Jun 20, 2024 (4.22.2-2024062001)

Improved

  • PR 19197 - Updates the new PostgreSQL, MSSQL, and MySQL session types to track the history of commands that the user has entered.

  • PR 19229 - The junos_phprc_auto_prepend_file module used to depend on a user already being authenticated to the J-Web application so that it could steal the session tokens it needs in order to exploit. With this enhancement the module will now create a session if one doesn't exist. It also adds datastore options to change the hash format for compatibility with older versions, as well as an option to attempt to set SSH root login to true before attempting to establish a root SSH session.

Fixed

  • PR 19176 - This adds the x86 and x64 architectures to the exploit/windows/http/dnn_cookie_deserialization_rce module's target metadata.

  • PR 19235 - Fixes an issue where Java payloads zip paths were not being created properly.

  • PR 19239 - Updates the modules/auxiliary/gather/zoomeye_search module to work again.

  • PR 19248 - This removes an extra rescue clause added in error and allows the actual rescue clause to rescue exceptions properly in the event a staged http(s) payload calls back to a stageless http(s) listener.

  • PR 19253 - This fixes an incorrect CVE reference in the exploit/unix/http/zivif_ipcheck_exec module.

Modules

  • PR 18998 - VSCode allows users to open a Jupyter notebook (.ipynb) file. Versions v1.4.0 - v1.71.1 allow the Jupyter notebook to embed HTML and JavaScript, which can then open new terminal windows within VSCode. Each of these new windows can then execute arbitrary code at startup. This vulnerability is tracked as CVE-2022-41034.

  • PR 19196 - This exploit module leverages an arbitrary file write vulnerability (CVE-2024-25641) in Cacti versions prior to 1.2.27 to achieve RCE. It abuses the Import Packages feature to upload a specially crafted package that embeds a PHP file.

  • PR 19221 - This module leverages an unauthenticated arbitrary root file read vulnerability for Check Point Security Gateway appliances. When the IPSec VPN or Mobile Access blades are enabled on affected devices, traversal payloads can be used to read any files on the local file system. This vulnerability is tracked as CVE-2024-24919.

  • PR 19240 - Adds an exploit module for CVE-2024-23692, an unauthorized SSTI in the Rejetto HTTP File Server (HFS).

  • PR 19242 - This adds an exploit for CVE-2024-4358 which is an authentication bypass in Telerik Report Server versions up to and including 10.0.24.305.

  • PR 19243 - This adds an exploit for CVE-2024-1800 which is an authenticated RCE in Telerik Report Server. To function without authentication it chains CVE-2024-4358 to create a new administrator account before launching the authenticated RCE.

  • PR 19247 - Windows systems running Japanese or Chinese (simplified or traditional) locales are vulnerable to a PHP CGI argument injection vulnerability. This exploit module returns a session running in the context of the Administrator user.

  • PR 19249 - This adds an exploit for CVE-2024-32113, which is an unauthenticated RCE in Apache OFBiz.

  • PR 19255 - This module exploits an unauthenticated file read vulnerability, due to directory traversal, affecting SolarWinds Serv-U FTP Server 15.4, Serv-U Gateway 15.4, and Serv-U MFT Server 15.4. All versions prior to the vendor-supplied hotfix "15.4.2 Hotfix 2" (version 15.4.2.157) are affected.
