Last updated at Thu, 18 Jan 2024 21:09:21 GMT
New module content (3)
LDAP Login Scanner
Author: Dean Welch
Type: Auxiliary
Pull request: #18197 contributed by dwelch-r7
Path: scanner/ldap/ldap_login
Description: This PR adds a new login scanner module for LDAP. Login scanners are the classes that provide functionality for testing authentication against various different protocols and mechanisms. This LDAP login scanner supports multiple types of authentication including: Plaintext, NTLM, Kerberos and SChannel.
Junos OS PHPRC Environment Variable Manipulation RCE
Authors: Jacob Baines, Ron Bowes, and jheysel-r7
Type: Exploit
Pull request: #18389 contributed by jheysel-r7
Path: freebsd/http/junos_phprc_auto_prepend_file
Description: This adds an exploit module that leverages a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls and EX switches. This vulnerability is identified as CVE-2023-36845 and allows an attacker to achieve unauthenticated remote code execution as a low privileged user. This module also includes a jailbreak feature that consists in changing the root password and establishing an SSH session as the root user. The original password is restored when the module terminates.
Progress Software WS_FTP Unauthenticated Remote Code Execution
Author: sfewer-r7
Type: Exploit
Pull request: #18414 contributed by sfewer-r7
Path: windows/http/ws_ftp_rce_cve_2023_40044
Description: This module exploits an unsafe .NET deserialization vulnerability to achieve unauthenticated remote code execution against a vulnerable WS_FTP server running the Ad Hoc Transfer module. All versions of WS_FTP server prior to 8.7.4 and 8.8.2 are vulnerable to this issue. The vulnerability was originally discovered by AssetNote.
AttackerKB Assessment: (https://attackerkb.com/topics/bn32f9sNax/cve-2023-40044/rapid7-analysis)
Enhancements and features (6)
- #17919 from bcoles - This PR adds support for starting and stopping Windows services using the service control manager to shell payloads.
- #18338 from smashery - This PR updates the kerberos.rb library such that when a kerberos login is attempted, on a user where pre-authentication is not required, the module now requests a RRC4-HMAC ticket, since it's more easily crackable.
- #18363 from j0ev - This PR adds support to outputting payloads in octal in both framework and venom.
- #18412 from zeroSteiner - This adds additional usage tips to Metasploit, expanding the pool that is selected from on startup.
- #18420 from smashery - :
This PR updates the user-agent string reported by our http payloads. We update this periodically to make sure that our payloads don't stick out having an older user agent string. - #18425 from adfoster-r7 - Adds history support to the nasm and metasm shells. Now when re-opening these shells, previously typed commands should be remembered and available.
Bugs fixed (1)
Documentation added (3)
- #18277 from cnnrshd -
This PR adds new documentation for how to create a command injection exploit module. - #18347 from bwatters-r7 - This PR updates the how-to-write-a-check-method docs to better explain to not use
fail_withto align with best practices when making sure a check method returns a check code. - #18393 from adfoster-r7 - Updates the running modules landing page on the Wiki with more beginner friendly information on searching for and running modules.
You can always find more documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).
