Metasploit Weekly Wrap-Up: Sep. 1, 2023

Last updated at Tue, 23 Jan 2024 21:59:54 GMT

Pumpkin Spice Modules

Here in the northern hemisphere, fall is on the way: leaves changing, the air growing crisp and cool, and some hackers changing the flavor of their caffeine. This release features a new exploit module targeting Apache NiFi as well as a new and improved library to interact with it.

New module content (1)

Apache NiFi H2 Connection String Remote Code Execution

Authors: Matei "Mal" Badanoiu and h00die
Type: Exploit
Pull request: #18257 contributed by h00die
Path: exploits/linux/http/apache_nifi_h2_rce
AttackerKB reference: CVE-2023-34468

Description: This adds an exploit module for a Apache NiFi h2 remote code execution identified as CVE-2023-34468. Versions 0.0.2 through 1.21.0 are vulnerable and allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. This also adds a library with helper functions for modules targeting this product.

Enhanced Modules

Modules which have either been enhanced, or renamed:

Elasticsearch Enumeration Utility

Authors: Silas Cutler and h00die
Type: Auxiliary
Pull request: #18310 contributed by h00die
Path: auxiliary/gather/elasticsearch_enum

Description: This updates the Elasticsearch auxiliary module. It has been renamed to elastic_enum, accepts credentials and will store data to disk that is pulled from the target.

• #18247 from EgeBalci - This adds an exploit module that leverages an authentication bypass and an arbitrary file upload in Netgear ProSAFE NMS300. These vulnerabilities have been identified as CVE-2023-38096 and CVE-2023-38098 respectively and affects versions below 1.7.0.22. By chaining together these vulnerabilities, an unauthenticated remote attacker can execute arbitrary code with SYSTEM privileges.

Enhancements and features (1)

• #18309 from zeroSteiner - This updates the ldap_query module to stream the results instead of collecting them all at once. This should improve the UX of using the module in large target environments with 10s of thousands of accounts and the like.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.31...6.3.32
• Full diff 6.3.31...6.3.32

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).