Infiltrate the Broadcast!

A new module from Chocapikk allows the user to perform remote code execution on vulnerable versions of streaming platform AVideo (12.4 - 14.2). The multi/http/avideo_wwbnindex_unauth_rce module leverages CVE-2024-31819, a vulnerability to PHP Filter Chaining, to gain unauthenticated and unprivileged access, earning it an attacker value of High on AttackerKB.

New module content (8)

Chaos RAT XSS to RCE

Authors: chebuya and h00die
Type: Exploit
Pull request: #19104 contributed by h00die
Path: linux/http/chaos_rat_xss_to_rce
AttackerKB reference: CVE-2024-30850

Description: Adds an exploit for HAOS v5.0.8, which contains a remote command execution vulnerability which
can be triggered through one of three routes: credentials, JWT token from an agent, an agent executable can be provided, or the JWT token can be extracted.

AVideo WWBNIndex Plugin Unauthenticated RCE

Author: Valentin Lobstein
Type: Exploit
Pull request: #19071 contributed by Chocapikk
Path: multi/http/avideo_wwbnindex_unauth_rce
AttackerKB reference: CVE-2024-31819

Description: Adds a module for CVE-2024-31819 which exploits an LFI in AVideo which uses PHP Filter Chaining to turn the LFI into unauthenticated RCE.

NorthStar C2 XSS to Agent RCE

Authors: chebuya and h00die
Type: Exploit
Pull request: #19102 contributed by h00die
Path: windows/http/northstar_c2_xss_to_agent_rce
AttackerKB reference: CVE-2024-28741

Description: Adds an exploit for CVE-2024-28741 which exploits an XSS vulnerability in Northstar C2.

Adi IRC credential gatherer

Authors: Barwar Salim M, Daniel Hallsworth, Jacob Tierney, Kazuyoshi Maruta, and Z. Cliffe Schreuders
Type: Post
Pull request: #19169 contributed by The-Pink-Panther
Path: windows/gather/credentials/adi_irc

Description: This adds a gather module leveraging Packrat targeting Adi IRC client.

CarotDAV credential gatherer

Authors: Barwar Salim M, Daniel Hallsworth, Jacob Tierney, Kazuyoshi Maruta, and Z. Cliffe Schreuders
Type: Post
Pull request: #19173 contributed by The-Pink-Panther
Path: windows/gather/credentials/carotdav_ftp

Description: This adds a gather module leveraging Packrat targeting the CarotDAV FTP client.

Halloy IRC credential gatherer

Authors: Barwar Salim M, Daniel Hallsworth, Jacob Tierney, Kazuyoshi Maruta, and Z. Cliffe Schreuders
Type: Post
Pull request: #19165 contributed by The-Pink-Panther
Path: windows/gather/credentials/halloy_irc

Description: This adds a module leveraging Packrat to gather credentials against the Halloy IRC client.

Quassel IRC credential gatherer

Authors: Barwar Salim M, Daniel Hallsworth, Jacob Tierney, Kazuyoshi Maruta, and Z. Cliffe Schreuders
Type: Post
Pull request: #19166 contributed by The-Pink-Panther
Path: windows/gather/credentials/quassel_irc

Description: This adds a gather module leveraging Packrat targeting Quassel IRC client.

Sylpheed email credential gatherer

Authors: Barwar Salim M, Daniel Hallsworth, Jacob Tierney, Kazuyoshi Maruta, and Z. Cliffe Schreuders
Type: Post
Pull request: #19171 contributed by The-Pink-Panther
Path: windows/gather/credentials/sylpheed

Description: This adds a gather module leveraging Packrat targeting Sylpheed Email client.

Enhancements and features (1)

• #19189 from adfoster-r7 - Updates Metasploit framework's default Ruby version to 3.1.5; newer Ruby versions are also supported.

Bugs fixed (4)

• #19002 from adfoster-r7 - Fixed persistent jobs not working when rebooting MSF console.
• #19170 from sjanusz-r7 - Fixes the smb_lookupsid module hanging with STATUS_PENDING when running against Samba targets.
• #19186 from dwelch-r7 - Fixes a bug were the show advanced command could show normal options.
• #19192 from adfoster-r7 - Fix crashing mipsel modules when running Ruby 3.3.0.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.9...6.4.10
• Full diff 6.4.9...6.4.10

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

New module content (3)

GitLab Password Reset Account Takeover

Authors: asterion04 and h00die
Type: Auxiliary
Pull request: #18716 contributed by h00die
Path: admin/http/gitlab_password_reset_account_takeover
AttackerKB reference: CVE-2023-7028

Description: This adds an exploit module that leverages an account-take-over vulnerability to take control of a GitLab account without user interaction. The vulnerability lies in the password reset functionality as it’s possible to provide two email addresses so that
the reset code will be sent to both. It is therefore possible to provide the email
address of the target account as well as that of one we control, and to reset the password.

MinIO Bootstrap Verify Information Disclosure

Authors: RicterZ and joel <joel @ ndepthsecurity>
Type: Auxiliary
Pull request: #18775 contributed by 6a6f656c
Path: gather/minio_bootstrap_verify_info_disc
AttackerKB reference: CVE-2023-28432

Description: This adds an auxiliary module that leverages an information disclosure (CVE-2023-28432) in a cluster deployment of MinIO versions from RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z. This retrieves all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD.

JetBrains TeamCity Unauthenticated Remote Code Execution

Author: sfewer-r7
Type: Exploit
Pull request: #18922 contributed by sfewer-r7
Path: multi/http/jetbrains_teamcity_rce_cve_2024_27198
AttackerKB reference: CVE-2024-27198

Description: This adds an exploit module that leverages an authentication bypass vulnerability in JetBrains TeamCity (CVE-2024-27198) to achieve unauthenticated RCE. The authentication bypass enables access to the REST API and creates a new administrator access token. This token can be used to upload a plugin which contains a Metasploit payload.

Enhancements and features (5)

• #18835 from zgoldman-r7 - This PR reduces code duplication in the modules/exploits/windows/mssql/mssql_payload module.
• #18899 from zeroSteiner - Updates the tools/payloads/ysoserial/dot_net.rb tool to add options for encoding the resulting payload as a viewstate.
• #18930 from dwelch-r7 - This PR adds the ability to run a help command from within the interactive SQL prompt.
• #18931 from cgranleese-r7 - Adds additional help information when interacting with an SQL session.
• #18932 from adfoster-r7 - This PR adds PostgreSQL session type acceptance tests using Allure report generation as well as a local test module.

Bugs fixed (5)

• #18944 from zeroSteiner - This fixes an issue when saving and loading DNS rules from the config.
• #18945 from adfoster-r7 - Fixes an issue that caused a crash when running http crawler with database connected.
• #18949 from zeroSteiner - This updates the DNS feature to notify the user a restart is required when the feature is enabled or disabled.
• #18952 from cgranleese-r7 - Updates Postgres hashdump module to now work with newer versions of Postgres.
• #18954 from adfoster-r7 - This PR fixes an issue where modules were not honoring spooler settings.

Documentation added (3)

• #18868 from zeroSteiner - This adds documentation for the new DNS command.
• #18937 from jjoshm - Fixes a typo in the Kerberos documentation.
• #18951 from adfoster-r7 - This PR improves documentation on running Postgres acceptance tests locally.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.59...6.3.60
• Full diff 6.3.59...6.3.60

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro