New module content (2)
GitLab Tags RSS feed email disclosure
Authors: erruquill and n00bhaxor
Type: Auxiliary
Pull request: #18821 contributed by n00bhaxor
Path: gather/gitlab_tags_rss_feed_email_disclosure
AttackerKB reference: CVE-2023-5612
Description: This adds an auxiliary module that leverages an information disclosure vulnerability (CVE-2023-5612) in Gitlab versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 to retrieve user email addresses via tags feed.
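For defenders triaging this one, the useful question is simply whether a given GitLab build falls inside the three affected ranges the description lists. The following Ruby is an added example written for this post, not code from the Metasploit module or from GitLab: it encodes the stated fix versions per branch and applies them to a constructed inventory (hostnames and versions are made up).

```ruby
# Added example (not part of the Metasploit module): decide whether a GitLab
# version string is inside the ranges stated for CVE-2023-5612:
#   everything before 16.6.6, 16.7.x before 16.7.4, 16.8.x before 16.8.1.

# Parse "16.7.3" (optionally with a suffix such as "-ee") into [16, 7, 3].
def parse_version(str)
  core = str.to_s.strip.split(/[-+\s]/).first.to_s
  parts = core.split('.').map { |p| Integer(p, 10) }
  raise ArgumentError, "unrecognised version: #{str.inspect}" if parts.empty? || parts.size > 3
  parts.fill(0, parts.size...3) # pad "16.7" to [16, 7, 0]
end

# First fixed release per branch, taken from the advisory text above.
FIXED = {
  [16, 6] => [16, 6, 6],
  [16, 7] => [16, 7, 4],
  [16, 8] => [16, 8, 1],
}.freeze

def vulnerable_to_cve_2023_5612?(version)
  v = parse_version(version)
  if (fix = FIXED[v[0, 2]])
    (v <=> fix) < 0            # same branch: affected until its fix release
  elsif (v <=> [16, 6, 6]) < 0
    true                       # any older branch has no fixed release at all
  else
    false                      # 16.9 and later are outside the stated ranges
  end
end

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
  'gitlab-a.example.internal' => '16.5.2',
  'gitlab-b.example.internal' => '16.6.6',
  'gitlab-c.example.internal' => '16.7.3-ee',
  'gitlab-d.example.internal' => '16.8.1',
  'gitlab-e.example.internal' => '16.9.0',
}.freeze

# Hosts whose reported version is still inside an affected range.
def hosts_needing_patch(inventory = SAMPLE_INVENTORY)
  inventory.select { |_host, ver| vulnerable_to_cve_2023_5612?(ver) }.keys
end

puts hosts_needing_patch if __FILE__ == $PROGRAM_NAME
```

Run it against the version strings your own GitLab instances report; the branch table is the only part that needs updating if a further advisory widens the affected ranges.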
BoidCMS Command Injection
Authors: 1337kid and bwatters-r7
Type: Exploit
Pull request: #18827 contributed by bwatters-r7
Path: multi/http/cve_2023_38836_boidcms
AttackerKB reference: CVE-2023-38836
Description: This PR adds an authenticated RCE against BoidCMS versions 2.0.0 and earlier. The underlying issue in the vulnerability CVE-2023-38836 is that the file upload check allows a php file to be uploaded and executes as a media file if the GIF header is present in the PHP file.
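The weakness described here is a general one: a magic-byte check proves only that the first bytes look like an image, and a file can begin with a GIF header and still be handled as PHP by the web server. The Ruby below is an added example, not BoidCMS code or the Metasploit module, showing a validator that treats the extension list and the content check as separate, both-required gates; the sample uploads are constructed.

```ruby
# Added example (not BoidCMS code): upload validation that does not rely on a
# magic-byte check alone, illustrating the weakness described for
# CVE-2023-38836, where a PHP file carrying a GIF header was accepted as media.

# Allowed extensions and the leading bytes each must start with.
ALLOWED = {
  '.gif' => ['GIF87a'.b, 'GIF89a'.b],
  '.png' => ["\x89PNG\r\n\x1a\n".b],
  '.jpg' => ["\xFF\xD8\xFF".b],
}.freeze

# Extensions that must never land in a web-served upload directory,
# whatever the leading bytes look like.
SCRIPT_EXTENSIONS = %w[.php .phtml .php3 .php4 .php5 .phar .pht].freeze

# Returns [:ok, reason] or [:reject, reason].
def validate_upload(filename, content)
  # Look at every suffix so "x.gif.php" and "x.php.gif" both fail.
  exts = filename.downcase.scan(/\.[a-z0-9]+/)
  return [:reject, 'no extension'] if exts.empty?
  return [:reject, 'script extension present'] if exts.any? { |e| SCRIPT_EXTENSIONS.include?(e) }

  ext = exts.last
  magics = ALLOWED[ext]
  return [:reject, "extension #{ext} not allowed"] unless magics

  bytes = content.b
  return [:reject, 'content does not match declared type'] unless magics.any? { |m| bytes.start_with?(m) }

  # Defence in depth (heuristic): a valid image header says nothing about the
  # rest of the file, so also refuse content that carries a PHP open tag.
  return [:reject, 'embedded script tag'] if bytes.match?(/<\?(php|=)/i)

  [:ok, 'accepted']
end

# Constructed sample uploads (not real files).
SAMPLES = {
  'cat.gif'        => 'GIF89a' + "\x00" * 16,
  'cat.gif.php'    => 'GIF89a<?php echo 1; ?>',   # the polyglot pattern described above
  'cat.php.gif'    => 'GIF89a<?php echo 1; ?>',
  'innocent.gif'   => 'GIF89a<?php echo 1; ?>',   # right extension, script body
  'mislabeled.gif' => "\x89PNG\r\n\x1a\n".b + "\x00" * 8,
}.freeze

def accepted_samples
  SAMPLES.select { |name, body| validate_upload(name, body).first == :ok }.keys
end

puts accepted_samples if __FILE__ == $PROGRAM_NAME
```

The content heuristic is the weakest gate and will occasionally reject a legitimate binary; the controls that actually close this class are the script-extension deny list and serving uploads from a location where the web server never executes them.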
Enhancements and features (11)
- #18686 from h00die - This updates the existing `auxiliary/scanner/ssh/ssh_version` module with new checks for supported cryptographic algorithms and version detection capabilities.
- #18715 from errorxyz - This adds a Splunk library for use by future modules. It also updates the existing `exploit/multi/http/splunk_privilege_escalation_cve_2023_32707` module to use it.
- #18796 from errorxyz - This updates the ManageEngine Endpoint Central and ServiceDesk Plus RCE modules for CVE-2022-47966. In particular, it adds a Java target so that Java-based payloads can be used.
- #18862 from sjanusz-r7 - This PR aligns the client's peerhost and peerport API for the recently added SQL-based sessions (postgres, mssql, mysql).
- #18875 from dwelch-r7 - This PR adds conditional validation of options depending on the chosen connection type, so for example if you want to connect via `RHOST` we also check (where applicable) that `RPORT` or the `USERNAME` is set. When a connection is made over an existing `SESSION` we can still allow the user to only set `SESSION` and not worry about the missing values only required for a new `RHOST` connection.
- #18887 from cgranleese-r7 - Updates the search command to now search modules that are compatible with a specified session type, for instance: `search session_type:meterpreter` or `search session_type:smb`.
- #18903 from sjanusz-r7 - This PR improves the UX by correctly handling database changes, updating the prompt to show the appropriate database value in the context of a MySQL or MSSQL session.
- #18905 from cgranleese-r7 - Improves the `pwd` command output for SMB sessions.
- #18908 from adfoster-r7 - Update SAMR computer and ICPR cert to support SMB sessions.
- #18921 from dwelch-r7 - This adds the IP address to the SMB session prompt when there is no selected share.
- #18926 from cgranleese-r7 - Update sessions to have a consistent set of local file system commands.
Bugs fixed (5)
- #18844 from sfewer-r7 - This fixes a bug in the file dropper mixin that would prevent files from being deleted with a Windows shell session.
- #18897 from adfoster-r7 - Updates the smb_login module to support configuring the negotiated SMB protocol versions and whether encryption is negotiated.
- #18904 from double16 - Fixes the `windows/gather/bloodhound` module to no longer incorrectly validate the `OutputDirectory` option.
- #18920 from dwelch-r7 - This PR fixes an issue with the `autorunscript` module option within an SMB session.
- #18928 from dwelch-r7 - This PR fixes an issue when running the `auxiliary/gather/windows_secrets_dump` module while using the `SESSION` module option to connect, which caused the client to be disconnected and unable to be reused for subsequent runs or other modules.
Documentation (1)
- #18929 from adfoster-r7 - Updates the Metasploit API documentation library to the latest available version to avoid CVE-2024-27285 - an XSS in the default YARD template. Thanks to Aviv Keller for reporting.
You can always find more documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.
Source: Rapid7
Source Link: https://blog.rapid7.com/2024/03/08/metasploit-wrap-up-03-08-2024/