Our own jheysel-r7 added an exploit leveraging the fascinating tool of PHP filter chaining to prepend a payload using encoding conversion characters, and h00die et al. have come through and added 3 new Ansible post modules to gather configuration information, read files, and deploy payloads. While none offer instantaneous answers across the universe, they will certainly help in red team exercises.
Authors: h00die and n0tty
Type: Exploit
Pull request: #18627 contributed by h00die
Path: linux/local/ansible_node_deployer
Author: h00die
Type: Post
Pull request: #18627 contributed by h00die
Path: linux/gather/ansible
Authors: h00die and rioasmara
Type: Post
Pull request: #18627 contributed by h00die
Path: linux/gather/ansible_playbook_error_message_file_reader
Description: This adds 3 post-exploitation modules for Ansible. The first one gathers information and configuration. The second exploits an arbitrary file read that enables an attacker to read the first line of a file (typically /etc/shadow), when the compromised account is configured with password-less sudo permissions. The last one is an exploit that can deploy a payload to all the nodes in the network.
Authors: Nex Team, Valentin Lobstein, and jheysel-r7
Type: Exploit
Pull request: #18633 contributed by jheysel-r7
Path: multi/http/wp_backup_migration_php_filter
Description: This adds an exploit module that leverages an unauthenticated RCE in the WordPress plugin Backup Migration versions prior to 1.3.7. This vulnerability is identified as CVE-2023-6553. This also adds a library that implements a technique called PHP Filter Chaining, which allows an attacker to prepend bytes to a string by continuously chaining character encoding conversion.
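As an added example from the defender's side (not code from Metasploit, the plugin, or the post), the scanner below walks access-log request lines and flags PHP filter wrappers, separating a run of chained `convert.iconv` conversions (the byte-prepending pattern described above) from an ordinary single base64 read. The log format, the sample lines and the two-conversion threshold are assumptions made for the demo.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access log lines for the demo (not taken from the post).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Dec/2023:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.7 - - [12/Dec/2023:10:01:09 +0000] "GET /index.php?page=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16/resource=php://temp HTTP/1.1" 200 88
203.0.113.9 - - [12/Dec/2023:10:02:20 +0000] "GET /index.php?page=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dconfig.php HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
FILTER_RE = re.compile(r'php://filter/(?P<chain>.*?)/resource=(?P<resource>\S*)', re.IGNORECASE)

def classify_target(target):
    """Return a finding dict for a request target that uses php://filter, else None."""
    # Decode twice: double-encoded requests are common, and a second pass is a no-op on plain text.
    decoded = unquote(unquote(target))
    m = FILTER_RE.search(decoded)
    if not m:
        return None
    steps = [s for s in re.split(r'[|/]', m.group('chain')) if s]
    iconv_steps = sum(1 for s in steps if s.lower().startswith('convert.iconv.'))
    if iconv_steps >= 2:
        verdict = 'filter-chain'   # chained charset conversions: the prepending technique
    elif any(s.lower().startswith('convert.base64') for s in steps):
        verdict = 'filter-read'    # single base64 wrapper: plain source disclosure attempt
    else:
        verdict = 'filter-wrapper'
    return {'verdict': verdict, 'steps': len(steps), 'iconv': iconv_steps, 'resource': m.group('resource')}

def scan_log(text):
    """Parse each log line and collect findings with line number, client IP and status."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify_target(m.group('target'))
        if hit:
            hit.update(line=lineno, ip=m.group('ip'), status=m.group('status'))
            findings.append(hit)
    return findings

if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 200 status on a flagged line is worth a closer look, since a successful chain typically returns normally rather than erroring.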
features set smb_session_type true
Msf::Exploit::Local module types to ensure that sysinfo will not break again in the future.
uninitialized constant Msf::Simple::Exploit::ExploitDriver exception that could sometimes occur when running Metasploit framework's payload modules.
lib/metasploit/framework/credential.rb to be correct.
You can always find more documentation on our docsite at docs.metasploit.com.
exploit modules with a database connected.
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.