
May 03, 2024

We have updated the version of Metasploit Framework to include new modules and enhancements.

Improved

  • Pro: Fixes a bug that caused the exploit/multi/http/apache_normalize_path_rce module to not correctly exploit vulnerable targets

  • Pro: Updates Metasploit Pro’s multi/handler module with additional information on global listeners

  • Pro: Fixes multiple modules that were not having their default module options set correctly

  • PR 18723 - Enhances our GitLab fingerprinting capabilities

  • PR 18914 - Adds functionality so that CVE and URL references will be imported from an OpenVAS XML report by default. DNF-CERT and CERT-BUND references can also be collected by sending additional flags to the db_import command.

  • PR 19048 - Updates the windows_secrets_dump module to enable accessing the necessary registry data without writing it to disk first.

  • PR 19054 - Adds NText column parsing to MSSQL modules.

  • PR 19066 - Adds automated tests for multiple SMB modules.

  • PR 19075 - Updates the Softing Secure Integration Server login library to allow the code to be better reused by other modules.

  • PR 19078 - Fixes a crash in the modules/auxiliary/gather/ldap_query.rb module when running queries from a file.

  • PR 19080 - Adds architecture and platform detection for PostgreSQL sessions.

  • PR 19086 - Updates Metasploit’s RPC to expose each module’s default_options metadata.

  • PR 19105 - Updates MSSQL modules to support querying multiple new column types: float, real, money, smallmoney, datetime, smalldatetime, and numeric.

  • PR 19112 - Adds architecture and platform detection for MSSQL sessions.

  • PR 19122 - Adds additional reliability metadata to exploits/linux/local/vcenter_java_wrapper_vmon_priv_esc.

Fixed

  • PR 19079 - Fixes an issue where the password_spray module option was being ignored.

  • PR 19089 - Fixes a bug where a user might get an unexpected NoMethodError running the linux/local/exim4_deliver_message_priv_esc module.

  • PR 19095 - Updates the smb_enumusers module to use an updated SMB implementation from RubySMB which fixes an issue where the module could sometimes time out or return an unexpected error when targeting Samba.

  • PR 19113 - Fixes a regression that caused Metasploit to leak memory, and sometimes crash.

  • PR 19114 - Fixes crashes in multiple LDAP-related modules.

  • PR 19137 - Fixes an infinite recursion error where Metasploit would attempt to resolve a nameserver specified as a hostname in /etc/resolv.conf while initializing.

  • PR 19138 - Fixes a crash in the cve_2022_26923_certifried module.

  • PR 19141 - Fixes timeout issues encountered by rocketmq and activemq modules that would occur when the target is not running the expected service.

  • PR 19152 - Fixes an issue in the exploit/multi/http/apache_normalize_path_rce exploit module that affected Metasploit Pro due to how the module was handling datastore options.

Modules

  • PR 18918 - This exploit module leverages an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability (CVE-2023-43177) to achieve unauthenticated remote code execution. This affects CrushFTP versions prior to 10.5.1.

  • PR 18936 - This adds an auxiliary module that leverages an information disclosure vulnerability (CVE-2023-0342) in MongoDB Ops Manager v5.0 prior to 5.0.21 and v6.0 prior to 6.0.12 to retrieve the SAML SSL Pem Key File Password, which is stored in plaintext in the application’s Diagnostics Archive.

  • PR 18956 - This adds an exploit for CVE-2021-36782, a vulnerability which can be leveraged by an authenticated attacker to leak API credentials from an affected Rancher instance.

  • PR 18972 - This adds a module targeting CVE-2024-1212, an unauthenticated command injection vulnerability in Kemp Progress Loadmaster versions after 7.2.48.1, but patched in 7.2.59.2 (GA), 7.2.54.8 (LTSF) and 7.2.48.10 (LTS).

  • PR 18996 - Adds a new exploit module that creates a malicious VS / VSCode extension file.

  • PR 18997 - Adds a FileFormat exploit for VSCode. The VSCode extension GitLens by GitKraken before v14.0.0 allows an untrusted workspace to execute git commands. A repo may include its own .git folder containing a malicious config file to execute arbitrary code.

  • PR 19005 - Adds a module for a Remote Code Execution vulnerability in Gambio Online Webshop version 4.9.2.0 and lower that allows remote attackers to run arbitrary commands via an unauthenticated HTTP POST request.

  • PR 19026 - Adds an exploit for pgAdmin <= 8.3, a path traversal vulnerability in the session management that allows a Python pickle object to be loaded and deserialized. This also adds a new Python deserialization gadget chain that executes the code in a new thread so the target application doesn’t block the HTTP request.

  • PR 19046 - Adds the apache_solr_backup_restore module, which takes advantage of an Unrestricted Upload of File with Dangerous Type vulnerability, allowing the user to gain a session on an Apache Solr instance for remote code execution.

  • PR 19082 - Adds the windows/http/forticlient_ems_fctid_sqli module, which takes advantage of a SQL injection vulnerability in Fortinet FortiClient EMS.

  • PR 19101 - Adds an exploit module for https://security.paloaltonetworks.com/CVE-2024-3400, affecting PAN-OS GlobalProtect Gateway and GlobalProtect Portal deployments with the default telemetry service enabled.

Offline Update

Metasploit Framework and Pro Installers