
Last updated at Fri, 02 May 2025 19:38:42 GMT
Meterpreter Extended API Clipboard Monitoring
Security is hard, and open source security is a collaborative effort. This week, Metasploit released a fix for a vulnerability that was privately disclosed to us by long-time community member bcoles. The vulnerability impacted Metasploit users who were using the clipboard monitoring functionality contained within the extended-API Meterpreter extension (extapi). After a user enables monitoring, they would typically run clipboard_monitor_stop or clipboard_monitor_dump to retrieve information from the compromised host. The vulnerability existed in Metasploit's handling of files that may be present in the remote host's clipboard. When files were downloaded, they would, by default, be written to the current working directory and would overwrite any existing files.
An attacker (in this scenario, someone controlling the compromised host) could leverage this by placing a malicious file in their clipboard, waiting for the Metasploit operator to download it, and relying on the operator to later execute it. As an example, the attacker may assume that the operator is running Metasploit from the framework's own checkout directory. In that case, they could place a malicious Ruby file named msfconsole in their clipboard. When the operator dumped the contents of the remote clipboard, their local copy of msfconsole would be overwritten and then executed the next time they started Metasploit. The path of the file that is written is printed in the command's output, but it may be overlooked by the user.
With the changes introduced in #19938, the extapi clipboard monitoring commands have been updated to make this significantly more difficult. Two primary changes were made. First, Metasploit now requires the user to specify a directory where file contents should be written (the -d option in the example below). Second, files are no longer overwritten automatically; to overwrite an existing file, the user must pass the --force argument. If a file would be or is overwritten, it is noted in the output:
meterpreter > clipboard_monitor_dump -d test_dir --force -p
Files captured at 2025-04-01 19:11:30.0503
==========================================
Remote Path : C:\Users\smcintyre\Desktop\hello-world.txt
File size : 11 bytes
Downloading : C:\Users\smcintyre\Desktop\hello-world.txt -> /home/smcintyre/Repositories/metasploit-framework.pr/test_dir/hello-world.txt
Downloaded 11.00 B of 11.00 B (100.0%) : C:\Users\smcintyre\Desktop\hello-world.txt -> /home/smcintyre/Repositories/metasploit-framework.pr/test_dir/hello-world.txt
Completed : Overwrote existing file /home/smcintyre/Repositories/metasploit-framework.pr/test_dir/hello-world.txt
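The two changes above (a required destination directory and no silent overwrite) come down to one decision: given an attacker-controlled remote file name, where may the bytes land on the operator's disk? The following Ruby is an added example written for this post, not the extapi code from #19938, showing that decision in isolation. It uses only the basename of the remote path, anchors the result under the operator-supplied directory, and refuses an existing file unless force is requested; the function names plan_local_path and download_clipboard_file, the UnsafeDownload error and the sample remote path are all assumptions made for the example.

```ruby
require 'fileutils'
require 'tmpdir'

# Raised when a clipboard download would land somewhere it should not.
class UnsafeDownload < StandardError; end

# Decide where a file taken from the remote clipboard may be written.
# dest_dir    - local directory the operator chose (required; no implicit CWD)
# remote_path - path reported by the remote host, e.g. C:\Users\x\Desktop\a.txt
# force       - allow clobbering an existing local file
# Returns [local_path, overwrites_existing].
def plan_local_path(dest_dir, remote_path, force: false)
  raise UnsafeDownload, 'a destination directory is required' if dest_dir.nil? || dest_dir.empty?

  # Keep only the final component. The remote host is untrusted, so it may
  # send separators of either kind and traversal components such as "..".
  basename = remote_path.to_s.split(%r{[\\/]}).reject(&:empty?).last
  if basename.nil? || basename == '.' || basename == '..'
    raise UnsafeDownload, "refusing remote path #{remote_path.inspect}"
  end

  dest_dir = File.expand_path(dest_dir)
  local = File.expand_path(File.join(dest_dir, basename))
  # Belt and braces: whatever the name was, the result must stay inside dest_dir.
  unless local.start_with?(dest_dir + File::SEPARATOR)
    raise UnsafeDownload, "#{local} is outside #{dest_dir}"
  end

  exists = File.exist?(local)
  raise UnsafeDownload, "#{local} exists; use force to overwrite" if exists && !force

  [local, exists]
end

# Write the downloaded bytes and report, as the fixed command does, whether an
# existing file was replaced.
def download_clipboard_file(dest_dir, remote_path, data, force: false)
  local, overwrote = plan_local_path(dest_dir, remote_path, force: force)
  FileUtils.mkdir_p(dest_dir)
  File.binwrite(local, data)
  puts(overwrote ? "Completed : Overwrote existing file #{local}" : "Completed : Wrote #{local}")
  [local, overwrote]
end

if $PROGRAM_NAME == __FILE__
  # Demo with a constructed remote path and contents (not real clipboard data).
  Dir.mktmpdir do |dir|
    remote = 'C:\Users\smcintyre\Desktop\hello-world.txt'
    download_clipboard_file(dir, remote, 'hello world')
    begin
      download_clipboard_file(dir, remote, 'second copy')   # refused: file exists
    rescue UnsafeDownload => e
      puts "Refused   : #{e.message}"
    end
    download_clipboard_file(dir, remote, 'second copy', force: true)
    begin
      plan_local_path(dir, 'C:\Users\smcintyre\..')        # refused: ".." component
    rescue UnsafeDownload => e
      puts "Refused   : #{e.message}"
    end
  end
end
```

Note that a remote name such as C:\..\..\msfconsole is not an error here: it simply becomes dest_dir/msfconsole, which is harmless as long as the operator chose a directory that nothing executes from. That is why the fix requires the directory to be named explicitly rather than defaulting to wherever msfconsole happens to be running.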
The Metasploit team would like to thank bcoles for bringing this issue to our attention. We have assigned it CVE-2025-3095 and evaluated it with a CVSS score of 5.0 / Medium (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P). This vulnerability was fixed in Metasploit version 6.4.60, released on April 30th, 2025.
New module content (2)
LDAP Password Disclosure
Authors: Hynek Petrak, Spencer McIntyre, Thomas Seigneuret, and Tyler Booth
Type: Auxiliary
Pull request: #20017 contributed by zeroSteiner
Path: gather/ldap_passwords
Description: This updates and renames the ldap_hashdump module to ldap_passwords, extending its functionality to extract secrets used by LAPSv1 and LAPSv2 in Active Directory environments, alongside existing LDAP implementations. It simplifies usage by unifying techniques under one module and avoids requiring users to fingerprint the server type. Associated tests were also updated to include AD-specific data using Samba as a test LDAP server.
WonderCMS Remote Code Execution
Authors: Milad “Ex3ptionaL” Karimi and msutovsky-r7
Type: Exploit
Pull request: #20081 contributed by msutovsky-r7
Path: multi/http/wondercms_rce
AttackerKB reference: CVE-2023-41425
Description: Adds a new module, exploit/multi/http/wondercms_rce, which exploits CVE-2023-41425, a file upload vulnerability. The module authenticates to the vulnerable WonderCMS instance with a supplied password and then creates a zip file containing a malicious PHP file. It uploads that zip file, which the application automatically extracts into the /themes directory and executes.
Enhancements and features (1)
- #20110 from bcoles – Improves code quality and metadata, and fixes some edge-case bugs within the modules/post/osx modules.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.