Improved
PR 19849 - This makes changes to the ldap_esc_vulnerable_cert_finder, ad_cs_cert_template and get_ticket modules to enable them to be used as part of larger workflow automation. For all three modules, it adds a return value that indicates whether the operation was successful and includes some relevant information. LDAP object caching has been introduced to reduce the number of queries sent to the target.
PR 19851 - Updates the ad_cs_cert_template module to parse and display the flags field.
PR 19856 - This fixes certificate request behavior for the ESC8 relay module and adds domain controller template support. Certificate generation for the Computer template now correctly requests based on the Machine template name instead of the DisplayName, which previously caused failures. When in AUTO mode and a computer login is detected, the module now attempts to generate certificates based on both the Machine and DomainController templates. This ensures that if a login is coerced from a domain controller (e.g. via PetitPotam), the appropriate DC certificate is obtained.
Fixed
Pro: Fixes broken links on the restore backup and license activation pages.
Pro: Fixes a bug which prevented the stop task button from working.
Pro: Fixes a bug on the credentials bruteforce page that stopped users from right-clicking and pasting credential pairs to verify.
Pro: Fixes a crash when updating the current user's password and the user has supplied an invalid password.
Pro: Fixes a crash when performing password reuse against an LDAP service.
Pro: Fixes a crash when visiting the captured data page when the captured data is not associated with a host, e.g. if the passive network discovery module has previously been run.
PR 19729 - Adds a fix for when a Metasploit user has established a shell session and wants to run a command on the target that also happens to be a built-in Metasploit command. Prior to this, it was not possible, as MSF would intercept the command and run the built-in version. This was fixed by allowing the user to prepend built-ins with '.' to pass execution of the intended command through to the target (such as '.help' being executed as 'help' on the target).
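To make the PR 19729 rule concrete, the following is a small added example of a shell-session command dispatcher written for these notes; it is not Metasploit's own code, and the built-in list, the return shape and the handling of '.'-prefixed non-built-ins (left untouched so that './configure' is not mangled) are assumptions of this illustration.

```ruby
# Assumed, shortened list of console built-ins that a shell session intercepts.
# Metasploit's real set is longer; this is illustration, not its implementation.
BUILTIN_COMMANDS = %w[help background sessions irb pry resource].freeze
PASS_THROUGH_PREFIX = '.'

# True if the first token of the line names a built-in.
def builtin?(line)
  first = line.split(/\s+/, 2).first
  BUILTIN_COMMANDS.include?(first)
end

# Returns [:builtin, line], [:target, line] or [:ignore, ''].
# A leading '.' escapes a built-in name so the rest of the line reaches
# the target shell verbatim ('.help' -> 'help' on the target).
def dispatch(line)
  stripped = line.strip
  return [:ignore, ''] if stripped.empty?

  if stripped.start_with?(PASS_THROUGH_PREFIX)
    rest = stripped.delete_prefix(PASS_THROUGH_PREFIX)
    # Assumption: '.' only acts as an escape when it shields a built-in name.
    # './configure' or '.bashrc' are passed through unchanged so the prefix
    # cannot swallow the first character of a real target command.
    return [:target, rest] if builtin?(rest)
    return [:target, stripped]
  end

  return [:builtin, stripped] if builtin?(stripped)
  [:target, stripped]
end

if __FILE__ == $PROGRAM_NAME
  ['help', '.help', '.help -v', './configure --prefix=/opt', 'ls -la'].each do |l|
    where, cmd = dispatch(l)
    puts format('%-28s -> %-8s %s', l.inspect, where, cmd.inspect)
  end
end
```

The point of the extra check on '.'-prefixed lines is the edge case a pentester hits immediately: relative paths such as './script.sh' begin with the same character as the escape prefix and must still reach the target intact.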
PR 19808 - Adds detection for the ESC15 patch to the icpr_cert module.
PR 19826 - Fixes two issues with the ldap_query module. The first was that the BASE_DN option wasn't being used when set. The second was that QUERY_ATTRIBUTES was a required datastore option. Now if QUERY_ATTRIBUTES is left unset, the module will return all the attributes. This is particularly useful if the operator doesn't know the exact attributes defined on an object because they're looking for something.
PR 19833 - This fixes an issue with the PetitPotam module where, in the default configuration, an incorrect service UUID was being used.
PR 19834 - Updates the connect_ws method within the Exploit::Remote::HttpClient library to generate an RFC 6455-compliant value for the generated Sec-WebSocket-Key header.
PR 19835 - This fixes an issue in the lookup logic when providing a Kerberos ticket as a file. The comparison of the SPN hostname was done as a case-sensitive comparison, which prevented the ticket from being used if the user set the *::rhostname option with a different case than the one stored in the ticket.
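For the PR 19834 fix, the following added example (written for these notes, not Metasploit's connect_ws code) shows what "RFC 6455 compliant" means on both ends of the opening handshake: the client's Sec-WebSocket-Key must be exactly 16 random bytes, base64-encoded, and the server's Sec-WebSocket-Accept is base64(SHA-1(key || GUID)). The checked pair of values comes from the RFC's own worked example in section 1.3; the header hash shape in handshake_accepted? is an assumption of this example.

```ruby
require 'securerandom'
require 'digest'

# Fixed GUID from RFC 6455 sections 1.3 and 4.2.2, appended to the key before hashing.
WS_GUID = '258EAFA5-E914-47DA-95CA-C5AB0DC85B11'.freeze

# Client side (RFC 6455 section 4.1): the key is a nonce of exactly 16 random
# bytes, base64-encoded. pack('m0') is strict base64 with no line breaks, so the
# result is always 24 characters ending in "==".
def generate_ws_key
  [SecureRandom.random_bytes(16)].pack('m0')
end

# Server-side check on a received key: well-formed base64 that decodes to exactly
# 16 bytes. Hex strings, the wrong length or raw bytes are what a strict server
# rejects with a 400, which is the failure mode a non-compliant client hits.
def valid_ws_key?(key)
  return false unless key.is_a?(String) && key.match?(%r{\A[A-Za-z0-9+/]{22}==\z})
  key.unpack1('m0').bytesize == 16
rescue ArgumentError
  false
end

# Server side (RFC 6455 section 4.2.2): Sec-WebSocket-Accept is
# base64(SHA-1(key || GUID)), computed over the key string exactly as received.
def ws_accept_for(key)
  [Digest::SHA1.digest(key + WS_GUID)].pack('m0')
end

# Client side: verify the 101 response echoes the right accept value for the key
# we sent, so a proxy or non-WebSocket endpoint is caught before frames are sent.
# Assumption of this example: headers are given as a Hash of name => value.
def handshake_accepted?(key, response_headers)
  accept = response_headers.find { |name, _| name.casecmp?('Sec-WebSocket-Accept') }&.last
  !accept.nil? && accept.strip == ws_accept_for(key)
end

if __FILE__ == $PROGRAM_NAME
  key = generate_ws_key
  puts "Sec-WebSocket-Key: #{key} (valid: #{valid_ws_key?(key)})"
  # RFC 6455 section 1.3 worked example: this key must yield the accept below.
  rfc_key = 'dGhlIHNhbXBsZSBub25jZQ=='
  puts "Accept for RFC example key: #{ws_accept_for(rfc_key)}"
  puts "Expected:                   s3pPLMBiTxaQ9kYGzzhZRbK+xOo="
end
```

Any client that emits a key of the wrong length or outside the base64 alphabet fails valid_ws_key?, which is exactly the class of value a strict server drops before the connection is ever upgraded.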
PR 19836 - Fixes a broken blog link in the exploit/multi/http/nibbleblog_file_upload module.
PR 19837 - Fixes a bug which caused incorrect creation of multiple Mdm::TaskService objects when calling report_service from modules.
PR 19842 - When setting the JOHNPWFILE datastore option in a module that includes the Msf::Exploit::Remote::SMB::Server::HashCapture mixin, NTLMv1 hashes were incorrectly being placed in the NTLMv2 hash file.
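Why the PR 19842 bug matters is that NTLMv1 and NTLMv2 cracker lines have different field orders, so a v1 line in the v2 file is simply uncrackable. The following is an added example written for these notes, not the HashCapture mixin's code: it classifies a captured response by the shape of its NT response and routes it to a per-version file. The line layouts follow hashcat modes 5500 (NETNTLMv1: user::domain:lmresp:ntresp:challenge) and 5600 (NETNTLMv2: user::domain:challenge:ntproofstr:blob); the _netntlm and _netntlmv2 file suffixes and all capture data are constructed assumptions, not real captures.

```ruby
# Cracker-file suffixes used by this example (assumption, mirroring the usual
# netntlm / netntlmv2 split; not necessarily the mixin's exact file names).
FILE_SUFFIX = { ntlmv1: 'netntlm', ntlmv2: 'netntlmv2' }.freeze

def to_hex(bytes)
  bytes.unpack1('H*')
end

# NTLMv1 (and NTLMv1 with extended session security) always produces a 24-byte
# DES-based NT response. NTLMv2 is a 16-byte NTProofStr followed by the client
# blob (NTLMv2_CLIENT_CHALLENGE, MS-NLMP 2.2.2.7), whose first two bytes are
# RespType=0x01, HiRespType=0x01.
def ntlm_version(nt_response)
  case nt_response.bytesize
  when 0 then :anonymous
  when 24 then :ntlmv1
  else
    nt_response.bytesize > 24 && nt_response.byteslice(16, 2) == "\x01\x01".b ? :ntlmv2 : :unknown
  end
end

# Returns [version, line] in the cracker format for that version, or [nil, nil]
# for responses that belong in neither file.
def cracker_line(user:, domain:, challenge:, lm_response:, nt_response:)
  case ntlm_version(nt_response)
  when :ntlmv1
    [:ntlmv1, "#{user}::#{domain}:#{to_hex(lm_response)}:#{to_hex(nt_response)}:#{to_hex(challenge)}"]
  when :ntlmv2
    proof = nt_response.byteslice(0, 16)
    blob  = nt_response.byteslice(16, nt_response.bytesize - 16)
    [:ntlmv2, "#{user}::#{domain}:#{to_hex(challenge)}:#{to_hex(proof)}:#{to_hex(blob)}"]
  else
    [nil, nil]
  end
end

# Groups formatted lines by destination file name, e.g. "<prefix>_netntlmv2".
# Returns a Hash so the caller (or a test) can inspect it before writing to disk.
def route_to_files(captures, prefix)
  files = Hash.new { |h, k| h[k] = [] }
  captures.each do |c|
    version, line = cracker_line(**c)
    next unless version
    files["#{prefix}_#{FILE_SUFFIX[version]}"] << line
  end
  files
end

# Constructed sample data (not real captures): one v1 and one v2 exchange
# against the same 8-byte server challenge.
CHALLENGE = "\x11\x22\x33\x44\x55\x66\x77\x88".b
SAMPLE_CAPTURES = [
  { user: 'alice', domain: 'CORP', challenge: CHALLENGE,
    lm_response: "\x00".b * 24, nt_response: "\xaa".b * 24 },
  { user: 'bob', domain: 'CORP', challenge: CHALLENGE,
    lm_response: "\x00".b * 24,
    nt_response: ("\xbb".b * 16) + "\x01\x01\x00\x00".b + ("\xcc".b * 8) },
].freeze

if __FILE__ == $PROGRAM_NAME
  route_to_files(SAMPLE_CAPTURES, 'loot/hashes').each do |file, lines|
    puts "#{file}:"
    lines.each { |l| puts "  #{l}" }
  end
end
```

Classifying on the response itself rather than on the negotiated flags is deliberate: a client can negotiate extended session security and still send a 24-byte NTLMv1 response, and it is the response layout, not the flags, that determines which cracker mode can consume the line.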
Modules
PR 19772 - Adds a new exploit module for CraftCMS, in which the attacker can use a malicious FTP server to gain remote code execution. This vulnerability requires the PHP option register_argc_argv to be enabled.
PR 19805 - New module for exploiting CVE-2024-51092, an authenticated command injection in LibreNMS. It allows the attacker to run system commands and gain remote code execution (RCE); however, it requires a set of working credentials.
PR 19816 - This adds support to the existing ldap_esc_vulnerable_cert_finder module for identifying certificate templates that are vulnerable to ESC4 from the perspective of the authenticated user.
PR 19844 - This adds an auxiliary module for Ivanti Connect Secure HTTP Login.
PR 19846 - A module for mySCADA myPRO Manager exploiting a command injection (CVE-2024-47407) in the email parameter.
PR 19847 - Adds a module which exploits CVE-2018-15745, an unauthenticated directory traversal leading to file disclosure in Argus Surveillance DVR 4.0.0.0.
PR 19868 - A new module for an unauthenticated remote code execution bug in NetAlertX (CVE-2024-46506). An unauthenticated attacker can change the system configuration and force the application to run arbitrary system commands, leading to remote code execution.