Apr 03, 2024

4.22.3-2024040301

Improved

  • Pro: Updates to Metasploit 6.4, which adds new PostgreSQL, MSSQL, MySQL and SMB session types and brings Kerberos and Meterpreter payload improvements to Metasploit Pro.

  • PR 18838 - This adds Debian support and a number of fixes and improvements for the runc_cwd_priv_esc module. Prior to this fix, the module incorrectly reported some versions to which the patch had been backported as vulnerable.

  • PR 18841 - This PR updates the sap_icm_paths.txt wordlist with the newest entries.

  • PR 18895 - This PR adds the ability to upload/download/delete/mkdir/rmdir from within the SMB session type.

  • PR 18925 - Updates RPC API to include Auxiliary and Exploit modules in session.compatible_modules response.

  • PR 18978 - This PR updates several login modules to display a summary at the end of a scan telling the user how many credentials and/or sessions were successful.

  • PR 18982 - Adds RPC methods session.interactive_read and session.interactive_write that support interaction with SQL, SMB and Meterpreter sessions via RPC API.

  • PR 19016 - Updates the MSSQL modules to support the GUID column type. Also improves error logging.

  • PR 19017 - Improves the auxiliary/admin/mssql/mssql_exec and auxiliary/admin/mssql/mssql_sql modules to have improved error logging.

Fixed

  • PR 18945 - Fixes crash when running http crawler with database connected.

  • PR 18947 - Fixes an issue with the exploits/windows/local/wmi_persistence module when PowerShell obfuscation was applied.

  • PR 18952 - Updates Postgres hashdump module to now work with newer versions of Postgres.

  • PR 18954 - This PR fixes an issue where modules were not honouring spooler settings.

  • PR 18985 - Fixes store_valid_credential conditional logic for unix/webapp/wp_admin_shell_upload module.

  • PR 19006 - This PR fixes an issue where WMAP plugin module loading was causing failures.

  • PR 19009 - Updates modules/exploits/osx/local/persistence to no longer be marked as a compatible module for Windows targets.

Modules

  • PR 18618 - This module exploits built-in functionality in OpenNMS Horizon in order to execute arbitrary commands as the opennms user. For versions 32.0.2 and higher, this module requires valid credentials for a user with ROLE_FILESYSTEM_EDITOR privileges and either ROLE_ADMIN or ROLE_REST. For versions 32.0.1 and lower, credentials are required for a user with ROLE_FILESYSTEM_EDITOR, ROLE_REST, and/or ROLE_ADMIN privileges.

  • PR 18716 - This adds an exploit module that leverages an account-takeover vulnerability to take control of a GitLab account without user interaction. The vulnerability lies in the password reset functionality: it is possible to supply two e-mail addresses, and the reset code is sent to both. An attacker can therefore provide the e-mail address of the target account together with one they control, receive the reset code, and reset the password.

  • PR 18721 - This PR adds a module that allows unauthenticated remote code execution as Administrator on SharePoint 2019 hosts. It does this by chaining two SharePoint 2019 vulnerabilities: first it uses CVE-2023-29357, an authentication bypass patched in June 2023, to impersonate the Administrator user, then it uses CVE-2023-24955, an RCE patched in May 2023, to execute commands as Administrator.

  • PR 18775 - This adds an auxiliary module that leverages an information disclosure (CVE-2023-28432) in a cluster deployment of MinIO versions from RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z. This retrieves all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD.

  • PR 18891 - This PR adds an exploit module that targets a known vulnerability, CVE-2024-25600, in the WordPress Bricks Builder Theme, versions prior to 1.9.6.

  • PR 18922 - This adds an exploit module that leverages an authentication bypass vulnerability in JetBrains TeamCity (CVE-2024-27198) to achieve unauthenticated RCE. The authentication bypass allows access to the REST API, which is used to create a new administrator access token. That token is then used to upload a plugin containing a Metasploit payload.

  • PR 18967 - This PR adds a module targeting CVE-2024-2054, a command injection vulnerability in Artica Proxy appliance versions 4.50 and 4.40. The exploit allows remote unauthenticated attackers to run arbitrary commands as the www-data user.
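
The GitLab password-reset weakness used by PR 18716 above comes down to a handler that looks up the account by one address but mails the reset token to every address it was given. The following Ruby snippet is an added illustration written for these notes; it is not GitLab's or the Metasploit module's code. It models the vulnerable flow next to a hardened one over an in-memory user table. The form parameter name `user[email]`, the `[]` array syntax and the e-mail addresses are assumptions for the illustration and are not taken from the page.

```ruby
require 'uri'
require 'securerandom'

# Constructed user store for the demo (not real accounts).
USERS = {
  'victim@example.com'   => { id: 1 },
  'attacker@example.net' => { id: 2 }
}.freeze

# Collect every e-mail value from a form body. A repeated "user[email][]"
# key becomes an array of addresses, as a Rails app would parse it.
# The parameter name is an assumption for this illustration.
def reset_emails_from_body(body)
  URI.decode_www_form(body)
     .select { |k, _| k == 'user[email]' || k == 'user[email][]' }
     .map { |_, v| v }
end

# Vulnerable flow: the account is resolved from the first address, but the
# single reset token is delivered to every address that was supplied.
# Returns { address => token } for each recipient.
def vulnerable_reset(body)
  emails = reset_emails_from_body(body)
  user = USERS[emails.first]
  return {} unless user
  token = SecureRandom.hex(16)
  emails.to_h { |e| [e, token] }   # the same token goes to all addresses
end

# Hardened flow: exactly one scalar address is accepted (array syntax is
# rejected outright), and the token is delivered only to the address
# stored for the matching account, never to a caller-supplied list.
def hardened_reset(body)
  pairs = URI.decode_www_form(body)
  if pairs.any? { |k, _| k == 'user[email][]' }
    raise ArgumentError, 'email must be a single scalar value'
  end
  email_pairs = pairs.select { |k, _| k == 'user[email]' }
  raise ArgumentError, 'exactly one email is required' unless email_pairs.size == 1
  email = email_pairs.first.last
  user = USERS[email]
  return {} unless user
  { email => SecureRandom.hex(16) }
end

# Convenience predicate: does the hardened handler refuse this body?
def hardened_rejects?(body)
  hardened_reset(body)
  false
rescue ArgumentError
  true
end

if __FILE__ == $0
  # Constructed request body carrying the target address plus one the
  # attacker controls.
  body = 'user[email][]=victim%40example.com&user[email][]=attacker%40example.net'
  puts "vulnerable recipients: #{vulnerable_reset(body).keys.inspect}"
  puts "hardened rejects:      #{hardened_rejects?(body)}"
end
```

The point to check in a real application is the recipient list of the reset mail: it must be derived from the stored account record, not echoed back from the request, and the lookup field should refuse anything that is not a single string.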

Offline Update

Metasploit Framework and Pro Installers