This week's release has a lot of new content and features modules targeting two major recent vulnerabilities that got a great deal of attention: CVE-2023-46604, targeting Apache ActiveMQ and resulting in ransomware deployment, and CVE-2023-20198, targeting Cisco IOS XE OS.
Author: sfewer-r7
Type: Auxiliary
Pull request: #18507 contributed by sfewer-r7
Path: admin/http/cisco_ios_xe_cli_exec_cve_2023_20198
Description: This PR adds three modules: auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198 leverages CVE-2023-20198 to perform unauthenticated remote CLI command execution, auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273 leverages both CVE-2023-20198 and CVE-2023-20273 to perform unauthenticated remote OS command execution, and exploit/linux/misc/cisco_ios_xe_rce uses the same two vulnerabilities to run an arbitrary payload on the target.
Authors: Eldstal and h00die-gr3y
Type: Exploit
Pull request: #18481 contributed by h00die-gr3y
Path: linux/http/magnusbilling_unauth_rce_cve_2023_30258
Description: This adds an exploit module that leverages CVE-2023-30258, a command injection vulnerability in MagnusBilling versions 6 and 7 that allows unauthenticated remote code execution in the context of the user running the web server process.
Authors: X1r0z and sfewer-r7
Type: Exploit
Pull request: #18501 contributed by sfewer-r7
Path: multi/misc/apache_activemq_rce_cve_2023_46604
Description: This pull request is an exploit module for CVE-2023-46604, affecting the OpenWire transport unmarshaller in Apache ActiveMQ.
Authors: Hans-Martin Münch (MOGWAI LABS) and Jemmy Wang
Type: Exploit
Pull request: #18494 contributed by Jemmy1228
Path: windows/http/ajaxpro_deserialization_rce
Description: This PR adds an RCE module for AjaxPro which leverages insecure deserialization of data to get remote code execution on the target OS in the context of the user running the website that uses AjaxPro.
Authors: Topaco and h00die
Type: Post
Pull request: #18503 contributed by h00die
Path: linux/gather/apache_nifi_credentials
Description: This PR adds a post module to steal config and credential information for Apache NiFi.
Authors: Adam Caudill and Jemmy Wang
Type: Post
Pull request: #18491
Path: windows/gather/credentials/plsql_developer
Description: Unable to find PR information, please complete manually
auxiliary/scanner/http/grafana_plugin_traversal module to include a disclosure date and a link to the original disclosure blog post.
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).