Last updated at Fri, 16 Jun 2023 20:40:51 GMT
Metasploit T-Shirt Design Contest
In honor of Metasploit's 20th anniversary, Rapid7 is launching special edition t-shirts, and we're inviting members of our community to have a hand in their creation. The contest winner will have their design featured on the shirts, which will then be available to pick up at Black Hat 2023.
We will be accepting submissions from now through June 30! Contest details, design guidelines, and submission instructions here
New module content (12)
RPyC 4.1.0 through 4.1.1 Remote Command Execution
Description: Adds a new rpyc_rce module to exploit CVE-2019-16328 and achieve remote command execution as the vulnerable server's service user.
Apache RocketMQ Version Scanner
Description: This PR adds a version scanner for Apache RocketMQ.
Symmetricom SyncServer Unauthenticated Remote Command Execution
Description: This adds an exploit for Symmetricom SyncServer appliances (S100-S300 series) vulnerable to an unauthenticated command injection in the hostname parameter in a request to the /controller/ping.php endpoint. The command injection vulnerability is patched in the S650 v2.2. Requesting the endpoint will result in a redirect to the login page; however, the command will still be executed, resulting in RCE as the
TerraMaster TOS 4.2.06 or lower - Unauthenticated Remote Code Execution
Description: This adds an exploit for TerraMaster NAS devices running TOS 4.2.06 or prior. The logic in include/makecvs.php permits shell metacharacters through the Event parameter in a GET request, permitting the upload of a webshell without authentication. Through this, an attacker can achieve remote code execution as the user running the TOS web interface.
TerraMaster TOS 4.2.15 or lower - RCE chain from unauthenticated to root via session crafting.
Description: This exploits a series of vulnerabilities including session crafting and command injection in TerraMaster NAS versions 4.2.15 and below to achieve unauthenticated RCE as the
TerraMaster TOS 4.2.29 or lower - Unauthenticated RCE chaining CVE-2022-24990 and CVE-2022-24989
Description: This exploits an administrative password leak and command injection vulnerability on TerraMaster devices running TerraMaster Operating System (TOS) versions 4.2.29 and below to achieve unauthenticated RCE as the
Zyxel IKE Packet Decoder Unauthenticated Remote Code Execution
Description: This adds an exploit for CVE-2023-28771, a remote, unauthenticated OS command injection in the IKE service of several Zyxel devices. Successful exploitation results in remote command execution as the
Oracle Weblogic PreAuth Remote Command Execution via ForeignOpaqueReference IIOP Deserialization
Description: This adds an exploit for CVE-2023-21839 which is an unauthenticated RCE in Oracle Weblogic. Successful exploitation results in remote code execution as the
Three x86 Linux Fetch Payloads
Author: Spencer McIntyre
Pull request: #18084
Description: Fetch and execute an x86 payload from an HTTP server. These modules were developed live on stream. Fetch-based payloads offer a shorter path from command injection to a Metasploit session.
Description: This adds the post/windows/manage/make_token module, which is capable of creating new tokens from known credentials and then setting them in a running instance of Meterpreter, which can allow that session to access resources it might not have previously been able to access.
Enhancements and features (11)
- #17336 from smashery - This PR adds new code to simplify and standardize windows version checking and comparisons.
- #17781 from araout42 - Adds support for module writers to supply a custom include_dirs array when using the MinGW library to compile payloads.
- #17942 from cdelafuente-r7 - The script generated by the web_delivery module is blocked by the Antimalware Scan Interface (AMSI) on newer versions of Windows. This PR includes an enhancement which allows the web_delivery module to bypass AMSI.
- #17955 from jvoisin - Reduces the size of PHP payloads such as
- #18050 from adfoster-r7 - Adds a new post/test/all module which will run all available post/test modules against the open session.
- #18069 from sempervictus - This updates the LDAP server library to handle unbind requests.
- #18089 from shellchocolat - Adds supports for masm output format when generating payloads.
- #18106 from adfoster-r7 - This PR updates Meterpreter's setg SessionTLVLogging true support to no longer truncate useful values such as payload UUIDs, file paths, executed commands, etc.
- #18109 from adfoster-r7 - Update test post modules to always have a clean, writable, and consistent test file system directory when running modules under the loadpath test/modules directory.
- #18110 from adfoster-r7 - When running test modules that have been loaded by loadpath test/modules, any verbose printing logic generated will now be prefixed by the current test that is being run.
- #18115 from adfoster-r7 - This PR updates unknown Windows errors in the Python Meterpreter to include the original error code.
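The unbind handling in #18069 is the one LDAP operation a server answers with silence: RFC 4511 defines UnbindRequest as [APPLICATION 2] NULL, the client expects no response, and the server is meant to close the connection rather than reply. As an added example (not Metasploit's LDAP server library), the following Python decodes the BER framing of an LDAPMessage far enough to dispatch on the protocolOp tag and treats unbind that way. The two sample messages are constructed by hand, and message IDs are assumed to fit in a single byte.

```python
# Added example, not Metasploit code: minimal BER decoding of LDAPMessage
# framing and the server-side treatment of UnbindRequest (RFC 4511 4.3).

# Application-class protocolOp tags from RFC 4511 section 4.
OP_NAMES = {
    0x60: "BindRequest",      # [APPLICATION 0] SEQUENCE
    0x42: "UnbindRequest",    # [APPLICATION 2] NULL (primitive)
    0x63: "SearchRequest",    # [APPLICATION 3] SEQUENCE
    0x66: "ModifyRequest",    # [APPLICATION 6] SEQUENCE
    0x68: "AddRequest",       # [APPLICATION 8] SEQUENCE
    0x4A: "DelRequest",       # [APPLICATION 10] LDAPDN (primitive)
    0x50: "AbandonRequest",   # [APPLICATION 16] MessageID (primitive)
    0x77: "ExtendedRequest",  # [APPLICATION 23] SEQUENCE
}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element at buf[pos:]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized BER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated element body")
    return tag, buf[pos:pos + length], pos + length


def parse_ldap_message(data):
    """Decode LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp ... }.

    Returns (message_id, op_name, op_value, bytes_consumed)."""
    tag, body, end = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    id_tag, id_val, pos = _read_tlv(body, 0)
    if id_tag != 0x02:
        raise ValueError("messageID must be an INTEGER")
    message_id = int.from_bytes(id_val, "big", signed=True)
    op_tag, op_val, _ = _read_tlv(body, pos)
    return message_id, OP_NAMES.get(op_tag, "op-0x%02x" % op_tag), op_val, end


def _tlv(tag, value):
    # Short-form length only; the responses built here are well under 128 bytes.
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value


def _bind_response(message_id, result_code):
    # BindResponse [APPLICATION 1]: resultCode ENUMERATED, matchedDN "", diagnosticMessage "".
    body = _tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, b"")
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x61, body))


def handle(data):
    """Server-side dispatch for one message: returns (response, close_connection)."""
    message_id, op, _, _ = parse_ldap_message(data)
    if op == "UnbindRequest":
        # No response is defined for unbind; the server simply closes.
        return b"", True
    if op == "BindRequest":
        # Assumption for the example: every bind is accepted (success = 0).
        return _bind_response(message_id, 0), False
    # Other operations would be dispatched here; keep the connection open.
    return b"", False


# Constructed samples: anonymous simple bind (messageID 1), then unbind (messageID 2).
BIND_REQ = bytes.fromhex("300c020101600702010304008000")
UNBIND_REQ = bytes.fromhex("30050201024200")

if __name__ == "__main__":
    for msg in (BIND_REQ, UNBIND_REQ):
        mid, op, _, _ = parse_ldap_message(msg)
        resp, close = handle(msg)
        print(mid, op, resp.hex(), "close" if close else "keep")
```

A server that lacks this branch either answers an unbind with an error (which the client never reads) or keeps the socket open until the peer times out; the important behaviour is the `close_connection` flag, not the absence of bytes.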
Bugs fixed (15)
- #18051 from adfoster-r7 - Adds additional skip calls to the test/post modules to ensure that only relevant test expectations are run against the specified session without crashes.
- #18054 from bwatters-r7 - This PR fixes the issue where an ArgumentError was thrown on the FETCH_SRVHOST option when running the info command when using a fetch payload.
- #18068 from smashery - Fixes a bug that caused multi/manage/shell_to_meterpreter to not break when
- #18076 from smashery - This fixes a bug in the Windows Meterpreter's memory free API.
- #18083 from zeroSteiner - A bug has been fixed in the stdapi extension of Meterpreter when calling the stdapi_sys_process_memory_free command. The command mishandled memory, leading to a double free that would crash Meterpreter.
- #18090 from adfoster-r7 - The EXPORT action will now consistently order exported entries.
- #18097 from adfoster-r7 - This PR stops Python Meterpreter sessions from crashing when extracting macOS network configuration when using the
- #18098 from adfoster-r7 - This PR fixes rex-text crashes when running under Ruby 3.3.
- #18099 from adfoster-r7 - This PR fixes Python Meterpreter subprocess deadlock and file descriptor leak caused by the stdout/stderr file descriptors not being closed.
- #18101 from adfoster-r7 - This PR fixes a Python Meterpreter macOS route command crash when ifconfig reports a gateway name as a MAC address separated by dots.
- #18102 from adfoster-r7 - This PR fixes false negatives when checking whether a file exists on the Windows Python Meterpreter.
- #18105 from adfoster-r7 - This PR fixes a bug when running the time command in msfconsole with complex commands.
- #18108 from adfoster-r7 - Updates the test/services module to more consistently pass. This module is useful for developers contributing enhancements or new functionality to Meterpreter and other payloads. It is available after running
- #18111 from adfoster-r7 - This PR fixes an initialized constant error when Meterpreter registry key reads timeout.
- #18112 from adfoster-r7 - This PR fixes a symlink test bug when running the Python Meterpreter on Windows.
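The deadlock and descriptor leak fixed in #18099 is a general subprocess pitfall rather than anything Meterpreter-specific: a parent that reads one pipe to EOF before touching the other stalls as soon as the child fills the untouched pipe's kernel buffer (64 KiB on Linux), and pipe objects that are never closed leak two descriptors per spawn. As an added example, not the Python Meterpreter's code, the following shows the prone pattern beside the safe one. The child program is constructed for the demonstration, and /proc/self/fd is assumed available for the descriptor count.

```python
# Added example, not Meterpreter code: the stdout/stderr pipe deadlock and
# descriptor leak, with the pattern that avoids both.
import os
import subprocess
import sys

# Constructed child: interleaves 1 KiB writes to stdout and stderr, so a
# parent draining only stdout blocks once the unread stderr pipe is full.
CHILD = (
    "import sys\n"
    "n = int(sys.argv[1])\n"
    "for _ in range(n):\n"
    "    sys.stdout.write('o' * 1024); sys.stdout.flush()\n"
    "    sys.stderr.write('e' * 1024); sys.stderr.flush()\n"
)


def _child_argv(chunks):
    return [sys.executable, "-c", CHILD, str(chunks)]


def run_deadlock_prone(chunks):
    """The pattern to avoid (shown, not run): reads stdout to EOF, then
    stderr, and never closes the pipe objects. With chunks > 64 the child
    blocks writing stderr, stdout never reaches EOF, and this never returns;
    if anything raises, the two pipe descriptors are leaked as well."""
    proc = subprocess.Popen(_child_argv(chunks),
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out = proc.stdout.read()   # blocks forever once stderr's buffer is full
    err = proc.stderr.read()
    return proc.wait(), len(out), len(err)


def run_safely(chunks, timeout=60):
    """Drain both pipes concurrently and always close them.

    communicate() services both pipes at once, so the child can never stall
    on a full buffer, and the Popen context manager closes stdout/stderr and
    reaps the child on exit, including when communicate() raises."""
    with subprocess.Popen(_child_argv(chunks),
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE) as proc:
        try:
            out, err = proc.communicate(timeout=timeout)
        except subprocess.TimeoutExpired:
            proc.kill()
            out, err = proc.communicate()
    return proc.returncode, len(out), len(err)


def open_fd_count():
    """Number of open descriptors in this process (Linux /proc only)."""
    try:
        return len(os.listdir("/proc/self/fd"))
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    before = open_fd_count()
    print(run_safely(256))          # 256 KiB on each stream, well past 64 KiB
    print("fds before/after:", before, open_fd_count())
```

The descriptor count is the quick regression check for the leak half of the bug: spawn a few hundred children with the prone pattern and the count climbs by two each time, while the safe version returns to its starting value.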
Documentation added (1)
You can always find more documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).