{"id":2653,"date":"2025-05-02T15:33:40","date_gmt":"2025-05-02T15:33:40","guid":{"rendered":"http:\/\/localhost\/?p=2653"},"modified":"2025-05-02T15:33:40","modified_gmt":"2025-05-02T15:33:40","slug":"metasploit-wrap-up-05022025","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=2653","title":{"rendered":"Metasploit Wrap-Up 05\/02\/2025"},"content":{"rendered":"
\n

Vulnerability Details<\/h2>\n
\n

Basic Information<\/h3>\n\n\n\n\n\n\n
Title<\/th>\nMetasploit Wrap-Up 05\/02\/2025<\/td>\n<\/tr>\n
Type<\/th>\nrapid7blog<\/td>\n<\/tr>\n
Published<\/th>\n2025-05-02T19:38:42<\/td>\n<\/tr>\n
Last Seen<\/th>\n2025-05-02T19:53:14<\/td>\n<\/tr>\n
CVSS Score<\/th>\n6.1 (MEDIUM)<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

CVSS v3 Details<\/h3>\n\n\n\n\n\n\n\n\n\n
Attack Vector<\/th>\nNETWORK<\/td>\n<\/tr>\n
Attack Complexity<\/th>\nLOW<\/td>\n<\/tr>\n
Privileges Required<\/th>\nNONE<\/td>\n<\/tr>\n
User Interaction<\/th>\nREQUIRED<\/td>\n<\/tr>\n
Scope<\/th>\nCHANGED<\/td>\n<\/tr>\n
Confidentiality Impact<\/th>\nLOW<\/td>\n<\/tr>\n
Integrity Impact<\/th>\nLOW<\/td>\n<\/tr>\n
Availability Impact<\/th>\nNONE<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

CVE Information<\/h3>\n\n\n\n\n
CVE IDs<\/th>\nCVE-2023-41425, CVE-2025-3095<\/td>\n<\/tr>\n
CWE<\/th>\n<\/td>\n<\/tr>\n
Bulletin Family<\/th>\ninfo<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

Description<\/h3>\n
\n ## Meterpreter Extended API Clipboard Monitoring<\/p>\n

![Metasploit Wrap-Up 05\/02\/2025](https:\/\/blog.rapid7.com\/content\/images\/2025\/05\/metasploit-sky.png)<\/p>\n

Security is hard, and Open Source Security is a collaborative effort. This week, Metasploit released a fix for a vulnerability that was privately disclosed to us by long-time community member bcoles. The vulnerability in question impacted Metasploit users who were using the clipboard monitoring functionality contained within the extended-API Meterpreter extension (`extapi`). After a user enables monitoring, they would typically run `clipboard_monitor_stop` or `clipboard_monitor_dump` to retrieve information from the compromised host. The vulnerability existed in Metasploit\u2019s handling of files that may be present in the remote hosts clipboard. When files were downloaded, they would, by default, be written to in the current working directory and would overwrite any existing files.<\/p>\n

An attacker could leverage this by placing a malicious file into their clipboard and waiting for the Metasploit operator to download it, then execute it. As an example, an attacker may assume that the Metasploit operator is running Metasploit from the current working directory of Metasploit itself. In that case, they could have a malicious Ruby file named msfconsole in their clipboard. When the Metasploit operator dumps the contents of the remote clipboard, their local copy of `msfconsole` would be overwritten and then executed the next time they started Metasploit. It should be noted that the file that is written to is printed in the command\u2019s output, but may be ignored by the user.<\/p>\n

Now with the changes introduced in #19938, the extapi\u2019s clipboard monitoring commands have been updated to make this significantly more difficult. Two primary changes were made. Now Metasploit will require a directory to be specified by the user of where file contents should be written to. Additionally, files will not be overwritten automatically. In order to overwrite an existing file, the user must specify the –force argument. If a file would be or is overwritten, it will be noted in the output:<\/p>\n

meterpreter > clipboard_monitor_dump -d test_dir –force -p
\n Files captured at 2025-04-01 19:11:30.0503
\n ==========================================
\n Remote Path : C:\\Users\\smcintyre\\Desktop\\hello-world.txt
\n File size : 11 bytes
\n Downloading : C:\\Users\\smcintyre\\Desktop\\hello-world.txt -> \/home\/smcintyre\/Repositories\/metasploit-framework.pr\/test_dir\/hello-world.txt
\n Downloaded 11.00 B of 11.00 B (100.0%) : C:\\Users\\smcintyre\\Desktop\\hello-world.txt -> \/home\/smcintyre\/Repositories\/metasploit-framework.pr\/test_dir\/hello-world.txt
\n Completed : Overwrote existing file \/home\/smcintyre\/Repositories\/metasploit-framework.pr\/test_dir\/hello-world.txt<\/p>\n

The Metasploit team would like to thank bcoles for bringing this issue to our attention. We have assigned it CVE-2025-3095 and evaluated it with a CVSS score of 5.0 \/ Medium (CVSS:4.0\/AV:N\/AC:L\/AT:P\/PR:N\/UI:A\/VC:N\/VI:H\/VA:N\/SC:N\/SI:N\/SA:N\/E:P). This vulnerability was fixed in Metasploit version 6.4.60, released on April 30th, 2025.<\/p>\n

## New module content (2)<\/p>\n

### LDAP Password Disclosure<\/p>\n

Authors: Hynek Petrak, Spencer McIntyre, Thomas Seigneuret, and Tyler Booth
\nType: Auxiliary
\nPull request: #20017 contributed by zeroSteiner
\nPath: `gather\/ldap_passwords`<\/p>\n

Description: This updates and renames the ldap_hashdump module to ldap_passwords, extending its functionality to extract secrets used by LAPSv1 and LAPSv2 in Active Directory environments, alongside existing LDAP implementations. It simplifies usage by unifying techniques under one module and avoids requiring users to fingerprint the server type. Associated tests were also updated to include AD-specific data using Samba as a test LDAP server.<\/p>\n

### WonderCMS Remote Code Execution<\/p>\n

Authors: Milad “Ex3ptionaL” Karimi and msutovsky-r7
\nType: Exploit
\nPull request: #20081 contributed by msutovsky-r7
\nPath: `multi\/http\/wondercms_rce`
\nAttackerKB reference: CVE-2023-41425<\/p>\n

Description: Adds a new module \u201cexploit\/multi\/http\/wondercms_rce\u201d which exploits CVE-2023-41425 – a file upload vulnerability. The module will authenticate against the vulnerable WonderCMS instance using a given password and then creates a zip file with a malicious PHP file. The module then uploads a zip file, which gets automatically parsed into `\/themes` directory and executed by the application.<\/p>\n

## Enhancements and features (1)<\/p>\n

* #20110 from bcoles \\- Improves code quality, metadata, and fixes some edge-case bugs within the `modules\/post\/osx` modules.<\/p>\n

## Documentation<\/p>\n

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.<\/p>\n

## Get it<\/p>\n

As always, you can update to the latest Metasploit Framework with `msfupdate`
\nand you can get more details on the changes since the last blog post from
\nGitHub:<\/p>\n

* Pull Requests 6.4.60…6.4.61
\n * Full diff 6.4.60…6.4.61<\/p>\n

If you are a `git` user, you can clone the Metasploit Framework repo (master branch) for the latest.
\nTo install fresh without using git, you can use the open-source-only Nightly Installers or the
\ncommercial edition Metasploit Pro\n <\/p><\/div>\n<\/p><\/div>\n

\n

Impact Assessment<\/h3>\n\n\n\n
Base Score<\/th>\n6.1<\/td>\n<\/tr>\n
Severity<\/th>\nMEDIUM<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

View full CVE details<\/a><\/p>\n<\/p><\/div>\n<\/div>\n