Last updated at Fri, 10 Nov 2023 19:49:00 GMT
Apache MQ and Three Cisco Modules in a Trenchcoat
This week’s release has a lot of new content and features modules targeting two major recent vulnerabilities that got a great deal of attention: CVE-2023-46604, targeting Apache ActiveMQ and resulting in ransomware deployment, and CVE-2023-20198, targeting Cisco IOS XE.
New module content (8)
Cisco IOS-XE unauthenticated Command Line Interface (CLI) execution
Description: This PR adds three modules:
- auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198 leverages CVE-2023-20198 to perform unauthenticated remote CLI command execution,
- auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273 leverages both CVE-2023-20198 and CVE-2023-20273 to perform unauthenticated remote OS command execution, and
- exploit/linux/misc/cisco_ios_xe_rce uses the same two vulnerabilities to run an arbitrary payload on the target.
MagnusBilling application unauthenticated Remote Command Execution.
Description: This adds an exploit module that leverages CVE-2023-30258, a command injection vulnerability in MagnusBilling versions 6 and 7 that allows unauthenticated remote code execution in the context of the user running the web server process.
Apache ActiveMQ Unauthenticated Remote Code Execution
Description: This pull request adds an exploit module for CVE-2023-46604, affecting the OpenWire transport unmarshaller in Apache ActiveMQ.
AjaxPro Deserialization Remote Code Execution
Description: This PR adds an RCE module for AjaxPro which leverages insecure deserialization of data to get remote code execution on the target OS in the context of the user running the website that uses AjaxPro.
Apache NiFi Credentials Gather
Description: This PR adds a post module to steal config and credential information for Apache NiFi.
Windows Gather PL/SQL Developer Connection Credentials
Authors: Adam Caudill and Jemmy Wang
Pull request: #18491
Enhancements and features (3)
- #18218 from gardnerapp - This PR reduces the number of requests the Windows checkvm post module sends to the host when attempting to determine what hypervisor the session is running in by saving the initial responses in instance variables for later use in the module. The PR also includes many other general code improvements.
- #18379 from dwelch-r7 - This PR improves the Kerberos service authenticator hostname matching for ccache credentials. Prior to this change, the service authenticator filtered out valid credentials when the hostname wasn't an exact match, even though credentials for a domain (e.g. windomain.local) should work on a subdomain (e.g. dc.windomain.local).
- #18504 from h00die - Updates the auxiliary/scanner/http/grafana_plugin_traversal module to include a disclosure date and a link to the original disclosure blog post.
Bugs fixed (1)
- #18506 from zeroSteiner - This PR fixes a stability issue with the f5_bigip_tmui_rce_cve_2023_46747 module. Prior to this fix, occasionally the module would fail on login as things were running too quickly. The module now retries logging in if the first attempt fails.
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).