Improved
Pro: Updates to Metasploit 6.4 which enables new PostgreSQL, MSSQL, MySQL and SMB session types as well as providing Kerberos and Meterpreter payload improvements for Metasploit Pro.
PR 18838 - This adds support for Debian and includes a number of fixes and improvements for the runc_cwd_priv_esc module. Prior to this fix, the module would incorrectly report some of the versions that the patch had been back-ported to as vulnerable.
PR 18841 - This PR updates the sap_icm_paths.txt wordlist with the newest entries.
PR 18895 - This PR adds the ability to upload/download/delete/mkdir/rmdir from within the SMB session type.
PR 18925 - Updates the RPC API to include Auxiliary and Exploit modules in the session.compatible_modules response.
PR 18978 - This PR updates several login modules to display a summary at the end of a scan telling the user how many credentials and/or sessions were successful.
PR 18982 - Adds the RPC methods session.interactive_read and session.interactive_write, which support interaction with SQL, SMB and Meterpreter sessions via the RPC API.
PR 19016 - Updates the MSSQL modules to support the GUID column type. Also improves error logging.
PR 19017 - Improves error logging in the auxiliary/admin/mssql/mssql_exec and auxiliary/admin/mssql/mssql_sql modules.
Fixed
PR 18945 - Fixes crash when running http crawler with database connected.
PR 18947 - Fixes an issue with the exploits/windows/local/wmi_persistence module when PowerShell obfuscation was applied.
PR 18952 - Updates the Postgres hashdump module to work with newer versions of Postgres.
PR 18954 - This PR fixes an issue where modules were not honouring spooler settings.
PR 18985 - Fixes the store_valid_credential conditional logic in the unix/webapp/wp_admin_shell_upload module.
PR 19006 - This PR fixes an issue where WMAP plugin module loading was causing failures.
PR 19009 - Updates modules/exploits/osx/local/persistence to no longer be marked as a compatible module for Windows targets.
Modules
PR 18618 - This module exploits built-in functionality in OpenNMS Horizon in order to execute arbitrary commands as the opennms user. For versions 32.0.2 and higher, this module requires valid credentials for a user with ROLE_FILESYSTEM_EDITOR privileges and either ROLE_ADMIN or ROLE_REST. For versions 32.0.1 and lower, credentials are required for a user with ROLE_FILESYSTEM_EDITOR, ROLE_REST, and/or ROLE_ADMIN privileges.
PR 18716 - This adds an exploit module that leverages an account takeover vulnerability to take control of a GitLab account without user interaction. The vulnerability lies in the password reset functionality: it is possible to supply two e-mail addresses, and the reset code is sent to both. An attacker can therefore submit the target account's address together with one they control, receive the reset code, and reset the password.
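The reset flow described in the PR 18716 entry comes down to a handler that accepts a list of addresses where it should accept one. The following is an added example, not GitLab's code or the Metasploit module: a hypothetical reconstruction of the vulnerable pattern next to a hardened one, using a constructed account store and a constructed attacker request (the `user[email][]` parameter name, `ACCOUNTS`, `reset_vulnerable` and `reset_hardened` are all assumptions made for the demo).

```ruby
require 'uri'
require 'securerandom'

# Constructed demo account store; hypothetical, not GitLab's data model.
ACCOUNTS = { 'victim@example.com' => { id: 1 } }.freeze

# Minimal form-body parser. Rack/Rails turn a repeated "user[email][]"
# key into an Array, which is the shape the takeover relies on.
def parse_form(body)
  params = {}
  URI.decode_www_form(body).each { |k, v| (params[k] ||= []) << v }
  params
end

# VULNERABLE pattern (hypothetical reconstruction of the behaviour the
# entry describes): one reset token is generated and mailed to every
# submitted address as long as at least one of them maps to an account.
def reset_vulnerable(body, outbox)
  emails = parse_form(body).fetch('user[email][]', [])
  return :not_found unless emails.any? { |e| ACCOUNTS.key?(e) }
  token = SecureRandom.hex(16)
  emails.each { |e| outbox << [e, token] }
  :sent
end

# HARDENED pattern: reject the array form outright, accept exactly one
# scalar address, and mail only the address stored on the matched account.
def reset_hardened(body, outbox)
  params = parse_form(body)
  return :rejected if params.key?('user[email][]')
  emails = params.fetch('user[email]', [])
  return :rejected unless emails.size == 1
  account = ACCOUNTS[emails.first]
  # A production handler returns the same response for unknown addresses
  # to avoid account enumeration; kept distinct here so the demo is readable.
  return :not_found unless account
  outbox << [emails.first, SecureRandom.hex(16)]
  :sent
end

if __FILE__ == $PROGRAM_NAME
  # Constructed attacker request: victim address plus attacker-controlled address.
  attack = 'user[email][]=victim@example.com&user[email][]=attacker@evil.example'
  out = []
  puts "vulnerable: #{reset_vulnerable(attack, out)} -> mailed #{out.map(&:first).inspect}"
  out = []
  puts "hardened:   #{reset_hardened(attack, out)} -> mailed #{out.map(&:first).inspect}"
end
```

The hardened version does two independent things: it refuses the array shape at the parameter layer, and it derives the recipient from the account record rather than from the request, so even a future parser change cannot route the token to an address the account does not own.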
PR 18721 - This PR adds a module that allows unauthenticated remote code execution as Administrator on SharePoint 2019 hosts. It does this by chaining two vulnerabilities in SharePoint 2019: first, it uses CVE-2023-29357, an authentication bypass patched in June of 2023, to impersonate the Administrator user; then it uses CVE-2023-24955, an RCE patched in May of 2023, to execute commands as Administrator.
PR 18775 - This adds an auxiliary module that leverages an information disclosure (CVE-2023-28432) in cluster deployments of MinIO, versions from RELEASE.2019-12-17T23-16-33Z up to but not including RELEASE.2023-03-20T20-16-18Z. It retrieves all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD.
PR 18891 - This PR adds an exploit module that targets a known vulnerability, CVE-2024-25600, in the WordPress Bricks Builder theme, versions prior to 1.9.6.
PR 18922 - This adds an exploit module that leverages an authentication bypass vulnerability in JetBrains TeamCity (CVE-2024-27198) to achieve unauthenticated RCE. The bypass grants access to the REST API, which is used to create a new administrator access token. That token is then used to upload a plugin containing a Metasploit payload.
PR 18967 - This PR adds a module targeting CVE-2024-2054, a command injection vulnerability in Artica Proxy appliance versions 4.50 and 4.40. The exploit allows remote unauthenticated attackers to run arbitrary commands as the www-data user.