Archive directory traversals, now with your daily allowance of JSP
In a year already full of hot vulnerabilities, CVE-2021-21972 in VMware's vCenter Server may already seem like old news. It's not, though! Thanks to wvu-r7 for grabbing this unauthenticated file upload combined with archive directory traversal to upload some sweet web shells. Also, thanks to smcintyre-r7 for reviewing and testing.
Keeping track of your favorite modules
If Metasploit's more than 3,500 modules ever feel like too much to track, kalba-security has added the favorites command to msfconsole. This new command allows users to save their favorite modules in a list viewable with show favorites. Thanks to space-r7 for helping get this over the line!
Google Summer of Code 2021
We are happy to announce that Metasploit Framework has been accepted for the 2021 iteration of Google Summer of Code! This year we are primarily looking for projects that increase visibility into the data that Metasploit collects or that make using exploitation APIs smoother. For more details on project ideas and how to apply, check out our GSoC wiki page.
New Modules (3)
- VMware vCenter Server Unauthenticated OVA File Upload RCE by wvu, Mikhail Klyuchnikov, Viss, and mr_me, which exploits CVE-2021-21972, an unauthenticated RCE in VMware vCenter Server.
- HPE Systems Insight Manager AMF Deserialization RCE by Grant Willcox, Harrison Neal, and Jang, which exploits ZDI-20-1449 (CVE-2020-7200), targeting the 7.6.x versions of HPE Systems Insight Manager software. Unauthenticated code execution as the user running the HPE SIM software (typically local administrator) can be obtained by sending a serialized AMF request to the
- Microsoft Windows RRAS Service MIBEntryGet Overflow by Equation Group, Shadow Brokers, Víctor Portal, and bcoles, which exploits CVE-2017-8461, a remote code execution vulnerability in the Routing and Remote Access Service (RRAS) on Windows Server 2003. This allows executing arbitrary commands with SYSTEM user privileges.
Enhancements and features
- #14201 from kalba-security implements a new favorite command, which allows users to save favorite / commonly-used modules to a list for easy retrieval later.
- #14732 from zeroSteiner adds a new Java deserialization mixin and modifies existing Java deserialization exploit modules to use the new mixin. Additionally, this fixes both the generation of the ysoserial payloads and the payloads themselves with improvements to the generation script, find_ysoserial_offsets.rb, and pinning the ysoserial version that's used in the generation process.
- #14792 from gwillcox-r7 updates 11 modules targeting Windows systems that were improperly checking the environment architecture, which led to broken WOW64 detection in some cases.
- #14871 from dwelch-r7 ensures that the BinData library is always available for use within modules.
- #14874 from dwelch-r7 fixes autoloading when utilizing Msf::RPC::Client in external tooling.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).