Rapid 7 - Metasploit Wrap-Up
Login brute-force utility
Jan Rude added a new module that lets users brute-force logins to Syncovery for Linux. This extends the Framework's login-scanning coverage to Syncovery, a popular web GUI for backups.
WordPress extension SQL injection module
Cydave, destr4ct, and jheysel-r7 contributed a new module that exploits a vulnerable WordPress extension. This allows Framework users to take advantage of CVE-2022-0739, leveraging a UNION-based SQL injection to gather hashed passwords of WordPress users. For vulnerable versions, anyone who can access the BookingPress plugin page also has access to all the credentials in the database, yikes! There are currently 3,000 active installs of the plugin, which isn't a huge number by WordPress standards—but the ease of remote exploitation makes it a fun addition to the framework.
New module content (3)
- Wordpress BookingPress bookingpress_front_get_category_services SQLi by cydave, destr4ct, and jheysel-r7, which exploits CVE-2022-0739 - A new module has been added for CVE-2022-0739, an unauthenticated SQL injection in WP BookingPress prior to 1.0.11 in the `bookingpress_front_get_category_services` AJAX action.
- Syncovery For Linux Web-GUI Login Utility by Jan Rude - This adds a login scanner module for Syncovery for Linux.
- VMware vCenter vScalation Priv Esc by Yuval Lazar and h00die, which exploits CVE-2021-22015 - This PR adds a privilege escalation for users in the `cis` group to escalate to root on certain versions of vCenter. A service file `/usr/lib/vmware-vmon/java-wrapper-vmon` has improper permissions allowing `cis` group members to write to it. Upon host reboot or `vmware-vmon` service restart, a root shell is obtained.
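As a defender-side companion to the BookingPress entry above, here is an added detection example (not code from the wrap-up or from the Metasploit module) that scans web-server access logs for requests to the `bookingpress_front_get_category_services` AJAX action that carry a `UNION ... SELECT` in any parameter. The log lines, client IPs and the `category_id` parameter name are constructed assumptions; only the action name comes from the advisory.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote_plus

# Constructed sample access-log lines (Apache combined format), not captured
# traffic. The parameter name "category_id" is an assumption.
SAMPLE_LOG = """\
198.51.100.7 - - [09/Dec/2022:10:01:12 +0000] "GET /wp-admin/admin-ajax.php?action=bookingpress_front_get_category_services&category_id=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [09/Dec/2022:10:01:13 +0000] "GET /wp-admin/admin-ajax.php?action=bookingpress_front_get_category_services&category_id=1%20UNION%20SELECT%201%2C2%2C3--%20- HTTP/1.1" 200 2048 "-" "curl/7.85.0"
203.0.113.4 - - [09/Dec/2022:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_ACTION = "bookingpress_front_get_category_services"
# UNION [ALL] SELECT with whitespace, comment characters or '+' between keywords.
UNION_RE = re.compile(r"\bunion\b[\s/*+]+(?:all[\s/*+]+)?select\b", re.IGNORECASE)


def find_union_sqli(log_text):
    """Return one hit per request to the vulnerable action whose parameters
    contain a UNION SELECT. Parameters are decoded twice to catch double
    URL-encoding. Caveat: POST bodies do not appear in access logs, so this is
    a triage aid for GET traffic, not a complete detection."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if not url.path.endswith("/admin-ajax.php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        if VULN_ACTION not in params.get("action", []):
            continue
        for name, values in params.items():
            for value in values:
                decoded = unquote_plus(unquote_plus(value))
                if UNION_RE.search(decoded):
                    hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "param": name, "value": decoded})
    return hits


if __name__ == "__main__":
    for hit in find_union_sqli(SAMPLE_LOG):
        print(hit)
```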
Enhancements and features (2)
- #17214 from h00die - This PR improves upon the data gathered on a vCenter server originally implemented in #16871, including library integration, optimization, and de-duplication.
- #17332 from bcoles - Updates `windows/gather/enum_proxy` to support non-Meterpreter sessions (shell, PowerShell).
Bugs fixed (5)
- #17183 from rbowes-r7 - This adds some small changes, cleanups, and fixes to the `linux/http/zimbra_unrar_cve_2022_30333` and `linux/http/zimbra_cpio_cve_2022_41352` Zimbra exploit modules, along with `linux/local/zimbra_slapper_priv_esc` documentation. In particular, this fixes an issue that prevented the exploit modules from working properly when the handler was prematurely shut down.
- #17305 from cgranleese-r7 - Updates Metasploit's RPC to automatically choose an appropriate payload if `module.execute` is invoked without a payload set. This mimics the functionality of `msfconsole`.
- #17323 from h00die - Fixes a bug when attempting to detect `enlightenment_sys` in `exploits/linux/local/ubuntu_enlightenment_mount_priv_esc`.
- #17330 from zeroSteiner - This fixes an issue in the ProxyShell module, which limited the email enumeration to 100 entries. Now, it correctly enumerates all the emails before finding one that is suitable for exploitation.
- #17342 from gwillcox-r7 - This adds the necessary control to the search queries used to find vulnerable certificate templates in an AD CS environment. Prior to this, non-privileged users would not be able to read the security descriptor field.
Get it
As always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:
If you are a `git` user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).
from Rapid7 Blog https://blog.rapid7.com/2022/12/09/metasploit-wrap-up-156/