It has been a busy few weeks in the security space; the MOVEit vulnerability filling our news feeds with dancing lemurs and a Barracuda vulnerability that has us all wondering how many shredders out there can handle a 1U appliance. Despite those very worthwhile distractions, Metasploit has made another strong release, with 3 new exploits, 1 new auxiliary module, and 2 new payloads!
Authors: Vitellozzo, h00die, and pwnie
Type: Auxiliary
Pull request: #18039 contributed by h00die
AttackerKB reference: CVE-2023-2825
Description: This adds an exploit that leverages an authenticated arbitrary file read on Github 16.0.0. This vulnerability is identified as CVE-2023-2825.

Author: catatonicprime
Type: Exploit
Pull request: #17936 contributed by catatonicprime
AttackerKB reference: CVE-2023-27350
Description: This adds an exploit module that leverages an authentication bypass to get remote code execution on PaperCut NG version 8.0.0 to 19.2.7 (inclusive), version 20.0.0 to 20.1.6 (inclusive), version 21.0.0 to 21.2.10 (inclusive) and version 22.0.0 to 22.0.8 (inclusive). This vulnerability is identified as CVE-2023-27350. Due to an improper access control in the SetupCompleted class, it is possible to bypass authentication and abuse the built-in scripting functionality for printers to obtain code execution as the SYSTEM user on Windows and the less privileged papercut user on Linux.
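As an added defensive example (not code from the Metasploit post, the module author, or PaperCut), the affected-version ranges stated in the description above can be turned into a fleet inventory check: parse each reported PaperCut NG version, compare it as a numeric tuple rather than as a string (string comparison would rank "9.0.0" above "19.2.7"), and flag hosts that fall inside any of the four inclusive ranges. The host names and version strings in SAMPLE_INVENTORY are constructed, and the range table is transcribed from the module description rather than from a vendor advisory.

```python
# Added example: flag PaperCut NG installs whose version falls inside the
# CVE-2023-27350 ranges quoted in the module description. Not Metasploit code.
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive (low, high) ranges exactly as listed in the release notes.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((8, 0, 0), (19, 2, 7)),
    ((20, 0, 0), (20, 1, 6)),
    ((21, 0, 0), (21, 2, 10)),
    ((22, 0, 0), (22, 0, 8)),
]

_VERSION_RE = re.compile(r"^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Version]:
    """Turn '21.2.10', 'v22.0.9' or '20.1' into a comparable 3-tuple.

    Missing minor/patch components are treated as 0. Returns None for
    strings that do not start with a dotted number (e.g. 'unknown'), so the
    caller can decide how to treat hosts with no usable version string.
    """
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch = (int(p) if p is not None else 0 for p in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version lies inside any affected range (bounds inclusive).

    Tuple comparison is numeric per component, which avoids the classic
    mistake of comparing version strings lexically.
    """
    v = parse_version(version)
    if v is None:
        return False
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory) -> List[str]:
    """inventory: iterable of (host, version string) pairs.
    Returns the sorted list of hosts that need patching."""
    return sorted(host for host, ver in inventory if is_affected(ver))


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    ("print-01.example.test", "19.2.7"),   # upper bound of first range: affected
    ("print-02.example.test", "19.2.8"),   # outside the stated ranges
    ("print-03.example.test", "22.0.8"),   # upper bound of last range: affected
    ("print-04.example.test", "22.0.9"),   # just above the last range
    ("print-05.example.test", "21.2.10"),  # affected
    ("print-06.example.test", "7.9.1"),    # below the first range
    ("print-07.example.test", "unknown"),  # unparseable, reported separately
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: version inside a CVE-2023-27350 affected range")
    for host, ver in SAMPLE_INVENTORY:
        if parse_version(ver) is None:
            print(f"{host}: version string {ver!r} could not be parsed, verify manually")
```

Hosts with an unparseable version are deliberately not reported as affected; they are listed separately so that an inventory gap is visible rather than silently counted as safe.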
Authors: Dinh Hoang, Grant Willcox, and Simon Humbert
Type: Exploit
Pull request: #18018 contributed by gwillcox-r7
AttackerKB reference: CVE-2023-29084
Description: This adds an exploit module for CVE-2023-29084, which is an authenticated RCE in Zoho ManageEngine ADManager Plus. A remote attacker can leverage this vulnerability to execute OS commands by crafting a request to update the server's configuration. The modified configuration value is restored by the exploit once it is completed. This exploit is incompatible with HTTP payloads because the exploit modifies the HTTP proxy configuration of the server during exploitation.

Authors: Anonymous and Shelby Pace
Type: Exploit
Pull request: #18072 contributed by space-r7
AttackerKB reference: CVE-2023-1133
Description: A module has been added for CVE-2023-1133, an unauthenticated .NET deserialization vulnerability in Delta Electronics InfraSuite Device Master versions below v1.0.5 in the ParseUDPPacket() method of the 'Device-Gateway-Status' process. Successful exploitation leads to unauthenticated code execution as the user running the 'Device-Gateway-Status' process.

Author: zeroSteiner
Type: Payload
Pull request: #18044 contributed by zeroSteiner
Description: Add MIPS64 Linux Fetch Payloads

Author: rad10
Type: Payload
Pull request: #18002 contributed by rad10
Description: This adds a command payload module that creates a new privileged user on a *nix target system.
The ms15_034_http_sys_memory_dump.rb module has been updated to improve its handling of the check_host function so that the information about target exploitability is more accurate.
The grafana_plugin_traversal module has been updated to support beta and pre-release versions of Grafana.
A check method has been added so that users can appropriately check whether a target is an Archer router or not.
Two bugs in the post/multi/manage/shell_to_meterpreter module have been fixed: one was caused by a lack of validation that the payload supplied via the PAYLOAD_OVERRIDE option was valid, and one was caused by the module creating a handler but failing to pass the RHOST information along, causing the handler to run with an invalid configuration.
A fix for the "bytes args is not allowed on Windows" error.
The post/multi/gather/aws_keys module has been updated to mark the platforms it is compatible with.
Bugs in the exploits/multi/http/gitlab_github_import_rce_cve_2022_2992 module that prevented proper exception handling from occurring have been fixed, and additional YARD documentation has been added for some related functions that were missing appropriate documentation on the exceptions they might throw.

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub.
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).