I'm very Emby-ous
Community contributor btnz-k has authored a new Emby Version Scanner module consisting of both an exploit and a scanner for the SSRF vulnerability found in Emby. Emby is a previously open source media server designed to organize, play, and stream audio and video to a variety of devices.
SharePoint of entry
SharePoint, a document management and storage system designed to integrate with Microsoft Office, patched a vuln in May 2021 that allowed authenticated users to perform Remote Code Execution. Our own Spencer McIntyre and wvu authored a PR that allows exploitation of this vulnerability on unpatched systems. The user will need to have the
SPBasePermissions.ManageLists permission on the targeted site, but by default users can manually make their own site where that permission will be present.
New module content (4)
- Emby Version Scanner by Btnz, which exploits CVE-2020-26948 - This PR adds an aux scanner and module to exploit CVE-2020-26948, an SSRF against emby servers
- IPFire 2.25 Core Update 156 and Prior pakfire.cgi Authenticated RCE by Grant Willcox and Mücahit Saratar, which exploits CVE-2021-33393 - A new module has been added to exploit CVE-2021-33393, an authenticated command injection vulnerability in the
/cgi-bin/pakfire.cgiweb page of IPFire devices running versions 2.25 Core Update 156 and prior. Successful exploitation results in remote code execution as the
- HashiCorp Nomad Remote Command Execution by Wyatt Dahlenburg ( - Adds a new multi/misc/nomad_exec module for HashiCorp's Nomad product. This module supports the use of the 'raw_exec' and 'exec' drivers to create a job that spawns a shell.
- Microsoft SharePoint Unsafe Control and ViewState RCE by wvu, Spencer McIntyre, and Unknown, which exploits ZDI-21-573 - A new exploit for CVE-2021-31181 has been added, which exploits a RCE in SharePoint that was patched in May 2021. Successful exploitation requires the attacker to have login credentials for a SharePoint user who has
SPBasePermissions.ManageListspermissions on any SharePoint site, and grants the attacker remote code execution as the user running the SharePoint server.
Enhancements and features
- #15109 from zeroSteiner - An update has been made so that when a user attempts to load an extension that isn't available for the current Meterpreter type, they will now receive a list of payloads that would yield a Meterpreter session that would be capable of loading the specified extension. Additionally, when a user runs a command that's in an extension that hasn't been loaded yet, Metasploit will now tell the user which extension needs to be loaded for the command to run.
- #15187 from dwelch-r7 - Updates the msfdb script to now prompt the user before enabling the remote http webservice functionality, defaulting to being disabled. It is still possible to enable this functionality after the fact with
msfdb --component webservice init
- #15316 from zeroSteiner - The assembly stub used by the
PrependForkoption for Linux payloads has been updated to call
setsid(2)in the child process to properly run the payload in the background before calling
fork(2)again. This ensures the payload properly runs when the target environment is expecting the command or payload to return, and ensures the payloads better emulate the Mettle payload's
backgroundcommand to ensure better consistency across payloads.
- #15319 from pingport80 - This fixes a localization issue in the
post/windows/gather/enum_hyperv_vmsmodule where on non-English systems the error message would not match the specified regular expression.
- #15328 from zeroSteiner - The
lib/msf/core/session/provider/single_command_shell.rblibrary has been updated to address an issue whereby
shell_read_until_tokenmay sometimes fail to return output if the randomized token being used to delimit output is contained within the legitimate output as well.
- #15337 from 0xShoreditch - A bug has been fixed in
apache_activemq_upload_jsp.rbwhereby the URI and filesystem path were not separated appropriately. Additionally, extra checks were added to handle error conditions that may arise during module operation.
- #15340 from adfoster-r7 - A bug was identified in
-dflag was not being correctly honored, preventing users from being able to delete hosts from their database. This has now been fixed.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a
git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).