National Cyber Warfare Foundation (NCWF)

Metasploit Weekly Wrap-Up 12 06 2024


2024-12-06 20:34:11
milo
Red Team (CNA)


Post-Thanksgiving Big Release


Metasploit Weekly Wrap-Up 12/06/2024

This week's release is an impressive one. It adds 9 new modules, which will get you remote code execution on products such as Ivanti Connect Secure, VMware vCenter Server, Asterisk, Fortinet FortiManager and Acronis Cyber Protect. It also includes an account takeover on WordPress, a local privilege escalation on Windows and an X11 keylogger module. Finally, this release improves the fingerprinting logic for the TeamCity login module and adds instructions for installing the Metasploit development environment on Windows using PowerShell to the official documentation. A big thank you to the community for this awesome release!


New module content (9)


Wordpress POST SMTP Account Takeover


Authors: Ulysses Saicha and h00die

Type: Auxiliary

Pull request: #19596 contributed by h00die

Path: admin/http/wp_post_smtp_acct_takeover

AttackerKB reference: CVE-2023-6875


Description: The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin is vulnerable to unauthorized access and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This adds an auxiliary module that allows an attacker to reset the password of any known user on the system.


X11 Keylogger


Authors: h00die and nir tzachar

Type: Auxiliary

Pull request: #18877 contributed by h00die

Path: gather/x11_keyboard_spy

AttackerKB reference: CVE-1999-0526


Description: This adds a new X11 library and a module that uses it to remotely capture key presses from open X servers (servers that accept client connections without authorization).


Chamilo v1.11.24 Unrestricted File Upload PHP Webshell


Authors: Ngo Wei Lin and jheysel-r7

Type: Exploit

Pull request: #19629 contributed by jheysel-r7

Path: linux/http/chamilo_bigupload_webshell

AttackerKB reference: CVE-2023-4220


Description: This adds an exploit module for Chamilo LMS. In versions up to and including 1.11.24, a webshell can be uploaded via the bigload.php endpoint, allowing remote code execution in the context of www-data (CVE-2023-4220).


Ivanti Connect Secure Authenticated Remote Code Execution via OpenSSL CRLF Injection


Authors: Christophe De La Fuente and Richard Warren

Type: Exploit

Pull request: #19595 contributed by cdelafuente-r7

Path: linux/http/ivanti_connect_secure_rce_cve_2024_37404

AttackerKB reference: CVE-2024-37404


Description: Adds an exploit module for a CRLF injection vulnerability in Ivanti Connect Secure to achieve remote code execution. Versions prior to 22.7R2.1 and 22.7R2.2 are vulnerable. Ivanti Policy Secure versions prior to 22.7R1.1 are also vulnerable, but this module does not support that product. Valid administrative credentials are required. A non-administrative user is also required and can be created with the administrative account if needed. The Client Log Upload feature must also be enabled; this too can be done from the administrative interface if it is not enabled already.


vCenter Sudo Privilege Escalation


Authors: Matei "Mal" Badanoiu and h00die

Type: Exploit

Pull request: #19402 contributed by h00die

Path: linux/local/vcenter_sudo_lpe

AttackerKB reference: CVE-2024-37081


Description: VMware vCenter Server < 7.0.3 update R and < 8.0.2 update D contains multiple local privilege escalation vulnerabilities due to misconfiguration of sudo. An authenticated local user with non-administrative privileges may exploit these issues to elevate privileges to root on the vCenter Server Appliance. This adds a local exploit module for these vulnerabilities.


Asterisk AMI Originate Authenticated RCE


Authors: Brendan Coles, NielsGaljaard, and h00die

Type: Exploit

Pull request: #19613 contributed by h00die

Path: linux/misc/asterisk_ami_originate_auth_rce

AttackerKB reference: CVE-2024-42365


Description: Adds an authenticated RCE module for Asterisk via the Asterisk Manager Interface (AMI). This vulnerability is tracked as CVE-2024-42365. This also moves the functionality that lets the module talk to the Asterisk application, originally written by @bcoles, into a library.
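AMI, the interface the module speaks over, is a plain text protocol: a one-line banner on connect, then messages made of `Key: Value` lines terminated by a blank line, with `Action:` packets from the client and `Response:`/`Event:` packets from the server. The Ruby below is an added example written for this page, not Metasploit's Asterisk library; it shows the framing a client library needs (an encoder that refuses CR/LF in values, since AMI has no escaping and a stray newline would start a new header, and an incremental parser that copes with packets arriving split across reads) and walks a Login exchange against constructed server output. The credentials, the version in the banner and the server chunks are all made up for the demonstration.

```ruby
# Added example: minimal framing for the Asterisk Manager Interface (AMI).
# Not Metasploit's library; the server output in demo_login is constructed.
module AmiFraming
  CRLF = "\r\n"

  # Serialise an action packet. AMI has no escaping, so a CR or LF inside a
  # value would terminate the header and inject a new one: reject it.
  def self.encode_action(name, fields = {})
    lines = ["Action: #{name}"]
    fields.each do |key, value|
      raise ArgumentError, "CR/LF in AMI field #{key}" if value.to_s.match?(/[\r\n]/)
      lines << "#{key}: #{value}"
    end
    lines.join(CRLF) + CRLF + CRLF
  end

  # Incremental parser: feed bytes as they arrive and get back every complete
  # packet as a Hash of header => value. Partial data stays buffered. The
  # first line the server sends is the banner, which is not a packet.
  class Parser
    attr_reader :banner

    def initialize
      @buf = +''
      @banner = nil
    end

    def feed(data)
      @buf << data
      if @banner.nil? && (nl = @buf.index(CRLF))
        @banner = @buf.slice!(0, nl + CRLF.size).chomp
      end
      return [] if @banner.nil?

      packets = []
      while (idx = @buf.index(CRLF + CRLF))
        raw = @buf.slice!(0, idx + (CRLF + CRLF).size)
        packets << parse_packet(raw)
      end
      packets
    end

    private

    def parse_packet(raw)
      raw.split(CRLF).each_with_object({}) do |line, packet|
        key, value = line.split(': ', 2)
        packet[key] = value.to_s if key && !key.empty?
      end
    end
  end

  # Login exchange against constructed server output (assumed credentials and
  # version). Chunks are split mid-packet on purpose to exercise buffering.
  def self.demo_login
    sent = encode_action('Login', 'Username' => 'admin', 'Secret' => 'hunter2', 'ActionID' => '1')
    server_chunks = [
      "Asterisk Call Manager/7.0.3\r\nResponse: Succ",
      "ess\r\nActionID: 1\r\nMessage: Authentication accepted\r\n\r\n",
      "Event: FullyBooted\r\nPrivilege: system,all\r\nStatus: Fully Booted\r\n\r\n"
    ]
    parser = Parser.new
    received = server_chunks.flat_map { |chunk| parser.feed(chunk) }
    { sent: sent, banner: parser.banner, received: received }
  end
end
```

A real client would write the result of `encode_action` to a TCP socket on port 5038 and feed whatever it reads into one `Parser` instance; matching `ActionID` in the response to the one sent is how a library tells responses apart from unsolicited events arriving on the same stream.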


Fortinet FortiManager Unauthenticated RCE


Author: sfewer-r7

Type: Exploit

Pull request: #19648 contributed by sfewer-r7

Path: linux/misc/fortimanager_rce_cve_2024_47575

AttackerKB reference: CVE-2024-47575


Description: Adds a module that exploits a missing authentication vulnerability affecting FortiManager and FortiManager Cloud devices to achieve unauthenticated RCE with root privileges. This vulnerability is being tracked as CVE-2024-47575.


Acronis Cyber Protect/Backup remote code execution


Authors: Sandro Tolksdorf of usd AG and h00die-gr3y

Type: Exploit

Pull request: #19583 contributed by h00die-gr3y

Path: multi/acronis_cyber_protect_unauth_rce_cve_2022_3405

AttackerKB reference: CVE-2022-3405


Description: This exploits an RCE and sensitive information disclosure vulnerability due to excessive privileges assigned to Acronis Agent. The following products are affected: Acronis Cyber Protect 15 before build 29486, Acronis Cyber Backup 12.5 before build 16545.


Windows Access Mode Mismatch LPE in ks.sys


Authors: AngelBoy, jheysel-r7, and varwara

Type: Exploit

Pull request: #19574 contributed by jheysel-r7

Path: windows/local/cve_2024_35250_ks_driver

AttackerKB reference: CVE-2024-35250


Description: This adds a local exploit module to gain NT AUTHORITY\SYSTEM privileges on a Windows target vulnerable to CVE-2024-35250.


Enhancements and features (1)



  • #19684 from sjanusz-r7 - Improves the fingerprinting logic for the auxiliary/scanner/teamcity/teamcity_login module.


Documentation added (1)



  • #19622 from soroshsabz - This improves the Metasploit development environment installation documentation by adding PowerShell instructions for Windows 10 and earlier.


You can always find more documentation on our docsite at docs.metasploit.com.


Get it


As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:



If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.




Source: Rapid7
Source Link: https://blog.rapid7.com/2024/12/06/metasploit-weekly-wrap-up-44/



Copyright 2012 through 2025 - National Cyber Warfare Foundation - All rights reserved worldwide.