Metasploit Wrap-Up 03/06/2025

New module content (3)

Get NAA Credentials

Authors: skelsec, smashery, and xpn
Type: Auxiliary
Pull request: #19712 contributed by smashery
Path: admin/sccm/get_naa_credentials

Description: Adds an auxiliary module that retrieves Network Access Account (NAA) credentials from a System Center Configuration Manager (SCCM) server. Given a computer account name and password (a standard AD domain user can typically create such an account), a misconfigured SCCM server will hand out the NAA credentials when asked.

SonicWall HTTP Login Scanner

Author: msutovsky-r7
Type: Auxiliary
Pull request: #19935 contributed by msutovsky-r7
Path: scanner/sonicwall/login_scanner

Description: This adds a module to brute-force the login credentials for SonicWall NSv HTTP Login.

D-Tale RCE

Authors: Takahiro Yokoyama and taiphung217
Type: Exploit
Pull request: #19899 contributed by Takahiro-Yoko
Path: linux/http/dtale_rce_cve_2025_0655
AttackerKB reference: CVE-2025-0655

Description: This module exploits a bypass (CVE-2025-0655) for an older vulnerability (CVE-2024-3408), leading to remote code execution (RCE) in D-Tale, a visualizer for pandas data structures.

Enhancements and features (7)

  • #19639 from zeroSteiner - Adds support for a check method in relay modules and updates the two relay modules present in Metasploit Framework. In the case of smb_relay, the check verifies that the target has SMB signing disabled. In the case of ESC8, it verifies that the target URI responds with a 401 and offers NTLM as an authentication mechanism.
  • #19682 from h00die - Adds additional tests for Linux post functionality, along with additional comments for better understanding, and adds a new library for working with Linux packages.
  • #19879 from zeroSteiner - Updates the existing MsDtypSecurityDescriptor class to include a #to_sddl_text method. This allows an initialized object to be displayed using Microsoft's Security Descriptor Definition Language (SDDL).
  • #19917 from zeroSteiner - Adds crypto primitives for key derivation (NIST SP 800-108) and AES key unwrapping (NIST SP 800-38F), replacing RubySMB's implementation, which does not support all of the parameters.
  • #19918 from msutovsky-r7 - Extracts a reusable Rex::Proto::Http::AuthDigest library for use within modules.
  • #19927 from bcoles - Improves support for several Linux distros in the get_sysinfo library function in Msf::Post::Linux::System.
  • #19933 from zeroSteiner - Updates the auxiliary/scanner/ldap/ldap_login module with a new CreateSession option which controls the opening of an interactive LDAP session. This functionality was previously behind a feature flag but is now enabled by default.
  • #19946 from zeroSteiner - Adds a warning to help users who are performing relay attacks. It notes that the attack won't work when relaying SMB to SMB on the same host if the MS08-068 patch has been applied.
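
An added example of the two primitives named in #19917, written from the specifications rather than taken from RubySMB or Metasploit: an SP 800-108 counter-mode KDF with an HMAC PRF whose counter width, length-field width and hash are parameters (the reason a parameterised implementation was wanted), and an RFC 3394 / SP 800-38F AES key unwrap with the integrity check that a tampered blob must fail. Function names and parameter defaults are this example's own; the unwrap is checked against the RFC 3394 section 4.1 test vector.

```ruby
require 'openssl'

# NIST SP 800-108 KDF in counter mode (section 5.1) with an HMAC PRF:
#   K(i) = HMAC(ki, [i]_counter_bits || label || 0x00 || context || [L]_length_bits)
# The counter precedes the fixed input data; counter and length field are big-endian.
# Their widths and the hash are parameters so profiles other than the common
# "32-bit counter, 32-bit length, SHA-256" one can be derived with the same code.
def sp800_108_counter_kdf(ki, label, context, length_bytes,
                          hash: 'SHA256', counter_bits: 32, length_bits: 32)
  [counter_bits, length_bits].each do |bits|
    raise ArgumentError, 'field widths must be 8, 16, 24 or 32 bits' unless [8, 16, 24, 32].include?(bits)
  end
  l_field = [length_bytes * 8].pack('N')[-(length_bits / 8), length_bits / 8]
  fixed_input = label.b + "\x00".b + context.b + l_field
  digest_len = OpenSSL::Digest.new(hash).digest_length
  blocks = (length_bytes + digest_len - 1) / digest_len
  raise ArgumentError, 'output too long for the counter width' if blocks > (1 << counter_bits) - 1

  out = ''.b
  1.upto(blocks) do |i|
    counter = [i].pack('N')[-(counter_bits / 8), counter_bits / 8]
    out << OpenSSL::HMAC.digest(hash, ki, counter + fixed_input)
  end
  out[0, length_bytes]
end

# Default initial value from RFC 3394 / SP 800-38F KW: the integrity check register.
AES_KW_IV = "\xA6\xA6\xA6\xA6\xA6\xA6\xA6\xA6".b

# AES key unwrap (RFC 3394 section 2.2.2, the KW mode of SP 800-38F).
# kek is a 16, 24 or 32 byte AES key; wrapped is (n + 1) 64-bit blocks. Returns the
# n-block plaintext key, or raises when the integrity register does not match the IV.
def aes_key_unwrap(kek, wrapped)
  unless wrapped.bytesize >= 24 && wrapped.bytesize % 8 == 0
    raise ArgumentError, 'wrapped key must be at least 24 bytes and a multiple of 8'
  end
  n = wrapped.bytesize / 8 - 1
  a = wrapped[0, 8]
  r = Array.new(n) { |i| wrapped[8 * (i + 1), 8] }

  # One raw AES block decrypt per step: ECB with padding disabled is the bare block cipher.
  aes = OpenSSL::Cipher.new("aes-#{kek.bytesize * 8}-ecb").decrypt
  aes.key = kek
  aes.padding = 0

  5.downto(0) do |j|
    n.downto(1) do |i|
      t = n * j + i
      a_xor_t = [a.unpack1('Q>') ^ t].pack('Q>')
      b = aes.update(a_xor_t + r[i - 1])
      a = b[0, 8]
      r[i - 1] = b[8, 8]
    end
  end
  raise OpenSSL::Cipher::CipherError, 'key unwrap integrity check failed' unless a == AES_KW_IV

  r.join
end

if __FILE__ == $PROGRAM_NAME
  # RFC 3394 section 4.1: 128-bit KEK wrapping a 128-bit key.
  kek = ['000102030405060708090A0B0C0D0E0F'].pack('H*')
  wrapped = ['1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5'].pack('H*')
  puts aes_key_unwrap(kek, wrapped).unpack1('H*')
  puts sp800_108_counter_kdf("\x01".b * 32, 'label', 'context', 32).unpack1('H*')
end
```

The unwrap deliberately raises on an integrity failure instead of returning garbage: a caller that ignores that signal will feed a wrong key into whatever comes next and fail somewhere much harder to diagnose.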

Bugs fixed (5)

  • #19745 from smashery - This adds an escape_args method to all command shells, which selects the appropriate OS escaping routine for an SSH server session.
  • #19902 from zeroSteiner - This fixes the byte to int and vice versa conversion in MsAdts.
  • #19919 from jheysel-r7 - This fixes an issue in the gather/ldap_esc_vulnerable_cert_finder that would come up when checking templates for ESC13 that had missing issuance policy OIDs.
  • #19922 from cgranleese-r7 - Fixes a crash when searching by target, e.g. search targets:python.
  • #19925 from zeroSteiner - Fixes a bug that caused a module's validation logic to not always be executed.

Documentation added (2)

  • #19895 from cgranleese-r7 - Updates multiple out of date reference links within modules.
  • #19920 from jheysel-r7 - This adds documentation for creating AD CS certificate templates that are vulnerable to ESC4, ESC13, and ESC15 for testing purposes.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap-Up: 02/28/2025

New module content (5)

mySCADA myPRO Manager Credential Harvester (CVE-2025-24865 and CVE-2025-22896)

Author: Michael Heinzl
Type: Auxiliary
Pull request: #19878 contributed by h4x-x0r
Path: admin/scada/mypro_mgr_creds
AttackerKB reference: CVE-2025-22896

Description: This module harvests credentials from mySCADA myPRO Manager using CVE-2025-24865 and CVE-2025-22896.

NetAlertX File Read Vulnerability

Authors: chebuya and msutovsky-r7
Type: Auxiliary
Pull request: #19881 contributed by msutovsky-r7
Path: scanner/http/netalertx_file_read
AttackerKB reference: CVE-2024-48766

Description: This adds an auxiliary module allowing arbitrary file read on vulnerable (CVE-2024-48766) NetAlertX targets.

SimpleHelp Path Traversal Vulnerability CVE-2024-57727

Authors: horizon3ai, imjdl, and jheysel-r7
Type: Auxiliary
Pull request: #19894 contributed by jheysel-r7
Path: scanner/http/simplehelp_toolbox_path_traversal
AttackerKB reference: CVE-2024-57727

Description: This adds an auxiliary module for SimpleHelp; the vulnerability (CVE-2024-57727) is a path traversal which allows arbitrary file read.

Invoice Ninja unauthenticated PHP Deserialization Vulnerability

Authors: Mickaël Benassouli, Rémi Matasse, and h00die-gr3y
Type: Exploit
Pull request: #19897 contributed by h00die-gr3y
Path: linux/http/invoiceninja_unauth_rce_cve_2024_55555
AttackerKB reference: CVE-2024-55555

Description: This adds an exploit module for Invoice Ninja. The vulnerability (CVE-2024-55555) is a PHP deserialization flaw that gives unauthenticated RCE, but exploiting it requires knowing the APP_KEY value of the Laravel installation.

RaspberryMatic unauthenticated Remote Code Execution vulnerability through HMServer File Upload

Authors: h00die-gr3y and h0ng10
Type: Exploit
Pull request: #19841 contributed by h00die-gr3y
Path: linux/http/raspberrymatic_unauth_rce_cve_2024_24578
AttackerKB reference: CVE-2024-24578

Description: Adds support for CVE-2024-24578, an unauthenticated file write and ZipSlip vulnerability: an attacker can upload a compressed file which is expanded automatically without path checks, allowing arbitrary files to be overwritten. The module overwrites the watchdog script, which a cron job runs every 5 minutes.

Bugs fixed (1)

  • #19893 from bwatters-r7 - This removes a CVE reference from an LPE module because the vulnerability identified by the CVE is not what the module exploits. The CVE instead covers an RCE whose analysis led to the discovery of the technique the LPE module uses; that technique was never acknowledged by the vendor as a vulnerability.


BeyondTrust and Fetch Payload

Metasploit Weekly Wrap-Up 02/21/2025

This Metasploit release includes an exploit module that chains two vulnerabilities: one exploited in the wild by APT groups and a second one, a 0-day discovered by Rapid7 during analysis of the first.
In addition, a significant improvement was made to fetch payloads by adding support for the ppc, mips and arm architectures. This allows these payloads to be used in exploits that commonly target embedded systems.

New module content (3)

BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) unauthenticated Remote Code Execution

Author: sfewer-r7
Type: Exploit
Pull request: #19877 contributed by sfewer-r7
Path: linux/http/beyondtrust_pra_rs_unauth_rce
AttackerKB reference: CVE-2025-1094

Description: The module chains two bugs: CVE-2024-12356, an argument injection in the BeyondTrust code base, and CVE-2025-1094, a SQL injection in the PostgreSQL code base.

InvokeAI RCE

Authors: Takahiro Yokoyama and jackfromeast
Type: Exploit
Pull request: #19883 contributed by Takahiro-Yoko
Path: linux/http/invokeai_rce_cve_2024_12029
AttackerKB reference: CVE-2024-12029

Description: This adds an exploit module for InvokeAI unauth RCE (CVE-2024-12029).

Fetch Payload Update

Authors: Adam Cammack adam_cammack@rapid7.com, Brendan Watters, and Spencer McIntyre
Type: Payload
Pull request: #19850 contributed by bwatters-r7

Description: This extends the fetch-payload support for aarch64, armbe, armle, mipsbe, mipsle, ppc, ppc64 and ppc64le payloads.

Enhancements and features (3)

  • #19884 from adfoster-r7 - Add OSVDB search functionality to msfconsole e.g. search osvdb:67241.
  • #19885 from adfoster-r7 - Improve msfconsole's module search performance by caching search regexes.
  • #19887 from adfoster-r7 - Updates the reload_lib command to ignore Gemfiles.

Bugs fixed (3)

  • #19810 from h00die - Adds a verification to the file content checks so that we don't crash when trying to open files that do not exist, and adds the proper CVE to the references section now that a CVE exists.
  • #19871 from bwatters-r7 - This fixes the ELF template file for Linux aarch64 payloads.
  • #19875 from dledda-r7 - Adds a fix for the odd behavior of the read syscall on the Raspberry Pi 4B. For some reason, on the Raspberry Pi 4B the data read from the socket is not present immediately after the read syscall, so a sync syscall was added. This behavior is not present on the Raspberry Pi 3, Raspberry Pi 5, emulators, or Microsoft's AARCH64 Devkit.


Metasploit Weekly Wrap-Up 02/14/2025

New module content (2)

Unauthenticated RCE in NetAlertX

Authors: Chebuya (Rhino Security Labs) and Takahiro Yokoyama
Type: Exploit
Pull request: #19868 contributed by Takahiro-Yoko
Path: linux/http/netalertx_rce_cve_2024_46506
AttackerKB reference: CVE-2024-46506

Description: A new module for an unauthenticated remote code execution bug in NetAlertX (CVE-2024-46506). An unauthenticated attacker can change the system configuration and then compel the application to run arbitrary system commands, leading to remote code execution.

mySCADA myPRO Manager Unauthenticated Command Injection (CVE-2024-47407)

Author: Michael Heinzl
Type: Exploit
Pull request: #19846 contributed by h4x-x0r
Path: windows/scada/mypro_mgr_cmd
AttackerKB reference: CVE-2024-47407

Description: A module for mySCADA myPRO Manager exploiting a command injection vulnerability (CVE-2024-47407) in the email parameter.

Enhancements and features (2)

  • #19851 from zeroSteiner - Updates the ad_cs_cert_template module to parse and display the flags field.
  • #19869 from adfoster-r7 - Removes the datastore_fallbacks feature flag and the corresponding code now that it is enabled by default.

Bugs fixed (3)

  • #19729 from sempervictus - Adds a fix for when a Metasploit user has established a shell session and wants to run a command on the target that also happens to be a built-in Metasploit command. Prior to this, it was not possible, as MSF would intercept the command and run the built-in version. This was fixed by allowing the user to prefix a command with '.' to pass it through to the target (so '.help' runs 'help' on the target instead of the built-in).
  • #19842 from jheysel-r7 - When setting the JOHNPWFILE datastore option in a module that includes the Msf::Exploit::Remote::SMB::Server::HashCapture, NTLMv1 hashes were incorrectly being placed in the NTLMv2 hash file.
  • #19873 from adfoster-r7 - Remove report note calls from the ldap_esc_vulnerable_cert_finder as they were no longer needed and caused a side-effect crash in some codepaths.


Gathering data and improving workflows

Metasploit Weekly Wrap-Up 02/07/2025

This week's release includes 2 new auxiliary modules targeting Argus Surveillance DVR and Ivanti Connect Secure. The former, contributed by Maxwell Francis and based on the work of John Page, can be used to retrieve arbitrary files from the target's filesystem by exploiting an unauthenticated directory traversal vulnerability. The latter, brought by our very own Martin Šutovský, is an HTTP login scanner for Ivanti Connect Secure. This release also adds many improvements related to our GitHub continuous integration process and to the AD CS attack workflow. Thanks to the community for making Metasploit great!

New module content (2)

Argus Surveillance DVR 4.0.0.0 - Directory Traversal

Authors: John Page and Maxwell Francis
Type: Auxiliary
Pull request: #19847 contributed by TheBigStonk
Path: gather/argus_dvr_4_lfi_cve_2018_15745
AttackerKB reference: CVE-2018-15745

Description: Adds a module which exploits CVE-2018-15745, an unauthenticated directory traversal leading to file disclosure in Argus Surveillance DVR 4.0.0.0.

Ivanti Connect Secure HTTP Scanner

Author: msutovsky-r7
Type: Auxiliary
Pull request: #19844 contributed by msutovsky-r7
Path: scanner/ivanti/login_scanner

Description: This adds an auxiliary module for Ivanti Connect Secure HTTP Login.

Enhancements and features (3)

  • #19779 from h00die - Adds a GitHub workflow to run update_wordpress_vulnerabilities.rb, update_user_agent_strings.rb and update_joomla_components.rb and to post a weekly PR with the changes from each update script. This also converts both update_joomla_components and update_user_agent_strings from Python scripts to Ruby scripts.
  • #19849 from zeroSteiner - This makes changes to the ldap_esc_vulnerable_cert_finder, ad_cs_cert_template and get_ticket modules to enable them to be used as part of larger workflow automation. For all three modules, it adds a return value to indicate that the operation was successful and to include some relevant information. LDAP object caching has been introduced to reduce the number of queries sent to the target. A #build_certificate_details method was added to consolidate the collection of information about certificate templates; this ensures that all certificates are returned with common information, regardless of their vulnerability status. DNS records are looked up from LDAP to avoid crashing in instances where the DNS hostname of the CA server cannot be resolved by Metasploit's running configuration, as would be the case when a DC is targeted without the ability to resolve addresses within its domain.
  • #19856 from bwatters-r7 - This fixes certificate request behavior for the esc8 relay module and adds domain controller template support. Certificate generation for the Computer template now correctly requests based on the Machine template name instead of the DisplayName, which previously caused failures. When in AUTO mode and a computer login is detected, the module now attempts to generate certificates based on both the Machine and DomainController templates. This ensures that if a login is coerced from a domain controller (for example with PetitPotam), the appropriate DC certificate is obtained.

Bugs fixed (2)

  • #19813 from h00die - Fixes an issue where Rex::Version.new was causing modules to crash when run against instances of Amazon Linux and other distributions which use a different format for the kernel version.
  • #19837 from adfoster-r7 - Fixes a bug which caused incorrect creation of multiple Mdm::TaskService objects when calling report_service from modules.


ESC4 Detection

Metasploit Weekly Wrap-Up 01/31/25

This week, Metasploit’s jheysel-r7 updated the existing ldap_esc_vulnerable_cert_finder module to include detecting template objects that can be written to by the authenticated user. This means the module can now identify instances of ESC4 from the perspective of the account that the Metasploit operator provided the credentials for. Metasploit has been capable of exploiting ESC4 for some time, but required users to know which certificate templates they had write access to. This closes an important gap in Metasploit’s AD CS coverage and should help users identify additional attack vectors. See the Metasploit AD CS documentation for steps on how ESC4 can be exploited using Metasploit.

New module content (1)

Craft CMS Twig Template Injection RCE via FTP Templates Path

Authors: AssetNote, Valentin Lobstein, and jheysel-r7
Type: Exploit
Pull request: #19772 contributed by jheysel-r7
Path: linux/http/craftcms_ftp_template
AttackerKB reference: CVE-2024-56145

Description: Adds a new exploit module for Craft CMS in which the attacker points the templates path at a malicious FTP server to gain remote code execution. The vulnerability requires the PHP option register_argc_argv to be enabled.

Enhanced Modules (1)

Modules which have either been enhanced, or renamed:

  • #19816 from jheysel-r7 - This adds support to the existing ldap_esc_vulnerable_cert_finder for identifying certificate templates that are vulnerable to ESC4 from the perspective of the authenticated user.

Bugs fixed (6)

  • #19826 from zeroSteiner - Fixes two issues with the ldap_query module. The first was that the BASE_DN wasn't being used when set. The second was that the QUERY_ATTRIBUTES was a required datastore option. Now if the QUERY_ATTRIBUTES is left unset the module will return all the attributes. This is particularly useful if the operator doesn't know the exact attributes defined on an object because they're looking for something.
  • #19833 from cdelafuente-r7 - This fixes an issue with the petitpotam module where in the default configuration, an incorrect service UUID was being used.
  • #19834 from sfewer-r7 - Updates the connect_ws method within the Exploit::Remote::HttpClient library to generate a RFC 6455 compliant value for the generated Sec-WebSocket-Key header.
  • #19835 from cdelafuente-r7 - This fixes an issue in the lookup logic when providing a Kerberos ticket as a file. The SPN hostname comparison was case sensitive, which prevented the ticket from being used if the user set the *::rhostname option with a different case than the one stored in the ticket.
  • #19836 from 0xAryan - Fixes a broken blog link in the exploit/multi/http/nibbleblog_file_upload module.
  • #19843 from cdelafuente-r7 - This fixes an issue with both the ldap_login and smb_login modules. The problem is that now, some login scanner modules are not only used to discover and report valid credentials, but also to get a session (e.g. SMB session, LDAP session). This means, if Kerberos is used as the authentication method, the user can omit the password and reuse tickets from the cache. Also, if the authentication method is Schannel (LDAP), the username can also be omitted since the certificate will contain everything needed to authenticate. Prior to this fix these modules would error if they were run without the username and password fields set. The fix introduces two new boolean attributes in the CredentialCollection class ignore_private and ignore_public which indicate whether the module should be allowed to be run without a username or password.
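
As an added illustration of the Sec-WebSocket-Key fix in #19834 (example code, not the Rex HttpClient implementation): generating a key that satisfies RFC 6455 section 4.1 (16 random bytes, base64-encoded), validating one, and checking the server's Sec-WebSocket-Accept against the key that was sent. A non-compliant key is the kind of thing a strict server rejects silently, so the client-side checks matter for debugging failed upgrades. The sample response is constructed here and uses the key/accept pair from the RFC's own example; function names are this example's.

```ruby
require 'securerandom'
require 'digest'

# Fixed GUID from RFC 6455 section 1.3 that the server appends to the client key.
WS_ACCEPT_GUID = '258EAFA5-E914-47DA-95CA-C5AB0DC85B11'

# RFC 6455 section 4.1: Sec-WebSocket-Key is 16 random bytes, base64-encoded
# (always 24 characters ending in "=="). Anything else is non-compliant.
def generate_ws_key
  [SecureRandom.random_bytes(16)].pack('m0')
end

def valid_ws_key?(key)
  return false unless key.is_a?(String) && key.match?(%r{\A[A-Za-z0-9+/]{22}==\z})
  key.unpack1('m0').bytesize == 16
rescue ArgumentError
  false
end

# Sec-WebSocket-Accept = base64(SHA-1(key || GUID)), over the key text as sent, not decoded.
def expected_ws_accept(key)
  [Digest::SHA1.digest(key + WS_ACCEPT_GUID)].pack('m0')
end

# Minimal parse of a raw HTTP/1.x response head: [status_code, { lowercased name => value }].
def parse_response_head(raw)
  head = raw.split("\r\n\r\n", 2).first
  status_line, *header_lines = head.split("\r\n")
  code = status_line[%r{\AHTTP/1\.[01] (\d{3})}, 1].to_i
  headers = header_lines.each_with_object({}) do |line, h|
    name, value = line.split(':', 2)
    next unless value
    h[name.strip.downcase] = value.strip
  end
  [code, headers]
end

# The client-side checks RFC 6455 section 4.1 requires before treating the
# connection as a WebSocket: 101 status, Upgrade/Connection tokens, and a matching Accept.
def handshake_accepted?(key, raw_response)
  code, headers = parse_response_head(raw_response)
  return false unless code == 101
  return false unless headers['upgrade'].to_s.casecmp?('websocket')
  return false unless headers['connection'].to_s.split(',').any? { |t| t.strip.casecmp?('upgrade') }
  headers['sec-websocket-accept'] == expected_ws_accept(key)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the RFC 6455 example key and the accept value the RFC derives from it.
  sample_key = 'dGhlIHNhbXBsZSBub25jZQ=='
  sample_response = "HTTP/1.1 101 Switching Protocols\r\n" \
                    "Upgrade: websocket\r\n" \
                    "Connection: Upgrade\r\n" \
                    "Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n"
  puts "compliant key: #{valid_ws_key?(sample_key)}"
  puts "handshake accepted: #{handshake_accepted?(sample_key, sample_response)}"
  puts "fresh key: #{generate_ws_key}"
end
```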

Documentation added (1)

You can always find more documentation on our docsite at docs.metasploit.com.


LibreNMS Authenticated RCE module and ESC15 improvements

Metasploit Weekly Wrap-Up 01/24/2025

This week the Metasploit Framework was blessed with an authenticated RCE module in LibreNMS, an autodiscovering PHP/MySQL-based network monitoring system. An authenticated attacker can create dangerous directory names on the system and alter sensitive configuration parameters through the web portal. These two defects combined to allow arbitrary OS commands inside shell_exec() calls, thus achieving arbitrary code execution.

Additionally, improvements have been made to the icpr_cert module. Metasploit users reported that when running the module with the option to add application policy OIDs to the template—typically done when attempting to exploit ESC15—the module would say that it ran successfully against a server patched for ESC15. However, no certificate application policy OIDs would be returned in the response. This behavior indicated that the server had been patched for ESC15 (CVE-2024-49019). In response to this, the module has been updated to raise an error in this scenario, notifying the user that the target is likely patched and the exploit will not be successful.
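
To make that patch heuristic concrete, an added example (not the icpr_cert module's code) that inspects an issued certificate for the Microsoft Application Policies extension (OID 1.3.6.1.4.1.311.21.10) and reports which requested policy OIDs did not come back. The certificate is self-signed and constructed locally to stand in for one issued by a CA; function names are this example's own.

```ruby
require 'openssl'

# szOID_APPLICATION_CERT_POLICIES, the Microsoft Application Policies extension that
# an ESC15-style request asks the CA to copy into the issued certificate.
MS_APPLICATION_POLICIES_OID = '1.3.6.1.4.1.311.21.10'
CLIENT_AUTH_OID = '1.3.6.1.5.5.7.3.2' # id-kp-clientAuth

# OpenSSL prints a short name for OIDs it knows; normalise everything to dotted form.
def dotted(oid_text)
  OpenSSL::ASN1::ObjectId.new(oid_text).oid
end

# Extension value: SEQUENCE OF PolicyInformation { policyIdentifier OBJECT IDENTIFIER }.
def application_policies_der(oids)
  OpenSSL::ASN1::Sequence.new(
    oids.map { |oid| OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::ObjectId.new(oid)]) }
  ).to_der
end

# Application policy OIDs carried by cert, [] when the extension is absent.
def application_policies(cert)
  ext = cert.extensions.find { |e| dotted(e.oid) == MS_APPLICATION_POLICIES_OID }
  return [] unless ext

  # Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue OCTET STRING }
  extn_value = OpenSSL::ASN1.decode(ext.to_der).value.last.value
  OpenSSL::ASN1.decode(extn_value).value.map { |info| info.value.first.oid }
end

# Requested policy OIDs that the issued certificate does not carry.
def missing_application_policies(cert, requested_oids)
  requested_oids.map { |o| dotted(o) } - application_policies(cert)
end

# The heuristic from the text: policies were requested and none of them came back.
def likely_esc15_patched?(cert, requested_oids)
  return false if requested_oids.empty?
  missing_application_policies(cert, requested_oids) == requested_oids.map { |o| dotted(o) }
end

# Constructed stand-in for a CA-issued certificate: self-signed, with or without the extension.
def self_signed_cert_with_policies(oids)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=esc15-check')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  unless oids.empty?
    cert.add_extension(OpenSSL::X509::Extension.new(MS_APPLICATION_POLICIES_OID,
                                                    application_policies_der(oids)))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

if __FILE__ == $PROGRAM_NAME
  issued = self_signed_cert_with_policies([])
  puts "policies in cert: #{application_policies(issued).inspect}"
  puts "likely patched:   #{likely_esc15_patched?(issued, [CLIENT_AUTH_OID])}"
end
```

Raising (or, as here, returning a clear boolean) when the requested policies are absent is the useful behaviour: a certificate that lacks the Client Authentication policy will be rejected at logon anyway, so reporting success at issuance time only delays the failure to a less informative place.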

New module content (1)

LibreNMS Authenticated RCE (CVE-2024-51092)

Authors: Takahiro Yokoyama and murrant (Tony Murray)
Type: Exploit
Pull request: #19805 contributed by Takahiro-Yoko
Path: linux/http/librenms_authenticated_rce_cve_2024_51092
AttackerKB reference: CVE-2024-51092

Description: New module for exploiting CVE-2024-51092, an authenticated command injection in LibreNMS. It allows the attacker to run system commands and gain remote code execution (RCE). However, it requires a set of working credentials.

Bugs fixed (2)

  • #19808 from jheysel-r7 - Adds detection for the ESC15 patch to the icpr_cert module.
  • #19820 from adfoster-r7 - Pin the version of concurrent-ruby used to stop a crash on msfconsole bootup.

Documentation added (1)

  • #19807 from msutovsky-r7 - Clarify the usage of vars_get and vars_post in module development.


Clarity in Cleo Exploitation

Metasploit Wrap-Up 01/17/2025

Last month, Huntress reported that several Cleo products were being attacked in the wild, including Harmony, VLTrader, and LexiCom. Cleo announced CVE-2024-50623 and stated that the issue was patched in 5.8.0.21, but Huntress reported that the vulnerability was still present in those patched versions. Cleo later announced a new vulnerability, CVE-2024-55956, and released patches for it as well.
Rapid7 has released a top-level CVE-2024-55956 analysis covering the issues and an in-depth CVE-2024-55956 technical analysis that found the new vulnerability was patched in version 5.8.0.24 of the three affected products. The Metasploit Framework release this week contains a module for the CVE-2024-55956 vulnerability. If you run Cleo Harmony, VLTrader, or LexiCom, please make sure you are updated to version 5.8.0.24 as soon as possible; patches are available from the vendor.

New module content (3)

Pandora FMS authenticated command injection leading to RCE via LDAP using default DB password

Authors: Askar mhaskar and h00die-gr3y h00die.gr3y@gmail.com
Type: Exploit
Pull request: #19738 contributed by h00die-gr3y
Path: linux/http/pandora_fms_auth_rce_cve_2024_11320
AttackerKB reference: CVE-2024-11320

Description: This adds an exploit module for Pandora FMS having a command injection vulnerability (CVE-2024-11320) in the LDAP authentication mechanism.

Ubuntu needrestart Privilege Escalation

Authors: h00die, makuga01, and qualys
Type: Exploit
Pull request: #19676 contributed by h00die
Path: linux/local/ubuntu_needrestart_lpe
AttackerKB reference: CVE-2024-48990

Description: This adds a local exploit module for needrestart before version 3.8 on Ubuntu. It allows local attackers to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable.

Cleo LexiCom, VLTrader, and Harmony Unauthenticated Remote Code Execution

Authors: remmons-r7 and sfewer-r7
Type: Exploit
Pull request: #19793 contributed by sfewer-r7
Path: multi/http/cleo_rce_cve_2024_55956
AttackerKB reference: CVE-2024-55956

Description: Add an exploit module for CVE-2024-55956, an unauthenticated file write vulnerability affecting Cleo LexiCom, VLTrader, and Harmony versions 5.8.0.23 and below.

Enhancements and features (2)

  • #19734 from h00die - Adds Arch Linux compatibility to the runc_cwd_priv_esc local privilege escalation module.
  • #19752 from h00die - This enhancement adds a check for the presence of the pprof endpoint on Prometheus. It can detect potential denial-of-service or information leakage associated with the pprof package.

Bugs fixed (1)

  • #19800 from zeroSteiner - Fixes an exception when a custom DNS resolver is used that was preventing SRV records from resolving correctly.

Documentation added (2)

  • #19723 from cgranleese-r7 - Add documentation on how to test payload changes when opening pull requests.
  • #19794 from jheysel-r7 - Adds documentation clarifying what a passive stance module is and how to declare a module passive.


Metasploit Wrap-Up 01/10/2025

New module content (4)

GameOver(lay) Privilege Escalation and Container Escape

Authors: bwatters-r7, g1vi, gardnerapp, and h00die
Type: Exploit
Pull request: #19460 contributed by gardnerapp
Path: linux/local/gameoverlay_privesc
AttackerKB reference: CVE-2023-2640

Description: Adds a module for CVE-2023-2640 and CVE-2023-32629, a local privilege escalation in some Ubuntu kernel versions by abusing overly-trusting OverlayFS features.

Clinic's Patient Management System 1.0 - Unauthenticated RCE

Authors: Aaryan Golatkar and Oğulcan Hami Gül
Type: Exploit
Pull request: #19733 contributed by aaryan-11-x
Path: multi/http/clinic_pms_fileupload_rce
AttackerKB reference: CVE-2022-40471

Description: New exploit module for Clinic's Patient Management System 1.0, tracked as CVE-2022-40471. The module exploits an unrestricted file upload, which is then used to get remote code execution (RCE) through a malicious PHP file.

WordPress WP Time Capsule Arbitrary File Upload to RCE

Authors: Rein Daelman and Valentin Lobstein
Type: Exploit
Pull request: #19713 contributed by Chocapikk
Path: multi/http/wp_time_capsule_file_upload_rce
AttackerKB reference: CVE-2024-8856

Description: This exploits a Remote Code Execution (RCE) vulnerability identified as CVE-2024-8856 in the WordPress WP Time Capsule plugin (versions ≤ 1.22.21). This vulnerability allows unauthenticated attackers to upload and execute arbitrary files due to improper validation within the plugin.

WSO2 API Manager Documentation File Upload Remote Code Execution

Authors: Heyder Andrade <@HeyderAndrade>, Redway Security <redwaysecurity.com>, and Siebene@ <@Siebene7>
Type: Exploit
Pull request: #19647 contributed by heyder
Path: multi/http/wso2_api_manager_file_upload_rce

Description: Adds an exploit module for a vulnerability in the 'Add API Documentation' feature of WSO2 API Manager which allows users with specific permissions to upload arbitrary files to a user-controlled location on the server. This flaw allows for RCE on the target system.

Enhancements and features (4)

  • #19546 from adfoster-r7 - Improves the database module cache performance from ~3 minutes to ~1 minute by performing bulk inserts of module metadata instead of multiple smaller inserts for every module/reference/author/etc.
  • #19660 from zeroSteiner - Updates OptEnum to validate values without being case sensitive while preserving the case the author was expecting.
  • #19715 from oddlittlebird - Improves db/README.md documentation.
  • #19718 from sjanusz-r7 - Expose the currently authenticated rpc_token to RPC handlers.

Bugs fixed (3)

  • #19719 from bwatters-r7 - The bug in fetch payloads resulted in a malformed bash command when FETCH_DELETE was set to true, causing a syntax error. While testing the fix for the original error, we noticed a race condition: the payload file could be deleted before it was executed. The final fix adds a random sleep between executing and deleting the payload, preventing the race while keeping the bash syntax intact.
  • #19721 from bwatters-r7 - This updates the way the module checks the Windows build version to determine if it's vulnerable to CVE-2020-0668.
  • #19739 from sjanusz-r7 - Fixes an issue with the post/multi/recon/local_exploit_suggester module which would crash if a TARGET value was set.


Metasploit 2024 Annual Wrap-Up

Another year has come and gone, and the Metasploit team has taken some time to review the year’s notable additions. This year saw some great new features added, Metasploit 6.4 released and a slew of new modules. We’re grateful to the community members new and old that have submitted modules and issues this year. The real privilege escalation was the privilege of working with the contributors and friends we made along the way. And so, as is tradition, let us begin the 2024 annual recap.

HTTP Relaying and ESC8

Metasploit continues to expand support for Active Directory Certificate Services (AD CS) attacks, also known as ESC attacks. These attacks have been popular since they were announced three years ago, and the complexity and ubiquity of enterprise AD CS setups have rendered them “gifts that keep on giving” for attackers and pen testers alike. This year, we added support for ESC8, a vulnerability in the AD CS Web Enrollment service, in which authentication from a user’s SMB connection can be relayed to a Certificate Web Enrollment endpoint and used to generate a valid certificate for authentication. This means that if an attacker can coerce a user to attempt to access an SMB share, their authentication can be relayed to a certificate server for authentication. Once authenticated, the session will allow the attacker to mint certificates for any template they have permissions to access. Unlike many AD CS attacks, this is not necessarily due to a misconfiguration in a template, but is an effect of the Web Enrollment service’s use of NTLM over HTTP, which does not enable relaying protections by default.

msf6 auxiliary(server/relay/esc8) > show options

Module options (auxiliary/server/relay/esc8):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   CAINPWFILE                      no        Name of file to store Cain&Abel hashes in. Only supports NTLMv1 hashes. Can be a path.
   JOHNPWFILE                      no        Name of file to store JohnTheRipper hashes in. Supports NTLMv1 and NTLMv2 hashes, each
                                              of which is stored in separate files. Can also be a path.
   MODE           AUTO             yes       The issue mode. (Accepted: ALL, AUTO, QUERY_ONLY, SPECIFIC_TEMPLATE)
   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RELAY_TARGETS                   yes       Target address range or CIDR identifier to relay to
   RELAY_TIMEOUT  25               yes       Seconds that the relay socket will wait for a response after the client has initiated
                                             communication.
   RPORT          80               yes       The target port (TCP)
   SMBDomain      WORKGROUP        yes       The domain name used during SMB exchange.
   SRVHOST        0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local
                                              machine or 0.0.0.0 to listen on all addresses.
   SRVPORT        445              yes       The local port to listen on.
   SRV_TIMEOUT    25               yes       Seconds that the server socket will wait for a response after the client has initiated
                                              communication.
   SSL            false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI      /certsrv/        yes       The URI for the cert server.
   VHOST                           no        HTTP server virtual host


   When MODE is SPECIFIC_TEMPLATE:

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   CERT_TEMPLATE                   no        The template to issue if MODE is SPECIFIC_TEMPLATE.


Auxiliary action:

   Name   Description
   ----   -----------
   Relay  Run SMB ESC8 relay server



View the full module info with the info, or info -d command.

msf6 auxiliary(server/relay/esc8) > set RELAY_TARGETS 10.5.132.182
RELAY_TARGETS => 10.5.132.182
msf6 auxiliary(server/relay/esc8) > run
[*] Auxiliary module running as background job 0.
msf6 auxiliary(server/relay/esc8) > 
[*] SMB Server is running. Listening on 0.0.0.0:445
[*] Server started.
[*] New request from 10.5.132.191
[*] Received request for EXAMPLE\Administrator
[*] Relaying to next target http://10.5.132.182:80/certsrv/
[+] Identity: EXAMPLE\Administrator - Successfully authenticated against relay target http://10.5.132.182:80/certsrv/
[SMB] NTLMv2-SSP Client     : 10.5.132.182
[SMB] NTLMv2-SSP Username   : EXAMPLE\Administrator
[SMB] NTLMv2-SSP Hash       : Administrator::EXAMPLE:9a0ad3b11b1b3471:b97c9d53262316974c31219cd6dd2f00:…

[+] Certificate generated using template User and EXAMPLE\Administrator
[+] Certificate for EXAMPLE\Administrator using template User saved to /home/tmoose/.msf4/loot/20241220141352_default_10.5.132.182_windows.ad.cs_360378.pfx
[*] Received request for EXAMPLE\Administrator
[*] Identity: EXAMPLE\Administrator - All targets relayed to

Meterpreter’s PoolParty

In November 2024, the Metasploit Framework improved Windows Meterpreter’s capabilities by adding the PoolParty injection technique for code injection into remote processes. The new technique replaces the common kernel32!CreateRemoteThread approach and makes the Meterpreter agent stealthier without removing any existing functionality. Significant effort went into implementing the injection as cleanly and as transparently to the user as possible, leaving no footprint in memory after a successful injection. Currently the PoolParty injection is based on the TP_DIRECT_INSERTION variant and supports code injection on 64-bit Windows 10 and newer systems. Injection to and from WoW64 processes is only partially implemented because of security restrictions: at present it is limited to injecting from a WoW64 process into an x64 process.

LDAP Improvements

Over the past couple of years, Metasploit has improved its LDAP support substantially. There are troves of data points available in Active Directory via LDAP that aid in various attack workflows; some examples include the domain SID, the number of computers a normal user can add, Kerberoastable accounts, vulnerable ESC templates and more. To help users access this information, Metasploit has continued to make LDAP improvements this year.

Metasploit 6.4 included multiple new protocol-based session types, one of which was LDAP. The ldap_login module can be used to open an interactive LDAP session, letting the user take multiple actions without needing to reconnect and reauthenticate to the target server. This feature is currently disabled by default, but can be enabled with set ldap_session_type true followed by a restart of Metasploit. Once established, these sessions can be used to run queries from the command line, and certain auxiliary modules, such as ldap_query and ldap_esc_vulnerable_cert_finder, can use the session to gather information.

In addition to the new session type, Metasploit has added support for both channel binding and signing so that users can operate in hardened environments. Now, when Metasploit authenticates to an LDAP service, it automatically uses signing or channel binding as applicable based on the server’s configuration. Signing can also be controlled with the LDAP::Signing datastore option, which supports three values:

  • disabled – never use signing; useful for verifying whether a server requires signing
  • auto – signing is used when the server requires it
  • required – signing is always used

Channel binding is always used when SSL is in use. Metasploit supports channel binding for both NTLM and Kerberos authentication.
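The ESC8 section above explains that the Web Enrollment endpoint accepts NTLM over HTTP without relaying protections, and this section says Metasploit now adds channel binding whenever TLS is in use. The Ruby snippet below is an added example written for this recap (it is not Metasploit code) that shows what channel binding actually binds: the tls-server-end-point value from RFC 5929 (a hash of the server certificate) wrapped in the GSS channel-bindings structure that NTLM hashes into its MsvAvChannelBindings AV pair (MS-NLMP). Because the client derives the token from the certificate of the server it really connected to, an authentication taken from one connection carries a token that matches no other server's certificate, which is why a server that enforces channel binding rejects a relayed authentication. The self-signed certificates and the host names in the demo are constructed for the example.

```ruby
require 'openssl'
require 'digest'

# Pick the hash for the tls-server-end-point binding (RFC 5929): the hash from the
# certificate's signature algorithm, with MD5 and SHA-1 upgraded to SHA-256.
def end_point_hash_algorithm(cert)
  case cert.signature_algorithm.downcase   # e.g. "sha256withrsaencryption"
  when /sha512/ then 'SHA512'
  when /sha384/ then 'SHA384'
  else 'SHA256'
  end
end

# Channel binding data as the TLS layer provides it: a type prefix plus the
# hash of the server certificate the client actually received.
def tls_server_end_point(cert)
  'tls-server-end-point:' + OpenSSL::Digest.new(end_point_hash_algorithm(cert)).digest(cert.to_der)
end

# GSS channel-bindings structure as NTLM hashes it (MS-NLMP): four zero 32-bit
# fields for the unused initiator/acceptor addresses, then the little-endian
# 32-bit length of the application data, then the data itself.
def gss_channel_bindings_struct(app_data)
  [0, 0, 0, 0, app_data.bytesize].pack('V*') + app_data.b
end

# The 16-byte value a client places in the MsvAvChannelBindings AV pair of its
# NTLM AUTHENTICATE message.
def ntlm_channel_binding_token(cert)
  Digest::MD5.digest(gss_channel_bindings_struct(tls_server_end_point(cert)))
end

# A server that enforces channel binding recomputes the token from its own
# certificate and compares; only a client that saw that same certificate passes.
def binding_accepted?(client_seen_cert, server_cert)
  ntlm_channel_binding_token(client_seen_cert) == ntlm_channel_binding_token(server_cert)
end

# Constructed self-signed certificate for the demonstration (not a real server).
def self_signed_cert(common_name, key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)
  ldap_cert = self_signed_cert('ldap.example.test', key)     # constructed
  web_cert  = self_signed_cert('certsrv.example.test', key)  # constructed
  puts "token derived from ldap cert: #{ntlm_channel_binding_token(ldap_cert).unpack1('H*')}"
  puts "same server accepts it:       #{binding_accepted?(ldap_cert, ldap_cert)}"
  puts "different server accepts it:  #{binding_accepted?(ldap_cert, web_cert)}"
end
```

The token is only meaningful when the connection is TLS, which is why the text above says channel binding applies when SSL is in use; over plain HTTP or LDAP there is no certificate to bind to, and the server has to rely on signing (LDAP) or on the Extended Protection settings of the web service instead.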

Metasploit 6.4 Released

This year Metasploit 6.4 was released with multiple features, including the new dns command, which grants the user a high degree of control over how DNS queries are processed, and support for multiple new session types (PostgreSQL, MSSQL, MySQL and SMB) via the CreateSession option:

msf6 > use scanner/smb/smb_login
msf6 auxiliary(scanner/smb/smb_login) > run rhost=192.168.123.133 username=vagrant password=vagrant CreateSession=true

[*] 192.168.123.133:445   - 192.168.123.133:445 - Starting SMB login bruteforce
[+] 192.168.123.133:445   - 192.168.123.133:445 - Success: '.\vagrant:vagrant' Administrator
[*] SMB session 2 opened (192.168.123.1:52253 -> 192.168.123.133:445) at 2024-03-19 12:07:15 +0000

Each new session type supports different capabilities, such as querying databases, using an SQL or SMB session with exploit modules to gain native sessions, and exploring and manipulating remote file systems:

msf6 auxiliary(scanner/smb/smb_login) > sessions -i -1
[*] Starting interaction with 1…
SMB (192.168.123.133) > ls
[-] No active share selected. Use the shares command to view available shares, and shares -i <id> to interact with one
SMB (192.168.123.133) > shares
Shares
======
    #  Name      Type          comment
    -  ----      ----          -------
    0  ADMIN$    DISK|SPECIAL  Remote Admin
    1  C$        DISK|SPECIAL  Default share
    2  foo       DISK
    3  IPC$      IPC|SPECIAL   Remote IPC
    4  NETLOGON  DISK          Logon server share
    5  SYSVOL    DISK          Logon server share

SMB (192.168.123.133) >

Metasploit 6.4 also continued to enhance support for Kerberos workflows:

Module Highlights

CVE-2023-22527
Metasploit had a great start to 2024 with the addition in January of a module for CVE-2023-22527, an unauthenticated RCE in Atlassian Confluence. This module was written by Metasploit’s Spencer McIntyre aka zeroSteiner. Due to an SSTI flaw that allows an OGNL expression to be evaluated, Metasploit users can obtain OS command execution in the context of the service account. On Windows the service account is NT AUTHORITY\NETWORK SERVICE which, don’t forget, can easily be escalated to NT AUTHORITY\SYSTEM using the RPCSS named pipe impersonation technique in Meterpreter; just type “getsystem -t 4”!

CVE-2024-21893 + CVE-2024-21887
February kept the good times rolling with an exploit chain that works against both Ivanti Connect Secure and Ivanti Policy Secure, from Rapid7’s research extraordinaire Stephen Fewer. This module combines CVE-2024-21893, an SSRF vulnerability, with a command injection vulnerability tracked as CVE-2024-21887 to achieve unauthenticated remote code execution in the context of the root user.

Shadow Credentials
The Shadow Credentials module was an incredible addition to Metasploit’s Active Directory exploit capabilities. Using an account that has write permissions over another user account object, the module adds a public key credential object to that account’s msDS-KeyCredentialLink attribute and then uses the existing PKINIT functionality in the get_ticket module to authenticate as that user. This module was written by Metasploit aficionado Ashley Donaldson aka smashery.

CVE-2024-3400
April saw some amazing additions to the Metasploit Framework, including a very impactful exploit module for CVE-2024-3400. PAN-OS GlobalProtect Gateway and GlobalProtect Portal deployments with the default telemetry service enabled could be exploited remotely without authentication to gain code execution in the context of the root user. Rapid7’s very own Ryan Emmons PR’d this module, and it was the only module this year to be awarded the “hotness” label on GitHub. Very cool.

CVE-2023-43177
This module, while a great addition to the framework, also highlighted some great Rapid7 collaboration: the vulnerability was originally discovered by Rapid7’s Ryan Emmons, and the module was written by the one and only Christophe De La Fuente. The exploit module leverages an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability (CVE-2023-43177) to achieve unauthenticated remote code execution in the context of the Administrator user on Windows and the root user on Linux.

Progress Loadmaster sudo abuse privilege escalation
In May we saw the exploitation of Progress (Kemp) Loadmaster. The vulnerability lies in a sudo configuration that allows certain files to auto-elevate to root while also granting the non-root user bal write permissions on those files. The exploit module simply overwrites one of the auto-elevating files with /bin/bash and runs a payload within a root-enabled /bin/bash session. This heavy-hitting privilege escalation module was brought to us by Metasploit powerhouse Brendan Watters on the 10th of May.

CVE-2024-29824
July brought some of the hottest weather to the northern hemisphere, and it also brought some of the hottest vulns to the Metasploit Framework with yet another fantastic exploit module from Christophe De La Fuente: the Ivanti Endpoint Manager (EPM) SQLi to RCE module. This exploit works by sending a SOAP envelope to the application targeting one poor unsanitized database parameter, which pays the ultimate price of allowing the query to be escaped and EXEC xp_cmdshell to be run. The SQLi allows for RCE in the context of the NT Service\MSSQL$LDMSDATA user.

CVE-2024-6670
While Progress WhatsUp Gold made headlines with CVE-2024-6670, community contributor h4x-x0r made haste writing an exploit module, adding yet another high-impact exploit in their rookie year of Metasploit Framework contributions. The vulnerability allows an unauthenticated attacker to change the password of an existing user to an attacker-controlled value, potentially handing over administrative control of the application.

CVE-2024-43917
Some kids got tricks on Halloween, but Metasploit got a treat: an exploit module for an SQLi in TI WooCommerce Wishlist. Submitted by one of the hardest-working Metasploit community members, Valentin Lobstein aka Chocapikk, this was only one of 10 WordPress plugin modules they contributed this year. We decided to highlight this particular module because it came with an entire library of SQLi functionality specifically designed to facilitate SQLi exploitation against WordPress plugins. We love seeing this type of reusability added to the framework.

CVE-2024-35230
They say when it rains it pours, and this is all too true when looking at the number of vulnerabilities discovered in the Windows Kernel Streaming family of drivers this year. This module, written by Metasploit’s Jack Heysel, targets an access mode mismatch LPE in ks.sys. The vulnerable driver hardcoded the RequestorMode parameter of a KTHREAD structure to KernelMode, which eventually allows user-supplied code to be executed with SYSTEM-level privileges. This bug can be found lurking in the depths of Windows 2008 SP2 all the way up to present-day Windows 11 and Server 2022.

CVE-2024-27596
It wouldn't be a proper year without some fun WordPress vulnerabilities. CVE-2024-27596 was quite memorable, as the vulnerability was in the popular wp-automatic plugin. The best part was that an unauthenticated user could perform SQL injection and even get remote code execution by uploading a malicious module. Since the SQL injection allows an attacker to create an admin account, the WordPress site is fully compromised.

CVE-2023-0386
This vulnerability was discovered last year; however, it was only recently added to Metasploit as a module. It is one of the easier-to-exploit privilege escalations. What makes it so interesting is that it combines setuid binaries with the overlay file system to run a binary as root.

CVE-2024-37081
Vulnerabilities in VMware products are always of very high interest, as they are often abused by threat actors. CVE-2024-37081 is a local privilege escalation in vCenter 8.0.0.10200 caused by a misconfiguration. This misconfiguration allows the attacker to run sudo commands with preserved environment variables such as PYTHONPATH and VMWARE_PYTHON_PATH.
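The Loadmaster and vCenter entries above are both sudo configuration problems: a root-run target file that a low-privileged user can overwrite, and env_keep entries that let a preserved variable such as PYTHONPATH decide what a root-run interpreter loads. The Ruby audit below is an added example written for this recap (it is not part of either module) that reads a sudoers file and reports both conditions. It generalises beyond the two appliances to any sudoers file; the sudoers text, file names and the user name bal in the demo are constructed, and the risky-variable list extends the page's PYTHONPATH and VMWARE_PYTHON_PATH with LD_PRELOAD, LD_LIBRARY_PATH and PERL5LIB, which are assumed here as the usual additions to such an audit.

```ruby
require 'tmpdir'

# Variables that change what a program loads or runs when sudo preserves them.
# PYTHONPATH and VMWARE_PYTHON_PATH come from the vCenter issue; the rest are
# assumed additions for a general audit.
RISKY_ENV = %w[PYTHONPATH VMWARE_PYTHON_PATH LD_PRELOAD LD_LIBRARY_PATH PERL5LIB].freeze

# Tags that may prefix a command in a user specification (see sudoers(5)).
SUDO_TAGS = /\A(?:(?:NO)?(?:PASSWD|SETENV|EXEC|LOG_INPUT|LOG_OUTPUT|MAIL|FOLLOW):\s*)+/

Finding = Struct.new(:user, :command, :reason)

# Minimal sudoers reader: collects env_keep additions and (user, command path)
# pairs from user specifications. Aliases and @include files are not expanded.
def parse_sudoers(text)
  env_keep = []
  specs = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if line.start_with?('Defaults')
      env_keep.concat($1.split) if line =~ /\benv_keep\s*\+?=\s*"?([^"]*)"?\z/
      next
    end
    m = line.match(/\A(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)\z/) or next
    user, _host, _runas, commands = m.captures
    commands.split(',').each do |entry|
      path = entry.strip.sub(SUDO_TAGS, '').split(/\s+/).first
      specs << [user, path] if path
    end
  end
  [env_keep, specs]
end

# Group- or world-writable bit set on the path (missing paths are not flagged).
def writable_by_others?(path)
  (File.stat(path).mode & 0o022) != 0
rescue Errno::ENOENT
  false
end

def audit_sudoers(text)
  env_keep, specs = parse_sudoers(text)
  findings = []
  (env_keep & RISKY_ENV).each do |var|
    findings << Finding.new('*', nil, "env_keep preserves #{var}, so the caller controls what the elevated program loads")
  end
  specs.each do |user, path|
    next unless path.start_with?('/')   # ALL, aliases and relative names are skipped
    if writable_by_others?(path)
      findings << Finding.new(user, path, 'root-run target is group- or world-writable')
    elsif writable_by_others?(File.dirname(path))
      findings << Finding.new(user, path, 'directory of root-run target is group- or world-writable, so the file can be replaced')
    end
  end
  findings
end

# Constructed scenario mirroring the two findings: one sudo target its group can
# overwrite, one that is safe, and an env_keep line preserving PYTHONPATH.
def demo
  Dir.mktmpdir do |dir|
    safe = File.join(dir, 'rotate_logs.sh')
    weak = File.join(dir, 'update_config.sh')
    [safe, weak].each { |f| File.write(f, "#!/bin/sh\nexit 0\n") }
    File.chmod(0o755, safe)
    File.chmod(0o775, weak)   # group-writable: any group member can swap in their own script
    sudoers = <<~SUDOERS
      # constructed sudoers, not a real appliance configuration
      Defaults env_reset
      Defaults env_keep += "PYTHONPATH VMWARE_PYTHON_PATH"
      bal ALL=(root) NOPASSWD: #{weak}, #{safe}
    SUDOERS
    audit_sudoers(sudoers)
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |f| puts "[#{f.user}] #{f.command || '-'}: #{f.reason}" }
end
```

Run against a real /etc/sudoers (and the files under /etc/sudoers.d) the same functions give a quick first pass; a full check would also expand Cmnd_Alias entries and compare the target's owner and group against the users the rule applies to, which this example leaves out.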

CVE-2023-7028
When it comes to version control systems, accounts are the identity of the developer. Compromising the identity exposes the whole codebase to risk. This year, we implemented a module for CVE-2023-7028, Github account takeover. This vulnerability can be exploited without any user interaction. If the attacker provides two emails in the request for password reset - administrator's email and attacker's email - the reset code for the admin account gets sent back to both emails.

Remote Code Execution in CUPS
https://github.com/rapid7/metasploit-framework/pull/19630
https://github.com/rapid7/metasploit-framework/pull/19510

The CUPS vulnerability made big headlines this year. The reason is that CUPS exposed a UDP service that accepted input from any host. The CUPS service itself was vulnerable as well, allowing an attacker to execute code remotely via specially crafted print jobs. The vulnerability allowed remote code execution on virtually any Linux machine running a vulnerable version of CUPS. We have implemented a module (cups_browsed_info_disclosure) for scanning for vulnerable CUPS services and a module for exploitation (cups_ipp_remote_code_execution).

Community Stats Recap

The entire Metasploit team would like to give a big thank you to all the contributors who added content in 2024. Your ideas and contributions make this tool greater every year. We saw code additions from 62 contributors, including 39 first-time contributors.

Here are some stats for 2024:

  • Number of new modules: 165
  • Number of new bug fixes: 142
  • Number of new enhancements: 161
  • Number of new documentation additions: 19
  • Number of new payload enhancements: 4

Contributors in 2024 (ordered by count)

  • h00die
  • Chocapikk
  • jvoisin
  • smashery
  • h00die-gr3y
  • h4x-x0r (new in 2024)
  • nrathaus
  • bcoles
  • errorxyz
  • upsidedwn (new in 2024)
  • The-Pink-Panther (new in 2024)
  • Takahiro-Yoko (new in 2024)
  • DaveYesland (new in 2024)
  • NtAlexio2 (new in 2024)
  • heyder
  • KanchiMoe (new in 2024)
  • ide0x90
  • ostrichgolf (new in 2024)
  • jmartin-tech
  • jalvarezz13 (new in 2024)
  • ArchiMoebius (new in 2024)
  • molecula2788 (new in 2024)
  • jjoshm (new in 2024)
  • dotslashsuperstar (new in 2024)
  • double16 (new in 2024)
  • jlownie (new in 2024)
  • randomstr1ng (new in 2024)
  • SickMcNugget (new in 2024)
  • n00bhaxor
  • lihe07 (new in 2024)
  • 6a6f656c
  • AleksaZatezalo
  • poupapaa (new in 2024)
  • Sh3llSp4wn (new in 2024)
  • ErikWynter
  • siddolo (new in 2024)
  • ggisz (new in 2024)
  • rad10
  • JustAnda7
  • pczinser (new in 2024)
  • james-otten
  • oddlittlebird (new in 2024)
  • szymonj99 (new in 2024)
  • aaryan-11-x (new in 2024)
  • soroshsabz (new in 2024)
  • dudu7615 (new in 2024)
  • Mathiou04 (new in 2024)
  • GhostlyBox (new in 2024)
  • Grezzo
  • xaitax
  • igomeow (new in 2024)
  • cn-kali-team
  • Adithya2357 (new in 2024)
  • gardnerapp
  • pmauduit (new in 2024)
  • aaronjfeingold (new in 2024)
  • e2002e
  • softScheck (new in 2024)
  • PizzaHat (new in 2024)
  • sud0Ru (new in 2024)
  • Fufu-btw (new in 2024)
  • fanqiaojun (new in 2024)