Apr 03, 2024
We have updated the version of Metasploit Framework to 6.4 which enables new PostgreSQL, MSSQL, MySQL and SMB session types as well as providing Kerberos and Meterpreter payload improvements.
Improved
- Pro: Updates to Metasploit 6.4, which enables new PostgreSQL, MSSQL, MySQL and SMB session types as well as providing Kerberos and Meterpreter payload improvements for Metasploit Pro.
- PR 18838 - This adds support for Debian and includes a number of fixes and improvements for the runc_cwd_priv_esc module. Prior to this fix, the module incorrectly reported some versions to which the patch had been backported as vulnerable.
- PR 18841 - This PR updates the sap_icm_paths.txt wordlist with the newest entries.
- PR 18895 - This PR adds the ability to upload/download/delete/mkdir/rmdir from within the SMB session type.
- PR 18925 - Updates the RPC API to include Auxiliary and Exploit modules in the session.compatible_modules response.
- PR 18978 - This PR updates several login modules to display a message at the end of a scan telling the user how many credentials and/or sessions were successful.
- PR 18982 - Adds the RPC methods session.interactive_read and session.interactive_write, which support interaction with SQL, SMB and Meterpreter sessions via the RPC API.
- PR 19016 - Updates the MSSQL modules to support the GUID column type. Also improves error logging.
- PR 19017 - Improves error logging in the auxiliary/admin/mssql/mssql_exec and auxiliary/admin/mssql/mssql_sql modules.
Fixed
- PR 18945 - Fixes a crash when running the HTTP crawler with a database connected.
- PR 18947 - Fixes an issue with the exploits/windows/local/wmi_persistence module when PowerShell obfuscation was applied.
- PR 18952 - Updates the Postgres hashdump module to work with newer versions of Postgres.
- PR 18954 - This PR fixes an issue where modules were not honouring spooler settings.
- PR 18985 - Fixes the store_valid_credential conditional logic for the unix/webapp/wp_admin_shell_upload module.
- PR 19006 - This PR fixes an issue where WMAP plugin module loading was causing failures.
- PR 19009 - Updates modules/exploits/osx/local/persistence so that it is no longer marked as a compatible module for Windows targets.
Modules
- PR 18618 - This module exploits built-in functionality in OpenNMS Horizon in order to execute arbitrary commands as the opennms user. For versions 32.0.2 and higher, this module requires valid credentials for a user with ROLE_FILESYSTEM_EDITOR privileges and either ROLE_ADMIN or ROLE_REST. For versions 32.0.1 and lower, credentials are required for a user with ROLE_FILESYSTEM_EDITOR, ROLE_REST, and/or ROLE_ADMIN privileges.
- PR 18716 - This adds an exploit module that leverages an account-takeover vulnerability to take control of a GitLab account without user interaction. The vulnerability lies in the password reset functionality: it is possible to provide two e-mail addresses, and the reset code is sent to both. It is therefore possible to supply the e-mail address of the target account together with one the attacker controls, and to reset the password.
- PR 18721 - This PR adds a module that allows unauthenticated remote code execution as Administrator on SharePoint 2019 hosts. It performs this by exploiting two vulnerabilities in SharePoint 2019: first, it uses CVE-2023-29357, an authentication bypass patched in June 2023, to impersonate the Administrator user; then it uses CVE-2023-24955, an RCE patched in May 2023, to execute commands as Administrator.
- PR 18775 - This adds an auxiliary module that leverages an information disclosure (CVE-2023-28432) in a cluster deployment of MinIO versions from RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z. It retrieves all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD.
- PR 18891 - This PR adds an exploit module that targets a known vulnerability, CVE-2024-25600, in the WordPress Bricks Builder theme, versions prior to 1.9.6.
- PR 18922 - This adds an exploit module that leverages an authentication bypass vulnerability in JetBrains TeamCity (CVE-2024-27198) to achieve unauthenticated RCE. The authentication bypass grants access to the REST API and allows creation of a new administrator access token. This token can then be used to upload a plugin containing a Metasploit payload.
- PR 18967 - The PR adds a module targeting CVE-2024-2054, a command injection vulnerability in Artica Proxy appliance versions 4.50 and 4.40. The exploit allows remote unauthenticated attackers to run arbitrary commands as the www-data user.