Newsy.co

Metasploit Wrap-Up 03/08/2024

New module content (2)

GitLab Tags RSS feed email disclosure

Metasploit Wrap-Up 03/08/2024

Authors: erruquill and n00bhaxor
Type: Auxiliary
Pull request: #18821 contributed by n00bhaxor
Path: gather/gitlab_tags_rss_feed_email_disclosure
AttackerKB reference: CVE-2023-5612

Description: This adds an auxiliary module that leverages an information disclosure vulnerability (CVE-2023-5612) in Gitlab versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 to retrieve user email addresses via tags feed.

BoidCMS Command Injection

Authors: 1337kid and bwatters-r7
Type: Exploit
Pull request: #18827 contributed by bwatters-r7
Path: multi/http/cve_2023_38836_boidcms
AttackerKB reference: CVE-2023-38836

Description: This PR adds an authenticated RCE against BoidCMS versions 2.0.0 and earlier. The underlying issue in the vulnerability CVE-2023-38836 is that the file upload check allows a php file to be uploaded and executes as a media file if the GIF header is present in the PHP file.

Enhancements and features (11)

  • #18686 from h00die - This updates the existing auxiliary/scanner/ssh/ssh_version module with new checks for supported cryptographic algorithms and version detection capabilities.
  • #18715 from errorxyz - This adds a Splunk library for use by future modules. It also updates the existing exploit/multi/http/splunk_privilege_escalation_cve_2023_32707 module to use it.
  • #18796 from errorxyz - This updates the ManageEngine Endpoint Central and ServiceDesk Plus RCE modules for CVE-2022-47966. Particularly, it adds a Java target to be able to use Java-based payloads.
  • #18862 from sjanusz-r7 - This PR aligns the client's peerhost and peerport API for the recently added SQL-based sessions (postgres, mssql, mysql).
  • #18875 from dwelch-r7 - This PR adds conditional validation of options depending on the chosen connection type, so for example if you want to connect via RHOST we also check (where applicable) that RPORT or the USERNAME is set. When a connection is made over an existing SESSION we can still allow the user to only set SESSION and not worry about the missing values only required for a new RHOST connection.
  • #18887 from cgranleese-r7 - Updates the search command to now search modules that are compatible with a specified session type, for instance: search session_type:meterpreter or search session_type:smb.
  • #18903 from sjanusz-r7 - This PR improves the UX by correctly handling databases changes by updating the prompt to now get the appropriate database value in the context of a MySQL or MSSQL session.
  • #18905 from cgranleese-r7 - Improves the pwd command output for SMB sessions.
  • #18908 from adfoster-r7 - Update SAMR computer and ICPR cert to support SMB sessions.
  • #18921 from dwelch-r7 - This adds the IP address to the SMB session prompt when there is no selected share.
  • #18926 from cgranleese-r7 - Update sessions to have a consistent set of local file system commands.

Bugs fixed (5)

  • #18844 from sfewer-r7 - This fixes a bug in the file dropper mixin that would prevent files from being deleted with a Windows shell session.
  • #18897 from adfoster-r7 - Updates the smb_login module to support configuring the negotiated SMB protocol versions and whether encryption is negotiated.
  • #18904 from double16 - Fixes the windows/gather/bloodhound module to no longer incorrectly validate the OutputDirectory option.
  • #18920 from dwelch-r7 - This PR fixes an issue with the autorunscript module option within an SMB session.
  • #18928 from dwelch-r7 - This PR fixes an issue when running the auxiliary/gather/windows_secrets_dump module while using the SESSION module option to connect, that caused the client to be disconnected and unable to be reused for subsequent runs/other modules.

Documentation (1)

  • #18929 from adfoster-r7 - Updates the Metasploit API documentation library to the latest available version to avoid CVE-2024-27285 - an XSS in the default YARD template. Thanks to Aviv Keller for reporting.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

  • Pull Requests 6.3.58...6.3.59
  • Full diff 6.3.58...6.3.59

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro