Last updated at Fri, 09 Feb 2024 19:35:23 GMT
Go go gadget Fortra GoAnywhere MFT Module
This Metasploit release contains a module for one of 2024's hottest vulnerabilities to date: CVE-2024-0204. The path traversal vulnerability in Fortra GoAnywhere MFT allows unauthenticated attackers to access the InitialAccountSetup.xhtml endpoint, which is used during the product's initial setup to create the first administrator user. After setup has completed, this endpoint is supposed to be no longer available. Attackers can use this vulnerability to create a user with Administrator privileges. Once Administrative privileges have been obtained for the GoAnywhere MFT application, uploading a .jsp payload in order to achieve RCE is trivial.
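For defenders, the behaviour described above suggests a simple log review: after initial setup, no request should reach InitialAccountSetup.xhtml. The following is an added example, not part of the Metasploit module or the original post. It assumes access logs in Common/Combined Log Format (for instance from a reverse proxy in front of the application); the /app/ paths, IP addresses and severity labels are constructed for illustration.

```python
import re
from urllib.parse import unquote

ENDPOINT = "initialaccountsetup.xhtml"  # endpoint named in the text above
# Assumption: Common/Combined Log Format access log lines.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) ')

def fully_decode(uri, max_rounds=5):
    """Percent-decode repeatedly so double-encoded paths are still seen."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def classify(line):
    """Return None, or a finding for a request that touches the setup endpoint."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Drop the query string first so a search term cannot trigger a match.
    path = fully_decode(m["uri"].split("?", 1)[0]).lower()
    if ENDPOINT not in path:
        return None
    status = int(m["status"])
    if m["method"] == "POST" and status < 400:
        severity = "critical"  # submission not rejected: audit admin accounts
    elif status == 200:
        severity = "high"      # setup page served after initial setup
    else:
        severity = "info"      # redirected or rejected, still worth recording
    return {"ip": m["ip"], "time": m["ts"], "method": m["method"],
            "status": status, "traversal": ".." in path, "severity": severity}

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (hypothetical paths and addresses).
SAMPLE = [
    '198.51.100.7 - - [01/Feb/2024:10:00:01 +0000] "GET /app/Login.xhtml HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Feb/2024:10:00:05 +0000] "GET /app/InitialAccountSetup.xhtml HTTP/1.1" 302 0',
    '203.0.113.9 - - [01/Feb/2024:10:02:11 +0000] "GET /app/x/%2e%2e/InitialAccountSetup.xhtml HTTP/1.1" 200 8841',
    '203.0.113.9 - - [01/Feb/2024:10:02:15 +0000] "POST /app/x/%252e%252e/InitialAccountSetup.xhtml HTTP/1.1" 200 912',
]
```

A "critical" finding should be followed by a review of the application's administrator accounts for entries created around the logged time.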
New module content (3)
runc (docker) File Descriptor Leak Privilege Escalation
Description: This adds a local privilege escalation exploit that leverages an internal file descriptor leak in runc versions prior to 1.1.12. An attacker with docker privileges is able to write an arbitrary file on the host file system with the permissions of runc (typically root). With this, the module uploads a payload and sets the execute and SUID permissions on it to escalate privileges.
Cacti RCE via SQLi in pollers.php
Description: This PR adds an exploit module which leverages a SQLi (CVE-2023-49085) and a LFI (CVE-2023-49084) vulnerability in Cacti versions prior to 1.2.26 to achieve RCE.
Fortra GoAnywhere MFT Unauthenticated Remote Code Execution
Description: This pull request adds an exploit module for CVE-2024-0204, a path traversal vulnerability that results in unauthenticated RCE in Fortra GoAnywhere MFT. GoAnywhere MFT versions 6.x from 6.0.1, and 7.x before 7.4.1 are vulnerable.
Enhancements and features (3)
- #18696 from zgoldman-r7 - Introduces a standalone MSSQL client class that can be used in new contexts not tied to a specific module.
- #18718 from cgranleese-r7 - Updates the auxiliary/scanner/mysql/mysql_login.rb module to include a new CreateSession option that opens an interactive session. This functionality is currently behind a feature flag which can be enabled with features set mysql_session_type true.
- #18761 from dwelch-r7 - Adds a user notification that new modules support a CreateSession option. This functionality is currently behind a feature flag which can be enabled with the
Bugs fixed (3)
- #18704 from dwelch-r7 - Fixes a bug with framework having 0 registered nop modules when the defer-module-loads feature was enabled.
- #18773 from sjanusz-r7 - Fixes an issue where Ctrl+C did not work correctly in the context of an interactive PostgreSQL shell prompt inside the PostgreSQL session type.
- #18803 from dwelch-r7 - Fixes a crash when using exploit/multi/handler with an invalid payload name.
Documentation added (1)
- #18782 from ekalinichev-r7 - Updates our existing Windows installation documentation to mention that Administrator privileges are required when installing via our
You can always find more documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.