Improved
PR 19325 - Updates the TARGETURI description for the geoserver_unauth_rce_cve_2024_36401 module.
PR 19338 - Improves error handling and progress tracking in the auxiliary/gather/kerberos_enumusers and gather/asrep modules.
Fixed
Pro: Fixes a crash when visiting the notes analysis page.
Pro: Fix Metasploit Pro command shell logging when setg SessionLogging true is enabled.
Pro: Fix an issue with session compatibility detection that caused the quick pen test message "Unable to reach Metasploit Pro Service" to appear.
PR 19312 - Fixes a regression issue that caused the Mettle sniffer extension to not correctly load.
PR 19322 - This fixes an issue that was causing some Meterpreters to consume large amounts of memory when configured with an HTTP or HTTPS transport that was unable to connect.
PR 19324 - This updates the rpc_session library such that rpc compatible modules are able to handle unknown sessions, i.e. rpc.call('session.compatible_modules', -1).
PR 19327 - This bumps the version of metasploit_payloads-mettle to pull in changes for the Linux and OSX Meterpreters. The changes fix an issue which prevented the sniffer extension from loading.
Modules
PR 19274 - This adds an exploit for CVE-2024-29824, an unauthenticated SQL injection in Ivanti Endpoint Manager 2022 SU5 and prior that can be used to obtain RCE.
PR 19304 - This adds an auxiliary module for an XXE vulnerability in Magento, tracked as CVE-2024-34102, that results in an arbitrary file read.
PR 19311 - This adds an exploit module for CVE-2024-36401, an unauthenticated RCE vulnerability in GeoServer versions prior to 2.23.6, between versions 2.24.0 and 2.24.3, and in versions 2.25.0 and 2.25.1.
PR 19314 - This adds an exploit for CVE-2024-21638, an authenticated RCE in Atlassian Confluence affecting all versions prior to 7.17 and many versions up to 8.9.0.