Last updated at Fri, 06 Dec 2024 21:21:09 GMT

Post-Thanksgiving Big Release

This week's release is an impressive one. It adds 9 new modules, which will get you remote code execution on products such as Ivanti Connect Secure, VMware vCenter Server, Asterisk, Fortinet FortiManager and Acronis Cyber Protect. It also includes an account takeover on Wordpress, a local privilege escalation on Windows and a X11 keylogger module. Finally, this release improves the fingerprinting logic for the TeamCity login module and adds instructions about the installation of the Metasploit development environment on windows using Powershell in the official documentation. A big thank you to the community for this awesome release!

New module content (9)

Wordpress POST SMTP Account Takeover

Authors: Ulysses Saicha and h00die
Type: Auxiliary
Pull request: #19596 contributed by h00die
Path: admin/http/wp_post_smtp_acct_takeover
AttackerKB reference: CVE-2023-6875

Description: The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress, plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This adds an exploit module which allows an attacker to reset the password of any known user on the system.

X11 Keylogger

Authors: h00die and nir tzachar
Type: Auxiliary
Pull request: #18877 contributed by h00die
Path: gather/x11_keyboard_spy
AttackerKB reference: CVE-1999-0526

Description: This adds a new X11 library and module that uses it to remotely capture key presses from open X servers.

Chamilo v1.11.24 Unrestricted File Upload PHP Webshell

Authors: Ngo Wei Lin and jheysel-r7
Type: Exploit
Pull request: #19629 contributed by jheysel-r7
Path: linux/http/chamilo_bigupload_webshell
AttackerKB reference: CVE-2023-4220

Description: This adds an exploit module for Chamilo LMS, where versions prior to 1.11.24, a webshell can be uploaded via the bigload.php endpoint allowing remote code execution in the context of www-data (CVE-2023-4220).

Ivanti Connect Secure Authenticated Remote Code Execution via OpenSSL CRLF Injection

Authors: Christophe De La Fuente and Richard Warren
Type: Exploit
Pull request: #19595 contributed by cdelafuente-r7
Path: linux/http/ivanti_connect_secure_rce_cve_2024_37404
AttackerKB reference: CVE-2024-37404

Description: Adds an exploit module for a CRLF injection vulnerability in Ivanti Connect Secure to achieve remote code execution. Versions prior to 22.7R2.1 and 22.7R2.2 are vulnerable. Ivanti Policy Secure versions prior to 22.7R1.1 are also vulnerable but this module doesn't support this software. Valid administrative credentials are required. A non-administrative user is also required and can be created using the administrative account, if needed. Also the Client Log Upload feature needs to be enabled. This can also be done using the administrative interface if it is not enabled already.

vCenter Sudo Privilege Escalation

Authors: Matei "Mal" Badanoiu and h00die
Type: Exploit
Pull request: #19402 contributed by h00die
Path: linux/local/vcenter_sudo_lpe
AttackerKB reference: CVE-2024-37081

Description: VMware vCenter Server < 7.0.3 update R and < 8.0.2 update D contains multiple local privilege escalation vulnerabilities due to misconfiguration of sudo. An authenticated local user with non-administrative privileges may exploit these issues to elevate privileges to root on vCenter Server Appliance. This adds a post module to exploit these vulnerabilities.

Asterisk AMI Originate Authenticated RCE

Authors: Brendan Coles bcoles@gmail.com, NielsGaljaard, and h00die
Type: Exploit
Pull request: #19613 contributed by h00die
Path: linux/misc/asterisk_ami_originate_auth_rce
AttackerKB reference: CVE-2024-42365

Description: Adds an authenticated RCE module for Asterisk via AMI. This vulnerability is tracked as CVE-2024-42365. This also moves the underlying functionality that enables the module to interact with the Asterisk application, originally written by @bcoles, to a library.

Fortinet FortiManager Unauthenticated RCE

Author: sfewer-r7
Type: Exploit
Pull request: #19648 contributed by sfewer-r7
Path: linux/misc/fortimanager_rce_cve_2024_47575
AttackerKB reference: CVE-2024-47575

Description: Adds a module that exploits a missing authentication vulnerability affecting FortiManager and FortiManager Cloud devices to achieve unauthenticated RCE with root privileges. This vulnerability is being tracked as CVE-2024-47575.

Acronis Cyber Protect/Backup remote code execution

Authors: Sandro Tolksdorf of usd AG. and h00die-gr3y h00die.gr3y@gmail.com
Type: Exploit
Pull request: #19583 contributed by h00die-gr3y
Path: multi/acronis_cyber_protect_unauth_rce_cve_2022_3405
AttackerKB reference: CVE-2022-3405

Description: This exploits an RCE and sensitive information disclosure vulnerability due to excessive privileges assigned to Acronis Agent. The following products are affected: Acronis Cyber Protect 15 before build 29486, Acronis Cyber Backup 12.5 before build 16545.

Windows Access Mode Mismatch LPE in ks.sys

Authors: AngelBoy, jheysel-r7, and varwara
Type: Exploit
Pull request: #19574 contributed by jheysel-r7
Path: windows/local/cve_2024_35250_ks_driver
AttackerKB reference: CVE-2024-35250

Description: This adds a post module to gain NT AUTHORITY/SYSTEM privileges on a Windows target vulnerable to CVE-2024-35230.

Enhancements and features (1)

  • #19684 from sjanusz-r7 - Improves the fingerprinting logic for the auxiliary/scanner/teamcity/teamcity_login module.

Documentation added (1)

  • #19622 from soroshsabz - This improves the Metasploit development environment installation documentation by adding Powershell instructions on Windows 10 and earlier.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

NEVER MISS AN EMERGING THREAT

Be the first to learn about the latest vulnerabilities and cybersecurity news.