Rapid7 Blog, Christopher Granleese, May 10, 2024, 8:12 p.m.

Metasploit Wrap-Up 05/10/2024

Tags: password spraying, bruteforce module, updated modules, cve-2024-20767, adobe coldfusion, crushftp, mssql, docker privileged container kernel escape, ldap signing, encryption, vulnerability, exploit, file read, mssql fingerprinting


Password Spraying support

Multiple bruteforce/login scanner modules have been updated to support a PASSWORD_SPRAY module option. This work was completed in pull request #19079 from nrathaus, together with an additional update from our developers. When the password spraying option is set, the order in which username and password combinations are attempted changes.

For example, take the usernames user1 and user2 and the passwords password1 and password2. The default bruteforce logic attempts every password against the first user before continuing to the next user:

user1:password1
user1:password2
user2:password1
user2:password2

When the PASSWORD_SPRAY option is set, each password is tried against each username first:

user1:password1
user2:password1
user1:password2
user2:password2

This change of order can be useful because it decreases the risk of account lockout when larger password lists are used: each account sees only one attempt per pass over the user list rather than a long run of consecutive failures.
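The two orderings described above, written out as an added example (this is not Metasploit's own code and does not use its credential-collection API). The first two functions produce the default and PASSWORD_SPRAY sequences; `max_consecutive_per_user` shows why spraying is gentler on per-account lockout counters; and `classify_sources` is a defender-side heuristic that tells the two patterns apart in authentication-failure logs. The log format, the source IPs and usernames, and the thresholds (`min_users`, `max_per_user`, `min_attempts`) are all constructed for the example and are assumptions, not values from the page.

```ruby
# Added example, not Metasploit code. Demonstrates bruteforce vs. spray
# ordering and a simple detection heuristic over constructed log lines.

# Default bruteforce order: every password against user1, then every
# password against user2, and so on.
def bruteforce_order(users, passwords)
  users.flat_map { |u| passwords.map { |p| [u, p] } }
end

# PASSWORD_SPRAY order: one password is tried against every user before
# moving on to the next password.
def spray_order(users, passwords)
  passwords.flat_map { |p| users.map { |u| [u, p] } }
end

# Longest run of consecutive attempts against the same account. A lockout
# policy that counts failures per account is tripped by long runs; the spray
# ordering keeps every run at length 1 (as long as there is more than one user).
def max_consecutive_per_user(pairs)
  best = 0
  run = 0
  prev = nil
  pairs.each do |user, _password|
    run = (user == prev) ? run + 1 : 1
    best = run if run > best
    prev = user
  end
  best
end

# Constructed log format (an assumption for this example):
#   "<epoch seconds> auth_fail src=<ip> user=<name>"
LOG_RE = /\A(\d+) auth_fail src=(\S+) user=(\S+)\z/

# Constructed sample: 203.0.113.5 rotates through three accounts twice (spray
# shape), 198.51.100.9 hammers one account (bruteforce shape), 192.0.2.7 fails once.
SAMPLE_LOG = [
  "1000 auth_fail src=203.0.113.5 user=alice",
  "1001 auth_fail src=203.0.113.5 user=bob",
  "1002 auth_fail src=203.0.113.5 user=carol",
  "1003 auth_fail src=203.0.113.5 user=alice",
  "1004 auth_fail src=203.0.113.5 user=bob",
  "1005 auth_fail src=203.0.113.5 user=carol",
  "1010 auth_fail src=198.51.100.9 user=dave",
  "1011 auth_fail src=198.51.100.9 user=dave",
  "1012 auth_fail src=198.51.100.9 user=dave",
  "1013 auth_fail src=198.51.100.9 user=dave",
  "1020 auth_fail src=192.0.2.7 user=erin",
].freeze

# Classify each source IP by the shape of its failures inside a trailing
# window: many distinct accounts with few attempts each looks like a spray,
# many attempts against a single account looks like a classic bruteforce.
# Thresholds are illustrative assumptions, not a recommended policy.
def classify_sources(lines, window: 60, min_users: 3, max_per_user: 2.0, min_attempts: 3)
  by_src = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    m = LOG_RE.match(line.strip)
    next unless m
    by_src[m[2]] << [m[1].to_i, m[3]]
  end

  by_src.transform_values do |events|
    events.sort_by!(&:first)
    cutoff = events.last.first - window
    recent = events.select { |t, _| t >= cutoff }
    users = recent.map(&:last).uniq
    per_user = recent.size.to_f / users.size
    if users.size >= min_users && per_user <= max_per_user
      :spray
    elsif users.size == 1 && recent.size >= min_attempts
      :bruteforce
    else
      :normal
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  users = %w[user1 user2]
  passwords = %w[password1 password2]
  puts "default: #{bruteforce_order(users, passwords).map { |u, p| "#{u}:#{p}" }.join(' ')}"
  puts "spray:   #{spray_order(users, passwords).map { |u, p| "#{u}:#{p}" }.join(' ')}"
  classify_sources(SAMPLE_LOG).each { |src, verdict| puts "#{src} -> #{verdict}" }
end
```

The classifier is deliberately naive (one trailing window per source, fixed thresholds) so that the contrast is visible: the spray source never fails the same account twice in a row, which is exactly what keeps it below a per-account lockout threshold, and it is therefore the number of distinct accounts per source, not failures per account, that a detection rule for this pattern has to count.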

New module content (4)

CVE-2024-20767 - Adobe Coldfusion Arbitrary File Read

Authors: Christiaan Beek, jheysel-r7, ma4ter, and yoryio
Type: Auxiliary
Pull request: #19050 contributed by jheysel-r7
Path: gather/coldfusion_pms_servlet_file_read
AttackerKB reference: CVE-2024-20767

Description: This adds an auxiliary module to exploit an Arbitrary File Read Vulnerability in Adobe ColdFusion versions prior to '2023 Update 6' and prior to '2021 Update 12'.

CrushFTP Unauthenticated Arbitrary File Read

Author: remmons-r7
Type: Auxiliary
Pull request: #19147 contributed by remmons-r7
Path: gather/crushftp_fileread_cve_2024_4040
AttackerKB reference: CVE-2024-4040

Description: This adds an exploit module that leverages an unauthenticated server-side template injection vulnerability in CrushFTP versions prior to 10.7.1 and prior to 11.1.0 (as well as legacy 9.x versions) to read any files on the server file system as root.

MSSQL Version Utility

Author: Zach Goldman
Type: Auxiliary
Pull request: #18907 contributed by zgoldman-r7
Path: scanner/mssql/mssql_version

Description: Adds a new auxiliary/scanner/mssql/mssql_version module for fingerprinting Microsoft SQL Server targets.

Docker Privileged Container Kernel Escape

Authors: Eran Ayalon, Ilan Sokol, and Nick Cottrell
Type: Exploit
Pull request: #18519 contributed by rad10
Path: linux/local/docker_privileged_container_kernel_escape

Description: This adds a local exploit that allows Metasploit to escape container environments in which the SYS_MODULE capability is present.

Enhancements and features (3)

  • #19125 from zgoldman-r7 - Updates MSSQL platform/arch fingerprinting to be more resilient.
  • #19127 from smashery - This implements LDAP signing and encryption for both NTLM and Kerberos.
  • #19158 from cgranleese-r7 - Updates multiple login modules to support the PASSWORD_SPRAY datastore option.

Bugs fixed (3)

  • #19156 from cgranleese-r7 - Fixes a bug with the PASSWORD_SPRAY support for login scanners where the default username datastore option was not being tried.
  • #19159 from cgranleese-r7 - Improves the error detection when detecting platform and arch for PostgreSQL session types.
  • #19163 from zeroSteiner - Updates the modules/auxiliary/scanner/smb/smb_version module to support a user-defined RPORT. Previously the module was hard-coded to test ports 139 and 445.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro
