Active Directory LDAP Library
This week Metasploit added a library for working with Active Directory Domain Controllers over LDAP. The library consolidates common functionality and implements a caching mechanism to support common operations such as looking up objects by their DN, sAMAccountName, or SID. Objects are then cached, so repeated lookups don’t have to contact the server.
In addition to this, the library adds a brand new API for analyzing security descriptors to determine if permissions are granted to a specific SID. This effectively enables Metasploit to test for and identify permission-related issues. This has been added to a handful of modules.
The auxiliary/admin/ldap/ad_cs_cert_template module now not only shows the raw nTSecurityDescriptor in its SDDL representation, but also analyzes it to show which permissions apply to the currently authenticated user.
msf6 auxiliary(admin/ldap/ad_cs_cert_template) > read
[*] Running module against 192.168.159.10
[*] Discovering base DN automatically
[+] Read certificate template data for: CN=ESC4-Test,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local
[*] Certificate template data written to: /home/smcintyre/.msf4/loot/20250710104332_default_192.168.159.10_windows.ad.cs.te_104079.json
[*] Certificate Template:
[*] distinguishedName: CN=ESC4-Test,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local
[*] displayName: ESC4-Test
[*] objectGUID: c7dc6220-c290-40e5-8a6c-24e512282318
[*] nTSecurityDescriptor: D:PAI(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-3978004297-3499718965-4169012971-2102)(OA;;CR;a05b8cc2-17bc-4802-a710-e7c15ab866a2;;S-1-5-21-3978004297-3499718965-4169012971-2102)(OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;DA)(OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;EA)(A;;LCRPWPRCWDWO;;;S-1-5-21-3978004297-3499718965-4169012971-2102)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;EA)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;S-1-5-21-3978004297-3499718965-4169012971-1000)(A;;LCRPLORC;;;AU)
[*] * Permissions applied for [email protected]: READ, WRITE, ENROLL, AUTOENROLL
...
[+] The operation completed successfully!
[*] Auxiliary module execution completed
msf6 auxiliary(admin/ldap/ad_cs_cert_template) >
In this case, the user can see that they have READ, WRITE, ENROLL and AUTOENROLL permissions to the ESC4-Test template.
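As an added example (not code from Metasploit's new LDAP library or from the module shown above), here is a small Ruby analyser that applies the same idea to the nTSecurityDescriptor printed above: it parses the SDDL DACL and reports which of the READ, WRITE, ENROLL and AUTOENROLL permissions a principal holds, given its own SID and its group SIDs. Resolving the DA, EA and AU aliases to RIDs 512/519 and S-1-5-11 is standard Windows behaviour; deny ACEs, inheritance flags and hex-encoded access masks are assumed absent.

```ruby
# Added example, not Metasploit's LDAP library or module code: a minimal SDDL
# DACL analyser. Only access-allowed ACEs (A, OA) are handled; deny ACEs,
# inheritance flags and hex-encoded access masks are out of scope here.

# Extended-right GUIDs for Certificate-Enrollment / Certificate-AutoEnrollment
# (Microsoft-documented values; both appear in the SDDL above).
ENROLL_GUID     = '0e10c968-78fb-11d2-90d4-00c04f79dc55'
AUTOENROLL_GUID = 'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

# SDDL from the module output above; the domain SID is its S-1-5-21 prefix.
DOMAIN_SID  = 'S-1-5-21-3978004297-3499718965-4169012971'
SAMPLE_SDDL = 'D:PAI(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-3978004297-3499718965-4169012971-2102)' \
  '(OA;;CR;a05b8cc2-17bc-4802-a710-e7c15ab866a2;;S-1-5-21-3978004297-3499718965-4169012971-2102)' \
  '(OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;DA)(OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;EA)' \
  '(A;;LCRPWPRCWDWO;;;S-1-5-21-3978004297-3499718965-4169012971-2102)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)' \
  '(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;EA)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;S-1-5-21-3978004297-3499718965-4169012971-1000)' \
  '(A;;LCRPLORC;;;AU)'

# Resolve the SDDL SID aliases seen on this page: DA/EA are the domain-relative
# RIDs 512/519, AU is the fixed well-known SID S-1-5-11. Anything else is a literal SID.
def resolve_sid(token, domain_sid)
  { 'DA' => "#{domain_sid}-512", 'EA' => "#{domain_sid}-519", 'AU' => 'S-1-5-11' }.fetch(token, token)
end

# Split the DACL into "(type;flags;rights;object_guid;inherit_guid;sid)" ACEs.
def parse_aces(sddl, domain_sid)
  dacl = sddl[/D:[^(]*(\(.*\))/, 1] or raise ArgumentError, 'no DACL found in SDDL'
  dacl.scan(/\(([^)]*)\)/).flatten.map do |ace|
    type, _flags, rights, obj_guid, _inh_guid, sid = ace.split(';', 6)
    { type: type, rights: rights.scan(/../), object_guid: obj_guid, sid: resolve_sid(sid, domain_sid) }
  end
end

# Summarise what a principal (its own SID plus its group SIDs) holds, using the
# same READ / WRITE / ENROLL / AUTOENROLL labels the module prints.
def effective_permissions(sddl, principal_sids, domain_sid = DOMAIN_SID)
  perms = []
  parse_aces(sddl, domain_sid).each do |ace|
    next unless %w[A OA].include?(ace[:type]) && principal_sids.include?(ace[:sid])
    perms << :READ  if ace[:rights].include?('RP')   # Read Properties
    perms << :WRITE if ace[:rights].include?('WP')   # Write Properties
    next unless ace[:rights].include?('CR')          # Control Access (extended rights)
    all_extended = ace[:object_guid].empty?          # no GUID = every extended right
    perms << :ENROLL     if all_extended || ace[:object_guid] == ENROLL_GUID
    perms << :AUTOENROLL if all_extended || ace[:object_guid] == AUTOENROLL_GUID
  end
  perms.uniq.sort
end
# The RID-2102 user from the module output, who is also an Authenticated User.
puts effective_permissions(SAMPLE_SDDL, ["#{DOMAIN_SID}-2102", 'S-1-5-11']).inspect
```

Running the RID-2102 principal through it reproduces the module's READ, WRITE, ENROLL, AUTOENROLL summary, while a principal that only matches the Authenticated Users ACE gets READ alone.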
Additionally, the auxiliary/admin/ldap/shadow_credentials and auxiliary/admin/ldap/rbcd modules now have check methods that determine whether the permissions the module needs are available. For example, the Resource-Based Constrained Delegation module checks whether it has the Read Properties (RP) and Write Properties (WP) permissions on the delegation target. In the following example, the sandy user has the necessary permissions for the victim account but not for the smcintyre account.
msf6 auxiliary(admin/ldap/rbcd) > check LDAPUsername=sandy DELEGATE_TO=smcintyre
[*] Discovering base DN automatically
[*] 192.168.159.10:389 - The target is not exploitable. The object can not be written to.
msf6 auxiliary(admin/ldap/rbcd) > check LDAPUsername=sandy DELEGATE_TO=victim
[*] Discovering base DN automatically
[+] 192.168.159.10:389 - The target is vulnerable. The object can be written to.
msf6 auxiliary(admin/ldap/rbcd) >
Multiple Brother devices at risk
Our very own Stephen Fewer conducted an impressive 0-day research project into Brother’s devices that started last year. You can find more information about this research on this disclosure blog here, which also contains the technical analysis white paper. This week, Stephen added a module that leverages one of the disclosed vulnerabilities: an authentication bypass via default administrator password generation (CVE-2024-51978). This issue is known to impact 695 models across several vendors, including Brother, Konica Minolta, Inc., and Toshiba Tec Corporation.
An unauthenticated remote attacker can obtain a vulnerable device’s serial number through various methods, including HTTP/HTTPS/IPP (via CVE-2024-51977), SNMP, or PJL. This serial number can then be converted into the device’s default administrator password – the complex password typically found on a sticker attached to the device. If the default administrator password remains unchanged, the attacker can use these credentials to successfully log in to the target device.
New module content (4)
Multiple Brother devices authentication bypass via default administrator password generation
- Author: sfewer-r7
- Type: Auxiliary
- Pull request: #20349 contributed by sfewer-r7
- Path: admin/misc/brother_default_admin_auth_bypass_cve_2024_51978
- AttackerKB reference: CVE-2024-51978
Description: This adds a new auxiliary module that leverages CVE-2024-51978, an authentication bypass vulnerability impacting 695 models from several vendors, including Brother, Konica Minolta, Inc., and Toshiba Tec Corporation. This exploit enables a remote attacker to generate the administrator password by leaking the device’s serial number, which can be obtained via unauthenticated HTTP, HTTPS, IPP, SNMP, or PJL requests.
ISPConfig language_edit.php PHP Code Injection
- Authors: Egidio Romano and syfi
- Type: Exploit
- Pull request: #20354 contributed by happybear-21
- Path: linux/http/ispconfig_lang_edit_php_code_injection
- AttackerKB reference: CVE-2023-46818
Description: This adds a new module for ISPConfig. Versions before 3.2.11p1 contain a code injection vulnerability in the language_edit.php file. Exploitation requires admin credentials and the admin_allow_langedit option to be enabled; if it is not, the module enables this option automatically.
Wing FTP Server NULL-byte Authentication Bypass (CVE-2025-47812)
- Authors: Julien Ahrens and Valentin Lobstein
- Type: Exploit
- Pull request: #20364 contributed by Chocapikk
- Path: multi/http/wingftp_null_byte_rce
- AttackerKB reference: CVE-2025-47812
Description: This adds unauthenticated remote code execution for WingFTP (CVE-2025-47812). It can be used against both Windows/Linux systems and can be exploited using anonymous users (if enabled).
Linux Set Hostname
- Author: Muzaffer Umut ŞAHİN
- Type: Payload (Single)
- Pull request: #20334 contributed by xHector1337
- Path: linux/x64/set_hostname
Description: Adds a payload module that calls the set_hostname syscall to change the hostname to pwned or a user-defined value.
Enhancements and features (4)
- #19709 from szymonj99 – Updates the irb library version for improved debugging support.
- #20209 from adfoster-r7 – Updates Metasploit Framework to use Ruby 3.3.8 by default.
- #20345 from zeroSteiner – This adds a library for working with remote Active Directory Domain Controllers via LDAP. It provides methods for performing common operations such as looking up objects by their DN, sAMAccountName and SID. It also allows checking security descriptors to determine whether specific permissions are granted to a SID, effectively enabling Metasploit to identify permission-based issues. Two modules have been updated to take advantage of this in the form of new check methods.
- #20371 from zeroSteiner – Condenses the Metasploit banner stats into fewer lines and adds a note about Metasploit Framework being a Rapid7 Open Source Project.
Bugs fixed (1)
- #20365 from Chocapikk – This updates the unix/http/maltrail_rce exploit module to fix some issues related to metadata and HTTP requests.
Documentation added (1)
- #20373 from adfoster-r7 – This updates the Metasploit logo on the documentation site.
You can always find more documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.