Returning community contributor mekhalleh submitted a module targeting a path traversal vulnerability within the SSL VPN web portal in multiple versions of FortiOS. The flaw is leveraged to read the usernames and passwords of currently logged-in users, which are stored in plaintext on the file system. This vulnerability is identified as CVE-2018-13379 and can be reliably exploited remotely, without any authentication. Despite the fact that the vulnerability is several years old, CVE-2018-13379 is still known to be exploited in the wild, including in state-sponsored attacks targeting U.S. government agencies and infrastructure.
Two modules received improvements to their targeting capabilities. The ever-popular exploit for MS17-010 was updated by zerosum0x0 (one of the original authors) with a new fingerprint for properly targeting Windows Storage Server 2008. This allows the exploit module to be used against affected versions of that Server 2008 variant. Additionally, a KarjaSoft Sami FTP exploit was updated by long-time community contributor bcoles, who made a number of improvements to it, most notably changing the exploit to rely only on an offset within a DLL that is distributed with the vulnerable software. When memory corruption exploits need the address of a POP, POP, RET instruction sequence (as this one does for the SEH overwrite), they are more reliable when referencing one in a library that is distributed with the software and won’t change, unlike libraries that come with the host operating system and are regularly updated.
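The detection side of this bug, as an added example that is not code from the post or from the Metasploit module: a small Ruby scanner over constructed SSL VPN portal access-log lines that percent-decodes each request target (including double encoding) and flags requests that traverse to the sslvpn_websession session file the module reads. The log format, the client addresses and the /portal/file endpoint are constructed for the example and are not the real portal's paths.

```ruby
# Constructed sample access-log lines (not real traffic): "ip method target status".
SAMPLE_LOG = <<~LOG
  203.0.113.5 GET /remote/login?lang=en 200
  203.0.113.9 GET /portal/file?name=/../../../../dev/cmdb/sslvpn_websession 200
  203.0.113.9 GET /portal/file?name=%2F..%2F..%2F..%2Fdev%2Fcmdb%2Fsslvpn_websession 200
  198.51.100.7 GET /portal/file?name=%252e%252e%252f%252e%252e%252fdev%252fcmdb%252fsslvpn_websession 404
  203.0.113.5 GET /portal/file?name=help/faq.html 200
LOG

# Session file read by the FortiOS module; leaking it exposes plaintext VPN credentials.
SENSITIVE_FILE = 'sslvpn_websession'

# Percent-decode repeatedly (bounded) so double-encoded traversal such as
# %252e%252e%252f ends up as ../ before the segment check below.
def fully_decode(str, max_rounds = 3)
  max_rounds.times do
    decoded = str.gsub(/%([0-9a-fA-F]{2})/) { Regexp.last_match(1).hex.chr }
    break if decoded == str
    str = decoded
  end
  str
end

# True when the decoded target contains a ".." segment (forward or back slash)
# and its final segment names the sensitive file.
def traversal_to_sensitive_file?(target)
  segments = fully_decode(target).split(%r{[/\\]})
  segments.include?('..') && segments.last.to_s.include?(SENSITIVE_FILE)
end

# Scan log text and return one hash per suspicious request. A 200 status on a
# flagged line suggests the file was actually served, i.e. credentials were exposed.
def scan_log(text)
  text.each_line.filter_map do |line|
    ip, method, target, status = line.split
    next unless target && traversal_to_sensitive_file?(target)
    { ip: ip, method: method, target: target, decoded: fully_decode(target), status: status.to_i }
  end
end

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each { |h| puts "#{h[:ip]} #{h[:status]} #{h[:decoded]}" }
end
```

Flagged lines with a 404 still indicate probing and are worth correlating with the same client's later requests.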
The FortiOS SSL VPN module reads the /dev/cmdb/sslvpn_websession file, which contains the plaintext list of currently connected usernames and their associated passwords. These credentials can then be saved to the creds database for use in future attacks.

The psexec_ms17_010.rb
library has been updated to additionally fingerprint Windows Storage Server 2008 R2 targets as potentially exploitable, thereby allowing users to exploit Windows Storage Server 2008 R2 targets vulnerable to MS17-010.

The Faker library is always available for use within modules when generating fake data, for example for bypassing WAFs.

The search
command within Meterpreter has had its logic updated to support searches that start at the root directory (/). These searches previously returned no results due to a logic bug within the code, which has now been fixed.

Fixed an issue with a require rex/ui statement that prevented execution of msfrpc.

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).