Multiple bruteforce/login scanner modules have been updated to support a PASSWORD_SPRAY module option. This work was completed in pull request #19079 from nrathaus, together with an additional update from our developers. When the password spraying option is set, the order in which username and password combinations are attempted changes.
For example, with the usernames user1 and user2, and the passwords password1 and password2, the default bruteforce logic attempts all passwords against the first user before continuing to the next user:

user1:password1
user1:password2
user2:password1
user2:password2

When the PASSWORD_SPRAY option is set, each password is tried against every username before moving on to the next password:

user1:password1
user2:password1
user1:password2
user2:password2
This change of order can be useful as it decreases the risk of account lockout with larger password lists: each account receives only one attempt per pass through the user list instead of the whole password list in quick succession.
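To make the ordering difference concrete, here is an added Ruby example (not Metasploit's own code) that generates the credential pairs in both orders and runs them through a simple model of a lockout policy. The policy, the usernames, the passwords and the one-second spacing between attempts are all constructed assumptions for illustration; every attempt is assumed to fail, and no authentication takes place.

```ruby
# Added example, not Metasploit's own code: models the two attempt orderings and an
# assumed lockout policy. No network access or authentication is performed.

# Default bruteforce order: every password against one user, then the next user.
def bruteforce_order(users, passwords)
  users.flat_map { |u| passwords.map { |p| [u, p] } }
end

# PASSWORD_SPRAY order: one password against every user, then the next password.
def spray_order(users, passwords)
  passwords.flat_map { |p| users.map { |u| [u, p] } }
end

# Assumed lockout policy (for illustration only): an account is locked once it has
# seen `threshold` failed attempts within any `window` seconds. Every attempt is
# assumed to fail and attempts are assumed to be spaced `interval` seconds apart.
# Returns the sorted list of usernames the policy would lock.
def locked_accounts(attempts, threshold:, window:, interval:)
  failures = Hash.new { |h, k| h[k] = [] }
  locked = []
  attempts.each_with_index do |(user, _password), i|
    t = i * interval
    next if locked.include?(user)            # an already locked account is skipped
    failures[user] << t
    recent = failures[user].count { |ft| ft >= t - window }
    locked << user if recent >= threshold
  end
  locked.sort
end

# Constructed sample data: five accounts, four candidate passwords.
USERS = %w[user1 user2 user3 user4 user5].freeze
PASSWORDS = %w[password1 password2 password3 password4].freeze
POLICY = { threshold: 3, window: 8, interval: 1 }.freeze

if __FILE__ == $PROGRAM_NAME
  fmt = ->(pairs) { pairs.first(5).map { |u, p| "#{u}:#{p}" }.join(', ') }
  puts "bruteforce order: #{fmt.call(bruteforce_order(USERS, PASSWORDS))} ..."
  puts "spray order:      #{fmt.call(spray_order(USERS, PASSWORDS))} ..."
  puts "locked (bruteforce): #{locked_accounts(bruteforce_order(USERS, PASSWORDS), **POLICY).inspect}"
  puts "locked (spray):      #{locked_accounts(spray_order(USERS, PASSWORDS), **POLICY).inspect}"
end
```

Under the assumed policy the bruteforce order locks every account, because each account receives three consecutive failures within a few seconds, while the spray order locks none, because consecutive attempts against the same account are five attempts apart and fall outside the window. From a defender's side, this is exactly why lockout thresholds alone are a weak control and why per-source and per-password-window rate limiting and alerting on many accounts failing with the same timing are worth having.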
Authors: Christiaan Beek, jheysel-r7, ma4ter, and yoryio
Type: Auxiliary
Pull request: #19050 contributed by jheysel-r7
Path: gather/coldfusion_pms_servlet_file_read
AttackerKB reference: CVE-2024-20767
Description: This adds an auxiliary module to exploit an Arbitrary File Read Vulnerability in Adobe ColdFusion versions prior to "2023 Update 6" and prior to "2021 Update 12".

Author: remmons-r7
Type: Auxiliary
Pull request: #19147 contributed by remmons-r7
Path: gather/crushftp_fileread_cve_2024_4040
AttackerKB reference: CVE-2024-4040
Description: This adds an exploit module that leverages an unauthenticated server-side template injection vulnerability in CrushFTP versions prior to 10.7.1 and prior to 11.1.0 (as well as legacy 9.x versions) to read any files on the server file system as root.

Author: Zach Goldman
Type: Auxiliary
Pull request: #18907 contributed by zgoldman-r7
Path: scanner/mssql/mssql_version
Description: Adds a new auxiliary/scanner/mssql/mssql_version module for fingerprinting Microsoft SQL Server targets.

Authors: Eran Ayalon, Ilan Sokol, and Nick Cottrell
Type: Exploit
Pull request: #18519 contributed by rad10
Path: linux/local/docker_privileged_container_kernel_escape
Description: This adds a local exploit that allows Metasploit to escape container environments in which the SYS_MODULE capability is present.
PASSWORD_SPRAY datastore option.
Fixed an issue with PASSWORD_SPRAY support for login scanners where the default username datastore option was not being tried.
Updated the modules/auxiliary/scanner/smb/smb_version module to support a user-defined RPORT. Previously the module was hard-coded to test ports 139 and 445.

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.