8 New Metasploit Exploit Modules Released Targeting Critical Vulnerabilities

Metasploit is an open-source penetration testing framework created by Rapid7 that enables security professionals to simulate attacks against computer systems, networks, and applications.

It bundles exploit, auxiliary, post-exploitation and payload modules that let testers find vulnerabilities in a target, confirm they are exploitable, and use them to gain and extend access to the system.

Two recent vulnerabilities that have drawn a lot of attention are CVE-2023-20198, which affects Cisco IOS XE, and CVE-2023-46604, which affects Apache ActiveMQ and has been abused to deploy ransomware.

According to Rapid7's latest Metasploit wrap-up, eight new modules have been added for these and other recent vulnerabilities: six exploit or auxiliary modules and two post-exploitation credential gatherers.

Eight New Metasploit Exploit Modules

Cisco IOS XE Unauthenticated Command Line Interface (CLI) Execution

Three modules are included in this PR. The first, auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198, uses CVE-2023-20198 alone to run unauthenticated IOS XE CLI commands through the web UI.

The second, auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273, chains CVE-2023-20198 with CVE-2023-20273 to run unauthenticated commands on the underlying operating system.

The third, exploit/linux/misc/cisco_ios_xe_rce, chains the same two vulnerabilities to execute an arbitrary payload on the target.

MagnusBilling Application Unauthenticated Remote Command Execution

This PR adds an exploit module for CVE-2023-30258, a command injection vulnerability in MagnusBilling versions 6 and 7. It allows unauthenticated remote code execution in the context of the user running the web server process.

Apache ActiveMQ Unauthenticated Remote Code Execution

This pull request adds an exploit module for CVE-2023-46604, which affects the Apache ActiveMQ OpenWire transport unmarshaller: an unauthenticated attacker with network access to the broker can run arbitrary commands by manipulating the serialized class types the unmarshaller instantiates.

AjaxPro Deserialization Remote Code Execution

This PR adds an RCE module for AjaxPro that abuses insecure deserialization of attacker-controlled data to obtain code execution on the target OS in the context of the user running the website that uses AjaxPro.

Apache NiFi Credentials Gather

This PR adds a post module for Apache NiFi that collects configuration and credential material from a compromised NiFi host.
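As an added illustration of what a credential-gather routine looks for (this is example code written for this article, not the Metasploit module's own), the snippet below parses a nifi.properties file and returns the entries whose keys carry secrets. The file contents are a constructed sample; the property names follow Apache NiFi's stock configuration, while the rule for which keys count as secrets is this example's own heuristic.

```ruby
# Added example, not the Metasploit post module's code: extract the
# credential-bearing entries from an Apache NiFi nifi.properties file.

# Constructed sample of a NiFi configuration. The keys are NiFi's real
# property names; the values are made up for this example.
SAMPLE_NIFI_PROPERTIES = <<~PROPS
  # Core Properties
  nifi.flow.configuration.file=./conf/flow.json.gz
  nifi.web.https.port=8443

  # security properties
  nifi.security.keystore=./conf/keystore.p12
  nifi.security.keystoreType=PKCS12
  nifi.security.keystorePasswd=s3cretKeystore
  nifi.security.keyPasswd=s3cretKey
  nifi.security.truststore=./conf/truststore.p12
  nifi.security.truststorePasswd=s3cretTrust
  nifi.sensitive.props.key=correct-horse-battery-staple
  nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256
  nifi.security.user.login.identity.provider=
PROPS

# Parses Java .properties text into a Hash. Handles comment lines ('#' or
# '!'), blank lines, '=' or ':' separators and backslash line continuations;
# other escape sequences are left untouched, which is enough for NiFi's
# stock config files.
def parse_properties(text)
  props = {}
  logical = +''
  text.each_line do |raw|
    line = raw.chomp
    part = logical.empty? ? line : line.lstrip # continuation lines drop leading space
    if part.end_with?('\\')
      logical << part[0..-2]
      next
    end
    logical << part
    stripped = logical.strip
    logical = +''
    next if stripped.empty? || stripped.start_with?('#', '!')
    key, value = stripped.split(/\s*[=:]\s*/, 2)
    props[key] = value.to_s
  end
  props
end

# Heuristic (this example's own) for keys that hold credentials: keystore and
# truststore passwords, key passwords, and the sensitive-properties key that
# protects secrets stored in the flow definition.
SECRET_KEY_PATTERN = /passwd|password|secret|\.key\z/i

# Returns only the populated secret-bearing entries.
def gather_nifi_secrets(text)
  parse_properties(text).select { |k, v| k.match?(SECRET_KEY_PATTERN) && !v.empty? }
end

if __FILE__ == $PROGRAM_NAME
  gather_nifi_secrets(SAMPLE_NIFI_PROPERTIES).each { |k, v| puts "#{k} = #{v}" }
end
```

On the sample above this yields the two keystore passwords, the truststore password and nifi.sensitive.props.key; keystore paths and algorithm names are configuration, not credentials, and are filtered out. In a real engagement the sensitive-properties key is the one to prioritise, since it is what decrypts the credentials embedded in NiFi's flow definition.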

Windows Gather PL/SQL Developer Connection Credentials

This PR adds a Windows post module that gathers the connection credentials stored by PL/SQL Developer on the compromised host.

New Features and Enhancements

  • This PR reduces the number of requests the Windows checkvm post module sends to the host while working out which hypervisor the session is running under: the first responses are cached in instance variables and reused by the later checks in the module.
  • It improves the Kerberos service authenticator hostname matching for ccache credentials.
  • Updates the auxiliary/scanner/http/grafana_plugin_traversal module to add a disclosure date and a link to the original disclosure blog post.
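The checkvm change above is a memoization pattern, and it is worth seeing why it cuts traffic. The following is an added example written for this article, not Metasploit's checkvm code: each data source (BIOS vendor, product name, service list) is fetched from the host once and kept in an instance variable, so every vendor check reads the cached copy. The session object, the registry-style data sources and the vendor indicator strings are stand-ins constructed for the example.

```ruby
# Added example, not Metasploit's own checkvm module: hypervisor fingerprinting
# that asks the host for each data source once and caches the answer in an
# instance variable so that every vendor check reuses it.

# Stand-in for a Meterpreter session: answers lookups from a fixture and
# counts round trips so the saving is visible.
class FakeSession
  attr_reader :requests

  def initialize(fixture)
    @fixture = fixture
    @requests = 0
  end

  def query(source)
    @requests += 1
    @fixture.fetch(source, '')
  end
end

class CheckVM
  def initialize(session)
    @session = session
  end

  # Each data source is fetched at most once per run: the first response is
  # memoized in an instance variable and later callers read the cached copy.
  def bios_vendor
    @bios_vendor ||= @session.query(:bios_vendor)
  end

  def system_product
    @system_product ||= @session.query(:system_product)
  end

  def services
    @services ||= @session.query(:services)
  end

  # Vendor checks; without the cache each one would cost fresh round trips.
  # Indicator strings are assumptions for this example, not Metasploit's list.
  def vmware?
    hardware.match?(/vmware/i) || services.match?(/vmtools|vmware/i)
  end

  def virtualbox?
    hardware.match?(/virtualbox|innotek/i) || services.match?(/vboxservice/i)
  end

  def hyperv?
    hardware.match?(/hyper-v|virtual machine/i) || services.match?(/vmicheartbeat/i)
  end

  def qemu?
    hardware.match?(/qemu|kvm/i)
  end

  def xen?
    hardware.match?(/xen/i) || services.match?(/xensvc|xenevtchn/i)
  end

  # Returns the hypervisor name, or nil when nothing matches.
  def detect
    return 'VMware' if vmware?
    return 'VirtualBox' if virtualbox?
    return 'Hyper-V' if hyperv?
    return 'QEMU/KVM' if qemu?
    return 'Xen' if xen?
    nil
  end

  private

  def hardware
    "#{bios_vendor} #{system_product}"
  end
end

# Constructed fixtures standing in for registry values and the service list.
XEN_GUEST  = { bios_vendor: 'Xen', system_product: 'HVM domU',
               services: "wuauserv\nxensvc\nSpooler" }.freeze
BARE_METAL = { bios_vendor: 'Dell Inc.', system_product: 'PowerEdge R740',
               services: "wuauserv\nSpooler" }.freeze

# Runs detection against a fixture and reports how many requests it needed.
def fingerprint(fixture)
  session = FakeSession.new(fixture)
  [CheckVM.new(session).detect, session.requests]
end

if __FILE__ == $PROGRAM_NAME
  p fingerprint(XEN_GUEST)   # => ["Xen", 3]
  p fingerprint(BARE_METAL)  # => [nil, 3]
end
```

Five vendor checks run in the Xen case before a match, yet the host is asked only three questions; replace the `||=` memoization with a plain `@session.query` in each reader and the same run costs a request per source per check. That is the saving the checkvm PR describes, and it matters on slow or closely monitored sessions where every extra request is noise.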

Bug Fixes

This PR fixes a stability issue in the f5_bigip_tmui_rce_cve_2023_46747 module. The full list of changes is in Rapid7's release notes for this wrap-up.

Posted in Cybersecurity
