All posts by Jacquie Harris

Metasploit Weekly Wrap-Up 03/14/25

Post Syndicated from Jacquie Harris original https://blog.rapid7.com/2025/03/14/metasploit-weekly-wrap-up-03-14-25/

New module content (1)

InvoiceShelf unauthenticated PHP Deserialization Vulnerability

Authors: Mickaël Benassouli, Rémi Matasse, and h00die-gr3y
Type: Exploit
Pull request: #19950 contributed by h00die-gr3y
Path: linux/http/invoiceshelf_unauth_rce_cve_2024_55556
AttackerKB reference: CVE-2024-55556

Description: Adds an exploit module for CVE-2024-55556, an unauthenticated PHP deserialization vulnerability in InvoiceShelf.

Bugs fixed (3)

  • #19937 from fabpiaf – Fixes a crash when a running HTTP server attempted to perform HTML escaping.
  • #19944 from Takahiro-Yoko – Enhances the existing module for CVE-2025-0655 by adding a dynamically generated session for bypassing authentication.
  • #19955 from zeroSteiner – Updates the way we tag URLs in gather/ldap_esc_vulnerable_cert_finder to better support vulnerability reporting.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap-Up: 02/28/2025

Post Syndicated from Jacquie Harris original https://blog.rapid7.com/2025/02/28/metasploit-weekly-wrap-up-02-28-2025/

New module content (5)

mySCADA myPRO Manager Credential Harvester (CVE-2025-24865 and CVE-2025-22896)

Author: Michael Heinzl
Type: Auxiliary
Pull request: #19878 contributed by h4x-x0r
Path: admin/scada/mypro_mgr_creds
AttackerKB reference: CVE-2025-22896

Description: This module adds credential harvesting for mySCADA myPRO Manager using CVE-2025-24865 and CVE-2025-22896.

NetAlertX File Read Vulnerability

Authors: chebuya and msutovsky-r7
Type: Auxiliary
Pull request: #19881 contributed by msutovsky-r7
Path: scanner/http/netalertx_file_read
AttackerKB reference: CVE-2024-48766

Description: This adds an auxiliary module allowing arbitrary file read on vulnerable (CVE-2024-48766) NetAlertX targets.

SimpleHelp Path Traversal Vulnerability CVE-2024-57727

Authors: horizon3ai, imjdl, and jheysel-r7
Type: Auxiliary
Pull request: #19894 contributed by jheysel-r7
Path: scanner/http/simplehelp_toolbox_path_traversal
AttackerKB reference: CVE-2024-57727

Description: This adds an auxiliary module for SimpleHelp; the vulnerability (CVE-2024-57727) is a path traversal which allows arbitrary file read.

Invoice Ninja unauthenticated PHP Deserialization Vulnerability

Authors: Mickaël Benassouli, Rémi Matasse, and h00die-gr3y
Type: Exploit
Pull request: #19897 contributed by h00die-gr3y
Path: linux/http/invoiceninja_unauth_rce_cve_2024_55555
AttackerKB reference: CVE-2024-55555

Description: This adds an exploit module for Invoice Ninja. The vulnerability (CVE-2024-55555) is an unauthenticated RCE that is exploitable when the attacker holds the APP_KEY value of the Laravel installation.

RaspberryMatic unauthenticated Remote Code Execution vulnerability through HMServer File Upload.

Authors: h00die-gr3y and h0ng10
Type: Exploit
Pull request: #19841 contributed by h00die-gr3y
Path: linux/http/raspberrymatic_unauth_rce_cve_2024_24578
AttackerKB reference: CVE-2024-24578

Description: Adds support for CVE-2024-24578, an unauthenticated file write and ZipSlip vulnerability: an attacker can upload a compressed file whose entries are not bounds-checked before the archive is expanded automatically, allowing arbitrary files to be overwritten. In this case, the module overwrites the watchdog script, which a cron job runs every 5 minutes.
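As an added defender-side example (not code from the Metasploit module or from the RaspberryMatic project), the following Python shows the bounds check a ZipSlip-safe extractor performs: every entry name is resolved against the destination directory before anything is written, and an archive containing an escaping entry is refused as a whole. The sample archive, its entry names and the destination paths are constructed here and are assumptions.

```python
"""Hardened zip extraction that refuses ZipSlip entries.

Added example; not part of the Metasploit module or RaspberryMatic.
The archive below is built inline from constructed sample data.
"""
import io
import os
import tempfile
import zipfile


def build_archive(entries):
    """Build an in-memory zip from {entry_name: bytes} (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            # writestr() keeps the entry name verbatim, so '../' and leading
            # '/' survive exactly as a hostile archive would carry them.
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: one benign entry plus two entries that an extractor
# without a bounds check would write outside the destination directory.
SAMPLE_ARCHIVE = build_archive({
    "config/settings.txt": b"threshold=5\n",
    "../../usr/local/bin/watchdog.sh": b"#!/bin/sh\necho replaced\n",  # traversal
    "/etc/hostname": b"evil\n",  # absolute path
})


def entry_is_safe(name, dest_dir):
    """True if extracting `name` under dest_dir stays inside dest_dir.

    Pure string check (no filesystem access): empty names, backslashes,
    absolute paths, drive letters and '..' components that climb above
    dest_dir are all rejected.
    """
    if not name:
        return False
    if "\\" in name or name.startswith("/") or os.path.splitdrive(name)[0]:
        return False
    dest = os.path.normpath(os.path.abspath(dest_dir))
    target = os.path.normpath(os.path.join(dest, name))
    return os.path.commonpath([dest, target]) == dest


def unsafe_entries(zip_bytes, dest_dir="/srv/extract"):
    """Names of entries that would escape dest_dir (the ZipSlip check)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not entry_is_safe(n, dest_dir)]


def safe_extract(zip_bytes, dest_dir):
    """Extract only after every entry passes the check; return written paths.

    All-or-nothing: a single escaping entry aborts before any file is
    written. Recent Python versions of zipfile also sanitise names on
    extract, but other extractors do not, so the explicit pre-check is
    the part to carry over to whatever unpacks uploads in your service.
    """
    bad = unsafe_entries(zip_bytes, dest_dir)
    if bad:
        raise ValueError("archive has entries escaping %s: %s" % (dest_dir, bad))
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            out = zf.extract(info, dest_dir)
            written.append(os.path.relpath(out, dest_dir))
    return written


def demo():
    """Benign archive extracts; the hostile sample is refused."""
    benign = build_archive({"config/settings.txt": b"threshold=5\n"})
    with tempfile.TemporaryDirectory() as tmp:
        written = safe_extract(benign, tmp)
        try:
            safe_extract(SAMPLE_ARCHIVE, tmp)
            refused = False
        except ValueError:
            refused = True
    return written, refused


if __name__ == "__main__":
    print("unsafe:", unsafe_entries(SAMPLE_ARCHIVE))
    print("demo:", demo())
```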

Bugs fixed (1)

  • #19893 from bwatters-r7 – This removes a CVE reference from an LPE because the vulnerability identified by the CVE is not exploited in the LPE module. The CVE was instead referring to an RCE which led to the discovery of the technique employed by the RCE. The LPE technique was never acknowledged by the vendor as a vulnerability.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Wrap-Up 01/10/2025

Post Syndicated from Jacquie Harris original https://blog.rapid7.com/2025/01/10/metasploit-wrap-up-01-10-2025/

New module content (4)

GameOver(lay) Privilege Escalation and Container Escape

Authors: bwatters-r7, g1vi, gardnerapp, and h00die
Type: Exploit
Pull request: #19460 contributed by gardnerapp
Path: linux/local/gameoverlay_privesc
AttackerKB reference: CVE-2023-2640

Description: Adds a module for CVE-2023-2640 and CVE-2023-32629, a local privilege escalation in some Ubuntu kernel versions that abuses overly trusting OverlayFS features.

Clinic’s Patient Management System 1.0 – Unauthenticated RCE

Authors: Aaryan Golatkar and Oğulcan Hami Gül
Type: Exploit
Pull request: #19733 contributed by aaryan-11-x
Path: multi/http/clinic_pms_fileupload_rce
AttackerKB reference: CVE-2022-40471

Description: New exploit module for Clinic’s Patient Management System 1.0, tracked as CVE-2022-40471. The module exploits an unrestricted file upload, which can then be used to gain remote code execution (RCE) through a malicious PHP file.

WordPress WP Time Capsule Arbitrary File Upload to RCE

Authors: Rein Daelman and Valentin Lobstein
Type: Exploit
Pull request: #19713 contributed by Chocapikk
Path: multi/http/wp_time_capsule_file_upload_rce
AttackerKB reference: CVE-2024-8856

Description: This exploits a Remote Code Execution (RCE) vulnerability identified as CVE-2024-8856 in the WordPress WP Time Capsule plugin (versions ≤ 1.22.21). This vulnerability allows unauthenticated attackers to upload and execute arbitrary files due to improper validation within the plugin.

WSO2 API Manager Documentation File Upload Remote Code Execution

Authors: Heyder Andrade <@HeyderAndrade>, Redway Security <redwaysecurity.com>, and Siebene@ <@Siebene7>
Type: Exploit
Pull request: #19647 contributed by heyder
Path: multi/http/wso2_api_manager_file_upload_rce

Description: Adds an exploit module for a vulnerability in the ‘Add API Documentation’ feature of WSO2 API Manager, which allows users with specific permissions to upload arbitrary files to a user-controlled location on the server. This flaw allows for RCE on the target system.

Enhancements and features (4)

  • #19546 from adfoster-r7 – Improves the database module cache performance from ~3 minutes to ~1 minute by performing bulk inserts of module metadata instead of multiple smaller inserts for every module/reference/author/etc.
  • #19660 from zeroSteiner – Updates OptEnum to validate values without being case sensitive while preserving the case the author was expecting.
  • #19715 from oddlittlebird – Improves db/README.md documentation.
  • #19718 from sjanusz-r7 – Exposes the currently authenticated rpc_token to RPC handlers.

Bugs fixed (3)

  • #19719 from bwatters-r7 – A bug in the fetch payload produced a malformed bash command when FETCH_DELETE was set to true, causing a syntax error. While testing the fix for that error, we noticed a race condition that could delete the payload file before it was executed. The final fix adds a random sleep between executing and deleting the payload, which prevents the race and keeps the bash syntax valid.
  • #19721 from bwatters-r7 – This updates the way the module checks the Windows build version to determine if it’s vulnerable to CVE-2020-0668.
  • #19739 from sjanusz-r7 – Fixes an issue with the post/multi/recon/local_exploit_suggester module which would crash if a TARGET value was set.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap-Up 10/04/2024

Post Syndicated from Jacquie Harris original https://blog.rapid7.com/2024/10/04/metasploit-weekly-wrap-up-10-04-2024/

New module content (3)

cups-browsed Information Disclosure

Authors: bcoles and evilsocket
Type: Auxiliary
Pull request: #19510 contributed by bcoles
Path: scanner/misc/cups_browsed_info_disclosure

Description: Adds scanner module to retrieve CUPS version and kernel version information from cups-browsed services.

Acronis Cyber Infrastructure default password remote code execution

Authors: Acronis International GmbH and h00die-gr3y
Type: Exploit
Pull request: #19463 contributed by h00die-gr3y
Path: linux/http/acronis_cyber_infra_cve_2023_45249
AttackerKB reference: CVE-2023-45249

Description: This module exploits a default password vulnerability in Acronis Cyber Infrastructure (ACI) which allows an attacker to access the ACI PostgreSQL database and gain administrative access to the ACI Web Portal. This in turn allows the attacker to upload SSH keys that enable root access to the appliance/server. The attack can be executed remotely over the WAN as long as the PostgreSQL and SSH services are exposed to the outside world.

VICIdial Authenticated Remote Code Execution

Authors: Jaggar Henry of KoreLogic, Inc. and Valentin Lobstein
Type: Exploit
Pull request: #19456 contributed by Chocapikk
Path: unix/webapp/vicidial_agent_authenticated_rce
AttackerKB reference: CVE-2024-8504

Description: This adds a module to exploit CVE-2024-8504, an authenticated RCE in VICIdial.

Enhancements and features (3)

  • #19466 from jvoisin
  • #19471 from zeroSteiner – This adds a plugin that offers the fzuse command to offer a different UI for the selection of modules. It requires fzf to be present.
  • #19480 from jvoisin – This updates exploits/linux/local/service_persistence.rb to work on systems that are running OpenRC. This module will create a service on the box, and mark it for auto-restart.

Bugs fixed (2)

  • #19523 from adfoster-r7
  • #19526 from sjanusz-r7 – Reverts the Readline to Reline library upgrade, to fix an issue where users could not input Chinese characters correctly.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap-Up 07/26/2024

Post Syndicated from Jacquie Harris original https://blog.rapid7.com/2024/07/26/metasploit-weekly-wrap-up-41/

New module content (3)

Magento XXE Unserialize Arbitrary File Read

Authors: Heyder and Sergey Temnikov
Type: Auxiliary
Pull request: #19304 contributed by heyder
Path: gather/magento_xxe_cve_2024_34102
AttackerKB reference: CVE-2024-34102

Description: This adds an auxiliary module for an XXE that results in an arbitrary file read in Magento, tracked as CVE-2024-34102.

Ghostscript Command Execution via Format String

Authors: Christophe De La Fuente and Thomas Rinsma
Type: Exploit
Pull request: #19313 contributed by cdelafuente-r7
Path: multi/fileformat/ghostscript_format_string_cve_2024_29510
AttackerKB reference: CVE-2024-29510

Description: This adds an exploit module targeting CVE-2024-29510, a format string vulnerability in Ghostscript versions before 10.03.1 to achieve a SAFER sandbox bypass and execute arbitrary commands.

Softing Secure Integration Server v1.22 Remote Code Execution

Authors: Chris Anastasio (muffin) of Incite Team, Imran E. Dawoodjee, and Steven Seeley (mr_me) of Incite Team
Type: Exploit
Pull request: #19084 contributed by ide0x90
Path: windows/http/softing_sis_rce
CVE reference: ZDI-22-1156

Description: This adds a module targeting CVE-2022-1373 and CVE-2022-2334 as an exploit chain against Softing Secure Integration Server 1.22.

Enhancements and features (2)

  • #19338 from adfoster-r7 – Improves error handling and progress tracking in the auxiliary/gather/kerberos_enumusers and gather/asrep modules.
  • #19340 from adfoster-r7 – Improves setg SessionLogging support to work with command shells, and allows logging to be turned on/off at any point – not just for newly created sessions.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Wrap-Up 03/08/2024

Post Syndicated from Jacquie Harris original https://blog.rapid7.com/2024/03/08/metasploit-wrap-up-03-08-2024/

New module content (2)

GitLab Tags RSS feed email disclosure

Authors: erruquill and n00bhaxor
Type: Auxiliary
Pull request: #18821 contributed by n00bhaxor
Path: gather/gitlab_tags_rss_feed_email_disclosure
AttackerKB reference: CVE-2023-5612

Description: This adds an auxiliary module that leverages an information disclosure vulnerability (CVE-2023-5612) in GitLab versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 to retrieve user email addresses via the tags RSS feed.

BoidCMS Command Injection

Authors: 1337kid and bwatters-r7
Type: Exploit
Pull request: #18827 contributed by bwatters-r7
Path: multi/http/cve_2023_38836_boidcms
AttackerKB reference: CVE-2023-38836

Description: This PR adds an authenticated RCE against BoidCMS versions 2.0.0 and earlier. The underlying issue in CVE-2023-38836 is that the file upload check allows a PHP file to be uploaded and executed as a media file if a GIF header is present in the PHP file.

Enhancements and features (11)

  • #18686 from h00die – This updates the existing auxiliary/scanner/ssh/ssh_version module with new checks for supported cryptographic algorithms and version detection capabilities.
  • #18715 from errorxyz – This adds a Splunk library for use by future modules. It also updates the existing exploit/multi/http/splunk_privilege_escalation_cve_2023_32707 module to use it.
  • #18796 from errorxyz – This updates the ManageEngine Endpoint Central and ServiceDesk Plus RCE modules for CVE-2022-47966. Particularly, it adds a Java target to be able to use Java-based payloads.
  • #18862 from sjanusz-r7 – This PR aligns the client’s peerhost and peerport API for the recently added SQL-based sessions (postgres, mssql, mysql).
  • #18875 from dwelch-r7 – This PR adds conditional validation of options depending on the chosen connection type, so for example if you want to connect via RHOST we also check (where applicable) that RPORT or the USERNAME is set. When a connection is made over an existing SESSION we can still allow the user to only set SESSION and not worry about the missing values only required for a new RHOST connection.
  • #18887 from cgranleese-r7 – Updates the search command to now search modules that are compatible with a specified session type, for instance: search session_type:meterpreter or search session_type:smb.
  • #18903 from sjanusz-r7 – This PR improves the UX by correctly handling database changes, updating the prompt to show the appropriate database value in the context of a MySQL or MSSQL session.
  • #18905 from cgranleese-r7 – Improves the pwd command output for SMB sessions.
  • #18908 from adfoster-r7 – Updates the SAMR computer and ICPR cert modules to support SMB sessions.
  • #18921 from dwelch-r7 – This adds the IP address to the SMB session prompt when there is no selected share.
  • #18926 from cgranleese-r7 – Updates sessions to have a consistent set of local file system commands.

Bugs fixed (5)

  • #18844 from sfewer-r7 – This fixes a bug in the file dropper mixin that would prevent files from being deleted with a Windows shell session.
  • #18897 from adfoster-r7 – Updates the smb_login module to support configuring the negotiated SMB protocol versions and whether encryption is negotiated.
  • #18904 from double16 – Fixes the windows/gather/bloodhound module to no longer incorrectly validate the OutputDirectory option.
  • #18920 from dwelch-r7 – This PR fixes an issue with the autorunscript module option within an SMB session.
  • #18928 from dwelch-r7 – This PR fixes an issue when running the auxiliary/gather/windows_secrets_dump module while using the SESSION module option to connect, that caused the client to be disconnected and unable to be reused for subsequent runs/other modules.

Documentation (1)

  • #18929 from adfoster-r7 – Updates the Metasploit API documentation library to the latest available version to avoid CVE-2024-27285 – an XSS in the default YARD template. Thanks to Aviv Keller for reporting.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap-Up 1/05/2024

Post Syndicated from Jacquie Harris original https://blog.rapid7.com/2024/01/05/metasploit-weekly-wrap-up-40/

New module content (2)

Splunk __raw Server Info Disclosure

Authors: KOF2002, h00die, and n00bhaxor
Type: Auxiliary
Pull request: #18635 contributed by n00bhaxor
Path: gather/splunk_raw_server_info

Description: This PR adds a module for an authenticated Splunk information disclosure vulnerability. This module gathers information about the host machine and the Splunk install including OS version, build, CPU arch, Splunk license keys, etc.

[msf](Jobs:0 Agents:0) > use auxiliary/gather/splunk_raw_server_info 
[msf](Jobs:0 Agents:0) auxiliary(gather/splunk_raw_server_info) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
[msf](Jobs:0 Agents:0) auxiliary(gather/splunk_raw_server_info) > set username admin
username => admin
[msf](Jobs:0 Agents:0) auxiliary(gather/splunk_raw_server_info) > set password splunksplunk
password => splunksplunk
[msf](Jobs:0 Agents:0) auxiliary(gather/splunk_raw_server_info) > set verbose true
verbose => true
[msf](Jobs:0 Agents:0) auxiliary(gather/splunk_raw_server_info) > run
[*] Running module against 127.0.0.1
[+] Output saved to /root/.msf4/loot/20231220204049_default_127.0.0.1_splunk.system.st_943292.json
[+] Hostname: 523a845e8652
[+] CPU Architecture: x86_64
[+] Operating System: Linux
[+] OS Build: #1 SMP PREEMPT_DYNAMIC Debian 6.5.6-1kali1 (2023-10-09)
[+] OS Version: 6.5.0-kali3-amd64
[+] Splunk Version: 7.1.0
[+] Trial Version?: false
[+] Splunk Forwarder?: false
[+] Splunk Product Type: splunk
[+] License State: OK
[+] License Key(s): ["FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"]
[+] Splunk Server Roles: ["indexer", "license_master"]
[+] Splunk Server Startup Time: 2023-12-21 01:40:02
[*] Auxiliary module execution completed

Craft CMS unauthenticated Remote Code Execution (RCE)

Authors: Thanh, chybeta, and h00die-gr3y
Type: Exploit
Pull request: #18612 contributed by h00die-gr3y
Path: linux/http/craftcms_unauth_rce_cve_2023_41892

Description: This adds an exploit module that leverages a remote code execution vulnerability in CraftCMS versions between 4.0.0-RC1 and 4.4.14. This vulnerability is identified as CVE-2023-41892 and allows an unauthenticated attacker to execute arbitrary code remotely.

Enhancements and features (2)

  • #18610 from sjanusz-r7 – This PR enables the Metasploit Payload Warnings feature by default. When enabled, Metasploit outputs warnings about missing Metasploit payloads, for instance if they were removed by antivirus.
  • #18632 from jvoisin – This PR adds improvements to the Glibc Tunables Privilege Escalation module. In the event the file command is not present on the target the module will try to use the readelf command to get the ld.so build ID and determine whether or not the target is compatible with the exploit.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Metasploit Weekly Wrap Up

Post Syndicated from Jacquie Harris original https://blog.rapid7.com/2023/10/06/metasploit-weekly-wrap-up-30/

New module content (3)

LDAP Login Scanner

Author: Dean Welch
Type: Auxiliary
Pull request: #18197 contributed by dwelch-r7
Path: scanner/ldap/ldap_login

Description: This PR adds a new login scanner module for LDAP. Login scanners are the classes that provide functionality for testing authentication against various protocols and mechanisms. This LDAP login scanner supports multiple types of authentication, including Plaintext, NTLM, Kerberos and SChannel.

Junos OS PHPRC Environment Variable Manipulation RCE

Authors: Jacob Baines, Ron Bowes, and jheysel-r7
Type: Exploit
Pull request: #18389 contributed by jheysel-r7
Path: freebsd/http/junos_phprc_auto_prepend_file

Description: This adds an exploit module that leverages a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls and EX switches. This vulnerability is identified as CVE-2023-36845 and allows an attacker to achieve unauthenticated remote code execution as a low privileged user. This module also includes a jailbreak feature that consists of changing the root password and establishing an SSH session as the root user. The original password is restored when the module terminates.

Progress Software WS_FTP Unauthenticated Remote Code Execution

Author: sfewer-r7
Type: Exploit
Pull request: #18414 contributed by sfewer-r7
Path: windows/http/ws_ftp_rce_cve_2023_40044

Description: This module exploits an unsafe .NET deserialization vulnerability to achieve unauthenticated remote code execution against a vulnerable WS_FTP server running the Ad Hoc Transfer module. All versions of WS_FTP server prior to 8.7.4 and 8.8.2 are vulnerable to this issue. The vulnerability was originally discovered by AssetNote.

AttackerKB Assessment: (https://attackerkb.com/topics/bn32f9sNax/cve-2023-40044/rapid7-analysis)

Enhancements and features (6)

  • #17919 from bcoles – This PR adds support for starting and stopping Windows services using the service control manager to shell payloads.
  • #18338 from smashery – This PR updates the kerberos.rb library such that when a Kerberos login is attempted for a user where pre-authentication is not required, the module now requests an RC4-HMAC ticket, since it’s more easily crackable.
  • #18363 from j0ev – This PR adds support for outputting payloads in octal in both framework and venom.
  • #18412 from zeroSteiner – This adds additional usage tips to Metasploit, expanding the pool that is selected from on startup.
  • #18420 from smashery – This PR updates the user-agent string reported by our http payloads. We update this periodically to make sure that our payloads don’t stick out by having an older user agent string.
  • #18425 from adfoster-r7 – Adds history support to the nasm and metasm shells. Now when re-opening these shells, previously typed commands should be remembered and available.

Bugs fixed (1)

  • #18372 from gcarmix – Fixed an issue in the generic shell download command.

Documentation added (3)

  • #18277 from cnnrshd – This PR adds new documentation for how to create a command injection exploit module.
  • #18347 from bwatters-r7 – This PR updates the how-to-write-a-check-method docs to better explain why fail_with should not be used, aligning with best practices for making sure a check method returns a check code.
  • #18393 from adfoster-r7 – Updates the running modules landing page on the Wiki with more beginner friendly information on searching for and running modules.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Jacquie Harris original https://blog.rapid7.com/2023/02/17/metasploit-wrap-up-193/

Cisco RV Series Auth Bypass and Command Injection

Thanks to community contributor neterum, Metasploit Framework just gained an awesome new module which targets Cisco Small Business RV Series Routers. The module actually exploits two vulnerabilities, an authentication bypass (CVE-2022-20705) and a command injection vulnerability (CVE-2022-20707), in order to achieve code execution in the context of the www-data user.

New module content (2)

Cisco RV Series Authentication Bypass and Command Injection

Authors: Biem Pham, Neterum, and jbaines-r7
Type: Exploit
Pull request: #17599 contributed by neterum
AttackerKB reference: CVE-2022-20707

Description: An exploit for Cisco RV160, RV260, RV340 and RV345 Small Business Routers prior to firmware version 1.0.03.26 has been added which exploits CVE-2022-20705, an authentication bypass, and CVE-2022-20707, a command injection vulnerability, to achieve remote code execution as the www-data user on affected devices as an unauthenticated attacker.

GitLab GitHub Repo Import Deserialization RCE

Authors: Heyder Andrade, RedWay Security, and William Bowling (vakzz)
Type: Exploit
Pull request: #17281 contributed by heyder
AttackerKB reference: CVE-2022-2992

Description: This adds an exploit for CVE-2022-2992, an authenticated remote command execution vulnerability in GitLab.

Enhancements and features (1)

  • #17594 from zeroSteiner – The DLL template code has been updated so that tools such as msfvenom can use DLL templates with payloads that were larger than 4096 bytes, such as unstaged payloads. Note that this update only applies to the default DLL templates that Metasploit provides, and not to external DLL templates which are restricted to 4096 bytes at this time.

Bugs fixed (1)

  • #17645 from adfoster-r7 – Fixes a bug that caused warnings to be output on Arch Linux environments when starting msfconsole.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).