Metasploit Weekly Wrap-Up 08/02/2024

Metasploit goes to Hacker Summer Camp

Next week, Metasploit will have demos at both Black Hat and DEF CON where the latest functionality from this year will be presented. The Black Hat demo will be on Thursday the 8th from 10:10 to 11:25 and the DEF CON demo will be on Saturday the 10th from 12:00 to 13:45.

The highlights will include demonstrations of:

• Exploiting unconstrained delegation entirely in Metasploit with the new post/windows/manage/kerberos_tickets module and Pass-the-Ticket support for auxiliary/gather/windows_secrets_dump. Next with secrets in hand, we’ll demonstrate forging tickets using the new diamond and sapphire techniques.
• Using the new LDAP, SMB and MSSQL session types for both interactive exploration and post modules.
• Configuring the latest DNS options for advanced pivoting scenarios.

New module content (2)

OpenMediaVault rpc.php Authenticated Cron Remote Code Execution

Authors: Brandon Perry [email protected] and h00die-gr3y [email protected]
Type: Exploit
Pull request: #19298 contributed by h00die-gr3y
Path: unix/webapp/openmediavault_auth_cron_rce
AttackerKB reference: CVE-2013-3632

Description: This adds a new module that leverages a vulnerability in OpenMediaVault versions starting from 1.0 until the recent release 7.4.2-2. This vulnerability (CVE-2013-3632) allows an authenticated user to create cron jobs as root on the system and achieve remote code execution.

mySCADA MyPRO Authenticated Command Injection (CVE-2023-28384)

Author: Michael Heinzl
Type: Exploit
Pull request: #19337 contributed by h4x-x0r
Path: windows/scada/mypro_cmdexe
AttackerKB reference: CVE-2023-28384

Description: This adds an exploit module for CVE-2023-28384, a command injection vulnerability in MySCADA MyPRO versions before and including 2.28 allowing the execution of arbitrary commands as NT AUTHORITY\SYSTEM.

Enhanced Modules (2)

Modules which have either been enhanced, or renamed:

• #19331 from Takahiro-Yoko - This update the linux/http/empire_skywalker exploit module to add a new technique that leverages a path traversal vulnerability in BC Security Empire versions before 5.9.3 (CVE-2024-6127). An attacker can achieve unauthenticated remote code execution over HTTP by acting as a normal agent. It is still possible to use this module with older versions from ProjectEmpire/Empire by setting a specific datastore option.
• #19344 from jheysel-r7 - This updates the windows/http/forticlient_ems_fctid_sqli exploit module to gain code execution on FortiClient EMS FCTID for the affected version within the range 7.2.x.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.19…6.4.20
• Full diff 6.4.19…6.4.20

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro