Improved
Pro: The create-segmentation-target.sh script has been updated to support modern Debian environments.
Pro: The scan UI has now been updated to work with both IPv4 and IPv6 addresses. Previously scans supported only one address type, but now both are supported.
Pro: Updates multiple documentation links to updated locations.
PR 17634 - Reliability and stability notes that have been previously missing have been added to some modules.
PR 17667 - Makes various performance and output readability improvements to Metasploit's password cracking functionality. Hash types without a corresponding hash are skipped, invalid hashes are no longer output, cracking stops for a hash type when there are no more hashes left, empty tables are no longer printed, support for Hashcat's username functionality has been added, a quiet option has been added, and documentation has been added to the wiki, among other code optimizations.
PR 17689 - Adds an additional column to the creds command to additionally show any cracked passwords that have been created by the auxiliary/analyze/crack_databases module or similar modules.
PR 18218 - This PR reduces the number of requests the Windows checkvm post module sends to the host when attempting to determine what hypervisor the session is running in by saving the initial responses in instance variables for later use in the module. The PR also includes many other general code improvements.
PR 18256 - Performs a routine update of multiple library dependencies.
PR 18296 - Updates multiple MySQL modules to support authenticating with newer versions of MySQL.
PR 18299 - Improves error messages for timeouts when interacting with a Meterpreter session. Previously an unclear error was printed. Now the user is notified how to increase the timeout limit.
PR 18364 - Adds support for filtering sessions based on last checkin time, session type, and ID.
PR 18379 - This PR improves the Kerberos service authenticator hostname matching for ccache credentials. Prior to this change the service authenticator was filtering out valid credentials when the hostname wasn't an exact match, even though credentials for a domain (i.e. windomain.local) should work on a subdomain (i.e. dc.windomain.local).
PR 18383 - This PR adds a variety of improvements to the enum_computers module including Shell and PowerShell support as well as improvements when running on non-English systems.
PR 18386 - This PR adds the lmkdir command to Meterpreter, which creates a directory on the local host.
PR 18394 - This PR adds documentation for the auxiliary/scanner/http/http_traversal module.
PR 18421 - This adds the capability to store the TGT ticket in the MSF Kerberos cache when a successful Kerberos login is received by the kerberos_login brute force module.
PR 18428 - This PR adds documentation for the mssql_login module.
PR 18441 - Adds at-rest encryption to Meterpreter payloads on the Metasploit host machine's file system.
PR 18446 - This PR makes the DomainControllerRhost option optional, even when the authentication mode is set to Kerberos. It does so by looking up the Kerberos server using the SRV records that Active Directory publishes by default for the specified realm.
PR 18451 - Updates the newly added cracked password column of the creds command to work with the remote database.
PR 18463 - This updates the linux/upnp/dlink_upnp_msearch_exec exploit module to be more generic and adds advanced detection logic (check method). This module leverages a command injection vulnerability that exists in multiple D-Link network products, which allows an attacker to inject arbitrary commands into UPnP via a crafted M-SEARCH packet. This also deprecates the modules/exploits/linux/upnp/dlink_dir859_exec_ssdpcgi module, which uses the same attack vector and can be replaced by this updated module.
PR 18484 - Updates multi/manage/shell_to_meterpreter with additional options for overriding the calculated platform and PowerShell arch value; these options can be seen with the advanced options.
PR 18504 - Updates the auxiliary/scanner/http/grafana_plugin_traversal module to include a disclosure date and a link to the original disclosure blog post.
PR 18515 - This PR adds a Java target for the ManageEngine ServiceDesk Plus exploit for CVE-2022-47966 and deletes the log file that records the error caused by the exploit, to make it stealthier.
PR 18548 - Updates the admin/http/tomcat_ghostcat module to follow newer library conventions.
PR 18560 - This updates the existing Kerberos ticket-forging module with new actions for forging tickets with fields copied from ones issued by the legitimate KDC using the Diamond and Sapphire techniques.
PR 18565 - This PR adds an enhancement to adjust the Kerberos cache lookup logic. If no TGT for the specific host is found, it will try again with any host. This fixes the workflow where a user can currently forge a golden ticket, but that ticket will not be automatically used for authentication by other services. This will also fix the same issue for TGTs created by the Diamond and Sapphire techniques.
PR 18571 - Improves the error messages shown to users if there is a validation error with a module's RHOST datastore values. Now the user is notified when there is a failure parsing a URL, an invalid CIDR, or a DNS resolution failure.
PR 18580 - Metasploit modules developed using Python can now provide default_options as part of an exploit.
PR 18598 - This PR bumps the metasploit-payloads version to bring in one fix and one enhancement. The fix standardizes the behavior of Java Meterpreter to only listen on IPv4 interfaces when binding to 0.0.0.0. The enhancement better aligns pretty OS names on Windows for Windows kernel 10 releases, i.e. Windows Server 2016 to present or Windows 10/11+.
PR 18622 - Updates the auxiliary/scanner/dcerpc/petitpotam module to work with newer Windows Server releases.
PR 18623 - This updates the file handling of the generate command's -o parameter to expand file system paths.
PR 18631 - This PR improves the check method of the vcenter_java_wrapper_vmon_priv_esc module. Previously the module would attempt to see if a file was writable before checking whether the file existed on the system, which caused the check method to return an error message along with the check code. This PR fixes that issue.
PR 18632 - This PR adds improvements to the glibc tunables privilege escalation module. In the event the file command is not present on the target, the module will try to use the readelf command to get the ld.so build ID and determine whether or not the target is compatible with the exploit.
PR 18680 - This adds a service compatible with Rex::ServiceManager for SMB that can be shared among modules.
PR 18691 - Metasploit console now requires an installed version of apktool greater than or equal to v2.9.2.
PR 18720 - This enhancement marks the existing Unix encoders as also being compatible with Linux. Previously, no encoder modules were marked as compatible with Linux, so users could not set bad characters when using the new fetch payloads.
PR 18735 - Adds additional module metadata to the exploits/windows/iis/iis_webdav_scstoragepathfromurl module.
PR 18737 - This updates the metasploit-payloads gem to 2.0.165 to pull in changes to support direct syscalls for Meterpreter on Windows. See this PR and this PR for details.
PR 18742 - Enhances post/multi/gather/memory_search with additional UX improvements such as outputting a list of the matched processes that are being targeted, as well as improved error handling if the process architecture is not correct.
PR 18747 - Updates the auxiliary/scanner/mssql/mssql_login module with a new CreateSession option which controls the opening of an interactive MSSQL session. This functionality is currently behind a feature flag which can be enabled with features set mssql_session_type true.
PR 18761 - Adds a user notification that new modules support a CreateSession option. This functionality is currently behind a feature flag which can be enabled with the features command.
PR 18806 - Improves unknown command handling by suggesting similar valid commands.
PR 18825 - Improves the error messages when the current session is not compatible with a post module.
Payload Enhancements
- PR 18355 - This PR contains a metasploit-payloads fix which enables the Java Meterpreter to run on the latest OpenJDK. Prior to this change the Java Meterpreter was broken due to changes in JDK 9's reflection policy. The new approach avoids the use of problematic URLClassLoaders and implements Metasploit's own ClassLoader type.
Fixed
PR 18400 - This fixes an issue when searching for a Kerberos ticket and passing in the workspace. The workspace is now correctly used to query the database.
PR 18403 - Fixes a potential bug with modules that register files to cleanup after a session opens. Previously modules could accidentally mutate registered file names to delete, causing the intended files to be left on the remote system.
PR 18411 - Fixes an edge case where the services -R command generated invalid hosts such as 192.0.2.2% if an empty string was registered for the scope metadata instead of nil.
PR 18431 - Updates the order in which the lhost and lport are displayed to the user in the portfwd command.
PR 18443 - Adds a fix for the handler/reverse_ssh module that was returning warnings when msfconsole was booted on a Windows machine.
PR 18448 - Fixes and updates the auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass module to use the renamed NEW_USERNAME and NEW_PASSWORD options.
PR 18449 - Fixes an issue with the scanner/mysql/mysql_authbypass_hashdump module so that it now correctly closes sockets.
PR 18506 - This PR fixes a stability issue with the f5_bigip_tmui_rce_cve_2023_46747 module. Prior to this fix, the module would occasionally fail on login because things were running too quickly; the module now retries logging in if the first attempt fails.
PR 18532 - Fixes db2 scanner module crashes.
PR 18547 - This fixes an issue in the platform detection used by the SSH login modules that was causing certain Windows environments to be incorrectly fingerprinted.
PR 18558 - Fixes a crash in the post/windows/gather/enum_chrome module, which can be used to decrypt passwords stored by the user in Chrome.
PR 18564 - Fixes a module crash when running the auxiliary/server/capture/http module.
PR 18579 - This converts the module to use the new style of Windows version detection that was added in https://github.com/rapid7/metasploit-framework/pull/17336. This will become more important once the Windows Meterpreter returns a more accurate string for the sysinfo OS field.
PR 18603 - Updates the auxiliary/scanner/snmp/snmp_enum and auxiliary/scanner/snmp/snmp_login module metadata to include references to CVE-1999-0516 (guessable SNMP community string) and CVE-1999-0517 (default/null/missing SNMP community string).
PR 18606 - rpc_plugin has been updated to correctly use the provided plugin options.
PR 18609 - This fixes an issue in the cmd/windows/powershell/download_exec payload module that was preventing it from executing correctly due to an architecture check.
PR 18613 - Ensures that the handle is closed after listing files within an SMB directory.
PR 18614 - Fixes a crash in the auxiliary/scanner/ssh/ssh_identify_pubkeys module, as well as adding new module documentation.
PR 18655 - Adds a fix so that when the hierarchical search functionality is enabled and only one module result is found, the module is automatically used.
PR 18667 - Re-adds the #sysinfo instance method for sessions.
PR 18673 - Fixes spelling mistakes in Metasploit's scripts folder.
PR 18690 - Ensures that a target's default payload is correctly chosen when selecting a module from the search command.
PR 18710 - Fixes an uninitialized constant Msf::Simple::Exploit::ExploitDriver exception that could sometimes occur when running Metasploit Framework's payload modules.
PR 18712 - Fixes a crash with Metasploit's REST API when calling /api/v1/modules?name=aux.
PR 18746 - Fixes a module bug when using the generate OPTION=VALUE syntax. Previously the module's datastore would be unintentionally updated with the new option value.
PR 18750 - Updates the to_handler command for payload modules to support option overrides. The to_handler command is a convenient way of using multi/handler, setting the payload, and setting datastore options.
PR 18760 - Fixes an issue where Metasploit fails to start when resolv.conf cannot be found.
PR 18774 - Updates the following modules to work with newer versions of sqlcmd: post/windows/gather/credentials/mssql_local_hashdump and post/windows/manage/mssql_local_auth_bypass.
PR 18798 - This fixes an issue in the exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move module's check method that was causing version comparisons to fail.
PR 18799 - This fixes an issue in the exploit/windows/local/cve_2020_17136 module's check method that was causing version comparisons to fail.
PR 18800 - This fixes an issue in the exploit/windows/local/cve_2021_40449 module's check method that was causing version comparisons to fail.
PR 18801 - This fixes an issue in the exploit/windows/local/cve_2022_26904_superprofile module's check method that was causing version comparisons to fail.
PR 18803 - Fixes a crash when using exploit/multi/handler with an invalid payload name.
PR 18812 - Reverts the auxiliary/scanner/mssql/mssql_login module's TDSENCRYPTION default value to false.
PR 18813 - Fixes a crash when running the help services or help hosts commands.
PR 18823 - Fixes module metadata platform list comparison.
PR 18826 - Fixes a regression where the windows/smb/psexec module was not correctly performing cleanup logic.
Modules
PR 18194 - This adds a post module that creates a new user on the target OS. It tries to use standard tools already available on the system, but it is also able to directly update the plaintext database files (/etc/passwd and /etc/shadow). This module requires root privileges.
PR 18348 - This module exploits an authorization vulnerability in Splunk, targeting CVE-2023-32707, allowing a lower privileged user with the edit_user capability to take over the admin account and log in to upload a malicious app, achieving remote code execution.
PR 18351 - This adds an exploit for CVE-2023-37941, which is an authenticated RCE in Apache Superset.
PR 18404 - This adds an exploit for CVE-2023-38146 AKA ThemeBleed which is a TOCTOU issue in the way Windows handles theme files. The vulnerability can be leveraged to load a payload DLL from Metasploit to execute code within the context of the user who loads it. A legitimate signed theme DLL must be provided in order to use the exploit.
PR 18417 - Kibana before version 7.6.3 suffers from a prototype pollution bug within the Upgrade Assistant. By setting a new constructor.prototype.sourceURL value we're able to execute arbitrary code in the context of the Kibana user. There is no CVE for this at the moment.
PR 18427 - This PR adds a module that exploits PyTorch TorchServer by chaining an SSRF vulnerability with a deserialization RCE vulnerability to permit an unauthenticated remote attacker arbitrary Java code execution. The PR also fixes how the ClassLoader mixin handles datastore options.
PR 18434 - This PR adds an exploit module for an unauthenticated remote code execution vulnerability in the video surveillance software Zoneminder (CVE-2023-26035).
PR 18447 - This adds an exploit for CVE-2023-22515 which is an authentication bypass within Atlassian Confluence that enables a remote attacker to create a new administrator account.
PR 18460 - This adds a new exploit module that leverages the fact that SSH keys on VMWare Aria Operations for Networks (vRealize Network Insight) versions 6.0.0 through 6.10.0 are not randomized on initialization. It tries all the default SSH keys until one succeeds and gains unauthorized remote access as the "support" (root) user.
PR 18461 - This adds an exploit module that leverages an improper input validation issue in Atlassian Confluence versions 8.0.0 through 8.3.2, 8.4.0 through 8.4.2, and 8.5.0 through 8.5.1. This vulnerability is identified as CVE-2023-22515 and allows unauthenticated remote code execution. The module first creates a new administrator by abusing the embedded XWorks2 middleware and then uploads a malicious plugin to get code execution. Note that the module is currently not able to delete the new administrator account it created; this requires a manual cleanup.
PR 18481 - This adds an exploit module that leverages a command injection vulnerability in MagnusBilling versions 6 and 7. This vulnerability is identified as CVE-2023-30258 and allows unauthenticated remote code execution in the context of the user running the web server process.
PR 18488 - This PR adds a module to manage Kerberos tickets from a compromised host. This notably allows Kerberos tickets to be exported from the target and then added to Metasploit's own cache, allowing them to be used for the duration in which they are valid.
PR 18492 - This adds a scanner module for exploiting CVE-2023-4966 which is a memory leak in Citrix ADC servers. This vulnerability allows a remote, unauthenticated attacker to leak memory by sending a very large HTTP Host header. The leaked memory is then scanned for session cookies which can be hijacked if found.
PR 18494 - This PR adds an RCE module for AjaxPro which leverages an insecure deserialization of data to get remote code execution on the target OS in the context of the user running the website which utilized AjaxPro.
PR 18497 - This module exploits a flaw in F5's BIG-IP Traffic Management User Interface (TMUI) that enables an external, unauthenticated attacker to create an administrative user. The attacker can then use the admin user to execute arbitrary code in the context of the root user.
PR 18501 - This pull request is an exploit module for CVE-2023-46604, affecting the OpenWire transport unmarshaller in Apache ActiveMQ.
PR 18503 - This PR adds a post module to steal config and credential information for Apache NiFi.
PR 18507 - This PR adds three modules: auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198 leverages CVE-2023-20198 to perform unauthenticated remote CLI command execution, auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273 leverages both CVE-2023-20198 and CVE-2023-20273 to perform unauthenticated remote OS command execution, and exploit/linux/misc/cisco_ios_xe_rce uses the same two vulnerabilities to run an arbitrary payload on the target.
PR 18541 - This adds an exploit module for the "Looney Tunables" Linux LPE, identified as CVE-2023-4911. It checks the version of glibc running on the target to make sure it is vulnerable and, once verified, drops a Python script that exploits the vulnerability and returns a session running in the context of the root user.
PR 18542 - This adds an exploit module for a command injection vulnerability in Vinchin Backup & Recovery versions v5.0, v6.0, v6.7, and v7.0. This leverages two vulnerabilities identified as CVE-2023-45499 and CVE-2023-45498.
PR 18566 - This adds an exploit module for CVE-2023-22518, an Improper Authorization vulnerability in Confluence which allows an attacker to upload and restore a .zip backup file to the server containing a known user name and password. The attacker can then login with the credentials from the backup file to gain administrative access to the server.
PR 18567 - This pull request adds a new exploit module for, CVE-2023-5360, an unauth file upload vulnerability in the WordPress Royal Elementor Addons and Templates plugin in versions before 1.3.79.
PR 18568 - This PR adds a module leveraging CVE-2023-32781, an authenticated command injection vulnerability in PRTG versions 23.2.84.1566 and earlier. The result is command execution as SYSTEM.
PR 18569 - This adds a module to gather credential material from accounts with "Requires Pre-Authentication" disabled. The module supports two mechanisms, brute forcing using a list of usernames or using an LDAP query to request the relevant usernames, followed by requesting TGTs.
PR 18577 - This PR adds a Remote Code Execution (RCE) module for Splunk Enterprise using CVE-2023-46214. This module exploits a vulnerability in the XSLT transformation functionality of certain versions of Splunk Enterprise, allowing for authenticated remote code execution.
PR 18578 - This PR adds a new module to exploit CVE-2022-0492, a docker escape for root on the host OS.
PR 18591 - This PR adds an auxiliary module for CVE-2023-49103 which can extract sensitive environment variables from ownCloud targets including ownCloud, DB, Redis, SMTP and S3 credentials.
PR 18604 - This pull request introduces a new post module to extract Mikrotik Winbox credentials saved in the "settings.cfg.viw" file when the "Keep Password" option is selected in Winbox.
PR 18612 - This adds an exploit module that leverages a remote code execution vulnerability in CraftCMS versions between 4.0.0-RC1 and 4.4.14. This vulnerability is identified as CVE-2023-41892 and allows an unauthenticated attacker to execute arbitrary code remotely.
PR 18626 - This PR adds an exploit module which allows for a user who has compromised a host acting as a SaltStack Master to deploy payloads to the Minions attached to that Master.
PR 18627 - This adds 3 post exploitation modules for Ansible. The first one gathers information and configuration. The second exploits an arbitrary file read that enables an attacker to read the first line of a file (typically /etc/shadow) when the compromised account is configured with password-less sudo permissions. The last one is an exploit that can deploy a payload to all the nodes in the network.
PR 18628 - This PR adds a post gather module to get Puppet configs and other sensitive files.
PR 18630 - This adds an exploit for a command injection vulnerability in MajorDoMo versions before 0662e5e.
PR 18633 - This adds an exploit module that leverages an unauthenticated RCE in the WordPress plugin Backup Migration versions prior to 1.3.7. This vulnerability is identified as CVE-2023-6553. This also adds a library that implements a technique called PHP Filter Chaining, which allows an attacker to prepend bytes to a string by continuously chaining character encoding conversions.
PR 18635 - This PR adds a module for an authenticated Splunk information disclosure vulnerability. This module gathers information about the host machine and the Splunk install including OS version, build, CPU arch, Splunk license keys, etc.
PR 18638 - Adds an exploit module for CVE-2022-42889 that targets web apps utilising Apache Commons Text's (1.5-1.9) StringSubstitutor interpolator class in an insecure fashion.
PR 18648 - This PR adds an exploit module for a number of different GL.iNet network products. The module combines an authentication by-pass vulnerability (CVE-2023-50919) with an RCE (CVE-2023-50445) allowing the user to remotely obtain, without authentication, a Meterpreter session running in the context of the root user.
PR 18664 - This adds an SMB fetch-payload service and a new payload to use it. The payload invokes rundll32 but handles everything for the user automatically.
PR 18708 - This PR adds an exploit chain that consists of two vulnerabilities, an authentication bypass (CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887). The exploit chain allows a remote unauthenticated attacker to execute arbitrary OS commands with root privileges. As per the Ivanti advisory, these vulnerabilities affect all supported versions of the products, versions 9.x and 22.x. It is unknown if the unsupported versions 8.x and older are also affected.
PR 18713 - Adds a new multi/gather/memory_search module that can read the memory of processes on Windows and Linux hosts with Meterpreter. Regular expressions can be used to find passwords/credentials, and glob patterns and PIDs can be used to identify target processes.
PR 18734 - This adds an exploit for CVE-2023-22527 which is an unauthenticated RCE in Atlassian Confluence. The vulnerability is due to an SSTI flaw that allows an OGNL expression to be evaluated. The result is OS command execution in the context of the service account.
PR 18755 - This PR adds an exploit module for Mirth Connect. Versions < 4.4.1 are vulnerable to CVE-2023-43208 and CVE-2023-37679, where the former is a patch bypass for the latter. In both cases, an attacker can execute an OS command in the context of the target service using a specially crafted HTTP request and Java deserialization gadget.
PR 18762 - This pull request adds an exploit module for CVE-2024-0204 which is a path traversal vulnerability which results in unauthenticated RCE in Fortra GoAnywhere MFT. GoAnywhere MFT versions 6.x from 6.0.1, and 7.x before 7.4.1 are vulnerable.
PR 18769 - This PR adds an exploit module which leverages a SQLi (CVE-2023-49085) and a LFI (CVE-2023-49084) vulnerability in Cacti versions prior to 1.2.26 to achieve RCE.
PR 18780 - This adds a local privilege escalation exploit that leverages an internal file descriptor leak in runc versions prior to 1.1.12. An attacker with docker privileges is able to write an arbitrary file on the host file system with the permissions of runc (typically root). With this, the module uploads a payload and sets the execute and SUID permissions to escalate privileges.
PR 18807 - This adds a new encoder module that leverages base64 encoding to escape bad characters in ARCH_CMD payloads for the Linux and UNIX platforms.