Metasploit Wrap-Up 01/10/2025

New module content (5)

OneDev Unauthenticated Arbitrary File Read

Authors: Siebene and vultza
Type: Auxiliary
Pull request: #19614 contributed by vultza
Path: gather/onedev_arbitrary_file_read
AttackerKB reference: CVE-2024-45309

Description: This adds an exploit module for an unauthenticated arbitrary file read vulnerability, tracked as CVE-2024-45309, which affects OneDev versions <= 11.0.8.

Selenium arbitrary file read

Authors: Jon Stratton and Takahiro Yokoyama
Type: Auxiliary
Pull request: #19781 contributed by Takahiro-Yoko
Path: gather/selenium_file_read

Description: This adds an auxiliary module to perform arbitrary file read on vulnerable Selenium installations using Firefox, Chrome or Edge backends.

Netis Router Exploit Chain Reactor (CVE-2024-48455, CVE-2024-48456 and CVE-2024-48457).

Author: h00die-gr3y [email protected]
Type: Exploit
Pull request: #19770 contributed by h00die-gr3y
Path: linux/http/netis_unauth_rce_cve_2024_48456_and_48457
AttackerKB reference: CVE-2024-48457

Description: This adds an exploit module for Netis Routers including rebranded routers from GLCtec and Stone. The module chains 3 CVEs together to accomplish unauthenticated RCE. The first, CVE-2024-48456, is a command injection vulnerability in the change admin password page which allows an attacker to change the admin password to one of their choosing. The next vulnerability, CVE-2024-48457, is an authenticated RCE which can be chained with the first vuln nicely. The last CVE-2024-48455 allows for unauthenticated information disclosure revealing sensitive configuration information of the router which can be used by the attacker to determine if the router is running specific vulnerable firmware.

Selenium chrome RCE

Authors: Takahiro Yokoyama, Wiz Research, and randomstuff (Gabriel Corona)
Type: Exploit
Pull request: #19769 contributed by Takahiro-Yoko
Path: linux/http/selenium_greed_chrome_rce_cve_2022_28108
AttackerKB reference: CVE-2022-28108

Description: This adds an exploit module for Selenium Server (Grid) allowing unauthenticated command injection using Chrome backend.

Selenium geckodriver RCE

Authors: Jon Stratton and Takahiro Yokoyama
Type: Exploit
Pull request: #19771 contributed by Takahiro-Yoko
Path: linux/http/selenium_greed_firefox_rce_cve_2022_28108
AttackerKB reference: CVE-2022-28108

Description: This adds an exploit module for Selenium Server (Grid) <= 4.27.0 vulnerable to a Command Injection vulnerability using Firefox as backend.

Enhancements and features (2)

• #19767 from adfoster-r7 - Add support for ruby 3.4.0.
• #19792 from adfoster-r7 - Add additional library dependencies for Ruby 3.4 support.

Bugs fixed (3)

• #19367 from enty8080 - This fixes the ARM stager to properly download the second stage by fixing the recv() loop.
• #19749 from zeroSteiner - There was an issue with the ntp_nak_to_the_future module which was caused by when the BinData::Record instance was sent with the socket, the string representation of it was used instead of the packed binary. It should have been calling #to_binar_s. This fixes the issue with the auxiliary/scanner/ntp/ntp_nak_to_the_future module and documents how the module can be tested.
• #19751 from zeroSteiner - There was an issue present in the ldap library which caused the local and peer socket addresses to be incorrectly reported to the user when a session was created via the ldap_login module when SSL was enabled. This change fixes the issue by extending the SSL socket after it's setup with the Forwardable module and defines delegators for the #localinfo and #peerinfo to come from the underlying socket (@io).

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.43...6.4.44
• Full diff 6.4.43...6.4.44

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro