Improved
Pro: Adds additional diagnostic logs when restoring Metasploit Pro from a backup file.
Pro: Improves error messages when uploading backups and fixes an edge case that stopped Windows installs from uploading backups successfully.
Pro: Ensures that Metasploit Pro's startup time is faster on subsequent boots.
Pro: Updates the module run page to include a new dropdown menu that allows users to select between executing the check or run capabilities of a module.
PR 19660 - Updates OptEnum to validate values case-insensitively while preserving the case the module author expected.
PR 19684 - Improves the fingerprinting logic for the auxiliary/scanner/teamcity/teamcity_login module.
PR 19705 - Updates the exploits/linux/http/projectsend_unauth_rce module to include the CVE entry CVE-2024-11680 for ProjectSend r1295 - r1605 Unauthenticated Remote Code Execution.
PR 19718 - Exposes the currently authenticated rpc_token to RPC handlers.
PR 19734 - Adds Arch Linux compatibility to the runc_cwd_priv_esc local privilege escalation module.
PR 19752 - Adds checks for the presence of pprof on Prometheus. It can detect potential denial-of-service or information leakage associated with the pprof package.
PR 19755 - Updates Metasploit's HTTP request User-Agent strings for December 2024.
PR 19774 - Updates modules/auxiliary/scanner/http/wordpress_scanner.rb to have the most up-to-date list of vulnerable components, based on the exploits and scanners available in Metasploit Framework.
Fixed
Pro: Fixes a crash when submitting the vulnerability validation wizard form with tags enabled.
Pro: Fixes an ActiveRecord::RecordInvalid Validation failed: User must exist crash when invoking the pro.start_exploit API.
Pro: Fixes a crash when attempting to load modules that required older SSL ciphers within the msfpro command line console.
PR 19367 - This fixes the ARM stager so that it properly downloads the second stage, by fixing the recv() loop.
PR 19621 - This fixes symlink handling by the Java Meterpreter on Windows targets.
PR 19656 - Fixes an issue where an SSH session could sometimes be reported as alive when it had failed to open successfully against Windows running older versions of OpenSSH.
PR 19700 - Fixes a bug where HTTP redirects were not handling HTTP query parameters correctly.
PR 19719 - A bug in the fetch payload produced a malformed bash command when FETCH_DELETE was set to true, causing a syntax error. While testing the fix for that error, we noticed a race condition that could delete the payload file before it was executed. The final fix adds a random sleep between executing and deleting the payload to prevent the race condition and keep the bash syntax intact.
PR 19721 - This updates the way the module checks the Windows build version to determine whether it is vulnerable to CVE-2020-0668.
PR 19739 - Fixes an issue with the post/multi/recon/local_exploit_suggester module, which would crash if a TARGET value was set.
PR 19740 - This removes the old reverse_https_proxy x86 Windows stager, which has been superseded by the reverse_https stager and its proxy options.
PR 19763 - Fixes non-deterministic Windows version detection for post modules.
PR 19800 - Fixes an exception when a custom DNS resolver is used that was preventing SRV records from resolving correctly.
Modules
PR 18877 - This adds a new X11 library and module that uses it to remotely capture key presses from open X servers.
PR 19402 - VMware vCenter Server versions below 7.0.3 Update R and above 8.0.2 Update D contain multiple local privilege escalation vulnerabilities due to a misconfiguration of sudo. An authenticated local user with non-administrative privileges may exploit these issues to elevate privileges to root on the vCenter Server Appliance. This adds a post module to exploit these vulnerabilities.
PR 19430 - This adds an exploit module for Moodle learning platform. The module exploits a command injection vulnerability in Moodle CVE-2024-43425 to obtain remote code execution. By default, the application will run in the context of www-data, so only a limited shell can be obtained.
PR 19460 - Adds a module for CVE-2023-2640 and CVE-2023-32629, a local privilege escalation in some Ubuntu kernel versions by abusing overly-trusting OverlayFS features.
PR 19533 - This updates the existing multi/http/werkzeug_debug_rce module, which only targeted older versions of the vulnerable Werkzeug application that did not include any authentication.
PR 19574 - This adds a post module to gain NT AUTHORITY/SYSTEM privileges on a Windows target vulnerable to CVE-2024-35230.
PR 19583 - This exploits an RCE and sensitive information disclosure vulnerability due to excessive privileges assigned to the Acronis Agent. The following products are affected: Acronis Cyber Protect 15 before build 29486, Acronis Cyber Backup 12.5 before build 16545.
PR 19595 - Adds an exploit module for a CRLF injection vulnerability in Ivanti Connect Secure to achieve remote code execution. Versions prior to 22.7R2.1 and 22.7R2.2 are vulnerable. Ivanti Policy Secure versions prior to 22.7R1.1 are also vulnerable but this module doesn't support this software. Valid administrative credentials are required. A non-administrative user is also required and can be created using the administrative account, if needed. Also the Client Log Upload feature needs to be enabled. This can also be done using the administrative interface if it is not enabled already.
PR 19596 - The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress, plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This adds an exploit module which allows an attacker to reset the password of any known user on the system.
PR 19608 - Adds a CyberPanel Pre-Auth RCE exploit module for the following CVEs: CVE-2024-51378, CVE-2024-51567, CVE-2024-51568. The module contains three separate actions which let you specify which CVE you would like to exploit.
PR 19613 - Adds an authenticated RCE module for Asterisk via AMI. This vulnerability is tracked as CVE-2024-42365. This also moves the underlying functionality that enables the module to interact with the Asterisk application, originally written by @bcoles, to a library.
PR 19614 - This adds an exploit module for an unauthenticated arbitrary file read vulnerability, tracked as CVE-2024-45309, which affects OneDev versions <= 11.0.8.
PR 19629 - This adds an exploit module for Chamilo LMS versions <= v1.11.24, where a webshell can be uploaded via the bigload.php endpoint, allowing remote code execution in the context of www-data (CVE-2023-4220).
PR 19647 - Adds an exploit module for a vulnerability in the 'Add API Documentation' feature of WSO2 API Manager that allows malicious users with specific permissions to upload arbitrary files to a user-controlled server location. This flaw allows for RCE on the target system.
PR 19648 - Adds a module that exploits a missing authentication vulnerability affecting FortiManager and FortiManager Cloud devices to achieve unauthenticated RCE with root privileges. This vulnerability is being tracked as CVE-2024-47575.
PR 19649 - This adds a module which exploits a Java Expression Language RCE vulnerability in the Primefaces JSF framework. Primefaces versions prior to 5.2.21, 5.3.8 or 6.0 are vulnerable to a padding oracle attack, due to the use of weak crypto and default encryption password and salt.
PR 19661 - This adds an exploit module for CVE-2024-10924, a vulnerability in the WordPress Really Simple Security plugin, versions 9.0.0 to 9.1.1.1, that allows unauthenticated attackers to bypass Two-Factor Authentication (2FA). By exploiting this flaw, an attacker can retrieve the administrator's session cookie directly, enabling full control over the WordPress instance, including the ability to upload and execute arbitrary code.
PR 19663 - Adds an exploit module for the recent PAN-OS management interface unauthenticated RCE exploit chain for CVE-2024-0012 + CVE-2024-9474.
PR 19666 - This adds a module that is able to change a user's password knowing the current value or reset a user's password given the necessary permissions using SMB.
PR 19671 - This adds a module that is able to change a user's password knowing the current value or reset a user's password given the necessary permissions using LDAP.
PR 19676 - This adds a post module which exploits needrestart on Ubuntu, before version 3.8. It allows local attackers to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable.
PR 19696 - This replaces the existing samr_computer module with a more general one that can also be used to add user accounts to Active Directory if the operator has the necessary permissions.
PR 19701 - This adds an auxiliary module that exploits CVE-2021-24762, an unauthenticated SQL injection that allows dumping user credentials from the database.
PR 19713 - This exploits a Remote Code Execution (RCE) vulnerability identified as CVE-2024-8856 in the WordPress WP Time Capsule plugin (versions ≤ 1.22.21). This vulnerability allows unauthenticated attackers to upload and execute arbitrary files due to improper validation within the plugin.
PR 19733 - New exploit module for Clinic's Patient Management System 1.0, tracked as CVE-2022-40471. The module exploits an unrestricted file upload, which can be further used to get remote code execution (RCE) through a malicious PHP file.
PR 19738 - This adds an exploit module for a command injection vulnerability (CVE-2024-11320) in the LDAP authentication mechanism of Pandora FMS.
PR 19748 - Adds a module for timeroasting, a technique where the RID of a computer account is used in a crafted NTP frame that when received by a Domain Controller will prompt the DC to respond with a NTP frame containing a cryptographic hash.
PR 19769 - This adds an exploit module for Selenium Server (Grid) allowing unauthenticated command injection using the Chrome backend.
PR 19770 - This adds an exploit module for Netis Routers including rebranded routers from GLCtec and Stone. The module chains 3 CVEs together to accomplish unauthenticated RCE. The first, CVE-2024-48456, is a command injection vulnerability in the change admin password page which allows an attacker to change the admin password to one of their choosing. The next vulnerability, CVE-2024-48457, is an authenticated RCE which can be chained with the first vuln nicely. The last CVE-2024-48455 allows for unauthenticated information disclosure revealing sensitive configuration information of the router which can be used by the attacker to determine if the router is running specific vulnerable firmware.
PR 19771 - This adds an exploit module for Selenium Server (Grid) <= 4.27.0, which is vulnerable to command injection when using Firefox as the backend.
PR 19781 - This adds an auxiliary module to perform arbitrary file read on vulnerable Selenium installations using Firefox, Chrome or Edge backends.
PR 19793 - Add an exploit module for CVE-2024-55956, an unauthenticated file write vulnerability affecting Cleo LexiCom, VLTrader, and Harmony versions 5.8.0.23 and below.