Last updated at Fri, 20 Jan 2023 19:46:50 GMT

See something say something

Have an idea on how to expand on Metasploit Documentation on https://docs.metasploit.com/? Did you see a typo or some other error on the docs site? Thanks to adfoster-r7, submitting an update to the documentation is as easy as clicking the 'Edit this page on GitHub' link on the page you want to change. The new link will take you directly to the source in Metasploit's GitHub so you can quickly locate the Markdown and submit a PR.

New module content (3)

Mirage firewall for QubesOS 0.8.0-0.8.3 Denial of Service (DoS) Exploit

Author: Krzysztof Burghardt
Type: Auxiliary
Pull request: #17348 contributed by burghardt
AttackerKB reference: CVE-2022-46770

Description: This PR adds a module that performs a DoS attack on Mirage Firewall versions 0.8.0-0.8.3.

Wordpress Paid Membership Pro code Unauthenticated SQLi

Authors: Joshua Martinelle and h00die
Type: Auxiliary
Pull request: #17479 contributed by h00die
AttackerKB reference: CVE-2023-23488

Description: This adds an exploit module that leverages an unauthenticated SQLi against Wordpress plugin Paid Membership Pro. This vulnerability is identified as CVE-2023-23488 and affects versions prior to 2.9.8. This module retrieves Wordpress usernames and password hashes using Time-Based Blind SQL Injection technique.

Ivanti Cloud Services Appliance (CSA) Command Injection

Authors: Jakub Kramarz and h00die-gr3y
Type: Exploit
Pull request: #17449 contributed by h00die-gr3y
AttackerKB reference: CVE-2021-44529

Description: A new module has been added for CVE-2021-44529, an unauthenticated code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) before version 4.6.0-512. Successful exploitation requires sending a crafted cookie to the client endpoint at /client/index.php to get command execution as the nobody user.

Enhancements and features (5)

  • #17343 from h00die - This makes performance improvements to the windows/local/unquoted_service_path module.
  • #17451 from h00die - This adds netntlm and netntlmv2 hashes support to auxiliary/analyze/crack_windows module.
  • #17466 from prabhatjoshi321 - This updates the auxiliary/scanner/smb/smb_version module to store additional service information in the database so it can be viewed later.
  • #17473 from adfoster-r7 - Updates the docs site to have an edit link at the bottom of each page which will take you to the corresponding markdown file on Github for editing.
  • #17480 from h00die - A new alias has been added for payloads called exploit which will perform the same action as to_handler, to help users familiar with exploit modules to use the same familiar exploit method to open handlers when using payloads.

Bugs fixed (3)

  • #17385 from smashery - This fixes the file write and file append methods to return the expected Boolean values rather than nil.
  • #17482 from adfoster-r7 - Fixes a connection issue with reverse_https stagers that are executed on Windows servers attempting to negotiate TLS1 when Metasploit was using OpenSSL3.
  • #17491 from zeroSteiner - A bug has been fixed in the lib/msf/core/exploit/remote/ldap.rb library that handles LDAP communications for several modules to ensure that failures use the right namespace when throwing errors to prevent crashes.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).