Metasploit Wrap-Up 03/15/2024

New module content (3)

GitLab Password Reset Account Takeover

Authors: asterion04 and h00die
Type: Auxiliary
Pull request: #18716 contributed by h00die
Path: admin/http/gitlab_password_reset_account_takeover
AttackerKB reference: CVE-2023-7028

Description: This adds an exploit module that leverages an account-take-over vulnerability to take control of a GitLab account without user interaction. The vulnerability lies in the password reset functionality as it’s possible to provide two email addresses so that
the reset code will be sent to both. It is therefore possible to provide the email
address of the target account as well as that of one we control, and to reset the password.

MinIO Bootstrap Verify Information Disclosure

Authors: RicterZ and joel <joel @ ndepthsecurity>
Type: Auxiliary
Pull request: #18775 contributed by 6a6f656c
Path: gather/minio_bootstrap_verify_info_disc
AttackerKB reference: CVE-2023-28432

Description: This adds an auxiliary module that leverages an information disclosure (CVE-2023-28432) in a cluster deployment of MinIO versions from RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z. This retrieves all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD.

JetBrains TeamCity Unauthenticated Remote Code Execution

Author: sfewer-r7
Type: Exploit
Pull request: #18922 contributed by sfewer-r7
Path: multi/http/jetbrains_teamcity_rce_cve_2024_27198
AttackerKB reference: CVE-2024-27198

Description: This adds an exploit module that leverages an authentication bypass vulnerability in JetBrains TeamCity (CVE-2024-27198) to achieve unauthenticated RCE. The authentication bypass enables access to the REST API and creates a new administrator access token. This token can be used to upload a plugin which contains a Metasploit payload.

Enhancements and features (5)

• #18835 from zgoldman-r7 - This PR reduces code duplication in the modules/exploits/windows/mssql/mssql_payload module.
• #18899 from zeroSteiner - Updates the tools/payloads/ysoserial/dot_net.rb tool to add options for encoding the resulting payload as a viewstate.
• #18930 from dwelch-r7 - This PR adds the ability to run a help command from within the interactive SQL prompt.
• #18931 from cgranleese-r7 - Adds additional help information when interacting with an SQL session.
• #18932 from adfoster-r7 - This PR adds PostgreSQL session type acceptance tests using Allure report generation as well as a local test module.

Bugs fixed (5)

• #18944 from zeroSteiner - This fixes an issue when saving and loading DNS rules from the config.
• #18945 from adfoster-r7 - Fixes an issue that caused a crash when running http crawler with database connected.
• #18949 from zeroSteiner - This updates the DNS feature to notify the user a restart is required when the feature is enabled or disabled.
• #18952 from cgranleese-r7 - Updates Postgres hashdump module to now work with newer versions of Postgres.
• #18954 from adfoster-r7 - This PR fixes an issue where modules were not honoring spooler settings.

Documentation added (3)

• #18868 from zeroSteiner - This adds documentation for the new DNS command.
• #18937 from jjoshm - Fixes a typo in the Kerberos documentation.
• #18951 from adfoster-r7 - This PR improves documentation on running Postgres acceptance tests locally.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.59…6.3.60
• Full diff 6.3.59…6.3.60

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Download Gartner® Top Trends in Cybersecurity for 2024 ▶︎