                       Attributes
 ----                       ----------
 ms-ds-machineaccountquota  10
 name                       labs1collabu0
 objectsid                  S-1-5-21-795503-3050334394-3644400624

New module content (2)

Windows Registry Security Descriptor Utility

Author: Christophe De La Fuente
Type: Auxiliary
Pull request: #19115 contributed by cdelafuente-r7
Path: admin/registry_security_descriptor

Description: This adds a module to read and write the security descriptor of Windows registry keys.

Kemp LoadMaster Local sudo privilege escalation

Authors: Dave Yesland with Rhino Security Labs and bwatters-r7
Type: Exploit
Pull request: #19100 contributed by bwatters-r7
Path: linux/local/progress_kemp_loadmaster_sudo_privesc_2024

Description: This adds a privilege escalation exploit module for LoadMaster that abuses the configuration of the sudo command combined with weak file system permissions. There is no CVE for this vulnerability.

Enhancements and features (2)

• #19058 from dwelch-r7 – This adds an LDAP session type allowing users and modules to interact directly with LDAP servers without uploading a payload.
• #19132 from zeroSteiner – Add channel binding information to Metasploit’s NTLM and Kerberos authentication for the LDAP protocol. This enables users to authenticate to domain controllers where the hardened security configuration setting is in place.
• #19172 from cgranleese-r7 – Updates the debug command to export the currently enabled user features.

Bugs fixed (1)

• #19183 from adfoster-r7 – Fix windows platform detection bug when running on a UCRT compiled environment.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.8…6.4.9
• Full diff 6.4.8…6.4.9

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2024/04/26/metasploit-weekly-wrap-up-04-26-24/

Rancher Modules

This week, Metasploit community member h00die added the second of two modules targeting Rancher instances. These modules each leak sensitive information from vulnerable instances of the application which is intended to manage Kubernetes clusters. These are a great addition to Metasploit’s coverage for testing Kubernetes environments.

PAN-OS RCE

Metasploit also released an exploit for the unauthenticated RCE in PAN-OS that has been receiving a lot of attention recently. This vulnerability is an unauthenticated file creation that can be leveraged to trigger the execution of remote commands. See Rapid7’s analysis on AttackerKB for an in depth explanation of the root cause.

New module content (8)

Rancher Authenticated API Credential Exposure

Authors: Florian Struck, Marco Stuurman, and h00die
Type: Auxiliary
Pull request: #18956 contributed by h00die
Path: gather/rancher_authenticated_api_cred_exposure
AttackerKB reference: CVE-2021-36782

Description: This adds an exploit for CVE-2021-36782, a vulnerability which can be leveraged by an authenticated attacker to leak API credentials from an affected Rancher instance.

Gitlab Version Scanner

Author: Julien (jvoisin) Voisin
Type: Auxiliary
Pull request: #18723 contributed by jvoisin
Path: scanner/http/gitlab_version

Description: A web page exists that can be reached without authentication that contains a hash that can be used to determine the approximate version of gitlab running on the endpoint. This PR enhances our current GitLab fingerprinting capabilities to include the aforementioned technique.

Apache Solr Backup/Restore APIs RCE

Authors: jheysel-r7 and l3yx
Type: Exploit
Pull request: #19046 contributed by jheysel-r7
Path: linux/http/apache_solr_backup_restore
AttackerKB reference: CVE-2023-50386

Description: Adds apache_solr_backup_restore module, taking advantage of a Unrestricted Upload of File with Dangerous Type vulnerability, allowing the user to gain a session in an Apache Solr instance for remote code execution.

Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution

Authors: remmons-r7 and sfewer-r7
Type: Exploit
Pull request: #19101 contributed by remmons-r7
Path: linux/http/panos_telemetry_cmd_exec
AttackerKB reference: CVE-2024-3400

Description: This adds an exploit module for https://security.paloaltonetworks.com/CVE-2024-3400, affecting PAN-OS GlobalProtect Gateway and GlobalProtect Portal deployments with the default telemetry service enabled.

GitLens Git Local Configuration Exec

Authors: Paul Gerste and h00die
Type: Exploit
Pull request: #18997 contributed by h00die
Path: multi/fileformat/gitlens_local_config_exec
AttackerKB reference: CVE-2023-46944

Description: This adds a FileFormat exploit for VSCode. The VSCode extension GitLens by GitKraken before v.14.0.0 allows an untrusted workspace to execute git commands. A repo may include its own .git folder including a malicious config file to execute arbitrary code.

Code Reviewer

Author: h00die
Type: Exploit
Pull request: #18996 contributed by h00die
Path: multi/fileformat/visual_studio_vsix_exec

Description: This adds a new exploit module that creates a malicious VS / VSCode extension file.

Gambio Online Webshop unauthenticated PHP Deserialization Vulnerability

Authors: h00die-gr3y [email protected] and usd Herolab
Type: Exploit
Pull request: #19005 contributed by h00die-gr3y
Path: multi/http/gambio_unauth_rce_cve_2024_23759
AttackerKB reference: CVE-2024-23759

Description: This adds a module for a Remote Code Execution vulnerability in Gambio Online Webshop version 4.9.2.0 and lower allows remote attackers to run arbitrary commands via unauthenticated HTTP POST request.

FortiNet FortiClient Endpoint Management Server FCTID SQLi to RCE

Authors: James Horseman, Spencer McIntyre, Zach Hanley, and jheysel-r7
Type: Exploit
Pull request: #19082 contributed by jheysel-r7
Path: windows/http/forticlient_ems_fctid_sqli
AttackerKB reference: CVE-2023-48788

Description: Adds windows/http/forticlient_ems_fctid_sqli module that takes advantage of a SQLi injection vulnerability in FortiNet FortiClient EMS.

Enhancements and features (11)

• #17294 from adfoster-r7 – This adds a new EVENT_DEPENDENT value for module reliability metadata.
• #18723 from jvoisin – A web page exists that can be reached without authentication that contains a hash that can be used to determine the approximate version of gitlab running on the endpoint. This PR enhances our current GitLab fingerprinting capabilities to include the aforementioned technique.
• #18914 from dotslashsuperstar – This PR adds functionality so that CVE and URL references will be imported from an OpenVAS XML report by default. DNF-CERT and CERT-BUND references can also be collected by sending additional flags to the db_import command.
• #19054 from zgoldman-r7 – Adds NText column parsing to MSSQL modules.
• #19066 from sjanusz-r7 – Adds automated tests for multiple SMB modules.
• #19078 from dwelch-r7 – Fixes a crash in the modules/auxiliary/gather/ldap_query.rb module when running queries from a file.
• #19080 from cgranleese-r7 – Adds architecture and platform detection for PostgreSQL sessions.
• #19086 from nrathaus – Update Metasploit’s RPC to expose module’s default_options metadata.
• #19105 from zgoldman-r7 – Not written.
• #19112 from zgoldman-r7 – Adds architecture and platform detection for MSSQL sessions.
• #19122 from h00die – Adds additional reliability metadata to exploits/linux/local/vcenter_java_wrapper_vmon_priv_esc.

Bugs fixed (6)

• #19079 from nrathaus – Fixes an issue were the password_spray module option was being ignored.
• #19089 from adfoster-r7 – This PR fixes a bug where a user might get an unexpected NoMethodError running the linux/local/exim4_deliver_message_priv_esc module.
• #19111 from zeroSteiner – This PR fixes a bug where a user can specify an invalid payload architecture for a given exploit target. Previously, it was not possible to tab-complete an invalid payload, but this enforces the architecture limitations with a run-time exception before sending the exploit.
• #19113 from adfoster-r7 – Fixes a regression that caused Metasploit to leak memory, and sometimes crash.
• #19114 from zeroSteiner – This PR fixes several instances where we we pass nil values rather than the types expected, causing crashes and stack traces in LDAP-related modules.
• #19129 from nrathaus – This fixes a bug where the notes command included an example which contained a flag that was not supported.

Documentation added (1)

• #19088 from adfoster-r7 – This PR adds documentation for running and writing Metasploit’s unit tests.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.4…6.4.6
• Full diff 6.4.4…6.4.6

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2024/02/23/metasploit-weekly-wrap-up-02-23-2024/

LDAP Capture module

Metasploit now has an LDAP capture module thanks to the work of llcjngdjttrvddchfntdbinjblktjjetrtifdlibuchh
JustAnda7. This work was completed as part of the Google Summer of Code program.

When the module runs it will by default require privileges to listen on port 389. The module implements a default implementation for BindRequest, SearchRequest, UnbindRequest, and will capture both plaintext credentials and NTLM hashes which can be brute-forced offline. Upon receiving a successful Bind Request, a ldap_bind: Authentication method not supported (7) error is sent to the connecting client.

The module can be with run:

msf6 > use auxiliary/server/capture/ldap
msf6 auxiliary(server/capture/ldap) > run

Incoming requests will have their credentials stored for later use:

[+] LDAP Login attempt => From:10.0.2.15:48198 Username:User Password:Pass
[+] LDAP Login Attempt => From:127.0.0.1:55566	 Username:admin	 ntlm_hash::8aa0e517cd547b4032ff7e9c5359c200879aa5a8031d3d74	 Domain:DOMAIN

These values will be stored in the database for later retrieval:

msf6 auxiliary(server/capture/ldap) > creds
Credentials
===========
host       origin     service         public  private  realm        private_type  JtR Format
----       ------     -------         ------  -------  -----        ------------  ----------
10.0.2.15  10.0.2.15  389/tcp (ldap)  User    Pass     example.com  Password      

Ivanti exploit module

Another honorable mention for this week’s Metasploit release is a module by sfewer-r7 that chains two recently disclosed vulnerabilities(CVE-2024-21893 and CVE-2024-21887) in Ivanti gateways to achieve remote code execution on a vulnerable target. The vulnerabilities are both being widely exploited in the wild. Read Rapid7’s full technical analysis of the exploit chain in AttackerKB.

New module content (4)

Authentication Capture: LDAP

Author: JustAnda7
Type: Auxiliary
Pull request: #18678 contributed by jmartin-tech
Path: server/capture/ldap

Description: Adds a new auxiliary/server/capture/ldap module that emulates an LDAP Server. The server accepts a user’s bind request, and the user credentials or NTLM hash is then captured, logged, and persisted to the currently active database. An ldap_bind: Authentication method not supported (7) error is sent to the connecting client.

Ivanti Connect Secure Unauthenticated Remote Code Execution

Author: sfewer-r7
Type: Exploit
Pull request: #18792 contributed by sfewer-r7
Path: linux/http/ivanti_connect_secure_rce_cve_2024_21893
AttackerKB references: CVE-2024-21887, CVE-2023-36661, CVE-2024-21893

Description: This module exploits the recently disclosed SSRF vulnerability (CVE-2024-21893) in Ivanti Connect Secure and Ivanti Policy Secure. The SSRF is chained to a command injection vulnerability (CVE-2024-21887) to achieve unauthenticated RCE.

Kafka UI Unauthenticated Remote Command Execution via the Groovy Filter option.

Authors: BobTheShopLifter and Thingstad and h00die-gr3y [email protected]
Type: Exploit
Pull request: #18700 contributed by h00die-gr3y
Path: linux/http/kafka_ui_unauth_rce_cve_2023_52251
AttackerKB reference: CVE-2023-52251

Description: This PR adds an exploit module for a command injection vulnerability that exists in Kafka-ui between v0.4.0 and v0.7.1 that allows an attacker to inject and execute arbitrary shell commands via the groovy filter parameter at the topic section.

QNAP QTS and QuTS Hero Unauthenticated Remote Code Execution in quick.cgi

Authors: Spencer McIntyre, jheysel-r7, and sfewer-r7
Type: Exploit
Pull request: #18832 contributed by sfewer-r7
Path: linux/http/qnap_qts_rce_cve_2023_47218
AttackerKB reference: CVE-2023-47218

Description: The PR adds a module targeting CVE-2023-47218, an unauthenticated command injection vulnerability affecting QNAP QTS and QuTH Hero devices. CVE-2023-47218 was discovered and disclosed by Stephen Fewer.

Enhanced Modules (2)

Modules which have either been enhanced, or renamed:

• #18125 from JustAnda7 – This PR adds a module to launch an LDAP service supporting capture and storage of Simple Authentication attempts. When launching this module with default options users must have permissions to bind to port 389.
• #18681 from h00die – This PR updates the pre-existing apache_ofbiz_deserialization module to include functionality that will bypass authentication by using the newly discovered auth-bypass vulnerability: CVE-2023-51467.

Enhancements and features (8)

• #18376 from JustAnda7 – This PR adds support for LDAP capture of NTLM authentication and adds a default implementation for LDAP BindRequest, SearchRequest, UnbindRequest, as well as a default action for unsupported requests.
• #18817 from dwelch-r7 – This PR adds support to now bucket module options that are output after running the options command. This will be for modules that support either an RHOST or a SESSION connection to show that only one or the other is required when using the new session type features for SMB/MSSQL/MYSQL/PostgreSQL sessions.
• #18847 from sjanusz-r7 – This PR adds proxy support for getting a PostgreSQL session via the postgres_login module.
• #18848 from sjanusz-r7 – This PR adds proxy support for getting a MSSQL session via the mssql_login module.
• #18854 from sjanusz-r7 – This PR adds proxy support for getting a MySQL session via the mysql_login module.
• #18855 from sjanusz-r7 – This PR removes the cwd convention from SQL-based sessions, and instead uses a more appropriate def database_name computed value rather than a cached variable.
• #18863 from sjanusz-r7 – This PR adds in the ENVCHANGE types to the MSSQL client mixin, and uses those to fetch the initial DB name received from the server.
• #18864 from cgranleese-r7 – Adds an alias for ls and dir inside SMB sessions.

Bugs fixed (5)

• #18770 from dwelch-r7 – Fixes a bug when multiple new session types (SMB, PostgreSQL, MSSQL, MySQL) were enabled with the features set postgresql_session_type true command.
• #18842 from upsidedwn – Updates the Metasploit Dockerfile to correctly honor user provided bundler config arguments.
• #18850 from adfoster-r7 – Fixes failing ldap server tests.
• #18861 from cgranleese-r7 – Removes SessionType values from modules with OptionalSession mixin.
• #18871 from adfoster-r7 – Fixes a crash when using the webconsole.

Documentation added (1)

• #18857 from jlownie – Updates the Wiki documentation on running the Metasploit database to be more clear.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.56…6.3.57
• Full diff 6.3.56…6.3.57

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2024/02/16/metasploit-weekly-wrap-up-02-16-2024/

New Fetch Payload

It has been almost a year since Metasploit released the new fetch payloads and since then, 43 of the 79 exploit modules have had support for fetch payloads. The original payloads supported transferring the second stage over HTTP, HTTPS and FTP. This week, Metasploit has expanded that protocol support to include SMB, allowing payloads to be run using rundll32 which has the added benefit of capturing the NetNTLM hashes of the requestor.

This also streamlines the workflow the user would have previously used by first starting the exploit/windows/smb/smb_delivery module, and then copying the command into another exploit. Now the user can simply select one of the SMB-enabled fetch payloads and Metasploit will manage the service and generate the command.

As an added benefit, since #18680 merged into Metasploit, multiple SMB services can be run simultaneously. This means that multiple SMB-enabled fetch payloads can have their own independent handlers running at the same time.

New module content (2)

Base64 Command Encoder

Author: Spencer McIntyre
Type: Encoder
Pull request: #18807 contributed by zeroSteiner

Description: This adds a new encoder module that leverages base64 encoding to escape bad characters in ARCH_CMD payloads for the Linux and UNIX platforms.

SMB Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager

Authors: Spencer McIntyre, bwatters-r7, and sf [email protected]
Type: Payload (Adapter)
Pull request: #18664 contributed by zeroSteiner

Description: This adds an SMB fetch-payload service and a new payload to use it. The payload invokes rundll32 but handles everything for the user automatically.

This adapter adds the following payloads:

• cmd/windows/smb/x64/custom/bind_ipv6_tcp
• cmd/windows/smb/x64/custom/bind_ipv6_tcp_uuid
• cmd/windows/smb/x64/custom/bind_named_pipe
• cmd/windows/smb/x64/custom/bind_tcp
• cmd/windows/smb/x64/custom/bind_tcp_rc4
• cmd/windows/smb/x64/custom/bind_tcp_uuid
• cmd/windows/smb/x64/custom/reverse_http
• cmd/windows/smb/x64/custom/reverse_https
• cmd/windows/smb/x64/custom/reverse_named_pipe
• cmd/windows/smb/x64/custom/reverse_tcp
• cmd/windows/smb/x64/custom/reverse_tcp_rc4
• cmd/windows/smb/x64/custom/reverse_tcp_uuid
• cmd/windows/smb/x64/custom/reverse_winhttp
• cmd/windows/smb/x64/custom/reverse_winhttps
• cmd/windows/smb/x64/encrypted_shell/reverse_tcp
• cmd/windows/smb/x64/encrypted_shell_reverse_tcp
• cmd/windows/smb/x64/exec
• cmd/windows/smb/x64/loadlibrary
• cmd/windows/smb/x64/messagebox
• cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp
• cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp_uuid
• cmd/windows/smb/x64/meterpreter/bind_named_pipe
• cmd/windows/smb/x64/meterpreter/bind_tcp
• cmd/windows/smb/x64/meterpreter/bind_tcp_rc4
• cmd/windows/smb/x64/meterpreter/bind_tcp_uuid
• cmd/windows/smb/x64/meterpreter/reverse_http
• cmd/windows/smb/x64/meterpreter/reverse_https
• cmd/windows/smb/x64/meterpreter/reverse_named_pipe
• cmd/windows/smb/x64/meterpreter/reverse_tcp
• cmd/windows/smb/x64/meterpreter/reverse_tcp_rc4
• cmd/windows/smb/x64/meterpreter/reverse_tcp_uuid
• cmd/windows/smb/x64/meterpreter/reverse_winhttp
• cmd/windows/smb/x64/meterpreter/reverse_winhttps
• cmd/windows/smb/x64/meterpreter_bind_named_pipe
• cmd/windows/smb/x64/meterpreter_bind_tcp
• cmd/windows/smb/x64/meterpreter_reverse_http
• cmd/windows/smb/x64/meterpreter_reverse_https
• cmd/windows/smb/x64/meterpreter_reverse_ipv6_tcp
• cmd/windows/smb/x64/meterpreter_reverse_tcp
• cmd/windows/smb/x64/peinject/bind_ipv6_tcp
• cmd/windows/smb/x64/peinject/bind_ipv6_tcp_uuid
• cmd/windows/smb/x64/peinject/bind_named_pipe
• cmd/windows/smb/x64/peinject/bind_tcp
• cmd/windows/smb/x64/peinject/bind_tcp_rc4
• cmd/windows/smb/x64/peinject/bind_tcp_uuid
• cmd/windows/smb/x64/peinject/reverse_named_pipe
• cmd/windows/smb/x64/peinject/reverse_tcp
• cmd/windows/smb/x64/peinject/reverse_tcp_rc4
• cmd/windows/smb/x64/peinject/reverse_tcp_uuid
• cmd/windows/smb/x64/pingback_reverse_tcp
• cmd/windows/smb/x64/powershell_bind_tcp
• cmd/windows/smb/x64/powershell_reverse_tcp
• cmd/windows/smb/x64/powershell_reverse_tcp_ssl
• cmd/windows/smb/x64/shell/bind_ipv6_tcp
• cmd/windows/smb/x64/shell/bind_ipv6_tcp_uuid
• cmd/windows/smb/x64/shell/bind_named_pipe
• cmd/windows/smb/x64/shell/bind_tcp
• cmd/windows/smb/x64/shell/bind_tcp_rc4
• cmd/windows/smb/x64/shell/bind_tcp_uuid
• cmd/windows/smb/x64/shell/reverse_tcp
• cmd/windows/smb/x64/shell/reverse_tcp_rc4
• cmd/windows/smb/x64/shell/reverse_tcp_uuid
• cmd/windows/smb/x64/shell_bind_tcp
• cmd/windows/smb/x64/shell_reverse_tcp
• cmd/windows/smb/x64/vncinject/bind_ipv6_tcp
• cmd/windows/smb/x64/vncinject/bind_ipv6_tcp_uuid
• cmd/windows/smb/x64/vncinject/bind_named_pipe
• cmd/windows/smb/x64/vncinject/bind_tcp
• cmd/windows/smb/x64/vncinject/bind_tcp_rc4
• cmd/windows/smb/x64/vncinject/bind_tcp_uuid
• cmd/windows/smb/x64/vncinject/reverse_http
• cmd/windows/smb/x64/vncinject/reverse_https
• cmd/windows/smb/x64/vncinject/reverse_tcp
• cmd/windows/smb/x64/vncinject/reverse_tcp_rc4
• cmd/windows/smb/x64/vncinject/reverse_tcp_uuid
• cmd/windows/smb/x64/vncinject/reverse_winhttp
• cmd/windows/smb/x64/vncinject/reverse_winhttps

Enhancements and features (7)

• #18706 from sjanusz-r7 – Updates multiple PostgreSQL modules to now work with PostgreSQL sessions. This functionality is behind a feature flag which can be enabled with features set postgres_session_type true.
• #18747 from zgoldman-r7 – Updates the auxiliary/scanner/mssql/mssql_login module with a new CreateSession option which controls the opening of an interactive MSSQL session. This functionality is currently behind a feature flag which can be enabled with features set mssql_session_type true.
• #18759 from cgranleese-r7 – Updates the multiple MySQL modules to work with a provided MySQL session instead of opening a new connection. This functionality is behind a feature flag which can be enabled with features set mysql_session_type true.
• #18763 from zgoldman-r7 – Updates multiple MSSQL modules to now work with the new MSSQL session type that is enabled with features set mssql_session_type true.
• #18806 from cgranleese-r7 – Improves unknown command handling by suggesting similar valid commands.
• #18809 from zeroSteiner – Makes multiple improvements to the dns command – a new command which mimics the functionality of /etc/resolv.conf and /etc/hosts. This functionality is currently behind a feature flag which can be enabled with features set dns_feature true in msfconsole.
• #18825 from cgranleese-r7 – Improves the error messages when the current session is not compatible with a post module.

Bugs fixed (13)

• #18616 from adfoster-r7 – This fixes an issue with the AARCH64 SO ELF template that was causing SIGBUS exceptions to be raised.
• #18774 from adfoster-r7 – Updates the following modules to now work with newer versions of sqlcmd:
  post/windows/gather/credentials/mssql_local_hashdump and post/windows/manage/mssql_local_auth_bypass.
• #18786 from lihe07 – This fixes an option name collision between the exploit/linux/local/service_persistence when the payload is set to cmd/unix/reverse_netcat. The option to set the writable path is now BACKDOOR_PATH.
• #18795 from cgranleese-r7 – Moves the CreateSession option from advanced into basic options for modules, in order to increase discoverability.
• #18798 from upsidedwn – This fixes an issue in the exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move module’s check method that was causing version comparisons to fail.
• #18799 from upsidedwn – This fixes an issue in the exploit/windows/local/cve_2020_17136 module’s check method that was causing version comparisons to fail.
• #18800 from upsidedwn – This fixes an issue in the exploit/windows/local/cve_2021_40449 module’s check method that was causing version comparisons to fail.
• #18801 from upsidedwn – This fixes an issue in the exploit/windows/local/cve_2022_26904_superprofile module’s check method that was causing version comparisons to fail.
• #18812 from adfoster-r7 – Reverts the auxiliary/scanner/mssql/mssql_login modules’s TDSENCRYPTION default value to false.
• #18813 from adfoster-r7 – Fixes a crash when running the help services or help hosts commands.
• #18823 from cdelafuente-r7 – Fix module metadata platform list comparison.
• #18826 from dwelch-r7 – Fixes a regression where the windows/smb/psexec module was not correctly performing cleanup logic.
• #18828 from dwelch-r7 – Fixes a crash when exploit modules used nops.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.55…6.3.56
• Full diff 6.3.55…6.3.56

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro