rapid7blog | Dean Welch | RAPID7BLOG:5BB5A527EBC10639A3F1F7010D15B8F1
History: Sep 30, 2022 - 6:47 p.m.

Metasploit Weekly Wrap-Up

2022-09-30 18:47:25
Dean Welch
blog.rapid7.com

CVSS3: 10 High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

CVSS2: 9 High
AV:N/AC:L/Au:S/C:C/I:C/A:C

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: SINGLE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: COMPLETE
  • Availability Impact: COMPLETE

Veritas Backup Exec Agent RCE

This module, kindly provided by c0rs, targets the Veritas Backup Exec Agent to gain RCE as the system/root user.
The exploit is actually a chain of 3 separate CVEs (CVE-2021-27876, CVE-2021-27877 and CVE-2021-27878), which only makes it more impressive.
While you’re patching, why not take the time to test your backups too?

Hikvision IP Camera user impersonation

This vulnerability has been present in Hikvision products since 2014, and the module comes to us courtesy of h00die-gr3y.
The main culprit is Hikvision's authentication mechanism, which allows you to log in as any valid user using only their username. From that point, this module lets you set a new password for your chosen username, so you can then log in "legitimately".

New module content (6)

  • Hikvision IP Camera Unauthenticated Password Change Via Improper Authentication Logic by Monte Crypto and h00die-gr3y, which exploits CVE-2017-7921 - A new module has been added for CVE-2017-7921, an improper authentication logic bug in Hikvision cameras. Successfully exploiting this vulnerability allows unauthenticated attackers to impersonate any valid user on the affected camera, which can be used to gain full control over the camera.
  • Netfilter nft_set_elem_init Heap Overflow Privilege Escalation by Arthur Mongodin and Redouane NIBOUCHA, which exploits CVE-2022-34918 - This is a local-privilege escalation exploit targeting CVE-2022-34918, a vulnerability in the Netfilter component of the Linux kernel.
  • qdPM 9.1 Authenticated Arbitrary PHP File Upload (RCE) by Giacomo Casoni, Leon Trappett (thepcn3rd), and Rishal Dwivedi (Loginsoft), which exploits CVE-2020-7246 - Adds an exploit that targets an authenticated arbitrary file upload vulnerability to gain code execution on qdPM 9.1 and lower.
  • Veritas Backup Exec Agent Remote Code Execution by Alexander Korotin, which exploits CVE-2021-27878 - This module exploits a chain of the vulnerabilities CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878 in Veritas Backup Exec Agent which leads to remote code execution with privileges of system or root user.
  • Mobile Mouse RCE by CHOKRI HAMMEDI and h00die - This PR includes a module that uses default configuration in Unified Remote to spawn a run prompt and return a shell.
  • Wifi Mouse RCE by H4RK3NZ0, REDHATAUGUST, and h00die, which exploits CVE-2022-3218 - A new module has been added for CVE-2022-3218, an unpatched (at the time of publication) authentication bypass in WiFi Mouse (Mouse Server) from Necta LLC which can be used to gain RCE as the user running Wifi Mouse (Mouse Server).

Enhancements and features (2)

  • #16981 from bcoles - This PR fixes several bugs and style and documentation inconsistencies, and implements new library methods.
  • #17048 from bcoles - This PR updates the enum_token module by adding documentation, clarifying the description, improving efficiency, and leveraging library code.

Bugs fixed (3)

  • #16994 from zeroSteiner - Fixes multiple issues with registry manipulation on opened sessions.
  • #17054 from zeroSteiner - Fixes a crash when using the info and generate commands for adapted single (unstaged) payloads - such as cmd/windows/powershell/meterpreter/reverse_tcp.
  • #17073 from cgranleese-r7 - Fixes a bug where sessions opened by running one of the rexec_login / rlogin_login / rsh_login modules would die after module completion.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).
