CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N

This week Metasploit Framework gained a credential gatherer for Wowza Streaming Engine Manager. Credentials for this application are stored in a file named admin.password in a known location and the file is readable by default by BUILTIN\Users on Windows and is world readable on Linux… The module was written by community contributor bcoles who also wrote a login scanner for Wowza this week. The login scanner can be used to validate the credentials found by the gatherer. The two modules complement each other quite nicely.

Author: bcoles
Type: Auxiliary
Pull request: #17733 contributed by bcoles
Description: This adds a login scanner module to brute force credentials of Wowza Streaming Engine Manager.
Authors: Sw33t.0day and h00die-gr3y
Type: Exploit
Pull request: #17507 contributed by h00die-gr3y
AttackerKB reference: CVE-2023-22952
Description: A module has been added which exploits CVE-2023-22952, a RCE vulnerability in SugarCRM 11.0 Enterprise, Professional, Sell, Serve, and Ultimate versions prior to 11.0.5 and SugarCRM 12.0 Enterprise, Sell, and Serve versions prior to 12.0.2. Successful exploitation as an unauthenticated attacker will result in remote code execution as the user running the web services, which is typically www-data.
Author: bcoles
Type: Post
Pull request: #17737 contributed by bcoles
Description: This adds a post module that collects Wowza Streaming Engine user credentials from the admin.password local configuration file. This file is world-readable by default on Linux and readable by BUILTIN\Users on Windows.
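
A defensive check for the exposure described above, as an added example that is not part of the original post or of Metasploit: a POSIX shell audit that reports whether a credential file such as admin.password is group- or world-readable on Linux. The path is passed by the caller because the post does not state the install location, and the --fix option assumes the account that runs the service owns the file.

```shell
#!/bin/sh
# Added example: audit who can read a credential file on Linux.
# Usage: sh audit.sh /path/to/admin.password [--fix]
# The path is caller-supplied; the post does not give the location.

# Print the octal permission bits of a file (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Classify a file by its read bits.
# Prints: missing | world-readable | group-readable | owner-only
classify_cred_file() {
    path=$1
    [ -f "$path" ] || { echo "missing"; return 0; }
    mode=$(file_mode "$path") || { echo "missing"; return 0; }
    # A leading 0 makes the shell read the mode as an octal constant.
    if [ $(( 0$mode & 0004 )) -ne 0 ]; then
        echo "world-readable"
    elif [ $(( 0$mode & 0040 )) -ne 0 ]; then
        echo "group-readable"
    else
        echo "owner-only"
    fi
}

# Report the state. Returns 1 when the file is exposed and not fixed.
# With --fix the mode is tightened to 0600 (assumes the service
# account owns the file, otherwise the service loses access).
audit_cred_file() {
    path=$1
    fix=${2:-}
    state=$(classify_cred_file "$path")
    echo "$path: $state"
    case "$state" in
        world-readable|group-readable)
            [ "$fix" = "--fix" ] || return 1
            chmod 600 "$path" || return 1
            echo "$path: tightened to 0600"
            ;;
    esac
    return 0
}

# Run only when a path was given on the command line.
[ $# -eq 0 ] || audit_cred_file "$@"
```

A non-zero exit status without --fix makes the script usable as a configuration-compliance check in a scheduled job.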

admin/kerberos/forge_ticket to support a new extra_sids option which can be useful for including cross-domain SIDs for forging external Kerberos trust tickets as part of cross-trust domain escalation. The admin/kerberos/inspect_ticket has also been updated to support viewing these extra SID values.

arp command to Python Meterpreter on Linux, and adding support for displaying IPv6 routing tables using the route command on Windows.

max_consecutive_error_count and max_error_count. These options allow users to set the maximum number of errors that are allowed to occur when connecting as well as the maximum number of consecutive errors that are allowed when connecting before the login scanner will give up on a target.

msfconsole has been updated so that performance profiling can also take into account the time it takes to load msfenv and console related libraries, thereby allowing for more accurate performance profiling.

route add and route delete commands as well as the ability to get process information such as process names and paths.

data/wordlists/password.lst password list has been updated to include the master password that LastPass suggests as an example when a user goes to create a new master password, r50$K28vaIFiYxaY, into the password list, as well as to fix some encoding issues.

auxiliary/admin/kerberos/keytab.rb module to additionally export any NTHASHES, which can be useful for decrypting Kerberos network traffic in Wireshark.

lib/msf/core/payload/apk.rb has been updated so that by default it only decompiles the main classes instead of all classes, fixing some issues whereby decompiling all classes would prevent creation of a backdoored APK. This also bumps up the minimum apktool version to 2.4.1 and makes it so that versions prior to 2.7.0 of apktool will throw a warning about being potentially out of date.

modules/encoders/php/base64.rb encoder whereby strings were being passed as literal strings without being properly quoted, which could result in errors on newer versions of PHP.

route command on newer versions of Windows on Windows Meterpreter, and a fix so that both C Meterpreter and Python Meterpreter sessions will attempt to enable the same set of permissions when running getprivs.

getprivs, fix an error in packet_transmit_http whereby error codes were not appropriately returned, and update the arp command to properly return the interface name instead of the index for the interface column.

METASPLOIT_CPU_PROFILE and METASPLOIT_MEMORY_PROFILE options and to explain how to profile msfconsole’s and msfvenom’s performance on systems.

You can always find more documentation on our docsite at docs.metasploit.com.

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).