Feb 15, 2024
4.22.2-2024021501

Improved

  • Pro: The create-segmentation-target.sh script has been updated to support modern Debian environments.

  • Pro: The scan UI has been updated to work with both IPv4 and IPv6 addresses. Previously scans supported only one address type; now both are supported.

  • Pro: Updates multiple documentation links to their new locations.

  • PR 17634 - Adds reliability and stability notes that were previously missing from some modules.

  • PR 17667 - Makes various performance and output readability improvements to Metasploit's password cracking functionality. Hash types without a corresponding hash are skipped, invalid hashes are no longer output, cracking stops for a hash type when there are no more hashes left, empty tables are no longer printed, support for Hashcat's username functionality has been added, a quiet option has been added, and documentation has been added to the wiki, among other code optimizations.

  • PR 17689 - Adds a column to the creds command that shows any cracked passwords created by the auxiliary/analyze/crack_databases module or similar modules.

  • PR 18218 - This PR reduces the number of requests the Windows checkvm post module sends to the host when attempting to determine what hypervisor the session is running in by saving the initial responses in instance variables for later use in the module. The PR also includes many other general code improvements.

  • PR 18256 - Performs a routine update of multiple library dependencies.

  • PR 18296 - Updates multiple MySQL modules to support authenticating with newer versions of MySQL.

  • PR 18299 - Improves error messages for timeouts when interacting with a Meterpreter session. Previously an unclear error was printed; now the user is told how to increase the timeout limit.

  • PR 18364 - Adds support for filtering sessions based on last checkin time, session type, and ID.

  • PR 18379 - This PR improves the Kerberos service authenticator's hostname matching for ccache credentials. Prior to this change the service authenticator filtered out valid credentials when the hostname was not an exact match, even though credentials for a domain (e.g. windomain.local) should work on a host within that domain (e.g. dc.windomain.local).

  • PR 18383 - This PR adds a variety of improvements to the enum_computers module, including Shell and PowerShell support as well as improvements when running on non-English systems.

  • PR 18386 - This PR adds the lmkdir command to Meterpreter, which creates a directory on the local host.

  • PR 18394 - This PR adds documentation for the auxiliary/scanner/http/http_traversal module.

  • PR 18421 - Adds the capability to store the TGT in the MSF Kerberos cache when the kerberos_login brute force module achieves a successful Kerberos login.

  • PR 18428 - This PR adds documentation for the mssql_login module.

  • PR 18441 - Adds at-rest encryption to Meterpreter payloads on the Metasploit host machine's file system.

  • PR 18446 - This PR makes the DomainControllerRhost option optional, even when the authentication mode is set to Kerberos. It does so by looking up the Kerberos server using the SRV records that Active Directory publishes by default for the specified realm.

  • PR 18451 - Updates the newly added cracked password column as part of the creds command to work with the remote database.

  • PR 18463 - This updates the linux/upnp/dlink_upnp_msearch_exec exploit module to be more generic and adds more advanced detection logic (a check method). This module leverages a command injection vulnerability that exists in multiple D-Link network products, which allows an attacker to inject arbitrary commands into the UPnP service via a crafted M-SEARCH packet. This also deprecates the modules/exploits/linux/upnp/dlink_dir859_exec_ssdpcgi module, which uses the same attack vector and is replaced by this updated module.

  • PR 18484 - Updates the multi/manage/shell_to_meterpreter module with additional options for overriding the calculated platform and the PowerShell architecture value; these options are listed under the advanced options.

  • PR 18504 - Updates the auxiliary/scanner/http/grafana_plugin_traversal module to include a disclosure date and a link to the original disclosure blog post.

  • PR 18515 - This PR adds a Java target to the ManageEngine ServiceDesk Plus exploit for CVE-2022-47966 and deletes the log file that records the error caused by the exploit, making it stealthier.

  • PR 18548 - Updates the admin/http/tomcat_ghostcat module to follow newer library conventions.

  • PR 18560 - This updates the existing Kerberos ticket-forging module with new actions for forging tickets with fields copied from ones issued by the legitimate KDC using the Diamond and Sapphire techniques.

  • PR 18565 - This PR adjusts the Kerberos cache lookup logic. If no TGT for the specific host is found, the lookup is retried for any host. This fixes the workflow where a user could forge a golden ticket but that ticket would not be automatically used for authentication by other services. It also covers the TGTs created by the Diamond and Sapphire techniques.

  • PR 18571 - Improves the error messages shown to users when there is a validation error with a module's RHOST datastore values. The user is now notified when a URL fails to parse, a CIDR is invalid, or DNS resolution fails.

  • PR 18580 - Metasploit modules developed using Python can now provide default_options as part of an exploit.

  • PR 18598 - This PR bumps the metasploit-payloads version to bring in one fix and one enhancement. The fix standardizes the behavior of Java Meterpreter to listen only on IPv4 interfaces when binding to 0.0.0.0. The enhancement better aligns the pretty OS names on Windows for Windows Kernel 10 releases, i.e. Windows Server 2016 and later or Windows 10/11.

  • PR 18622 - Updates the auxiliary/scanner/dcerpc/petitpotam module to work with newer Windows Server releases.

  • PR 18623 - This updates the file handling of the generate command's -o parameter to expand file system paths.

  • PR 18631 - This PR improves the check method of the vcenter_java_wrapper_vmon_priv_esc module. Previously the module tested whether a file was writable before checking that the file existed on the system, which caused the check method to return an error message along with the check code. This PR fixes that issue.

  • PR 18632 - This PR improves the glibc tunables privilege escalation module. If the file command is not present on the target, the module falls back to the readelf command to obtain the ld.so build ID and determine whether the target is compatible with the exploit.

  • PR 18680 - This adds a service compatible with Rex::ServiceManager for SMB that can be shared among modules.

  • PR 18691 - Metasploit console now requires an installed version of apktool greater than or equal to v2.9.2.

  • PR 18720 - This enhancement marks the existing Unix encoders as also being compatible with Linux. Previously no encoder modules were marked as compatible with Linux, so users could not set bad characters when using the new fetch payloads.

  • PR 18735 - Adds additional module metadata to the exploits/windows/iis/iis_webdav_scstoragepathfromurl module.

  • PR 18737 - This updates metasploit-payloads gem to 2.0.165 to pull in changes to support direct syscalls for Meterpreter on Windows. See this PR and this PR for details.

  • PR 18742 - Enhances the post/multi/gather/memory_search module with additional UX improvements, such as outputting the list of matched processes being targeted and improved error handling when the process architecture is not correct.

  • PR 18747 - Updates the auxiliary/scanner/mssql/mssql_login module with a new CreateSession option which controls the opening of an interactive MSSQL session. This functionality is currently behind a feature flag which can be enabled with features set mssql_session_type true.

  • PR 18761 - Adds a user notification that new modules support a CreateSession option. This functionality is currently behind a feature flag which can be enabled with the features command.

  • PR 18806 - Improves unknown command handling by suggesting similar valid commands.

  • PR 18825 - Improves the error messages when the current session is not compatible with a post module.

Payload Enhancements

  • PR 18355 - This PR contains a metasploit-payloads fix which enables the Java Meterpreter to run on the latest OpenJDK. Prior to this change the Java Meterpreter was broken due to changes in JDK 9's reflection policy. The new approach avoids the use of problematic URLClassLoaders and implements Metasploit's own ClassLoader type.

Fixed

  • PR 18400 - This fixes an issue when searching for a Kerberos ticket and passing in the workspace. The workspace is now correctly used to query the database.

  • PR 18403 - Fixes a potential bug with modules that register files to cleanup after a session opens. Previously modules could accidentally mutate registered file names to delete, causing the intended files to be left on the remote system.

  • PR 18411 - Fixes an edge-case where the services -R command generated invalid hosts such as 192.0.2.2% if an empty string was registered for the scope metadata instead of nil.

  • PR 18431 - Updates the order in which the lhost and lport are displayed to the user in the portfwd command.

  • PR 18443 - Adds a fix for the handler/reverse_ssh module that was returning warnings when msfconsole was booted on a Windows machine.

  • PR 18448 - Fixes and updates the auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass module to use renamed NEW_USERNAME and NEW_PASSWORD options.

  • PR 18449 - Fixes an issue with the scanner/mysql/mysql_authbypass_hashdump module to now correctly close sockets.

  • PR 18506 - This PR fixes a stability issue with the f5_bigip_tmui_rce_cve_2023_46747 module. Prior to this fix the module would occasionally fail at login because requests were sent too quickly; the module now retries the login if the first attempt fails.

  • PR 18532 - Fixes crashes in the DB2 scanner module.

  • PR 18547 - This fixes an issue in the platform detection used by the SSH login modules that was causing certain Windows environments to be incorrectly fingerprinted.

  • PR 18558 - Fixes a crash in the post/windows/gather/enum_chrome module which can be used to decrypt passwords stored by the user in Chrome.

  • PR 18564 - Fixes a module crash when running the auxiliary/server/capture/http module.

  • PR 18579 - This converts the module to use the new style of Windows version detection that was added in https://github.com/rapid7/metasploit-framework/pull/17336. This will become more important once the Windows Meterpreter returns a more accurate string for the sysinfo OS field.

  • PR 18603 - Updates the auxiliary/scanner/snmp/snmp_enum and auxiliary/scanner/snmp/snmp_login module metadata to include metadata references to CVE-1999-0516 (guessable SNMP community string) and CVE-1999-0517 (default/null/missing SNMP community string).

  • PR 18606 - rpc_plugin has been updated to correctly use the provided plugin options.

  • PR 18609 - This fixes an issue in the cmd/windows/powershell/download_exec payload module that was preventing it from executing correctly due to an architecture check.

  • PR 18613 - Ensures that after listing files within an SMB directory that the handle is closed.

  • PR 18614 - Fixes a crash in the auxiliary/scanner/ssh/ssh_identify_pubkeys module, as well as adding new module documentation.

  • PR 18655 - Fixes module selection when the hierarchical search functionality is enabled and only one module result is found: that module is now automatically used.

  • PR 18667 - Re-adds the #sysinfo instance method for sessions.

  • PR 18673 - Fixes spelling mistakes in Metasploit's scripts folder.

  • PR 18690 - Ensures that a target's default payload is correctly chosen when selecting a module from the search command.

  • PR 18710 - Fixes an uninitialized constant Msf::Simple::Exploit::ExploitDriver exception that could sometimes occur when running Metasploit framework's payload modules.

  • PR 18712 - Fixes a crash in Metasploit's REST API when calling /api/v1/modules?name=aux.

  • PR 18746 - Fixes a module bug when using the generate OPTION=VALUE syntax. Previously the module's datastore would be unintentionally updated with the new option value.

  • PR 18750 - Updates the to_handler command for payload modules to support option overrides. The to_handler command is a convenient way of using multi/handler, setting the payload, and setting datastore options.

  • PR 18760 - Fixes an issue where Metasploit fails to start when resolv.conf cannot be found.

  • PR 18774 - Updates the post/windows/gather/credentials/mssql_local_hashdump and post/windows/manage/mssql_local_auth_bypass modules to work with newer versions of sqlcmd.

  • PR 18798 - This fixes an issue in the exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move module's check method that was causing version comparisons to fail.

  • PR 18799 - This fixes an issue in the exploit/windows/local/cve_2020_17136 module's check method that was causing version comparisons to fail.

  • PR 18800 - This fixes an issue in the exploit/windows/local/cve_2021_40449 module's check method that was causing version comparisons to fail.

  • PR 18801 - This fixes an issue in the exploit/windows/local/cve_2022_26904_superprofile module's check method that was causing version comparisons to fail.

  • PR 18803 - Fixes a crash when using exploit/multi/handler with an invalid payload name.

  • PR 18812 - Reverts the auxiliary/scanner/mssql/mssql_login module's TDSENCRYPTION default value to false.

  • PR 18813 - Fixes a crash when running the help services or help hosts commands.

  • PR 18823 - Fixes the module metadata platform list comparison.

  • PR 18826 - Fixes a regression where the windows/smb/psexec module was not correctly performing cleanup logic.

Modules

  • PR 18194 - This adds a post module that creates a new user on the target OS. It tries to use standard tools already available on the system, but it is also able to directly update the plaintext database files (/etc/passwd and /etc/shadow). This module requires root privileges.

  • PR 18348 - This module exploits an authorization vulnerability in Splunk, targeting CVE-2023-32707, allowing a lower privileged user with the capability edit_user to take over the admin account and log in to upload a malicious app, achieving remote code execution.

  • PR 18351 - This adds an exploit for CVE-2023-37941 which is an authenticated RCE in Apache Superset.

  • PR 18404 - This adds an exploit for CVE-2023-38146 AKA ThemeBleed which is a TOCTOU issue in the way Windows handles theme files. The vulnerability can be leveraged to load a payload DLL from Metasploit to execute code within the context of the user who loads it. A legitimate signed theme DLL must be provided in order to use the exploit.

  • PR 18417 - Kibana before version 7.6.3 suffers from a prototype pollution bug within the Upgrade Assistant. By setting a new constructor.prototype.sourceURL value we're able to execute arbitrary code in the context of the Kibana user. There is no CVE for this at the moment.

  • PR 18427 - This PR adds a module that exploits PyTorch TorchServe by chaining an SSRF vulnerability with a deserialization RCE vulnerability, permitting an unauthenticated remote attacker to execute arbitrary Java code. The PR also fixes how the ClassLoader mixin handles datastore options.

  • PR 18434 - This PR adds an exploit module for an unauthenticated remote code execution vulnerability in the video surveillance software Zoneminder (CVE-2023-26035).

  • PR 18447 - This adds an exploit for CVE-2023-22515 which is an authentication bypass within Atlassian Confluence that enables a remote attacker to create a new administrator account.

  • PR 18460 - This adds a new exploit module that leverages the fact that SSH keys on VMware Aria Operations for Networks (vRealize Network Insight) versions 6.0.0 through 6.10.0 are not randomized on initialization. It tries all the default SSH keys until one succeeds, gaining unauthorized remote access as the "support" (root) user.

  • PR 18461 - This adds an exploit module that leverages an improper input validation issue in Atlassian Confluence versions 8.0.0 through 8.3.2, 8.4.0 through 8.4.2, and 8.5.0 through 8.5.1. This vulnerability is identified as CVE-2023-22515 and allows unauthenticated remote code execution. The module first creates a new administrator by abusing the embedded XWorks2 middleware, then uploads a malicious plugin to get code execution. Note that the module is currently not able to delete the new administrator account it created; this requires manual cleanup.

  • PR 18481 - This adds an exploit module that leverages a command injection vulnerability in MagnusBilling versions 6 and 7. This vulnerability is identified as CVE-2023-30258 and allows unauthenticated remote code execution in the context of the user running the web server process.

  • PR 18488 - This PR adds a module to manage Kerberos tickets from a compromised host. This notably allows Kerberos tickets to be exported from the target and then added to Metasploit's own cache, allowing them to be used for the duration in which they are valid.

  • PR 18492 - This adds a scanner module for exploiting CVE-2023-4966 which is a memory leak in Citrix ADC servers. This vulnerability allows a remote, unauthenticated attacker to leak memory by sending a very large HTTP Host header. The leaked memory is then scanned for session cookies which can be hijacked if found.

  • PR 18494 - This PR adds an RCE module for AjaxPro which leverages an insecure deserialization of data to get remote code execution on the target OS in the context of the user running the website which utilized AjaxPro.

  • PR 18497 - This module exploits a flaw in F5's BIG-IP Traffic Management User Interface (TMUI) that enables an external, unauthenticated attacker to create an administrative user. The attacker can then use the admin user to execute arbitrary code in the context of the root user.

  • PR 18501 - This pull request adds an exploit module for CVE-2023-46604, affecting the OpenWire transport unmarshaller in Apache ActiveMQ.

  • PR 18503 - This PR adds a post module to steal config and credential information for Apache NiFi.

  • PR 18507 - This PR adds three modules: auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198 leverages CVE-2023-20198 to perform unauthenticated remote CLI command execution, auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273 leverages both CVE-2023-20198 and CVE-2023-20273 to perform unauthenticated remote OS command execution, and exploit/linux/misc/cisco_ios_xe_rce uses the same two vulnerabilities to run an arbitrary payload on the target.

  • PR 18541 - This adds an exploit module for the "Looney Tunables" Linux LPE, identified as CVE-2023-4911. It checks the version of glibc running on the target to make sure it is vulnerable and, once verified, drops a Python script that exploits the vulnerability and returns a session running in the context of the root user.

  • PR 18542 - This adds an exploit module for a command injection vulnerability in Vinchin Backup & Recovery versions v5.0, v6.0, v6.7, and v7.0. It leverages two vulnerabilities identified as CVE-2023-45499 and CVE-2023-45498.

  • PR 18566 - This adds an exploit module for CVE-2023-22518, an improper authorization vulnerability in Confluence which allows an attacker to upload and restore a .zip backup file containing a known username and password to the server. The attacker can then log in with the credentials from the backup file to gain administrative access to the server.

  • PR 18567 - This pull request adds a new exploit module for CVE-2023-5360, an unauthenticated file upload vulnerability in the WordPress Royal Elementor Addons and Templates plugin in versions before 1.3.79.

  • PR 18568 - This PR adds a module leveraging CVE-2023-32781, an authenticated command injection vulnerability in PRTG versions 23.2.84.1566 and earlier. The result is command execution as SYSTEM.

  • PR 18569 - This adds a module to gather credential material from accounts with "Requires Pre-Authentication" disabled. The module supports two mechanisms for finding candidate accounts, brute forcing with a list of usernames or an LDAP query for the relevant usernames, followed by requesting TGTs for them.

  • PR 18577 - This PR adds a Remote Code Execution (RCE) module for Splunk Enterprise using CVE-2023-46214. This module exploits a vulnerability in the XSLT transformation functionality of certain versions of Splunk Enterprise, allowing for authenticated remote code execution.

  • PR 18578 - This PR adds a new module to exploit CVE-2022-0492, a Docker container escape that yields root on the host OS.

  • PR 18591 - This PR adds an auxiliary module for CVE-2023-49103 which can extract sensitive environment variables from ownCloud targets including ownCloud, DB, Redis, SMTP and S3 credentials.

  • PR 18604 - This pull request introduces a new post module to extract Mikrotik Winbox credentials saved in the "settings.cfg.viw" file when the "Keep Password" option is selected in Winbox.

  • PR 18612 - This adds an exploit module that leverages a remote code execution vulnerability in CraftCMS versions between 4.0.0-RC1 and 4.4.14. This vulnerability is identified as CVE-2023-41892 and allows an unauthenticated attacker to execute arbitrary code remotely.

  • PR 18626 - This PR adds an exploit module which allows for a user who has compromised a host acting as a SaltStack Master to deploy payloads to the Minions attached to that Master.

  • PR 18627 - This adds three post-exploitation modules for Ansible. The first gathers information and configuration. The second exploits an arbitrary file read that enables an attacker to read the first line of a file (typically /etc/shadow) when the compromised account is configured with password-less sudo permissions. The last is an exploit that can deploy a payload to all the nodes in the network.

  • PR 18628 - This PR adds a post gather module to get Puppet configs and other sensitive files.

  • PR 18630 - This adds an exploit for a command injection vulnerability in MajorDoMo versions before 0662e5e.

  • PR 18633 - This adds an exploit module that leverages an unauthenticated RCE in the WordPress plugin Backup Migration versions prior to 1.3.7. This vulnerability is identified as CVE-2023-6553. This also adds a library that implements a technique called PHP Filter Chaining which allows an attacker to prepend bytes to a string by continuously chaining character encoding conversion.

  • PR 18635 - This PR adds a module for an authenticated Splunk information disclosure vulnerability. This module gathers information about the host machine and the Splunk install including OS version, build, CPU arch, Splunk license keys etc.

  • PR 18638 - Adds an exploit module for CVE-2022-42889 that targets web apps utilising Apache Commons Text's (1.5-1.9) StringSubstitutor interpolator class in an insecure fashion.

  • PR 18648 - This PR adds an exploit module for a number of different GL.iNet network products. The module combines an authentication bypass vulnerability (CVE-2023-50919) with an RCE (CVE-2023-50445), allowing the user to remotely obtain, without authentication, a Meterpreter session running in the context of the root user.

  • PR 18664 - This adds an SMB fetch-payload service and a new payload to use it. The payload invokes rundll32 but handles everything for the user automatically.

  • PR 18708 - This PR adds an exploit chain that consists of two vulnerabilities, an authentication bypass (CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887). The exploit chain allows a remote unauthenticated attacker to execute arbitrary OS commands with root privileges. As per the Ivanti advisory, these vulnerabilities affect all supported versions of the products, versions 9.x and 22.x. It is unknown if the unsupported versions 8.x and older are also affected.

  • PR 18713 - Adds a new multi/gather/memory_search module that can read memory of processes on Windows and Linux hosts with Meterpreter. Regular expressions can be used to find passwords/credentials, and glob patterns and PIDs can be used to identify target processes.

  • PR 18734 - This adds an exploit for CVE-2023-22527 which is an unauthenticated RCE in Atlassian Confluence. The vulnerability is due to an SSTI flaw that allows an OGNL expression to be evaluated. The result is OS command execution in the context of the service account.

  • PR 18755 - This PR adds an exploit module for Mirth Connect. Versions before 4.4.1 are vulnerable to CVE-2023-43208 and CVE-2023-37679, where the former is a patch bypass for the latter. In both cases, an attacker can execute an OS command in the context of the target service using a specially crafted HTTP request and a Java deserialization gadget.

  • PR 18762 - This pull request adds an exploit module for CVE-2024-0204 which is a path traversal vulnerability which results in unauthenticated RCE in Fortra GoAnywhere MFT. GoAnywhere MFT versions 6.x from 6.0.1, and 7.x before 7.4.1 are vulnerable.

  • PR 18769 - This PR adds an exploit module which leverages an SQL injection (CVE-2023-49085) and a local file inclusion (CVE-2023-49084) vulnerability in Cacti versions prior to 1.2.26 to achieve RCE.

  • PR 18780 - This adds a local privilege escalation exploit that leverages an internal file descriptor leak in runc versions prior to 1.1.12. An attacker with Docker privileges is able to write an arbitrary file on the host file system with the permissions of runc (typically root). Using this, the module uploads a payload and sets the execute and SUID bits on it to escalate privileges.

  • PR 18807 - This adds a new encoder module that leverages base64 encoding to escape bad characters in ARCH_CMD payloads for the Linux and UNIX platforms.
