In a year already full of hot vulnerabilities, CVE-2021-21972 in VMwareโs vCenter Server may already seem like old news. Itโs not, though! Thanks to wvu-r7 for grabbing this unauthenticated file upload combined with archive directory traversal to upload some sweet web shells. Also, thanks to smcintyre-r7 for reviewing and testing.
If Metasploitโs more than 3,500 modules ever feel like too much to track, kalba-security has added the favorites
command to msfconsole
. This new command allows users to save their favorite modules in a list viewable with show favorites
. Thanks to space-r7 for helping get this over the line!
We are happy to announce that Metasploit Framework has been accepted for the 2021 iteration of Google Summer of Code! This year we are primarily looking for projects that increase visibility into the data that Metasploit collects or that make using exploitation APIs smoother. For more details on project ideas and how to apply, check out our GSoC wiki page.
7.6.x
versions of HPE Systems Insight Manager software. Unauthenticated code execution as the user running the HPE SIM software (typically local administrator) can be obtained by sending a serialized AMF request to the /simsearch/messagebroker/amfsecure
page.msfconsole
command, favorite
, which allows users to save favorite / commonly-used modules to a list for easy retrieval later.ysoserial
payloads and the payloads themselves with improvements to the generation script, find_ysoserial_offsets.rb
and pinning the ysoserial
version thatโs used in the generation process.Msf::RPC::Client
in external tooling.As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:
If you are a git
user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).