Metasploit is the world’s most used penetration testing framework. It helps security teams verify vulnerabilities, manage security assessments, and improve security awareness. Metasploit 6.2.0 is now available. It includes 138 new modules, 148 enhancements and features, improvements, and 156 bug fixes.
“Our continued focus for Metasploit is on on adding support for modern attacks so the community can highlight risk and test security controls for paths that attackers use regularly. Metasploit 6.2.0 continued this theme with SMBv3 server support, a new global capture plugin, and a slew of modules that target vulnerabilities that are actively exploited in the wild today,” Raj Samani, Chief Scientist at Rapid7, told Help Net Security.
Each week, the Metasploit team publishes a wrap-up with granular release notes for new Metasploit modules. Below is a list of some recent modules that pen testers are actively using on engagements (with success).
VMware vCenter Server Unauthenticated JNDI Injection RCE (via Log4Shell) by RageLtMan, Spencer McIntyre, jbaines-r7, and w3bd3vil, which exploits CVE-2021-44228: A vCenter-specific exploit leveraging the Log4Shell vulnerability to achieve unauthenticated RCE as root / SYSTEM. This exploit has been tested on both Windows and Linux targets.
F5 BIG-IP iControl RCE via REST Authentication Bypass by Heyder Andrade, James Horseman, Ron Bowes, and alt3kx, which exploits CVE-2022-1388: This module targets CVE-2022-1388, a vulnerability impacting F5 BIG-IP versions prior to 184.108.40.206. By making a special request, an attacker can bypass iControl REST authentication and gain access to administrative functionality. This can be used by unauthenticated attackers to execute arbitrary commands as the root user on affected systems.
VMware Workspace ONE Access CVE-2022-22954 by wvu, Udhaya Prakash, and mr_me, which exploits CVE-2022-22954: This module exploits an unauthenticated remote code execution flaw in VMWare Workspace ONE Access installations; the vulnerability is being used broadly in the wild.
Zyxel Firewall ZTP Unauthenticated Command Injection by jbaines-r7, which exploits CVE-2022-30525: This module targets CVE-2022-30525, an unauthenticated remote command injection vulnerability affecting Zyxel firewalls with zero touch provisioning (ZTP) support. Successful exploitation results in remote code execution as the nobody user. The vulnerability was discovered by Rapid7 researcher Jake Baines.
Local privilege escalation
CVE-2022-21999 SpoolFool Privesc by Oliver Lyak and Shelby Pace, which exploits CVE-2022-21999: A local privilege escalation targeting the spool service on Windows 10 or Server builds 18362 or earlier.
Dirty Pipe Local Privilege Escalation via CVE-2022-0847 by Max Kellermann and timwr, which exploits CVE-2022-0847: A module targeting a privilege escalation vulnerability in the Linux kernel starting with version 5.8. The module leverages the vulnerability to overwrite a SUID binary in order to gain privileges as the root user.
- Metasploit has facilitated capturing credentials for years with protocol-specific modules all under the auxiliary/server/capture namespace. Users can start and configure each of these modules individually, but as of MSF 6.2.0, a new capture plugin can also streamline this process for users. The capture plugin currently starts 13 different services (17 including SSL-enabled versions) on the same listening IP address including remote interfaces via Meterpreter.
- Metasploit 6.2.0 contains a new standalone tool for spawning an SMB server that allows read-only access to the current working directory. This new SMB server functionality supports SMB v1/2/3, as well as encryption support for SMB v3.
- The windows/smb/smb_relay has been updated so users can now relay over SMB versions 2 and 3. In addition, the module can now select multiple targets that Metasploit will intelligently cycle through to ensure that it is not wasting incoming connections.
- Metasploit has added features to libraries that provide listening services (like HTTP, FTP, LDAP, etc) to allow them to be bound to an explicit IP address and port combination that is independent of what is typically the SRVHOST option.