Last updated at Fri, 09 Jun 2023 22:02:27 GMT
It has been a busy few weeks in the security space; the MOVEit vulnerability filling our news feeds with dancing lemurs and a Barracuda vulnerability that has us all wondering how many shredders out there can handle a 1U appliance. Despite those very worthwhile distractions, Metasploit has made another strong release, with 3 new exploits, 1 new auxiliary module, and 2 new payloads!
New module content (6)
GitLab Authenticated File Read
Description: This adds an exploit that leverages an authenticated arbitrary file read on GitLab 16.0.0. This vulnerability is identified as CVE-2023-2825.
PaperCut PaperCutNG Authentication Bypass
Description: This adds an exploit module that leverages an authentication bypass to get remote code execution on PaperCut NG version 8.0.0 to 19.2.7 (inclusive), version 20.0.0 to 20.1.6 (inclusive), version 21.0.0 to 21.2.10 (inclusive) and version 22.0.0 to 22.0.8 (inclusive). This vulnerability is identified as CVE-2023-27350. Due to improper access control in the SetupCompleted class, it is possible to bypass authentication and abuse the built-in scripting functionality for printers to obtain code execution as the SYSTEM user on Windows and as the less privileged papercut user on Linux.
ManageEngine ADManager Plus ChangePasswordAction Authenticated Command Injection
Description: This adds an exploit module for CVE-2023-29084 which is an authenticated RCE in Zoho ManageEngine ADManager Plus. A remote attacker can leverage this vulnerability to execute OS commands by crafting a request to update the server's configuration. The modified configuration's value is restored by the exploit once it is completed. This exploit is incompatible with HTTP payloads due to the exploit modifying the HTTP proxy configuration of the server during exploitation.
Delta Electronics InfraSuite Device Master Deserialization
Description: A module has been added for CVE-2023-1133, an unauthenticated .NET deserialization vulnerability in Delta Electronics InfraSuite Device Master versions below v1.0.5 in the ParseUDPPacket() method of the 'Device-Gateway-Status' process. Successful exploitation leads to unauthenticated code execution as the user running the 'Device-Gateway-Status' process.
New MIPS64 Fetch Payload
Description: Add MIPS64 Linux Fetch Payloads
New *nix Adduser Payload
Description: This adds a command payload module that creates a new privileged user on a *nix target system.
Enhancements and features (4)
- #17868 from Ryuuuuu - The ms15_034_http_sys_memory_dump.rb module has been updated to improve its handling of the check_host function so that the information about target exploitability is more accurate.
- #18062 from smashery - A new mixin has been added to support detecting the architecture of the host OS on Windows systems. Support for other OSes will be added at a later date.
- #18064 from ErikWynter - The grafana_plugin_traversal module has been updated to support beta and pre-release versions of Grafana.
- #18066 from jmartin-r7 - The archer_c7_traversal module has been converted to a gather module and updated to include a check method so that users can appropriately check whether a target is an Archer router or not.
Bugs fixed (5)
- #17917 from bcoles - Two bugs have been fixed in post/multi/manage/shell_to_meterpreter: one was caused by a lack of validation of the payload specified via the PAYLOAD_OVERRIDE option, and one was caused by the module creating a handler but failing to pass the RHOST information along, so the handler ran with an invalid configuration.
- #18040 from manishkumarr1017 - This fixes an issue with the Python payload on Windows, where it was failing because bytes arguments are not allowed on Windows.
- #18055 from adfoster-r7 - This updates the post/multi/gather/aws_keys module to mark the platforms it is compatible with.
- #18056 from zgoldman-r7 - A bug has been fixed whereby command stager progress could be reported as going over 100%; the reported progress now never exceeds 100%.
- #18074 from cdelafuente-r7 - A typo has been fixed in the exploits/multi/http/gitlab_github_import_rce_cve_2022_2992 module that prevented proper exception handling from occurring, and additional YARD documentation has been added for some related functions that were missing appropriate documentation on the exceptions they might throw.
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).