Category: Metasploit Weekly Wrapup

I still like to MOVEit MOVEit

This week, our very own sfewer-r7 added a new exploit module that leverages an authentication bypass vulnerability in the MOVEit Transfer SFTP service (CVE-2024-5806). It is possible to authenticate to the SFTP service as any user as long as a valid username is known and the "Remote Access Rules" allows the attacker IP address. On successful attack, it is possible to access any file on the SFTP server that the user has permission to access. The module lets you list directories and display (or download) files.

The following version of MOVEit Transfer are affected:

• MOVEit Transfer 2023.0.x (fixed in 2023.0.11)
• MOVEit Transfer 2023.1.x (fixed in 2023.1.6)
• MOVEit Transfer 2024.0.x (fixed in 2024.0.2)

New module content (3)

Progress MOVEit SFTP Authentication Bypass for Arbitrary File Read

Author: sfewer-r7
Type: Auxiliary
Pull request: #19295 contributed by sfewer-r7
Path: gather/progress_moveit_sftp_fileread_cve_2024_5806
AttackerKB reference: CVE-2024-5806

Description: This module exploits an authentication bypass vulnerability in the MOVEit Transfer SFTP service. The vulnerable versions are MOVEit Transfer 2023.0.x until 2023.0.11; MOVEit Transfer 2023.1.x until 2023.1.6; MOVEit Transfer 2024.0.x until 2024.0.2; allowing to list remote directories and reading files without authentication.

Zyxel parse_config.py Command Injection

Authors: SSD Secure Disclosure technical team and jheysel-r7
Type: Exploit
Pull request: #19204 contributed by jheysel-r7
Path: linux/http/zyxel_parse_config_rce
AttackerKB reference: CVE-2023-33012

Description: This adds an exploit module that leverages multiple vulnerabilities in order to obtain pre-auth command injection on multiple VPN Series Zyxel devices.

Azure CLI Credentials Gatherer

Authors: James Otten and h00die
Type: Post
Pull request: #10113 contributed by james-otten
Path: multi/gather/azure_cli_creds

Description: This post module allows to exfiltrate azure tokens and configurations from old azure-cli versions using unencrypted formats.

Enhancements and features (2)

• #19287 from adeherdt-r7 - Updates the auxiliary/scanner/redis/redis_login module to support Redis 6.x.
• #19297 from adeherdt-r7 - Improves the Redis login brute force functionality to better detect when auth is not required for the target.

Bugs fixed (3)

• #19252 from zgoldman-r7 - Improves error logging for unhandled exceptions for login scanners.
• #19285 from dledda-r7 - This fixes an issue with the Meterpreter's sysinfo command that was failing when the current working directory was deleted.
• #19289 from h00die - Updates the post/linux/gather/apache_nifi_credentials module to now support extracting nifi.properties values that contain hyphens.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.15...6.4.16
• Full diff 6.4.15...6.4.16

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Unauthenticated Command Injection in Netis Router

This week's Metasploit release includes an exploit module for an unauthenticated command injection vulnerability in the Netis MW5360 router which is being tracked as CVE-2024-22729. The vulnerability stems from improper handling of the password parameter within the router's web interface which allows for command injection. Fortunately for attackers, the router's login page authorization can be bypassed by simply deleting the authorization header, leading to the vulnerability. All router firmware versions up to V1.0.1.3442 are vulnerable.

New module content (2)

MS-NRPC Domain Users Enumeration

Author: Haidar Kabibo https://x.com/haider_kabibo
Type: Auxiliary
Pull request: #19205 contributed by sud0Ru
Path: scanner/dcerpc/nrpc_enumusers

Description: This adds a new module that can enumerate accounts on a target Active Directory Domain Controller without authenticating to it; instead the module does so by issuing a DCERPC request and analyzing the returned error status.

Netis router MW5360 unauthenticated RCE.

Authors: Adhikara13 and h00die-gr3y h00die.gr3y@gmail.com
Type: Exploit
Pull request: #19188 contributed by h00die-gr3y
Path: linux/http/netis_unauth_rce_cve_2024_22729
AttackerKB reference: CVE-2024-22729

Description: This adds an exploit module that leverages CVE-2024-22729, a command injection vulnerability in Netis router MW5360 to achieve remote code execution as the user root. All router firmware versions up to V1.0.1.3442 are vulnerable.

Bugs fixed (3)

• #19259 from dledda-r7 - This updates Metasploit to check for a new flag that is sent as part of the encryption key negotiation with Meterpreter which indicates if Meterpreter had to use a weak source of entropy to generate the key.
• #19267 from zeroSteiner - Fixes a crash in the ldap_esc_vulnerable_cert_finder module when targeting an AD CS server that has a certificate template containing parenthesis.
• #19283 from adeherdt-r7 - Fixes the auxiliary/scanner/redis/redis_login module to correctly track the registered service name as redis - previously it was blank.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.14...6.4.15
• Full diff 6.4.14...6.4.15

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Argument Injection for PHP on Windows

This week includes modules that target file traversal and arbitrary file read vulnerabilities for software such as Apache, SolarWinds and Check Point, with the highlight being a module for the recent PHP vulnerability submitted by sfewer-r7. This module exploits an argument injection vulnerability, resulting in remote code execution and a Meterpreter shell running in the context of the Administrator user.
Note, that this attack requires the target to be running a Japanese or Chinese locale, as the attack targets Windows’s character replacement behavior for certain code pages when calling Win32 API functions.
A default configuration of XAMPP is vulnerable. This attack is unauthenticated and the server must expose PHP in CGI mode, not FastCGI. More information on this exploit can be found on AttackerKB.

New module content (4)

Check Point Security Gateway Arbitrary File Read

Author: remmons-r7
Type: Auxiliary
Pull request: #19221 contributed by remmons-r7
Path: gather/checkpoint_gateway_fileread_cve_2024_24919
AttackerKB reference: CVE-2024-24919

Description: This module leverages an unauthenticated arbitrary root file read vulnerability for Check Point Security Gateway appliances. When the IPSec VPN or Mobile Access blades are enabled on affected devices, traversal payloads can be used to read any files on the local file system. This vulnerability is tracked as CVE-2024-24919.

SolarWinds Serv-U Unauthenticated Arbitrary File Read

Authors: Hussein Daher and sfewer-r7
Type: Auxiliary
Pull request: #19255 contributed by sfewer-r7
Path: gather/solarwinds_servu_fileread_cve_2024_28995
AttackerKB reference: CVE-2024-28995

Description: This module exploits an unauthenticated file read vulnerability, due to directory traversal, affecting SolarWinds Serv-U FTP Server 15.4, Serv-U Gateway 15.4, and Serv-U MFT Server 15.4. All versions prior to the vendor supplied hotfix "15.4.2 Hotfix 2" (version 15.4.2.157) are affected.

Apache OFBiz Forgot Password Directory Traversal

Authors: Mr-xn and jheysel-r7
Type: Exploit
Pull request: #19249 contributed by jheysel-r7
Path: multi/http/apache_ofbiz_forgot_password_directory_traversal
AttackerKB reference: CVE-2024-32113

Description: This adds an exploit for CVE-2024-32113, which is an unauthenticated RCE in Apache OFBiz.

PHP CGI Argument Injection Remote Code Execution

Authors: Orange Tsai, sfewer-r7, and watchTowr
Type: Exploit
Pull request: #19247 contributed by sfewer-r7
Path: windows/http/php_cgi_arg_injection_rce_cve_2024_4577
AttackerKB reference: CVE-2024-4577

Description: Windows systems running Japanese or Chinese (simplified or traditional) locales are vulnerable to a PHP CGI argument injection vulnerability. This exploit module returns a session running in the context of the Administrator user.

Enhancements and features (2)

• #18829 from cdelafuente-r7 - Adding multiple HttpServer services in a module is sometimes complex since they share the same methods. This usually causes situations where #on_request_uri needs to be overridden to handle requests coming from each service. This updates the cmdstager and the Java HTTP ClassLoader mixins, since these are commonly used in the same module. This also updates the manageengine_servicedesk_plus_saml_rce_cve_2022_47966 module to make use of these new changes.
• #19229 from softScheck - The junos_phprc_auto_prepend_file module used to depend on having a user authenticated to the J-Web application to steal the necessary session tokens in order to exploit. With this enhancement the module will now create a session if one doesn't exist. Also it adds datastore options to change the hash format to be compatible with older versions as well an option to attempt to set ssh root login to true before attempting to establish a root ssh session.

Bugs fixed (4)

• #19176 from Fufu-btw - This adds the x86 and x64 architectures to the exploit/windows/http/dnn_cookie_deserialization_rce module's target metadata.
• #19253 from aaronjfeingold - This fixes an incorrect CVE reference in the exploit/unix/http/zivif_ipcheck_exec module.
• #19256 from adfoster-r7 - Fix warnings in acceptance tests.
• #19261 from zeroSteiner - Fixed powershell_base64 encoder to execute encoded strings correctly.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.13...6.4.14
• Full diff 6.4.13...6.4.14

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

New module content (5)

Telerik Report Server Auth Bypass

Authors: SinSinology and Spencer McIntyre
Type: Auxiliary
Pull request: #19242 contributed by zeroSteiner
Path: scanner/http/telerik_report_server_auth_bypass
AttackerKB reference: CVE-2024-4358

Description: This adds an exploit for CVE-2024-4358 which is an authentication bypass in Telerik Report Server versions up to and including 10.0.24.305.

Cacti Import Packages RCE

Authors: Christophe De La Fuente and Egidio Romano
Type: Exploit
Pull request: #19196 contributed by cdelafuente-r7
Path: multi/http/cacti_package_import_rce
AttackerKB reference: CVE-2024-25641

Description: This exploit module leverages an arbitrary file write vulnerability (CVE-2024-25641) in Cacti versions prior to 1.2.27 to achieve RCE. It abuses the Import Packages feature to upload a specially crafted package that embeds a PHP file.

VSCode ipynb Remote Development RCE

Authors: Zemnmez and h00die
Type: Exploit
Pull request: #18998 contributed by h00die
Path: multi/misc/vscode_ipynb_remote_dev_exec
AttackerKB reference: CVE-2022-41034

Description: VSCode allows users to open a Jypiter notebook (.ipynb) file. Versions v1.4.0 - v1.71.1 allow the Jypiter notebook to embed HTML and javascript, which can then open new terminal windows within VSCode. Each of these new windows can then execute arbitrary code at startup. This vulnerability is tracked as CVE-2022-41034.

Rejetto HTTP File Server (HFS) Unauthenticated Remote Code Execution

Authors: Arseniy Sharoglazov and sfewer-r7
Type: Exploit
Pull request: #19240 contributed by sfewer-r7
Path: windows/http/rejetto_hfs_rce_cve_2024_23692
AttackerKB reference: CVE-2024-23692

Description: Adds an exploit module for CVE-2024-23692, an unauthorized SSTI in the Rejetto HTTP File Server (HFS).

Telerik Report Server Auth Bypass and Deserialization RCE

Authors: SinSinology, Soroush Dalili, Spencer McIntyre, and Unknown
Type: Exploit
Pull request: #19243 contributed by zeroSteiner
Path: windows/http/telerik_report_server_deserialization
AttackerKB reference: CVE-2024-4358

Description: This adds an exploit for CVE-2024-1800 which is an authenticated RCE in Telerik Report Server. To function without authentication it chains CVE-2024-4358 to create a new administrator account before launching the authenticated RCE.

Enhancements and features (4)

• #19191 from adfoster-r7 - Adds support for Ruby 3.4.0-preview1.
• #19197 from sjanusz-r7 - Updates the new PostgreSQL, MSSQL, and MySQL session types to track the history of commands that the user has entered.
• #19199 from cgranleese-r7 - Updates brute force modules to output a summary of the credential discovered. This functionality is currently opt-in with the feature set show_successful_logins true msfconsole command.
• #19225 from h00die - This adds a link to android payload issues to increase visibility.

Bugs fixed (3)

• #19235 from cgranleese-r7 - Fixes an issue where Java payloads zip paths were not being created properly.
• #19239 from e2002e - Updates the modules/auxiliary/gather/zoomeye_search module to work again.
• #19248 from zgoldman-r7 - This removes an extra rescue clause added in error and allows the actual rescue clause to rescue exceptions properly in the event a staged http[s] payload calls back to a stageless http[s] listener.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.12...6.4.13
• Full diff 6.4.12...6.4.13

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

New OSX payloads:ARMed and Dangerous

In addition to an RCE leveraging CVE-2024-5084 to gain RCE through a WordPress Hash form, this release features the addition of several new binary OSX stageless payloads with aarch64 support: Execute Command, Shell Bind TCP, and Shell Reverse TCP.

The new osx/aarch64/shell_bind_tcp payload opens a listening port on the target machine, which allows the attacker to connect to this open port to spawn a command shell using the user provided command using the execve system call on Apple silicon laptops.

The new osx/aarch64/shell_reverse_tcp payload that can connect back to the configured attacker’s RHOST and RPORT to spawn a command shell using the execve system call on Apple silicon laptops.
The new osx/aarch64/exec payload can execute arbitrary user provided commands using the execve system call on Apple silicon laptops, for example:

msf6 payload(osx/aarch64/exec) > generate -f macho cmd="/bin/bash -c 'echo 123 && echo abc && whoami && echo 🔥'" -o shell
[*] Writing 50072 bytes to shell…

And executing:

$ chmod +x ./shell
$ ./shell
123
abc
user
🔥

New module content (4)

WordPress Hash Form Plugin RCE

Authors: Francesco Carlucci and Valentin Lobstein
Type: Exploit
Pull request: #19208 contributed by Chocapikk
Path: multi/http/wp_hash_form_rce
AttackerKB reference: CVE-2024-5084

Description: This adds an exploit module that leverages a vulnerability in the WordPress Hash Form – Drag & Drop Form Builder plugin (CVE-2024-5084) to achieve remote code execution. Versions up to and including 1.1.0 are vulnerable. This allows unauthenticated attackers to upload arbitrary files, including PHP scripts, due to missing file type validation in the file_upload_action function.

OSX aarch64 Execute Command

Author: alanfoster
Type: Payload (Single)
Pull request: #18646 contributed by AlanFoster
Path: osx/aarch64/exec

Description: Add osx aarch64 exec payload.

OS X x64 Shell Bind TCP

Author: alanfoster
Type: Payload (Single)
Pull request: #18776 contributed by AlanFoster
Path: osx/aarch64/shell_bind_tcp

Description: Add osx aarch64 bind tcp payload.

OSX aarch64 Shell Reverse TCP

Author: alanfoster
Type: Payload (Single)
Pull request: #18652 contributed by AlanFoster
Path: osx/aarch64/shell_reverse_tcp

Description: Add osx aarch64 shell reverse tcp payload.

Enhancements and features (0)

None

Bugs fixed (3)

• #19209 from zgoldman-r7 - Updates multiple file format exploits to show the default settings to users when running show options.
• #19211 from sjanusz-r7 - Fixes an issue were the database management logic would default a model's updated_at value to incorrectly be set to the created_at value.
• #19217 from zgoldman-r7 - Fixes path tab completion for modules when using Ruby 3.2+.
• #19227 from bcoles - Fixed an issue in Moodle::Login.moodle_login that reported a false negative when logging in with user's credentials.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.11...6.4.12
• Full diff 6.4.11...6.4.12

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Quis dīrumpet ipsos dīrumpēs

In this release, we feature a double-double: two exploits each targeting two pieces of software. The first pair is from h00die targeting the Jasmine Ransomeware Web Server. The first uses CVE-2024-30851 to retrieve the login for the ransomware server, and the second is a directory traversal vulnerability allowing arbitrary file read. The second pair from Dave Yesland of Rhino Security targets Progress Flowmon with CVE-2024-2389 and it pairs well like wine with the additional and accompanying Privilege Escalation module.

New module content (4)

Jasmin Ransomware Web Server Unauthenticated Directory Traversal

Authors: chebuya and h00die
Type: Auxiliary
Pull request: #19103 contributed by h00die
Path: gather/jasmin_ransomware_dir_traversal
AttackerKB reference: CVE-2024-30851

Description: This adds an unauthenticated directory traversal and a SQLi exploit against the Jasmin ransomware web panel.

Jasmin Ransomware Web Server Unauthenticated SQL Injection

Authors: chebuya and h00die
Type: Auxiliary
Pull request: #19103 contributed by h00die
Path: gather/jasmin_ransomware_sqli

Description: This adds an unauthenticated directory traversal and a SQLi exploit against the Jasmin ransomware web panel.

Flowmon Unauthenticated Command Injection

Author: Dave Yesland with Rhino Security Labs
Type: Exploit
Pull request: #19150 contributed by DaveYesland
Path: linux/http/progress_flowmon_unauth_cmd_injection
AttackerKB reference: CVE-2024-2389

Description: Unauthenticated Command Injection Module for Progress Flowmon CVE-2024-2389.

Progress Flowmon Local sudo privilege escalation

Author: Dave Yesland with Rhino Security Labs
Type: Exploit
Pull request: #19151 contributed by DaveYesland
Path: linux/local/progress_flowmon_sudo_privesc_2024

Description: Privilege escalation module for Progress Flowmon unpatched feature.

Enhancements and features (3)

• #19195 from adfoster-r7 - Updates msfconsole to support risc-v platforms.
• #19198 from adfoster-r7 - Add support for Ruby 3.3.x.
• #19200 from adfoster-r7 - Updates Metasploit's gemspec file to work with additional static analysis tools.

Bugs fixed (0)

None

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.10...6.4.11
• Full diff 6.4.10...6.4.11

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Infiltrate the Broadcast!

A new module from Chocapikk allows the user to perform remote code execution on vulnerable versions of streaming platform AVideo (12.4 - 14.2). The multi/http/avideo_wwbnindex_unauth_rce module leverages CVE-2024-31819, a vulnerability to PHP Filter Chaining, to gain unauthenticated and unprivileged access, earning it an attacker value of High on AttackerKB.

New module content (8)

Chaos RAT XSS to RCE

Authors: chebuya and h00die
Type: Exploit
Pull request: #19104 contributed by h00die
Path: linux/http/chaos_rat_xss_to_rce
AttackerKB reference: CVE-2024-30850

Description: Adds an exploit for HAOS v5.0.8, which contains a remote command execution vulnerability which
can be triggered through one of three routes: credentials, JWT token from an agent, an agent executable can be provided, or the JWT token can be extracted.

AVideo WWBNIndex Plugin Unauthenticated RCE

Author: Valentin Lobstein
Type: Exploit
Pull request: #19071 contributed by Chocapikk
Path: multi/http/avideo_wwbnindex_unauth_rce
AttackerKB reference: CVE-2024-31819

Description: Adds a module for CVE-2024-31819 which exploits an LFI in AVideo which uses PHP Filter Chaining to turn the LFI into unauthenticated RCE.

NorthStar C2 XSS to Agent RCE

Authors: chebuya and h00die
Type: Exploit
Pull request: #19102 contributed by h00die
Path: windows/http/northstar_c2_xss_to_agent_rce
AttackerKB reference: CVE-2024-28741

Description: Adds an exploit for CVE-2024-28741 which exploits an XSS vulnerability in Northstar C2.

Adi IRC credential gatherer

Authors: Barwar Salim M, Daniel Hallsworth, Jacob Tierney, Kazuyoshi Maruta, and Z. Cliffe Schreuders
Type: Post
Pull request: #19169 contributed by The-Pink-Panther
Path: windows/gather/credentials/adi_irc

Description: This adds a gather module leveraging Packrat targeting Adi IRC client.

CarotDAV credential gatherer

Authors: Barwar Salim M, Daniel Hallsworth, Jacob Tierney, Kazuyoshi Maruta, and Z. Cliffe Schreuders
Type: Post
Pull request: #19173 contributed by The-Pink-Panther
Path: windows/gather/credentials/carotdav_ftp

Description: This adds a gather module leveraging Packrat targeting the CarotDAV FTP client.

Halloy IRC credential gatherer

Authors: Barwar Salim M, Daniel Hallsworth, Jacob Tierney, Kazuyoshi Maruta, and Z. Cliffe Schreuders
Type: Post
Pull request: #19165 contributed by The-Pink-Panther
Path: windows/gather/credentials/halloy_irc

Description: This adds a module leveraging Packrat to gather credentials against the Halloy IRC client.

Quassel IRC credential gatherer

Authors: Barwar Salim M, Daniel Hallsworth, Jacob Tierney, Kazuyoshi Maruta, and Z. Cliffe Schreuders
Type: Post
Pull request: #19166 contributed by The-Pink-Panther
Path: windows/gather/credentials/quassel_irc

Description: This adds a gather module leveraging Packrat targeting Quassel IRC client.

Sylpheed email credential gatherer

Authors: Barwar Salim M, Daniel Hallsworth, Jacob Tierney, Kazuyoshi Maruta, and Z. Cliffe Schreuders
Type: Post
Pull request: #19171 contributed by The-Pink-Panther
Path: windows/gather/credentials/sylpheed

Description: This adds a gather module leveraging Packrat targeting Sylpheed Email client.

Enhancements and features (1)

• #19189 from adfoster-r7 - Updates Metasploit framework's default Ruby version to 3.1.5; newer Ruby versions are also supported.

Bugs fixed (4)

• #19002 from adfoster-r7 - Fixed persistent jobs not working when rebooting MSF console.
• #19170 from sjanusz-r7 - Fixes the smb_lookupsid module hanging with STATUS_PENDING when running against Samba targets.
• #19186 from dwelch-r7 - Fixes a bug were the show advanced command could show normal options.
• #19192 from adfoster-r7 - Fix crashing mipsel modules when running Ruby 3.3.0.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.9...6.4.10
• Full diff 6.4.9...6.4.10

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

LDAP Authentication Improvements

This week, in Metasploit v6.4.9, the team has added multiple improvements for LDAP related attacks. Two improvements relating to authentication is the new support for Signing and Channel Binding. Microsoft has been making changes to harden the communications to Domain Controllers. Organizations are incorporating these policies which are making LDAP tools without the necessary features unable to operate. The intention behind these changes are to protect communications with Domain Controllers from relay attacks. There are however plenty of scenarios when users may want to authenticate to a domain controller directly with known credentials to perform a variety of tasks.

The new improvements allow Metasploit users to authenticate via either NTLM or Kerberos to LDAP servers with these hardening settings in place. Signing will be performed opportunistically (LDAP::Signing=auto), however it can be either disabled entirely by setting LDAP::Signing to disabled or required with required. Note that setting it to required will raise exceptions with configurations that are incompatible with signing, e.g. connecting over SSL (LDAPS) or using plaintext / simple authentication. At this time channel binding is automatically enabled and can not be disabled in the same way. When connecting over SSL, and authenticating with either NTLM or Kerberos, the binding information is provided to the server.

For users that are unfamiliar with the semi-recent authentication configuration changes introduced in Metasploit v6.3, LDAP modules have an LDAP::Auth option that can be set to one of auto, ntlm, kerberos, schannel, or plaintext.

LDAP Session

In addition to the new LDAP authentication improvements, Metasploit added the latest session type; LDAP sessions this week. Metasploit v6.4 added new protocol-based sessions that allow modules to be run against persistent connections for a variety of services including SMB, MSSQL and MySQL. Once the feature is enabled by running features set ldap_session_type true, users can open sessions with the auxiliary/scanner/ldap/ldap_login module and CreateSession option. These new sessions allow a users to authenticate once and interact with the connection, running queries or modules such as:

• auxiliary/admin/ldap/rbcd – Role Based Constrained Delegation
• auxiliary/admin/ldap/shadow_credentials – Shadow Credentials
• auxiliary/gather/asrep – Find Users Without Pre-Auth Required (ASREP-roast)
• auxiliary/gather/ldap_esc_vulnerable_cert_finder – Misconfigured Certificate Template Finder
• auxiliary/admin/ldap/ad_cs_cert_template – AD CS Certificate Template Management
• auxiliary/gather/ldap_hashdump – LDAP Information Disclosure
• auxiliary/gather/ldap_query – LDAP Query and Enumeration Module

By interacting with the session, the query command becomes available to run queries interactively. It has a few options allowing the scope, attributes and filter to be set.

LDAP (192.0.2.197) > query -h
Usage: query -f <filter string> -a <attributes>

Run the query against the session.

OPTIONS:

    -a, --attributes      Comma separated list of attributes for the query
    -b, --base-dn         Base dn for the query
    -f, --filter          Filter string for the query (default: (objectclass=*))
    -h, --help            Help menu
    -o, --output-format   Output format: `table`, `csv` or `json` (default: table)
    -s, --scope           Scope for the query: `base`, `single`, `whole` (default: whole)

As an example, basic information about the domain can be queried:

LDAP (192.0.2.197) > query -a ms-DS-MachineAccountQuota,objectSID,name -f '(objectClass=domain)'
DC=labs1collabu0,DC=local
=========================

 Name                       Attributes
 ----                       ----------
 ms-ds-machineaccountquota  10
 name                       labs1collabu0
 objectsid                  S-1-5-21-795503-3050334394-3644400624

New module content (2)

Windows Registry Security Descriptor Utility

Author: Christophe De La Fuente
Type: Auxiliary
Pull request: #19115 contributed by cdelafuente-r7
Path: admin/registry_security_descriptor

Description: This adds a module to read and write the security descriptor of Windows registry keys.

Kemp LoadMaster Local sudo privilege escalation

Authors: Dave Yesland with Rhino Security Labs and bwatters-r7
Type: Exploit
Pull request: #19100 contributed by bwatters-r7
Path: linux/local/progress_kemp_loadmaster_sudo_privesc_2024

Description: This adds a privilege escalation exploit module for LoadMaster that abuses the configuration of the sudo command combined with weak file system permissions. There is no CVE for this vulnerability.

Enhancements and features (2)

• #19058 from dwelch-r7 - This adds an LDAP session type allowing users and modules to interact directly with LDAP servers without uploading a payload.
• #19132 from zeroSteiner - Add channel binding information to Metasploit's NTLM and Kerberos authentication for the LDAP protocol. This enables users to authenticate to domain controllers where the hardened security configuration setting is in place.
• #19172 from cgranleese-r7 - Updates the debug command to export the currently enabled user features.

Bugs fixed (1)

• #19183 from adfoster-r7 - Fix windows platform detection bug when running on a UCRT compiled environment.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.8...6.4.9
• Full diff 6.4.8...6.4.9

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Password Spraying support

Multiple bruteforce/login scanner modules have been updated to support a PASSWORD_SPRAY module option. This work was completed in pull request #19079 from nrathaus as well as an additional update from our developers . When the password spraying option is set, the order of attempted users and password attempts are changed.

For example, with the usernames user1, user2, and passwords password1 and password2. The default bruteforce logic will attempt all passwords against the first user, before continuing to the next user:

user1:password1
user1:password2
user2:password1
user2:password2

When the PASSWORD_SPRAY option is set, each password is tried against each username first:

user1:password1
user2:password1
user1:password2
user2:password2

This change of order can be useful as it decreases the risk of account lock out for larger password lists.

New module content (4)

CVE-2024-20767 - Adobe Coldfusion Arbitrary File Read

Authors: Christiaan Beek, jheysel-r7, ma4ter, and yoryio
Type: Auxiliary
Pull request: #19050 contributed by jheysel-r7
Path: gather/coldfusion_pms_servlet_file_read
AttackerKB reference: CVE-2024-20767

Description: This adds an auxiliary module to exploit an Arbitrary File Read Vulnerability in Adobe ColdFusion versions prior to '2023 Update 6' and prior to '2021 Update 12'.

CrushFTP Unauthenticated Arbitrary File Read

Author: remmons-r7
Type: Auxiliary
Pull request: #19147 contributed by remmons-r7
Path: gather/crushftp_fileread_cve_2024_4040
AttackerKB reference: CVE-2024-4040

Description: This adds an exploit module that leverages an unauthenticated server-side template injection vulnerability in CrushFTP versions prior to 10.7.1 and prior to 11.1.0 (as well as legacy 9.x versions) to read any files on the server file system as root.

MSSQL Version Utility

Author: Zach Goldman
Type: Auxiliary
Pull request: #18907 contributed by zgoldman-r7
Path: scanner/mssql/mssql_version

Description: Adds a new auxiliary/scanner/mssql/mssql_version module for fingerprinting Microsoft SQL Server targets.

Docker Privileged Container Kernel Escape

Authors: Eran Ayalon, Ilan Sokol, and Nick Cottrell
Type: Exploit
Pull request: #18519 contributed by rad10
Path: linux/local/docker_privileged_container_kernel_escape

Description: This adds a local exploit that allows Metasploit to escape container environments in which the SYS_MODULE capability is present.

Enhancements and features (3)

• #19125 from zgoldman-r7 - Updates MSSQL platform/arch fingerprinting to be more resilient.
• #19127 from smashery - This implements LDAP signing and encryption for both NTLM and Kerberos.
• #19158 from cgranleese-r7 - Updates multiple login modules to support the PASSWORD_SPRAY datastore option.

Bugs fixed (3)

• #19156 from cgranleese-r7 - Fixes a bug with the PASSWORD_SPRAY support for login scanners were the default username datastore option was not being tried.
• #19159 from cgranleese-r7 - Improves the error detection when detecting platform and arch for PostgreSQL session types.
• #19163 from zeroSteiner - Updates the modules/auxiliary/scanner/smb/smb_version module to support a user defined RPORT. Previously the module was hard-coded to test port 139 and 445.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.7...6.4.8
• Full diff 6.4.7...6.4.8

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Dump secrets inline

This week, our very own cdelafuente-r7 added a significant improvement to the well-known Windows Secrets Dump module to reduce the footprint when dumping SAM hashes, LSA secrets and cached credentials. The module is now directly reading the Windows Registry remotely without having to dump the full registry keys to disk and parse them, like it was originally. This idea comes from this PR proposed by antuache. The technique takes advantage of the WriteDACL privileges held by local administrators to set temporary read permissions on the SAM and SECURITY registry hives. The module also takes care of restoring the original Security Descriptors after each read. Note that it is still possible to use the original technique by setting the INLINE option to false. Happy dumping!

New module content (1)

Kemp LoadMaster Unauthenticated Command Injection

Author: Dave Yesland with Rhino Security Labs
Type: Exploit
Pull request: #18972 contributed by DaveYesland
Path: linux/http/progress_kemp_loadmaster_unauth_cmd_injection
AttackerKB reference: CVE-2024-1212

Description: This adds a module targeting CVE-2024-1212, an unauthenticated command injection vulnerability in Kemp Progress Loadmaster versions after 7.2.48.1, but patched in 7.2.59.2 (GA), 7.2.54.8 (LTSF) and 7.2.48.10 (LTS).

Enhancements and features (3)

• #19048 from cdelafuente-r7 - This updates the windows_secrets_dump module to enable accessing the necessary registry data without writing it to disk first.
• #19075 from ide0x90 - :
  Updates the Softing Secure Integration Server login library to allow the code to be better reused by other modules.
• #19148 from adfoster-r7 - Updates Metasploit-framework to compile on x64-mingw-ucrt platforms.

Bugs fixed (5)

• #19095 from zeroSteiner - Updates the smb_enumusers module to use an updated SMB implementation from RubySMB which fixes an issue where the module could sometimes time out or return an unexpected error when targeting Samba.
• #19137 from zeroSteiner - Fixes an infinite recursion error where Metasploit would attempt to resolve a nameserver specified as a hostname in /etc/resolv.conf while initializing.
• #19138 from dwelch-r7 - Fixes a crash in the cve_2022_26923_certifried module.
• #19141 from jheysel-r7 - This fixes timeout issues encountered by rocketmq and activemq modules that would occur when the target is not running the expected service.
• #19152 from adfoster-r7 - This fixes an issue in the exploit/multi/http/apache_normalize_path_rce exploit module that affected Metasploit Pro due to how the module was handling datastore options.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.6...6.4.7
• Full diff 6.4.6...6.4.7

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.