Last updated at Fri, 02 Dec 2022 21:21:30 GMT
This week's Metasploit release includes an exploit module for
CVE-2022-41082, AKA ProxyNotShell by DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q, Orange Tsai, Piotr Bazydło, Rich Warren, Soroush Dalili, and our very own Spencer McIntyre. The vulnerability
CVE-2022-41082, AKA ProxyNotShell is a deserialization flaw in Microsoft Exchange's PSRP backend. Microsoft Exchange Server 2019, Exchange Server 2016 and Exchange Server 2013 are vulnerable to a server-side request forgery (SSRF) attack and remote code execution. An authenticated attacker can use the combination of these two vulnerabilities to elevate privileges and execute arbitrary code on the target Exchange server. For more information, see CVE-2022-41082 and CONTROL YOUR TYPES OR GET PWNED. The ProxyNotShell exploit also added new Exchange SSRF functionality that allows both it and the previous ProxyShell module to target Exchange server instances which utilize a Data Access Group (DAG) backend. The Metasploit team has yet to see another public Proof of Concept that takes this configuration type into account.
Remote Control Collection RCE
Community contributors h00die and H4rk3nz0 also introduced another exploit module in this week's release. This module targets the remote control software which allows a remote person to connect and execute screen commands via mobile devices. Note that this module will only deploy a payload if the server is set without a password (default). A side note, if you're looking to learn more about how you can use metasploit to hack target servers using remote code vulnerabilities, you might find this video (https://www.youtube.com/watch?v=eLbBR956Tgw) helpful.
New module content (2)
- Microsoft Exchange ProxyNotShell RCE by DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q, Orange Tsai, Piotr Bazydło, Rich Warren, Soroush Dalili, and Spencer McIntyre, which exploits CVE-2022-41082 - This adds an exploit module for
CVE-2022-41082, AKA ProxyNotShell. This vulnerability is a deserialization flaw in Microsoft Exchange's PSRP backend. The PSRP backend can be accessed by an authenticated attacker leveraging the SSRF flaw identified as
GHSA-6ph7-8wxv-6gf2. Together, these vulnerabilities allow an authenticated attacker to execute arbitrary commands on a Microsoft Exchange Server.
- Remote Control Collection RCE by H4rk3nz0 and h00die - This PR adds an exploit targeting the Remote Control Server software which allows remote control of a PC, now including running a payload.
Enhancements and features (1)
- #17304 from om3rcitak - Improves
auxiliary/scanner/http/tomcat_mgr_login.rberror message on 401 status codes to include the user defined URI.
Bugs fixed (2)
- #17163 from jheysel-r7 - This fixes a bug in the check method where we left an artifact on disk.
- #17299 from smashery - This fixes a bug in the
polkit_dbus_auth_bypassmodule that prevented it from working with certain session types.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a
git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).