Last updated at Fri, 03 Feb 2023 19:21:26 GMT
Metasploit 6.3 is out!
Earlier this week we announced the release of Metasploit 6.3 which came with a tonne of new modules and improvements.
The whole team worked super hard on this and we're very excited that everyone can now get their hands on it and all of the new features it has to offer!
I won't go over everything we did here because we have a whole separate blog post dedicated to the 6.3 release that you should check out if you missed it.
Dirty Cow available on macOS
We have a new module provided by timwr to exploit Dirty Cow on macOS. This module exploits a race condition in the kernel that gives the opportunity for a user to get code execution as root.
New module content (5)
CWP login.php Unauthenticated RCE
Description: Adds an exploit for CVE-2022-44877 which is an unauthenticated command injection in CentOS Control Web Panel <0.9.8.1147. Successful exploitation results in code execution as the root user.
io_uring Same Type Object Reuse Priv Esc
Description: This module exploits Linux LPE CVE-2022-1043, a bug in io_uring leading to an additional put_cred() that can be exploited to hijack credentials of other processes.
vmwgfx Driver File Descriptor Handling Priv Esc
Description: This PR adds a linux privilege escalation against VMWare virtual machines with kernel 4.14-rc1 - 5.17-rc1 due to a VMWare driver bug.
macOS Dirty Cow Arbitrary File Write Local Privilege Escalation
Description: This module is the macOS equivalent of the Dirty Cow vulnerability and allows for an unprivileged user to execute code as root.
Veeam Backup and Replication Credentials Dump
Description: Post credential capture module Veeam Backup & Recovery and Veeam ONE Monitor versions 9.x - 11.x.
Enhancements and features (11)
- #16946 from cgranleese-r7 - Updates the
show actionscommand to display a visual indicator beside the currently selected value.
- #17481 from h00die - An update has been made to the
modules/auxiliary/scanner/http/options.rbmodule to modernize a few of its options, tidy up the code, and to handle an edge case when a target server might respond with a Tomcat error page.
- #17504 from ErikWynter - Two aliases for
show favoriteshave been added, namely
favorites, to allow for easier listing of modules that users have marked as their favorites.
- #17559 from cgranleese-r7 - Adds support for Ruby 3.2
- #17560 from adfoster-r7 - Updates the Kerberos inspect_ticket module to show unsupported pac buffer ul_types in a clearer way to the user.
- #17563 from bcoles - Improves documentation and code quality for
- #17564 from serializingme - Improves the
CIPCTlvdefinition for the
- #17570 from zeroSteiner - The list of default queries used by the ldap_query module has been updated to add in the
ENUM_MACHINE_ACCOUNT_QUOTAqueries and to make some small updates to existing queries.
- #17575 from zeroSteiner - Updates the Kerberos ccache functionality to automatically perform sname switching on Service Tickets when the ticket sname does not match the Metasploit module's required sname. This allows for a service ticket associated with the SPN
service_a/host.domain.localto be used and updated to
service_b/host.domain.localdynamically as part of service authentication.
- #17577 from bcoles - Updates
modules/exploits/qnxto run the
checkcommand before attempting to exploit the target.
- #17581 from bcoles - This PR modifies the conditions in 45 local privilege escalation modules to check whether the operator set
ForceExploitto true before checking the permissions required for exploitation on the remote target, which is more efficient and quieter over the network.
Bugs fixed (4)
- #17444 from hamax97 - A bug has been fixed whereby issuing a command line argument that contained nested equals signs would not be parsed correctly, and would instead be treated as two separate command line statements.
- #17557 from zeroSteiner - This fixes the logon timestamp in the MS14-068 exploit so the generated ticket works.
- #17558 from cgranleese-r7 - Fixes running msfconsole's
analyzecommand crashing when a WinRM session was opened.
- #17561 from gwillcox-r7 - This fixes the direction for some Railgun function definitions in iphlpapi.
Documentation added (1)
You can always find more documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a
git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).