Nov 14, 2024

4.22.5-2024111401

Improved

  • Pro: Updates the quick pentest and pro exploit tasks logs to contain the current workspace and minimum rank information.

  • Pro: Add a new code example for interacting with the module search API.

  • Pro: Adds additional startup logging information to the Metasploit engine service, as well as improving nginx startup error handling and additional logging for capturing unhandled startup errors. Windows environments will now correctly mark metasploitProSvc as not running if an unexpected crash has occurred.

  • Pro: Update diagnostics reporting tool to include inactive systemctl units.

  • PR 19360 - Adds a new LAUNCH_ITEM option to the exploits/osx/local/persistence module. The allowed values are LaunchAgent or LaunchDaemon. One advantage of persisting as a LaunchDaemon is that LaunchDaemons run before user login and with elevated permissions. Additionally, this pull request adds the ability for the module to target Apple Silicon devices.

  • PR 19529 - Updates the pipe_dcerpc_auditor module to use the new pattern for handling port settings, which gives users greater control over their targeting.

  • PR 19597 - Fixes symlink and junction detection in the Python Windows Meterpreter.

  • PR 19600 - Marks the Windows post modules gather/credentials/seamonkey, gather/credentials/chrome, and gather/enum_chrome as superseded by windows/gather/enum_browsers.

Payload Enhancements

  • PR 19604 - This adds a new method for injecting code into running processes on Windows Kernel version 10.x.

Fixed

  • Pro: Fixes a crash when calling the pro.module_search RPC API.

  • PR 19553 - Fixes a bug in modules that use Kerberos authentication: when the KrbOfferedEncryptionTypes datastore option was set, it was ignored instead of being used to select a compatible ticket from the cache.

Modules

  • PR 19404 - Adds a module for exploiting ESC8. It includes an SMB capture server that repackages captured authentication and forwards it to an NTLM-authenticating HTTP server. The module then uses the HTTP client to request and download certificates.

  • PR 19488 - This adds a new auxiliary module to exploit an unauthenticated SQL injection vulnerability in the Ultimate Member plugin for WordPress versions 2.1.3 to 2.8.2. The vulnerability allows an unauthenticated attacker to extract sensitive data via the sorting parameter.

  • PR 19489 - This adds a new exploit module for the SQL injection vulnerability in the WordPress wp-automatic plugin, affecting versions prior to 3.92.1. The vulnerability allows unauthenticated attackers to inject SQL commands, enabling them to create a malicious administrator account. Using the newly created admin account, the attacker can upload a plugin and achieve remote code execution.

  • PR 19499 - Adds a new module that exploits a backdoor in SolarWinds Web Help Desk (CVE-2024-28987) versions <= v12.8.3, which enables attackers to retrieve all tickets currently logged in the application.

  • PR 19506 - Adds a new post-exploitation post/windows/gather/enum_browsers module which extracts sensitive browser data from both Chromium-based and Gecko-based browsers on the target system. It supports the decryption of passwords and cookies using Windows Data Protection API (DPAPI) and can extract additional data such as browsing history, keyword search history, download history, autofill data, credit card information, browser cache and installed extensions.

  • PR 19517 - Adds a new auxiliary module that exploits an unauthenticated SQL injection vulnerability in the TI WooCommerce Wishlist plugin for WordPress (versions <= 2.8.2). The vulnerability allows attackers to execute SQL queries via the order parameter, which can be used to dump usernames and their hashed passwords.

  • PR 19518 - Add support for RISC-V 32-bit / 64-bit Little Endian payloads. Includes Linux Execute Command payloads and Linux Reboot payloads for testing.

  • PR 19527 - Updates the exploit/multi/http/wp_givewp_rce module with a patch bypass. This module is now compatible with GiveWP version 3.16.1.

  • PR 19528 - Adds a new exec payload leveraging Python.

  • PR 19557 - Adds a module that chains CVE-2024-5910, a password reset vulnerability, with CVE-2024-9464, an authenticated command-injection vulnerability, to gain code execution on Palo Alto Expedition servers with versions after 1.2 and before 1.2.92, with or without knowledge of the credentials.
