Metasploit Weekly Wrap-Up

## Have you built out that awesome media room?

![Metasploit Weekly Wrap-Up](https://blog.rapid7.com/content/images/2022/09/metasploit-fence-1.png)

If your guilty pleasures include using a mobile device to make your home entertainment system wow your guests, you might be using [Unified Remote](). I hope you are extra cautious about which devices you let onto that WiFi network. Prolific community member [h00die]() added a module this week that uses a recently published vulnerability from [H4RK3NZ0]() to leverage an unprotected configuration page exposed by the media service; combined with just a little protocol knowledge, the module makes that media server a prime target for pranks and other less friendly activities by guests on the network.

## Finding the needles in that Linux memory stack

Brought to you by the combined efforts of many members of the Metasploit community, Linux Meterpreter payloads now offer a new way to hunt down passwords in memory on all those delicious Linux sessions you gather with Metasploit. The new `post/linux/gather/mimipenguin` module hunts down cleartext passwords in Linux memory, based on [MimiPenguin]().

## We all love to share code with the public

A new [module]() this week makes sharing public code risky business if you are using a Bitbucket Server to host that repository. Check out the nitty-gritty in our [blog post]() from earlier this week.

## Metasploit plays well with others

[Last week’s update]() brought with it an awesome way to use Metasploit with payloads generated by [Sliver](), which even earned a call-out in their [latest release notes](). It is great to see the community promoting these updates so more people can learn about and use them.

## New module content (4)

* [VICIdial Multiple Authenticated SQLi]() by [h00die](), which exploits [CVE-2022-34878]() – This PR adds a module which exploits several authenticated SQLi vulnerabilities in VICIdial (CVE-2022-34876, CVE-2022-34877, CVE-2022-34878).
* [Bitbucket Git Command Injection]() by Jang, [Ron Bowes](), [Shelby Pace](), and TheGrandPew, which exploits [CVE-2022-36804]() – Adds an exploit for CVE-2022-36804 which is an unauthenticated RCE in Bitbucket.
* [Unified Remote Auth Bypass to RCE]() by [H4RK3NZ0]() and [h00die](), which exploits [CVE-2022-3229]() – This adds an exploit module for an authentication bypass that achieves remote code execution in Unified Remote on Windows. Note that the latest version (3.11.0.2483) is vulnerable, which makes it a 0-day.
* [MimiPenguin]() by [Shelby Pace](), [bcoles](), and [huntergregal](), which exploits [CVE-2018-20781]() – This adds a port of MimiPenguin to Metasploit. Relying on [mem_search() and mem_read()](), it searches the memory regions of various processes for needles that are found near cleartext passwords. Using the locations of all the needles found, it then searches the nearby regions for possible passwords.

## Enhancements and features (6)

* [#16940]() from [adfoster-r7]() – Rewrites Metasploit’s datastore to fix multiple bugs and edge cases. The `unset` command will now consistently unset previously set datastore values, so that default values are used once again. Explicitly clearing a datastore value can be done with the `set --clear OptionName` command. Modules that require protocol-specific option names such as SMBUser/FTPUser/BIND_DN/etc. can now be consistently set with just the generic username/password/domain options, i.e. `set username Administrator` instead of `set SMBUser Administrator`. This rewrite is currently behind a feature flag, which can be enabled with `features set datastore_fallbacks true`.
* [#17002]() from [bcoles]() – The `lib/msf/core/post/windows/accounts.rb`, `lib/msf/core/post/windows/ldap.rb`, and `lib/msf/core/post/windows/wmic.rb` libraries have been updated to replace calls to `load_extapi` with ExtAPI compatibility checks that verify whether the session supports ExtAPI, since if the session supports ExtAPI, it should already be loaded.
* [#17003]() from [bcoles]() – `enum_patches` has had its code updated to output the patches enumerated as a table and store the results long term in a CSV file. Additionally, a check has been added to see if the current session supports the required Meterpreter extension compatibility prior to trying to run the module. Finally, the code and documentation have been cleaned up and modernized.
* [#17015]() from [jmartin-r7]() – Updates `auxiliary/scanner/http/http_login` to report login success when the http status code is in the range `200,201,300-308`. This functionality is user-configurable with `set HttpSuccessCodes 200`.
* [#17049]() from [bcoles]() – Adds Notes module meta information and replaces custom `get_members` method with `get_members_from_group` from the Post API.
* [#17051]() from [bcoles]() – Adds module documentation, notes for module meta information, and improves module error handling.
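To make the `unset`, `set --clear` and protocol-option fallback semantics described for #16940 concrete, here is an added illustrative model written for this post; it is not Metasploit's own datastore code, and the class name, method names and the fallback mapping are assumptions.

```ruby
# Illustrative model of datastore semantics (assumed names; not Metasploit code).
class FallbackDatastore
  # Protocol-specific option -> generic option it may fall back to (assumed mapping).
  FALLBACKS = {
    'smbuser' => 'username', 'ftpuser' => 'username', 'bind_dn' => 'username',
    'smbpass' => 'password', 'ftppass' => 'password', 'smbdomain' => 'domain'
  }.freeze

  def initialize(defaults = {})
    @defaults = defaults.transform_keys(&:downcase) # option names are case-insensitive
    @values   = {} # values the user explicitly `set`
    @cleared  = {} # options explicitly cleared with `set --clear`
  end

  def set(name, value)
    key = name.downcase
    @cleared.delete(key)
    @values[key] = value
  end

  # `unset`: forget the user-supplied value so the default applies once again.
  def unset(name)
    key = name.downcase
    @values.delete(key)
    @cleared.delete(key)
  end

  # `set --clear`: the option resolves to nil even though a default exists.
  def clear(name)
    key = name.downcase
    @values.delete(key)
    @cleared[key] = true
  end

  # Resolution order: cleared -> explicit value -> explicit generic value -> defaults.
  def [](name)
    key = name.downcase
    return nil if @cleared[key]
    return @values[key] if @values.key?(key)
    generic = FALLBACKS[key]
    return @values[generic] if generic && @values.key?(generic)
    @defaults.fetch(key) { generic ? @defaults[generic] : nil }
  end
end

# Walks through the scenarios from the release note and returns what SMBUser resolves to.
def demo
  ds = FallbackDatastore.new('SMBUser' => 'guest', 'RPORT' => 445) # constructed defaults
  r = { default: ds['SMBUser'] }                                    # "guest"
  ds.set('username', 'Administrator'); r[:fallback] = ds['SMBUser'] # "Administrator"
  ds.set('SMBUser', 'svc_backup');     r[:explicit] = ds['SMBUser'] # "svc_backup"
  ds.unset('SMBUser');                 r[:after_unset] = ds['SMBUser']  # "Administrator"
  ds.unset('username');                r[:after_unset_both] = ds['SMBUser'] # "guest"
  ds.clear('SMBUser');                 r[:after_clear] = ds['SMBUser'] # nil
  r[:rport] = ds['rport']                                           # 445
  r
end
```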

## Bugs fixed (3)

* [#17023]() from [zeroSteiner]() – The `post/windows/manage/rollback_defender_signatures` module has been updated to work on WoW64 sessions, and has had its code updated so that the default action is now a valid option.
* [#17036]() from [zeroSteiner]() – Fixes a bug where the `sessions` command would show the connection as coming from localhost 127.0.0.1, instead of the correct peer host address, for reverse_http Meterpreter sessions.
* [#17052]() from [adfoster-r7]() – Fixes an error in Metasploit Framework when the host machine has OpenSSL 3.

## Get it

As always, you can update to the latest Metasploit Framework with `msfupdate`
and you can get more details on the changes since the last blog post from
GitHub:

* [Pull Requests 6.2.18…6.2.19]()
* [Full diff 6.2.18…6.2.19]()

If you are a `git` user, you can clone the [Metasploit Framework repo]() (master branch) for the latest.
To install fresh without using git, you can use the open-source-only [Nightly Installers]() or the
[binary installers]() (which also include the commercial edition).
