Metasploit Wrapup

Committing to some shells in GitList

Shelby has been killing it with new exploit and aux modules by the day. In this iteration, she's produced an exploit for GitList 0.6.0 and likely older versions. The software is built on PHP and allows users to view a Git repo on the web. Through an argument injection, a fake pager can be executed... that is really our shell. There's no reverting this one!

phpMyAdmin today, phpMyAdmin tomorrow

Our pentester-turned-dev and general bad*ss Jacob comes at us this week with a well-researched and implemented exploit module for phpMyAdmin 4.8.0 and 4.8.1. This vuln turns LFI (local file inclusion) into RCE (remote code execution, of course!). Jacob's exploit works on both Windows and Linux, including a MySQL table file on Windows and the PHP sessions file on Linux. Great job!

C randomization for your evasion totally legit needs

Longtime dev and researcher sinn3r aka "Wei Chen" took it upon himself to add C code randomization capabilities to Metasploit::Framework::Compiler. Now you can take raw C code, mutate it, and compile it on the fly with Metasploit. You can use the new feature independently or within a module. The possibilities are endless!

New Modules

Exploit modules (9 new)

• Apache CouchDB Arbitrary Command Execution by Green-m, Joan Touzet, and Max Justicz, which exploits CVE-2017-12635
• HP VAN SDN Controller Root Command Injection by wvu and Matt Bergin
• IBM QRadar SIEM Unauthenticated Remote Code Execution by Pedro Ribeiro, which exploits CVE-2018-1612
• HID discoveryd command_blink_on Unauthenticated RCE by Brendan Coles, Ricky "HeadlessZeke" Lawshae, and coldfusion39, which exploits ZDI-16-223
• GitList v0.6.0 Argument Injection Vulnerability by Kacper Szurek and Shelby Pace, which exploits CVE-2018-1000533
• Monstra CMS Authenticated Arbitrary File Upload by Ishaq Mohammed and Touhid M.Shaikh, which exploits CVE-2017-18048
• phpMyAdmin Authenticated Remote Code Execution by ChaMd5, Henry Huang, and Jacob Robles, which exploits CVE-2018-12613
• Manage Engine Exchange Reporter Plus Unauthenticated RCE by Kacper Szurek

Auxiliary and post modules (4 new)

• Docker Server Version Scanner by Agora-Security
• DCOM Exec by Alberto Solino and Spencer McIntyre
• Open a file or URL on the target computer by Eliott Teissonniere
• Multi Manage the screensaver of the target computer by Eliott Teissonniere

Improvements

• Added missing CVE references by sinn3r. Ongoing work by Aaron Soto, Jacob Robles, and sinn3r to add missing or document unavailable CVE references in modules.
• Added bind handler messages by wvu. Bind handlers now print connection errors if VERBOSE is enabled in the console. They would run silently before.
• Added WPCHECK option by bcoles. The WPCHECK advanced option has been added to enable or disable checking for WordPress before exploitation.
• Removed ring buffer by busterb. The ring buffer for sessions and channels has been replaced with streams. This shouldn't be noticeable to most users.
• Fixed module_reference tool by sinn3r. The module_reference tool would break on Python external modules. It has been fixed to continue running.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 4.17.0...4.17.1
• Full diff 4.17.0...4.17.1
• Development diff 745471ea...4114d5e8

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based off the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.