Last updated at Fri, 24 Feb 2023 20:08:11 GMT
Basic discovery script improvements
This week two improvements were made to the script/resource/basic_discovery.rc resource script. The first update, from community member samsepi0x0, allowed commas in the RHOSTS value, making it easier to target multiple hosts. Additionally, adfoster-r7 improved the script by adding better handling for error output. This continues our trend of trying to provide more useful diagnostic information to our end users.
Google Summer of Code
The Metasploit Framework has been accepted to participate in Google’s Summer of Code program again for 2023. This event pairs new contributors with an experienced mentor as they work on an open source project (Metasploit in our case). We will soon be soliciting project proposals from the community for anyone interested in getting involved. Some project ideas are on the docs site, but folks are welcome to submit entirely new ideas for something they think would benefit the Metasploit community.
Web Based Module Counts
This week, adfoster-r7 improved our docs site with a running count of all the published modules. This information is kept up to date automatically and is a great resource for anyone who wants to know how many modules Metasploit includes without needing to install and start the framework. The page even allows users to dive deeper into types of modules and platforms in the same way as msfconsole.
New module content (2)
Froxlor Log Path RCE
Authors: Askar and jheysel-r7
Pull request: #17640 contributed by jheysel-r7
AttackerKB reference: CVE-2023-0315
Description: This module exploits a vulnerability in versions of Froxlor prior to 2.0.8 that allows an authenticated user to change the default log file to an arbitrary path on the system. Using this, an authenticated user can write a Twig template that, when rendered, will execute arbitrary code and grant a shell or Meterpreter session as the
pyLoad js2py Python Execution
Authors: Spencer McIntyre and bAu
Pull request: #17652 contributed by zeroSteiner
AttackerKB reference: CVE-2023-0297
Enhancements and features (1)
- #17674 from adfoster-r7 - Updates the script/resource/basic_discovery.rc script to better detect when the Metasploit database is not connected, as well as improving error output.
Bugs fixed (2)
- #17650 from samsepi0x0 - Updates the script/resource/basic_discovery.rc script to support commas in RHOSTS values.
- #17660 from bugch3ck - This updates the location of where registry hives are temporarily stored by the
- #17663 from manishkumarr1017 - This fixes an issue where action names were being treated as case sensitive.
Documentation added (2)
- #17637 from adfoster-r7 - This PR adds the latest module information to docs.metasploit.com as a quick way to explore Metasploit's available modules.
- #17685 from samsepi0x0 - Fixes a broken link within Metasploit's Google Summer of Code 2023 Project Ideas.
You can always find more documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).