Rapid7 - Metasploit Weekly Wrap-Up 01/19/24
Unicode your way to a PHP payload, and three modules to add to your playbook for Ansible
Our own jheysel-r7 added an exploit that leverages the fascinating PHP filter chaining technique to prepend a payload one byte at a time through chained character-encoding conversions, and h00die et al. have come through with three new Ansible modules that gather configuration information, read files, and deploy payloads. While none of them offer instantaneous answers across the universe, they will certainly help in red team exercises.
New module content (4)
Ansible Agent Payload Deployer (1 of 3 Ansible post modules)
Authors: h00die and n0tty
Type: Exploit
Pull request: #18627 contributed by h00die
Path: linux/local/ansible_node_deployer
Ansible Config Gather (2 of 3 Ansible post modules)
Author: h00die
Type: Post
Pull request: #18627 contributed by h00die
Path: linux/gather/ansible
Ansible Playbook Error Message File Reader (3 of 3 Ansible post modules)
Authors: h00die and rioasmara
Type: Post
Pull request: #18627 contributed by h00die
Path: linux/gather/ansible_playbook_error_message_file_reader
Description: This adds three Ansible modules (two post modules and one local exploit). Ansible Config Gather collects information and configuration from a compromised Ansible controller. Ansible Playbook Error Message File Reader exploits an arbitrary file read that lets an attacker retrieve the first line of a file (typically /etc/shadow) when the compromised account is configured with password-less sudo permissions. Ansible Agent Payload Deployer is an exploit that can deploy a payload to all the nodes in the compromised controller's inventory.
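The config-gather and payload-deployer modules both depend on knowing which nodes a compromised controller can reach, and that comes from the inventory Ansible reads from /etc/ansible/hosts (or the path named by the inventory setting in ansible.cfg). The following Ruby is an added example written for this wrap-up, not code from the Metasploit modules or from the Ansible project: it parses an INI-style inventory, expands numeric host ranges, follows [group:children] recursively, and reports the host:port pairs the controller would actually connect to. The inventory text is constructed for the example, and only zero-padded numeric ranges are handled (alphabetic ranges and YAML inventories are left out).

```ruby
require 'set'

# Constructed sample inventory (not from any real host); mirrors the INI format
# Ansible reads from /etc/ansible/hosts or the `inventory` path in ansible.cfg.
SAMPLE_INVENTORY = <<~INI
  [webservers]
  web[01:03].example.internal ansible_user=deploy
  lb1 ansible_host=10.0.0.5

  [dbservers]
  db1.example.internal
  db2.example.internal ansible_port=2222

  [prod:children]
  webservers
  dbservers

  [prod:vars]
  ansible_become=true
INI

# Expand Ansible's numeric host range, e.g. "web[01:03].x" -> web01.x, web02.x, web03.x.
# Only zero-padded numeric ranges are handled here (alphabetic ranges are omitted).
def expand_range(pattern)
  m = pattern.match(/\A(.*)\[(\d+):(\d+)\](.*)\z/)
  return [pattern] unless m
  prefix, lo, hi, suffix = m.captures
  (lo.to_i..hi.to_i).map { |i| "#{prefix}#{i.to_s.rjust(lo.length, '0')}#{suffix}" }
end

# Parse an INI inventory into groups, group children, group vars and per-host vars.
def parse_inventory(text)
  inv = {
    groups:   Hash.new { |h, k| h[k] = [] },
    children: Hash.new { |h, k| h[k] = [] },
    vars:     Hash.new { |h, k| h[k] = {} },
    hostvars: Hash.new { |h, k| h[k] = {} }
  }
  section = 'ungrouped'
  kind = :hosts
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#', ';')
    header = line.match(/\A\[([^\]:]+)(?::(children|vars))?\]\z/)
    if header
      section = header[1]
      kind = header[2] ? header[2].to_sym : :hosts
      inv[:groups][section] # register the group even if it only has children/vars
      next
    end
    case kind
    when :children
      inv[:children][section] << line
    when :vars
      key, value = line.split('=', 2)
      inv[:vars][section][key.strip] = value.to_s.strip
    else
      tokens = line.split
      host_vars = tokens[1..].select { |t| t.include?('=') }.map { |t| t.split('=', 2) }.to_h
      expand_range(tokens[0]).each do |host|
        inv[:groups][section] << host
        inv[:hostvars][host].merge!(host_vars)
      end
    end
  end
  inv
end

# All hosts reachable through a group, following [group:children] recursively
# (the `seen` set guards against cyclic child definitions).
def resolve_hosts(inv, group, seen = Set.new)
  return [] unless seen.add?(group)
  hosts = inv[:groups].fetch(group, []).dup
  inv[:children].fetch(group, []).each { |child| hosts.concat(resolve_hosts(inv, child, seen)) }
  hosts.uniq
end

# Where the controller actually connects: ansible_host overrides the inventory name,
# ansible_port overrides SSH's default of 22.
def connection_targets(inv, group)
  resolve_hosts(inv, group).map do |host|
    hv = inv[:hostvars].fetch(host, {})
    "#{hv.fetch('ansible_host', host)}:#{hv.fetch('ansible_port', '22')}"
  end
end

if __FILE__ == $PROGRAM_NAME
  inv = parse_inventory(SAMPLE_INVENTORY)
  puts "Nodes reachable via 'prod':"
  connection_targets(inv, 'prod').each { |t| puts "  #{t}" }
end
```

The point of resolving ansible_host and ansible_port rather than trusting the inventory names is that a controller often reaches nodes by addresses that do not resolve from anywhere else, so the connection targets, not the display names, are what a deployer module would need.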
WordPress Backup Migration Plugin PHP Filter Chain RCE
Authors: Nex Team, Valentin Lobstein, and jheysel-r7
Type: Exploit
Pull request: #18633 contributed by jheysel-r7
Path: multi/http/wp_backup_migration_php_filter
Description: This adds an exploit module that leverages an unauthenticated RCE in the WordPress plugin Backup Migration, affecting versions up to and including 1.3.7 (fixed in 1.3.8). The vulnerability is tracked as CVE-2023-6553. The pull request also adds a library implementing a technique called PHP Filter Chaining, which lets an attacker prepend arbitrary bytes to a string by chaining php://filter character-encoding conversions, so a payload can be built up byte by byte without controlling the file's contents.
Enhancements and features (2)
- #18596 from dwelch-r7 - Updates multiple SMB modules to work with the new upcoming SMB session type support. This beta functionality is currently behind a feature flag, and can be enabled with features set smb_session_type true.
- #18682 from adfoster-r7 - Adds tests for Msf::Exploit::Local module types to ensure that sysinfo will not break again in the future.
Bugs fixed (2)
- #18655 from adfoster-r7 - Ensures the module will automatically be used when the hierarchical search functionality is enabled and only one module result is found.
- #18710 from adfoster-r7 - Fixes an uninitialized constant Msf::Simple::Exploit::ExploitDriver exception that could sometimes occur when running Metasploit Framework's payload modules.
Documentation added (1)
- #18702 from Sh3llSp4wn - Corrects the documentation for the private and public fields in lib/metasploit/framework/credential.rb.
You can always find more documentation on our docsite at docs.metasploit.com.
Missing rn-* label on Github (1)
- #18398 from errorxyz - Fixes deprecation warnings when running the auxiliary/admin/scada/modicon_password_recovery, auxiliary/scanner/lotus/lotus_domino_hashes, auxiliary/sniffer/psnuffle, and exploits/unix/webapp/vbulletin_vote_sqli_exec modules with a database connected.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.
from Rapid7 Cybersecurity Blog https://blog.rapid7.com/2024/01/19/metasploit-weekly-wrap-up-01-19-24/