RISC-V Support

Metasploit Wrap-Up: 11/08/2024

This release of Metasploit Framework has added exciting new features such as new payloads that target the RISC-V architecture. These payloads allow for the execution of commands on compromised hardware, allowing Metasploit Framework and Metasploit Payloads to be used in more environments.

SMB To HTTP(S) Relay

This new module, worked on by Rapid7 contributors, targets the ESC8 vulnerability. This work is part of the recent Kerberos and Active Directory efforts targeting multiple ESC vulnerabilities, bringing modern security workflows into Metasploit Framework.

It includes a modified SMB capture server to repackage and forward authentication from the SMB capture server to an NTLM-authenticating HTTP server. The authenticated HTTP client is then passed to the ESC8 module, which requests the creation of certificates and downloads them.

Python Exec Payload

A new addition to the payloads catalog this week is a new Python payload, developed by zeroSteiner, allowing for the execution of arbitrary OS commands. This payload is compatible with Python 2.7 and 3.4+.

New module content (10)

SolarWinds Web Help Desk Backdoor (CVE-2024-28987)

Authors: Michael Heinzl and Zach Hanley
Type: Auxiliary
Pull request: #19499 contributed by h4x-x0r
Path: gather/solarwinds_webhelpdesk_backdoor
AttackerKB reference: CVE-2024-28987

Description: This module exploits a backdoor in SolarWinds Web Help Desk (CVE-2024-28987) <= v12.8.3 to retrieve all tickets from the system.

WordPress TI WooCommerce Wishlist SQL Injection (CVE-2024-43917)

Authors: Rafie Muhammad and Valentin Lobstein
Type: Auxiliary
Pull request: #19517 contributed by Chocapikk
Path: scanner/http/wp_ti_woocommerce_wishlist_sqli
AttackerKB reference: CVE-2024-43917

Description: This new auxiliary module exploits an unauthenticated SQL injection vulnerability in the TI WooCommerce Wishlist plugin for WordPress (versions <= 2.8.2). The vulnerability allows attackers to execute SQL queries via the order parameter which can be used to dump usernames and their hashed passwords.

ESC8 Relay: SMB to HTTP(S)

Authors: Spencer McIntyre, bwatters-r7, and jhicks-r7
Type: Auxiliary
Pull request: #19404 contributed by bwatters-r7
Path: server/relay/esc8

Description: This is an implementation of the AD CS ESC8 attack. It includes a library that uses a modified SMB capture server to repackage and forward authentication from the SMB capture server to an NTLM-authenticating HTTP server. The authenticated HTTP client is then passed to the ESC8 module, which requests the creation of certificates and downloads them.

Simple

Author: bcoles bcoles@gmail.com
Type: Nop
Pull request: #19518 contributed by bcoles
Path: riscv32le/simple

Description: Add support for RISC-V 32-bit / 64-bit Little Endian payloads. Includes Linux Execute Command payloads and Linux Reboot payloads for testing.

Simple

Author: bcoles bcoles@gmail.com
Type: Nop
Pull request: #19518 contributed by bcoles
Path: riscv64le/simple

Description: Add support for RISC-V 32-bit / 64-bit Little Endian payloads. Includes Linux Execute Command payloads and Linux Reboot payloads for testing.

Linux Execute Command

Authors: bcoles bcoles@gmail.com and modexp
Type: Payload (Single)
Pull request: #19518 contributed by bcoles
Path: linux/riscv32le/exec

Description: Add support for RISC-V 32-bit / 64-bit Little Endian payloads. Includes Linux Execute Command payloads and Linux Reboot payloads for testing.

Linux Reboot

Author: bcoles bcoles@gmail.com
Type: Payload (Single)
Pull request: #19518 contributed by bcoles
Path: linux/riscv32le/reboot

Description: Add support for RISC-V 32-bit / 64-bit Little Endian payloads. Includes Linux Execute Command payloads and Linux Reboot payloads for testing.

Linux Execute Command

Authors: bcoles bcoles@gmail.com and modexp
Type: Payload (Single)
Pull request: #19518 contributed by bcoles
Path: linux/riscv64le/exec

Description: Add support for RISC-V 32-bit / 64-bit Little Endian payloads. Includes Linux Execute Command payloads and Linux Reboot payloads for testing.

Linux Reboot

Author: bcoles bcoles@gmail.com
Type: Payload (Single)
Pull request: #19518 contributed by bcoles
Path: linux/riscv64le/reboot

Description: Add support for RISC-V 32-bit / 64-bit Little Endian payloads. Includes Linux Execute Command payloads and Linux Reboot payloads for testing.

Python Execute Command

Author: Spencer McIntyre
Type: Payload (Single)
Pull request: #19528 contributed by zeroSteiner
Path: python/exec

Description: Adds a new exec payload leveraging Python.

Enhancements and features (2)

  • #19529 from NtAlexio2 - This updates the pipe_dcerpc_auditor module to use the new pattern for handling port settings which offers users greater control over their targeting.
  • #19573 from adfoster-r7 - Updates Metasploit to Ruby 3.2.5.

Bugs fixed (2)

  • #19550 from Mathiou04 - Fixes an issue where, when USER_AS_PASS was enabled, the USERNAME would not be attempted as the PASSWORD.
  • #19619 from smashery - This fixes a regression crash in the auxiliary/admin/kerberos/get_ticket module.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

A New Way to Encode PHP Payloads

Metasploit Weekly Wrap-Up 08/30/2024

A new PHP encoder has been released by a community contributor, jvoisin, allowing a PHP payload to be encoded as an ASCII-Hex string. This can then be decoded on the receiver to prevent issues with unescaped or bad characters.

Ray Vulnerabilities

This release of Metasploit Framework also features three new modules targeting Ray (ray.io), a framework for distributing AI-related workloads across multiple machines, which makes it an excellent exploitation target. These modules can perform arbitrary file reads, remote code execution and command injection, making them a great all-round addition to a penetration testing workflow.

The vulnerabilities for which modules are provided are:

  • CVE-2023-6020 - Ray static arbitrary file read
  • CVE-2023-48022 - Ray Agent Job RCE
  • CVE-2023-6019 - Ray cpu_profile command injection

New module content (9)

Control iD iDSecure Authentication Bypass (CVE-2023-6329)

Authors: Michael Heinzl and Tenable
Type: Auxiliary
Pull request: #19380 contributed by h4x-x0r
Path: admin/http/idsecure_auth_bypass
AttackerKB reference: CVE-2023-6329

Description: Adds an auxiliary module targeting CVE-2023-6329, an improper access control vulnerability, which allows an unauthenticated user to compute valid credentials and to add a new administrative user to the web interface of Control iD iDSecure <= v4.7.43.0.

Ivanti Virtual Traffic Manager Authentication Bypass (CVE-2024-7593)

Authors: Michael Heinzl, mxalias, and ohnoisploited
Type: Auxiliary
Pull request: #19386 contributed by h4x-x0r
Path: admin/http/ivanti_vtm_admin
AttackerKB reference: CVE-2024-7593

Description: Adds an exploit targeting CVE-2024-7593, which is an improper access control vulnerability in Ivanti Virtual Traffic Manager (vTM). It allows an unauthenticated remote attacker to add a new administrative user to the web interface of the product before 22.7R2.

Ray static arbitrary file read

Authors: Takahiro Yokoyama, byt3bl33d3r marcello@protectai.com, and danmcinerney dan@protectai.com
Type: Auxiliary
Pull request: #19363 contributed by Takahiro-Yoko
Path: gather/ray_lfi_cve_2023_6020
AttackerKB reference: CVE-2023-6020

Description: The auxiliary module allows reading files on the remote system through a local file inclusion vulnerability.

PHP Hex Encoder

Author: Julien Voisin
Type: Encoder
Pull request: #19420 contributed by jvoisin
Path: php/hex

Description: This adds an ASCII-hex encoder for PHP with optional compression.

Ray Agent Job RCE

Authors: Takahiro Yokoyama, byt3bl33d3r marcello@protectai.com, and sierrabearchell
Type: Exploit
Pull request: #19363 contributed by Takahiro-Yoko
Path: linux/http/ray_agent_job_rce
AttackerKB reference: CVE-2023-48022

Description: This exploit module allows for arbitrary code execution on the target.

Ray cpu_profile command injection

Authors: Takahiro Yokoyama, byt3bl33d3r marcello@protectai.com, and sierrabearchell
Type: Exploit
Pull request: #19363 contributed by Takahiro-Yoko
Path: linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019
AttackerKB reference: CVE-2023-6019

Description: This exploit module allows for command injection to be performed on the target.

GiveWP Unauthenticated Donation Process Exploit

Authors: EQSTSeminar, Julien Ahrens, Valentin Lobstein, and Villu Orav
Type: Exploit
Pull request: #19424 contributed by Chocapikk
Path: multi/http/wp_givewp_rce
AttackerKB reference: CVE-2024-5932

Description: Adds a new module, exploits/multi/http/wp_givewp_rce, which targets CVE-2024-5932, a critical RCE vulnerability in the WordPress GiveWP plugin (up to version 3.14.1).

pgAdmin Binary Path API RCE

Authors: Ayoub Mokhtar, M.Selim Karahan, and Mustafa Mutlu
Type: Exploit
Pull request: #19422 contributed by igomeow
Path: windows/http/pgadmin_binary_path_api
AttackerKB reference: CVE-2024-3116

Description: Adds a new module targeting all versions of pgAdmin up to 8.4 which leverages a remote code execution (RCE) flaw, CVE-2024-3116, through the validate binary path API.

Gather electerm Passwords

Author: Kali-Team kali-team@qq.com
Type: Post
Pull request: #19395 contributed by cn-kali-team
Path: multi/gather/electerm

Description: Adds a post module to gather passwords and saved session information stored in the Electerm program.

Enhanced Modules (2)

Modules which have either been enhanced, or renamed:

  • #19393 from jheysel-r7 - Adds a patch bypass for CVE-2024-32113 (the original vulnerability this module exploited). The patch released in 18.12.14 prevents the path traversal vulnerability from being exploited; however, it was later disclosed that the vulnerable endpoint was accessible all along, without the need for the path traversal. As a result, CVE-2024-38856 was issued as an Incorrect Authorization vulnerability, which was patched in version 18.12.15.
  • #19417 from Chocapikk - The new PHP filter chain evaluates a POST parameter, which simplifies the process and reduces the payload size enabling the module to send the entire payload in one POST request instead of writing the payload to a file character by character over many POST requests. Support for both Windows and Linux Meterpreter payloads, not just PHP Meterpreter, has also been added.

Enhancements and features (3)

  • #19377 from jvoisin - Not written.
  • #19409 from jvoisin - This adds additional fingerprinting checks to the existing post/linux/gather/checkvm module to more accurately identify VMs.
  • #19415 from zeroSteiner - Changes the output of the ldap_esc_vulnerable_cert_finder to be more useful, including display changes favoring useful templates and including an explanation of why a template may be vulnerable.

Bugs fixed (4)

  • #19241 from zgoldman-r7 - Replaced the usage of a deprecated Ruby method to fix crashing modules.
  • #19376 from jvoisin - This fixes the php/base64 encoder, which was previously generating PHP payloads that failed when run due to the way single quotes were being inserted into the payload.
  • #19411 from dledda-r7 - Fixes a crash in Metasploit's RPC layer when calling module.results when a nil module result was present.
  • #19421 from zeroSteiner - This updates the windows/fileformat/adobe_pdf_embedded_exe exploit to declare that it is compatible with both ARCH_X86 and ARCH_X64 payloads, since it only generates an EXE.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Argument Injection for PHP on Windows

Metasploit Weekly Wrap-Up 06/21/2024

This week includes modules that target file traversal and arbitrary file read vulnerabilities in software such as Apache, SolarWinds and Check Point, with the highlight being a module for the recent PHP vulnerability submitted by sfewer-r7. This module exploits an argument injection vulnerability, resulting in remote code execution and a Meterpreter shell running in the context of the Administrator user.

Note that this attack requires the target to be running a Japanese or Chinese locale, as it targets Windows' character replacement behavior for certain code pages when calling Win32 API functions.

A default configuration of XAMPP is vulnerable. This attack is unauthenticated and the server must expose PHP in CGI mode, not FastCGI. More information on this exploit can be found on AttackerKB.

New module content (4)

Check Point Security Gateway Arbitrary File Read

Author: remmons-r7
Type: Auxiliary
Pull request: #19221 contributed by remmons-r7
Path: gather/checkpoint_gateway_fileread_cve_2024_24919
AttackerKB reference: CVE-2024-24919

Description: This module leverages an unauthenticated arbitrary root file read vulnerability for Check Point Security Gateway appliances. When the IPSec VPN or Mobile Access blades are enabled on affected devices, traversal payloads can be used to read any files on the local file system. This vulnerability is tracked as CVE-2024-24919.

SolarWinds Serv-U Unauthenticated Arbitrary File Read

Authors: Hussein Daher and sfewer-r7
Type: Auxiliary
Pull request: #19255 contributed by sfewer-r7
Path: gather/solarwinds_servu_fileread_cve_2024_28995
AttackerKB reference: CVE-2024-28995

Description: This module exploits an unauthenticated file read vulnerability, due to directory traversal, affecting SolarWinds Serv-U FTP Server 15.4, Serv-U Gateway 15.4, and Serv-U MFT Server 15.4. All versions prior to the vendor supplied hotfix "15.4.2 Hotfix 2" (version 15.4.2.157) are affected.

Apache OFBiz Forgot Password Directory Traversal

Authors: Mr-xn and jheysel-r7
Type: Exploit
Pull request: #19249 contributed by jheysel-r7
Path: multi/http/apache_ofbiz_forgot_password_directory_traversal
AttackerKB reference: CVE-2024-32113

Description: This adds an exploit for CVE-2024-32113, which is an unauthenticated RCE in Apache OFBiz.

PHP CGI Argument Injection Remote Code Execution

Authors: Orange Tsai, sfewer-r7, and watchTowr
Type: Exploit
Pull request: #19247 contributed by sfewer-r7
Path: windows/http/php_cgi_arg_injection_rce_cve_2024_4577
AttackerKB reference: CVE-2024-4577

Description: Windows systems running Japanese or Chinese (simplified or traditional) locales are vulnerable to a PHP CGI argument injection vulnerability. This exploit module returns a session running in the context of the Administrator user.

Enhancements and features (2)

  • #18829 from cdelafuente-r7 - Adding multiple HttpServer services in a module is sometimes complex since they share the same methods. This usually causes situations where #on_request_uri needs to be overridden to handle requests coming from each service. This updates the cmdstager and the Java HTTP ClassLoader mixins, since these are commonly used in the same module. This also updates the manageengine_servicedesk_plus_saml_rce_cve_2022_47966 module to make use of these new changes.
  • #19229 from softScheck - The junos_phprc_auto_prepend_file module used to depend on having a user authenticated to the J-Web application in order to steal the session tokens needed for exploitation. With this enhancement the module will now create a session if one doesn't exist. It also adds datastore options to change the hash format to be compatible with older versions, as well as an option to attempt to enable SSH root login before attempting to establish a root SSH session.

Bugs fixed (4)

  • #19176 from Fufu-btw - This adds the x86 and x64 architectures to the exploit/windows/http/dnn_cookie_deserialization_rce module's target metadata.
  • #19253 from aaronjfeingold - This fixes an incorrect CVE reference in the exploit/unix/http/zivif_ipcheck_exec module.
  • #19256 from adfoster-r7 - Fix warnings in acceptance tests.
  • #19261 from zeroSteiner - Fixed powershell_base64 encoder to execute encoded strings correctly.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Account Takeover using Shadow Credentials

Metasploit Weekly Wrap-Up 04/12/24

The new release of Metasploit Framework includes a Shadow Credentials module added by smashery, used for reliably taking over an Active Directory user or computer account and allowing future authentication to happen as that account. This can be chained with other modules present in Metasploit Framework such as windows_secrets_dump.

Details

The module targets a ‘victim’ account that is part of a domain where the Domain Controller is running Windows Server 2016 and newer.

Using an account that has write permissions over another (or its own) user account object, the module adds a public key credential object to the user account's msDS-KeyCredentialLink property. After this, a Ticket Granting Ticket can be requested using the get_ticket module, which can subsequently be used for a pass-the-ticket style attack such as auxiliary/gather/windows_secrets_dump. This can be performed when a user has the GenericWrite permission over another account. By default, computer accounts have the ability to write their own value (whereas user accounts do not).

The shadow credentials added persist between password changes, making it a very useful technique for getting the TGT.

The steps for this technique (performed automatically by the module) are:

  • Generate and store a key and certificate locally
  • Store the certificate's public key as a KeyCredential
  • On the domain controller, update the msDS-KeyCredentialLink property to include the newly generated KeyCredential object

After the above steps, you can:

  • Obtain a TGT & NTLM hash
  • Perform further attacks using the above values

New module content (3)

Shadow Credentials

Authors: Elad Shamir and smashery
Type: Auxiliary
Pull request: #19051 contributed by smashery
Path: admin/ldap/shadow_credentials

Description: A new module to add to, list, flush and delete from the LDAP msDS-KeyCredentialLink attribute which enables the user to execute "shadow credential" attacks for persistence and lateral movement.

Gibbon School Platform Authenticated PHP Deserialization Vulnerability

Authors: Ali Maharramli, Fikrat Guliev, Islam Rzayev, and h00die-gr3y h00die.gr3y@gmail.com
Type: Exploit
Pull request: #19044 contributed by h00die-gr3y
Path: multi/http/gibbon_auth_rce_cve_2024_24725
AttackerKB reference: CVE-2024-24725

Description: An exploit module that exploits Gibbon online school platform version 26.0.00 and lower to achieve remote code execution. Note that authentication is required. This leverages a PHP deserialization attack via columnOrder in a POST request (CVE-2024-24725).

Rancher Audit Log Sensitive Information Leak

Author: h00die
Type: Post
Pull request: #18962 contributed by h00die
Path: linux/gather/rancher_audit_log_leak
AttackerKB reference: CVE-2023-22649

Description: A post module to leverage CVE-2023-22649 which is a sensitive information leak in the rancher service's audit logs.

Enhancements and features (4)

  • #19022 from sjanusz-r7 - Adds support to detect the MySQL server's host's platform and arch by running a query.
  • #19045 from zgoldman-r7 - Adds a set of acceptance tests for MSSQL modules.
  • #19052 from smashery - Updates Metasploit's User Agent strings to values valid for April 2024.
  • #19064 from nrathaus - Adds support to the auxiliary/scanner/snmp/snmp_login module to work over the TCP protocol in addition to UDP.

Bugs fixed (3)

  • #19056 from dwelch-r7 - Fixed an issue where the socket would be closed if targeting a single host with multiple user_file/pass_file module option combinations. This was caused when a session was successfully opened but the next login attempt would then close the socket being used by the newly created session.
  • #19059 from nrathaus - Fixed an issue with the psnuffle module's POP3 support.
  • #19069 from adfoster-r7 - Fixed an edge case present in clients that programmatically interacted with Metasploit's remote procedure call (RPC) functionality, which caused the login modules for SMB, Postgres, MySQL, and MSSQL to open a new session by default instead of it being opt-in behavior.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Shared RubySMB Service Improvements

Metasploit Weekly Wrap-Up 02/02/2024

This week’s updates include improvements to Metasploit Framework’s SMB server implementation: the SMB server can now be reused across various SMB modules, which are now able to register their own unique shares and files. SMB modules can also now be executed concurrently. Currently, there are 15 SMB modules in Metasploit Framework that utilize this feature.

New module content (2)

Mirth Connect Deserialization RCE

Authors: Naveen Sunkavally, Spencer McIntyre, and r00t
Type: Exploit
Pull request: #18755 contributed by zeroSteiner
Path: multi/http/mirth_connect_cve_2023_43208

Description: This PR adds an exploit module for Mirth Connect. Versions < 4.4.1 are vulnerable to CVE-2023-43208 and CVE-2023-37679, where the former is a patch bypass for the latter. In both cases, an attacker can execute an OS command in the context of the target service using a specially crafted HTTP request and Java deserialization gadget. A technical analysis of CVE-2023-37679 is available in AttackerKB.

Puppet Config Gather

Author: h00die
Type: Post
Pull request: #18628 contributed by h00die
Path: linux/gather/puppet

Description: This PR adds a post gather module to get Puppet configs and other sensitive files.

Enhancements and features (2)

  • #18680 from zeroSteiner - This adds a service compatible with Rex::ServiceManager for SMB that can be shared among modules.
  • #18742 from sjanusz-r7 - Enhances the post/multi/gather/memory_search with additional UX improvements such as outputting a list of matched processes that are being targeted, as well as improved error handling if the process architecture is not correct.

Bugs fixed (2)

  • #18750 from adfoster-r7 - Updates the to_handler command for payload modules to support option overrides. The to_handler command is a convenient way of using multi/handler, setting the payload, and setting datastore options.
  • #18760 from adfoster-r7 - Fixes an issue where Metasploit fails to start when resolv.conf cannot be found.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Windows Local Privilege Escalation for standard users

Metasploit Wrap-Up

In this week's release, we have an exciting new module that has been added by our very own Grant Willcox which exploits CVE-2022-26904 (https://attackerkb.com/topics/RHSMbN1NQY/cve-2022-26904), and allows normal users to execute code as NT AUTHORITY\SYSTEM on Windows machines from Windows 7 up to and including Windows 11. Currently, the vulnerability is still not patched and there have not been any updates from MSRC regarding this vulnerability; however, it may be patched in the next Patch Tuesday.

This exploit requires more than one local user to be present on the machine and the PromptOnSecureDesktop setting to be set to 1, which is the default setting.

MacOS exploitation

Our very own space-r7 has updated the recent GateKeeper module to add support for the recent CVE-2022-22616, which can be used to target all macOS Catalina versions, and macOS Monterey versions prior to 12.3.

This module can be used to remove the com.apple.quarantine extended attribute on a downloaded/extracted file and allows for code to be executed on the machine.

Enumerating Chocolatey applications

This week’s release also features a new module from a first-time contributor rad10, which will enumerate all applications that have been installed using Chocolatey.

This could be used when gathering information about a compromised target and potentially vulnerable software present on the machine.

New module content (5)

  • User Profile Arbitrary Junction Creation Local Privilege Elevation by Grant Willcox and KLINIX5, which exploits CVE-2022-26904 - This adds an exploit for CVE-2022-26904, which is an LPE vulnerability affecting Windows 7 through Windows 11. Leveraging this vulnerability can allow a local attacker running as a standard user, who has knowledge of another standard user's credentials, to execute code as NT AUTHORITY\SYSTEM. The PromptOnSecureDesktop setting must also be set to 1 on the affected machine for this exploit to work, which is the default setting.
  • ALLMediaServer 1.6 SEH Buffer Overflow by Hejap Zairy Al-Sharif, which exploits CVE-2022-28381 - A new module has been added in which exploits CVE-2022-28381, a remotely exploitable SEH buffer overflow vulnerability in AllMediaServer version 1.6 and prior. Successful exploitation results in remote code execution as the user running AllMediaServer.
  • Windows Gather Installed Application Within Chocolatey Enumeration by Nick Cottrell - This adds a post module that enumerates applications installed with Chocolatey on Windows systems.
  • #16082 from usiegl00 - This updates the shadow_mitm_dispatcher module by adding a new RubySMB Dispatcher, which allows better integration with RubySMB and enables the use of all the features provided by its client. Both SMBv2 and SMBv3 are now supported.
  • #16401 from space-r7 - This change adds support for CVE-2022-22616 to the existing Gatekeeper bypass exploit module, which reportedly covers macOS Catalina all the way to macOS Monterey versions below 12.3. Since this now targets two CVEs, we've introduced a new CVE option to select which CVE to exploit. The default is the most recent CVE.

Enhancements and features (4)

  • #15972 from sempervictus - This updates the Log4shell scanner with the LEAK_PARAMS option, providing a way to leak more target information such as environment variables.
  • #16320 from dwelch-r7 - This updates Windows Meterpreter payloads to support a new MeterpreterDebugBuild datastore option. When set to true, the generated payload will have additional logging support which is visible via Windows' DbgView program.
  • #16373 from adfoster-r7 - Adds initial support for Ruby 3.1.
  • #16403 from sempervictus - This adds more checks to the post/windows/gather/checkvm module to better detect if the current target is a Qemu / KVM virtual machine.

Bugs fixed (3)

  • #16398 from jmartin-r7 - A number of recent payload adds did not conform to the patterns used for suggesting spec configurations. Tests for these payloads have now been manually added to ensure they will be appropriately tested as part of rspec checks.
  • #16408 from rtpt-alexanderneumann - This fixes an edge case with the multi/postgres/postgres_copy_from_program_cmd_exec module, which crashed when the randomly generated table name started with a number.
  • #16419 from adfoster-r7 - A bug has been fixed whereby when using the search command and searching by disclosure_date, the help menu would instead appear. This has been remedied by improving the date handling logic for the search command.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).