Last updated at Thu, 25 Jan 2024 00:35:32 GMT

Apache MQ and Three Cisco Modules in a Trenchcoat

This week’s release has a lot of new content and features modules targeting two major recent vulnerabilities that got a great deal of attention: CVE-2023-46604 targeting Apache MQ resulting in ransomware deployment and CVE-2023-20198 targeting Cisco IOS XE OS.

New module content (8)

Cisco IOS-XE unauthenticated Command Line Interface (CLI) execution

Author: sfewer-r7
Type: Auxiliary
Pull request: #18507 contributed by sfewer-r7
Path: admin/http/cisco_ios_xe_cli_exec_cve_2023_20198

Description: This PR adds three modules: auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198 leverages CVE-2023-20198 to perform unauthenticated remote CLI command execution, module auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273 leverages both CVE-2023-20198 and CVE-2023-20273 to perform unauthenticated remote OS command execution, and exploit/linux/misc/cisco_ios_xe_rce uses the same two vulnerabilities to run an arbitrary payload on the target.

MagnusBilling application unauthenticated Remote Command Execution.

Authors: Eldstal and h00die-gr3y h00die.gr3y@gmail.com
Type: Exploit
Pull request: #18481 contributed by h00die-gr3y
Path: linux/http/magnusbilling_unauth_rce_cve_2023_30258

Description: This adds an exploit module that leverages CVE-2023-30258, a command injection vulnerability in MagnusBilling versions 6 and 7 that allows unauthenticated remote code execution in the context of the user running the web server process.

Apache ActiveMQ Unauthenticated Remote Code Execution

Authors: X1r0z and sfewer-r7
Type: Exploit
Pull request: #18501 contributed by sfewer-r7
Path: multi/misc/apache_activemq_rce_cve_2023_46604

Description: This pull request is an exploit module for CVE-2023-46604, affecting the OpenWire transport unmarshaller in Apache ActiveMQ.

AjaxPro Deserialization Remote Code Execution

Authors: Hans-Martin Münch (MOGWAI LABS) and Jemmy Wang
Type: Exploit
Pull request: #18494 contributed by Jemmy1228
Path: windows/http/ajaxpro_deserialization_rce

Description: This PR adds an RCE module for AjaxPro which leverages an insecure deserialization of data to get remote code execution on the target OS in the context of the user running the website which utilized AjaxPro.

Apache NiFi Credentials Gather

Authors: Topaco and h00die
Type: Post
Pull request: #18503 contributed by h00die
Path: linux/gather/apache_nifi_credentials

Description: This PR adds a post module to steal config and credential information for Apache NiFi.

Windows Gather PL/SQL Developer Connection Credentials

Authors: Adam Caudill and Jemmy Wang
Type: Post
Pull request: #18491
Path: windows/gather/credentials/plsql_developer

Description: Unable to find PR information, please complete manually

Enhancements and features (3)

  • #18218 from gardnerapp - This PR reduces the number of requests the Windows checkvm post module sends to the host when attempting to determine what hypervisor the session is running in by saving the initial responses in instance variables for later use in the module. The PR also includes many other general code improvements.
  • #18379 from dwelch-r7 - This PR improves the Kerberos service authenticator hostname matching for ccache credentials. Prior to this change the service authenticator was filtering out valid credentials when the hostname wasn't an exact match when credentials for a domain (i.e. windomain.local) should work on a subdomain (i.e. dc.windomain.local).
  • #18504 from h00die - Updates the auxiliary/scanner/http/grafana_plugin_traversal module to include a disclosure date and a link to the original disclosure blog post.

Bugs fixed (1)

  • #18506 from zeroSteiner - This PR fixes a stability issue with the f5_bigip_tmui_rce_cve_2023_46747 module. Prior to this fix, occasionally the module would fail on login as things were running too quickly. The module now retries logging in if the first attempt fails.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).