Last updated at Fri, 07 Feb 2025 21:40:17 GMT

Gathering data and improving workflows

This week's release includes 2 new auxiliary modules targeting Argus Surveillance DVR and Ivanti Connect Secure. The former, contributed by Maxwell Francis and based on the work of John Page, can be used to retrieve arbitrary files from the target's filesystem by exploiting an unauthenticated directory traversal vulnerability. The latter, brought by our very own Martin Šutovský, is an HTTP login scanner for Ivanti Connect Secure. This release also adds many improvements to our GitHub continuous integration process and to the AD CS attack-based workflow. Thanks to the community for making Metasploit great!

New module content (2)

Argus Surveillance DVR 4.0.0.0 - Directory Traversal

Authors: John Page and Maxwell Francis
Type: Auxiliary
Pull request: #19847 contributed by TheBigStonk
Path: gather/argus_dvr_4_lfi_cve_2018_15745
AttackerKB reference: CVE-2018-15745

Description: Adds a module which exploits CVE-2018-15745, an unauthenticated directory traversal leading to file disclosure in Argus Surveillance DVR 4.0.0.0.

Ivanti Connect Secure HTTP Scanner

Author: msutovsky-r7
Type: Auxiliary
Pull request: #19844 contributed by msutovsky-r7
Path: scanner/ivanti/login_scanner

Description: This adds an auxiliary module for Ivanti Connect Secure HTTP Login.

Enhancements and features (3)

  • #19779 from h00die - Adds a GitHub workflow to run update_wordpress_vulnerabilities.rb, update_user_agent_strings.rb and update_joomla_components.rb and to post a weekly PR with the changes from each update script. This also converts both update_joomla_components and update_user_agent_strings from Python scripts to Ruby scripts.
  • #19849 from zeroSteiner - This makes changes to the ldap_esc_vulnerable_cert_finder, ad_cs_cert_template and get_ticket modules to enable them to be used as part of larger workflow automation. For all three modules, it adds a return value that indicates whether the operation was successful and includes some relevant information. LDAP object caching has been introduced to reduce the number of queries sent to the target. A #build_certificate_details method has been added to consolidate the collection of information about certificate templates; this ensures that all certificates are returned with common information, regardless of their vulnerability status. DNS records are looked up from LDAP to avoid crashing in instances where the DNS hostname of the CA server cannot be resolved by Metasploit's running configuration. This would be the case when a DC is targeted without the ability to resolve addresses within its domain.
  • #19856 from bwatters-r7 - This fixes certificate request behavior for the esc8 relay module and adds domain controller template support. The certificate generation for the Computer template now correctly requests based on the Machine template name instead of the DisplayName, which previously caused failures. When in AUTO mode and a computer login is detected, the module now attempts to generate certificates based on both the Machine and DomainController templates. This ensures that if a login is coerced from a domain controller (PetitPotam), the appropriate DC certificate is obtained.

Bugs fixed (2)

  • #19813 from h00die - Fixes an issue where Rex::Version.new was causing modules to crash when run against instances of Amazon Linux and other distributions which have a different format for displaying the kernel version.
  • #19837 from adfoster-r7 - Fixes a bug which caused incorrect creation of multiple Mdm::TaskService objects when calling report_service from modules.
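The #19813 fix above addresses a common failure mode: a version-parsing class accepts only a restricted grammar, and a distribution-specific kernel string (an underscore in an architecture suffix, for instance) makes it raise and takes the whole module down with it. The following is an added example, not Metasploit's own code, showing the defensive pattern: it uses Ruby's standard Gem::Version (Rex::Version is a subclass of it, but nothing here depends on Rex), demonstrates that a naive call raises on a constructed Amazon Linux style string, and extracts only the leading dotted numeric release before comparing, returning nil rather than crashing when nothing parses. All sample strings are constructed for illustration.

```ruby
# Added example (not Metasploit's or rex-core's code): defensive parsing of
# `uname -r` style kernel version strings so that an unexpected distribution
# format cannot crash the caller. Sample strings below are constructed.
require 'rubygems'

# Extract the leading numeric dotted release (e.g. "5.10.192") from a raw
# kernel version string. Returns a Gem::Version, or nil when no numeric prefix
# is present, so callers can fail closed instead of raising.
def parse_kernel_version(raw)
  return nil if raw.nil?
  m = raw.strip.match(/\A(\d+(?:\.\d+)*)/)
  return nil unless m
  Gem::Version.new(m[1])
end

# The behaviour being guarded against: feeding the raw string straight into
# Gem::Version.new. Returns true if that raises ArgumentError for this input.
def naive_parse_raises?(raw)
  Gem::Version.new(raw)
  false
rescue ArgumentError
  true
end

# Compare a raw kernel string against a minimum version without crashing on
# odd formats; an unparseable string is treated as "not at least minimum".
def kernel_at_least?(raw, minimum)
  v = parse_kernel_version(raw)
  return false if v.nil?
  v >= Gem::Version.new(minimum)
end

# Constructed sample inputs covering a distribution suffix with an underscore,
# two hyphenated suffixes that Gem::Version happens to accept, and garbage.
SAMPLES = {
  'Amazon Linux (constructed)' => '5.10.192-183.736.amzn2.x86_64',
  'Debian (constructed)'       => '6.1.0-18-amd64',
  'Ubuntu (constructed)'       => '5.15.0-91-generic',
  'garbage (constructed)'      => 'unknown'
}.freeze

if __FILE__ == $0
  SAMPLES.each do |name, raw|
    puts format('%-28s naive raises: %-5s parsed: %s',
                name, naive_parse_raises?(raw), parse_kernel_version(raw).inspect)
  end
end
```

The regex anchors on the start of the string and stops at the first character that is not a digit or a dot, so distribution suffixes of any shape are ignored rather than interpreted; the trade-off is that pre-release or build metadata is discarded, which is acceptable when the only question is whether a kernel meets a minimum release.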

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.
