Metasploit Weekly Wrap-Up

Power[shell]Point

This week’s new features and improvements start with two new exploit modules leveraging CVE-2023-34960 Chamilo versions 1.11.18 and below and CVE-2023-26469 in Jorani 1.0.0. Like CVE-2023-34960, I too, feel attacked by PowerPoint sometimes.
We also have several improvements, including additions to fetch payloads, PostgreSQL authentication, and documentation.

New module content (2)

Chamilo unauthenticated command injection in PowerPoint upload

Authors: Randorisec and h00die-gr3y
Type: Exploit
Pull request: #18233 contributed by h00die-gr3y
Path: exploits/linux/http/chamilo_unauth_rce_cve_2023_34960
AttackerKB reference: CVE-2023-34960

Description: This adds an exploit module that leverages an unauthenticated remote command execution vulnerability Chamilo versions 1.11.18 and below. This vulnerability is identified as CVE-2023-34960. Due to a functionality called Chamilo Rapid to easily convert PowerPoint slides to courses on Chamilo, it is possible for an unauthenticated remote attacker to execute arbitrary commands at OS level using a malicious SOAP request at the vulnerable endpoint /main/webservices/additional_webservices.php.

Jorani unauthenticated Remote Code Execution

Author: RIOUX Guilhem (jrjgjk)
Type: Exploit
Pull request: #18123 contributed by Guilhem7
Path: exploits/multi/php/jorani_path_trav
AttackerKB reference: CVE-2023-26469

Description: This PR adds a module that chains together a log poisoning LFI redirection bypass and a path traversal vulnerability to obtain unauthenticated RCE.

Enhancements and features (4)

• #18214 from bwatters-r7 - This makes two improvements to the fetch payloads. The first improvement is that the FETCH_SRVHOST option will be set to LHOST when LHOST is set and FETCH_SRVHOST is not, meaning there is now one less option users need to set when using a payload with a reverse stager. The second improvement is that the default command for the Windows HTTP payload has been changed to CERTUTIL which will offer better compatibility with older versions of Windows than the previous CURL command. The HTTPS and TFTP payloads will still default to CURL.
• #18276 from adfoster-r7 - Updates all PostgreSQL modules to now support a newer form of authentication (SASL-SCRAM-256) that pen testers are seeing in the wildnow more frequently seeing in the wild. This includes the modules for PostgreSQL authentication brute force, version fingerprinting, running queries, etc.
• #18307 from ismaildawoodjee - This fixes documentation typos with the exploit/multi/http/subrion_cms_file_upload_rce module.
• #18308 from ismaildawoodjee - Improves the readability of documentation/modules/exploit/windows/http/smartermail_rce.

Bugs fixed (5)

• #18272 from sfewer-r7 - This fixes an issue in the exploit module multi/http/adobe_coldfusion_rce_cve_2023_26360 when the target ColdFusion server is deployed with a Development profile.
• #18287 from zeroSteiner - This fixes a stack trace thrown by the forge_ticket module when the SPN datastore option was left blank. The module now fails due to bad-config and gives a detailed error message.
• #18297 from adfoster-r7 - This fixes the broken scanner/mysql/mysql_authbypass_hashdump module and adds documentation for the module.
• #18298 from adfoster-r7 - Changes the behavior of setting LHOST as an interface name, for example with set LHOST eth0. Previously, a non-deterministic IP would be resolved from the adapter name if the adapter had multiple IPv4/IPv6 addresses registered. Now the lowest ordinal IPv4 addresses is preferenced first, followed by any IPv6 addresses.
• #18306 from zeroSteiner - Fixes a crash when parsing ThriftHeader binary data.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.30…6.3.31
• Full diff 6.3.30…6.3.31

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Download Rapid7’s 2023 Mid-Year Threat Report ▶︎