Site icon API Security Blog

Metasploit weekly wrap-up

## New module content (1)

### Metabase Setup Token RCE

![Metasploit weekly wrap-up](https://blog.rapid7.com/content/images/2023/08/metasploit-ascii-1-2.png)

Authors: Maxwell Garrett, Shubham Shah, and h00die
**Type:** Exploit
**Pull request:** [#18232]() contributed by [h00die]()
**Path:** `exploits/linux/http/metabase_setup_token_rce`
**AttackerKB reference:** [CVE-2023-38646]()

**Description:** This adds a module for an unauthenticated RCE against Metabase. Metabase versions before 0.46.6.1 contain a bug where an unauthenticated user can retrieve a setup-token. With this, they can query an API endpoint to setup a new database, then inject an H2 connection string RCE.

## Enhanced Modules (1)

Modules which have either been enhanced, or renamed:

* [#18264]() from [zeroSteiner]() – Updates the `exploits/freebsd/http/citrix_formssso_target_rce` module for CVE-2023-3519 to include two new targets, Citrix ADC (NetScaler) 12.1-65.25, and 12.1-64.17. This module now supports automatic targeting based on the `Last-Modified` header of the `logon/fonts/citrix-fonts.css` resource.

## Enhancements and features (6)

* [#18191]() from [jvoisin]() – This adds support for detecting whether a Metasploit session is running in a Podman container and improves detection for sessions running in Docker, LXC, and WLS containers.
* [#18224]() from [rorymckinley]() – This adds the first iteration of specs for SSH Login scanner.
* [#18231]() from [ErikWynter]() – This adds index selection for the modules returned via the favorites (or show favorites) command.
* [#18244]() from [cgranleese-r7]() – Adds tests to ensure the consistency of Metasploit payloads.
* [#18274]() from [wvu]() – Updates CVE-2020-14871 `exploits/solaris/ssh/pam_username_bof` docs.

## Bugs fixed (2)

* [#18220]() from [dwelch-r7]() – Adds additional error handling when loading Metasploit payloads to msfconsole’s startup process to ensure missing payloads do not crash msfconsole.
* [#18260]() from [adfoster-r7]() – This adds a fix to verify the `EC2_ID` module option is validated.

## Documentation

You can find the latest Metasploit documentation on our docsite at [docs.metasploit.com]().

## Get it

As always, you can update to the latest Metasploit Framework with `msfupdate`
and you can get more details on the changes since the last blog post from
GitHub:

* [Pull Requests 6.3.28…6.3.29]()
* [Full diff 6.3.28…6.3.29]()

If you are a `git` user, you can clone the [Metasploit Framework repo]() (master branch) for the latest.
To install fresh without using git, you can use the open-source-only [Nightly Installers]() or the
[binary installers]() (which also include the commercial edition).Read More

Exit mobile version