Oct 28, 2024 (4.22.5-2024102801)

Improved

  • Pro: Updates the version of nginx from 1.23.3 to 1.27.1.

  • Pro: Updates Metasploit Pro from Ruby 3.1.6 to Ruby 3.2.5.

  • Pro: Updates the diagnostics script to extract additional debug information.

  • PR 19536 - Updates the post/windows/gather/enum_unattend module to also check for '.vmimport' files, which may be created by the AWS EC2 VM Import/Export (VMIE) service and can contain cleartext credentials.

  • PR 19539 - Adds keepalive functionality to the new LDAP session type so that sessions survive a server's idle timeout; they no longer close after 15 minutes of inactivity.

  • PR 19540 - Update Metasploit's HTTP request User Agent strings for October 2024.

  • PR 19549 - This pull request includes multiple fixes and improvements to the Meterpreter payloads. zeroSteiner fixed a "stdapi_fs_ls: Operation failed: 1" error when running the ls command with the Java Meterpreter. cdelafuente-r7 updated the Java Meterpreter payload so that it runs on newer OpenJDK versions on Alpine Linux hosts. wolfcod improved remote thread creation for the C Meterpreter on Windows XP machines and fixed a memory leak in the sysinfo command.

  • PR 19561 - Updates the gather/ldap_esc_vulnerable_cert_finder module to register the detected vulnerabilities in the Metasploit database when a database connection is active.

  • PR 19567 - Adds default vendor passwords for common single-board computers (SBCs) to wordlists.

Fixed

  • PR 19495 - Fixes an edge-case crash in the admin/kerberos/get_ticket module when the supplied cert_file contained a subjectAltName extension with an unexpected value.

  • PR 19572 - Fixes an issue in the UPDATE action of admin/ldap/ad_cs_cert_template.

  • PR 19563 - Updates exploits/linux/http/metabase_setup_token_rce to support older versions.

  • PR 19577 - Fixes a crash when running the shell command with a Meterpreter session.

Modules

  • PR 19473 - Adds an auxiliary module that dumps user credentials through a time-based SQL injection in the WP Fastest Cache plugin, version <= 1.2.2.

  • PR 19482 - Adds a new auxiliary/scanner/http/wp_learnpress_c_fields_sqli module that exploits two unauthenticated SQL injection vulnerabilities in the LearnPress WordPress LMS Plugin (version <= 4.2.7). These vulnerabilities allow attackers to perform blind SQL injection via the c_only_fields and c_fields parameters.

  • PR 19485 - Adds an exploit module for BYOB (Build Your Own Botnet) that exploits an unauthenticated arbitrary file write (CVE-2024-45256) and an authenticated command injection (CVE-2024-45257), allowing attackers to bypass authentication and achieve remote code execution (RCE).

  • PR 19538 - Adds support for ESC15 to three AD CS related modules. A template definition is added so the ad_cs_cert_template module can create and update templates that are vulnerable to ESC15; to ensure this works reliably, create a net-new template rather than modifying an existing one. Fingerprinting is added to the ldap_esc_vulnerable_cert_finder module to identify templates that are vulnerable to ESC15. The icpr_cert module now accepts application policy OIDs so that a vulnerable template can be exploited by a user.

  • PR 19544 - Adds a new module, exploit/linux/http/magento_xxe_to_glibc_buf_overflow, which chains an XXE-based arbitrary file read (CVE-2024-34102) with a buffer overflow in glibc (CVE-2024-2961) to gain unauthenticated remote code execution on multiple versions of Magento and Adobe Commerce, including versions prior to 2.4.6-p5.
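
As an added example for the ESC15 fingerprinting mentioned under PR 19538 (this is illustrative code written for these notes, not Metasploit's own implementation), the Ruby below applies the publicly documented ESC15 ("EKUwu", CVE-2024-49019) preconditions to certificate template attributes shaped like net-ldap search results. The attribute names and the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT bit follow the AD CS LDAP schema; the schema-version criterion comes from the public ESC15 research. The "published" and "enrollable" inputs are stand-ins for the CA object's certificateTemplates lookup and an ACL check, which are out of scope here, and all sample templates are constructed.

```ruby
# Added example (not Metasploit's code): flag AD CS certificate templates
# that meet the published ESC15 ("EKUwu", CVE-2024-49019) preconditions.
#
# Assumed criteria (from public ESC15 research, not from the release notes):
#   1. msPKI-Template-Schema-Version is 1 - version 1 templates accept
#      enrollee-supplied application policy OIDs in the request;
#   2. CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT is set in msPKI-Certificate-Name-Flag;
#   3. the template is published on an enrollment service (listed in the CA
#      object's certificateTemplates attribute);
#   4. the requesting principal has Enroll rights on the template. ACL
#      evaluation is not implemented here; it is passed in as a name list.

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001

# LDAP returns DWORD attributes as decimal strings, and values with the high
# bit set come back negative (signed 32-bit). Mask to recover the bit pattern.
def ldap_dword(attrs, key)
  raw = attrs.fetch(key, []).first
  raw.nil? ? 0 : Integer(raw) & 0xFFFFFFFF
end

def esc15_candidate?(attrs, published:, enrollable:)
  name = attrs.fetch('cn').first
  return false unless ldap_dword(attrs, 'mspki-template-schema-version') == 1
  name_flags = ldap_dword(attrs, 'mspki-certificate-name-flag')
  return false if (name_flags & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT).zero?
  published.include?(name) && enrollable.include?(name)
end

def esc15_candidates(templates, published:, enrollable:)
  templates.select { |t| esc15_candidate?(t, published: published, enrollable: enrollable) }
           .map { |t| t['cn'].first }
end

# Constructed sample data shaped like net-ldap results (lower-case attribute
# names, array-of-string values). Not taken from a real directory.
SAMPLE_TEMPLATES = [
  { 'cn' => ['WebServer'],   'mspki-template-schema-version' => ['1'], 'mspki-certificate-name-flag' => ['1'] },
  { 'cn' => ['User'],        'mspki-template-schema-version' => ['1'], 'mspki-certificate-name-flag' => ['-1509949440'] },
  { 'cn' => ['CustomV2'],    'mspki-template-schema-version' => ['2'], 'mspki-certificate-name-flag' => ['1'] },
  { 'cn' => ['NoEnroll'],    'mspki-template-schema-version' => ['1'], 'mspki-certificate-name-flag' => ['1'] },
  { 'cn' => ['Unpublished'], 'mspki-template-schema-version' => ['1'], 'mspki-certificate-name-flag' => ['1'] },
].freeze
SAMPLE_PUBLISHED  = %w[WebServer User CustomV2 NoEnroll].freeze   # from the CA's certificateTemplates
SAMPLE_ENROLLABLE = %w[WebServer User CustomV2 Unpublished].freeze # pre-computed Enroll rights

if __FILE__ == $PROGRAM_NAME
  puts esc15_candidates(SAMPLE_TEMPLATES, published: SAMPLE_PUBLISHED, enrollable: SAMPLE_ENROLLABLE).inspect
end
```

Only WebServer is reported: User has schema version 1 but its name flags do not include the enrollee-supplies-subject bit, CustomV2 is a version 2 template, and the remaining two fail the publication or enrollment checks. The signed-to-unsigned masking in ldap_dword matters in practice, since a naive bit test on the negative value LDAP returns for flags with the high bit set will still work by accident in Ruby but breaks in languages with fixed-width integers.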
