Metasploit Weekly Wrap-Up

New module content (4)

Roundcube TimeZone Authenticated File Disclosure

Authors: joel, stonepresto, and thomascube
Type: Auxiliary
Pull request: #18286 contributed by cudalac
Path: auxiliary/gather/roundcube_auth_file_read
AttackerKB reference: CVE-2017-16651

Description: This PR adds a module to retrieve an arbitrary file on hosts running Roundcube versions from 1.1.0 through version 1.3.2.

Elasticsearch Memory Disclosure

Authors: Eric Howard, R0NY, and h00die
Type: Auxiliary
Pull request: #18322 contributed by h00die
Path: auxiliary/scanner/http/elasticsearch_memory_disclosure
AttackerKB reference: CVE-2021-22145

Description: Adds an aux scanner module which exploits a memory disclosure vulnerability within Elasticsearch 7.10.0 to 7.13.3 (inclusive) by submitting a malformed query that generates an error message containing previously used portions of a data buffer. The disclosed memory could contain sensitive information such as Elasticsearch documents or authentication details.

QueueJumper - MSMQ RCE Check

Authors: Bastian Kanbach, Haifei Li, and Wayne Low
Type: Auxiliary
Pull request: #18281 contributed by bka-dev
Path: auxiliary/scanner/msmq/cve_2023_21554_queuejumper
AttackerKB reference: CVE-2023-21554

Description: This PR adds a module that detects Windows hosts that are vulnerable to Microsoft Message Queuing Remote Code Execution aka QueueJumper.

SolarView Compact unauthenticated remote command execution vulnerability.

Author: h00die-gr3y
Type: Exploit
Pull request: #18313 contributed by h00die-gr3y
Path: exploits/linux/http/solarview_unauth_rce_cve_2023_23333
AttackerKB reference: CVE-2023-23333

Description: This PR adds a module which exploits a vulnerability that allows remote code execution on a vulnerable SolarView Compact device by bypassing internal restrictions through the vulnerable endpoint downloader.php using the file parameter. Firmware versions up to v6.33 are vulnerable.

Enhancements and features (2)

• #18179 from jvoisin - This improves the windows checkvm post module by adding new techniques to identify the hypervisor in which the session is running.
• #18190 from jvoisin - This improves the linux checkvm post module by adding new techniques to identify the hypervisor in which the session is running.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.32…6.3.33
• Full diff 6.3.32…6.3.33

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Download Rapid7’s 2023 Mid-Year Threat Report ▶︎