Apr 17, 2024
4.22.3-2024041701

Improved

  • PR 18906 - Adds support for leveraging the ESC4 attack on misconfigured AD-CS servers to introduce ESC2 and ESC3.

  • PR 19052 - Updates Metasploit's User Agent strings to values valid for April 2024.

  • PR 19064 - Adds support to the auxiliary/scanner/snmp/snmp_login module to work over the TCP protocol in addition to UDP.

Fixed

  • PR 18935 - Fixes a common user mistake when authenticating with LDAP modules. Now users can specify either the USERNAME (user) and DOMAIN (domain.local) datastore options or the original format of just the USERNAME in the UPN format (user@domain.local). This fix updates the LDAP library.

  • PR 19007 - Fixes a regression that affected exploit/multi/http/log4shell_header_injection module which stopped the module from running successfully.

  • PR 19021 - Updates the admin/mysql/mysql_enum module to work with newer versions of MySQL.

  • PR 19056 - Fixes an issue where the socket would be closed if targeting a single host with multiple user_file/pass_file module option combinations. This happened when a session was successfully opened and the next login attempt then closed the socket that the newly created session was using.

  • PR 19059 - Fixes an issue with the psnuffle module's POP3 support.

  • PR 19069 - Fixes an edge case present in clients that programmatically interacted with Metasploit's remote procedure call (RPC) functionality, which caused the login modules for SMB, Postgres, MySQL, and MSSQL to open a new session by default instead of it being opt-in behavior.

Modules

  • PR 18764 - Adds a new module to exploit CVE-2024-23897, an unauthorized arbitrary file read (limited to the first 2 lines) on Jenkins versions prior to 2.442 or, for the LTS stream, versions prior to 2.426.3.

  • PR 18915 - Adds a module for a buffer overflow in the administration interface of WatchGuard Firebox and XTM appliances. The appliances use a CherryPy Python backend that sends XML-RPC requests to a C binary called wgagent, reachable through the pre-authentication endpoint /agent/login. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2. Successful exploitation results in remote code execution as user nobody.

  • PR 18962 - Adds a post module to leverage CVE-2023-22649 which is a sensitive information leak in the rancher service's audit logs.

  • PR 19044 - Adds an exploit module for the Gibbon online school platform, version 26.0.00 and lower, that achieves remote code execution. Note that authentication is required. It leverages a PHP deserialization attack via columnOrder in a POST request (CVE-2024-24725).

  • PR 19051 - Adds a new module to add to, list, flush and delete from the LDAP msDS-KeyCredentialLink attribute, which enables users to execute "shadow credential" attacks for persistence and lateral movement.
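As an added example (not code from these release notes or from Metasploit itself), a small defender-side check that flags msDS-KeyCredentialLink writes in Windows Security Event ID 5136 records, the event domain controllers log when an AD object attribute is modified. The simplified "Field: Value" log format and the sample events are constructed, and the self-versus-cross-account heuristic is an assumption made for illustration.

```python
# Added example (not from the Metasploit release notes or the framework): flag
# msDS-KeyCredentialLink writes in Windows Security Event ID 5136 records.
import re

SHADOW_CRED_ATTR = "msDS-KeyCredentialLink"
OP_NAMES = {"%%14674": "added", "%%14675": "deleted"}  # 5136 Operation Type codes

# Constructed sample log: "Field: Value" lines, blank line between events.
SAMPLE_LOG = """\
EventID: 5136
Subject Account Name: jdoe
Object DN: CN=jdoe,OU=Users,DC=corp,DC=example
LDAP Display Name: msDS-KeyCredentialLink
Operation Type: %%14674

EventID: 5136
Subject Account Name: svc-backup
Object DN: CN=DC01,OU=Domain Controllers,DC=corp,DC=example
LDAP Display Name: msDS-KeyCredentialLink
Operation Type: %%14674
"""

def parse_events(text):
    """Split the log into one {field: value} dict per event."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def key_credential_changes(events):
    """Return (subject, object_dn, operation, cross_account) per msDS-KeyCredentialLink
    write. cross_account (a heuristic assumed here) is True when the writer is not the
    target object itself; those are the writes to triage as possible persistence."""
    findings = []
    for ev in events:
        if ev.get("EventID") != "5136" or ev.get("LDAP Display Name") != SHADOW_CRED_ATTR:
            continue
        dn = ev.get("Object DN", "")
        m = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
        object_name = m.group(1) if m else dn
        subject = ev.get("Subject Account Name", "")
        op = OP_NAMES.get(ev.get("Operation Type", ""), "unknown")
        findings.append((subject, dn, op, subject.lower() != object_name.lower()))
    return findings
```

Running `key_credential_changes(parse_events(SAMPLE_LOG))` reports the jdoe self-write as not cross-account and the svc-backup write to DC01 as cross-account.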
