Metasploit Weekly Wrap-Up


## Nagios XI web shell upload module ![Metasploit Weekly Wrap-Up](https://blog.rapid7.com/content/images/2022/02/metasploit-sky.png) New this week is a [Nagios Web Shell Upload module](<https://github.com/rapid7/metasploit-framework/pull/16150>) from Rapid7' own [Jake Baines](<https://github.com/jbaines-r7>), which exploits [CVE-2021-37343](<https://attackerkb.com/topics/zxpvqMqOHQ/cve-2021-37343?referrer=blog>). This module builds upon the existing [Nagios XI scanner](<https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/scanner/http/nagios_xi_scanner.md>) written by [Erik Wynter](<https://github.com/ErikWynter>). Versions of Nagios XI prior to 5.8.5 are vulnerable to a path traversal exploit through an admin-authenticated PHP web shell that results in code execution as the `www-data` user. ## Ignition for Laravel RCE module Community contributor [heyder](<http://https://github.com/heyder>) [added a module](<https://github.com/rapid7/metasploit-framework/pull/16159>) which exploits [CVE-2021-3129](<https://attackerkb.com/topics/KP6wETuZyw/cve-2021-3129?referrer=blog>) in Ignition for Laravel, versions prior to 2.5.2. This module allows for unauthenticated remote code execution due to insecure usage of the PHP functions `file_get_contents()` and `file_put_contents()`. ## New module content (3) * [Grandstream UCM62xx IP PBX WebSocket Blind SQL Injection Credential Dump](<https://github.com/rapid7/metasploit-framework/pull/16087>) by jbaines-r7, which exploits [CVE-2020-5723](<https://attackerkb.com/topics/RB012Xn6ww/cve-2020-5723?referrer=blog>) \- A new module has been added which exploits [CVE-2020-5724](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-5724>), a blind SQL injection in GrandStream UCM62xx IP PBX devices prior to firmware version 1.20.22 to dump usernames and passwords from the `users` table as an unauthenticated attacker. Successfully gathered credentials will be stored in Metasploit's credential database for use in further attacks. * [Nagios XI Autodiscovery Webshell Upload](<https://github.com/rapid7/metasploit-framework/pull/16150>) by Claroty Team82 and jbaines-r7, which exploits [CVE-2021-37343](<https://attackerkb.com/topics/zxpvqMqOHQ/cve-2021-37343?referrer=blog>) \- This exploits a path traversal vulnerability in Nagios XI versions below `5.8.5` to achieve authenticated code execution as the `www-data` user. * [Unauthenticated remote code execution in Ignition](<https://github.com/rapid7/metasploit-framework/pull/16159>) by Heyder Andrade and ambionics, which exploits [CVE-2021-3129](<https://attackerkb.com/topics/KP6wETuZyw/cve-2021-3129?referrer=blog>) \- This module exploits a vulnerability in Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). ## Enhancements and features * [#16076](<https://github.com/rapid7/metasploit-framework/pull/16076>) from [bcoles](<https://github.com/bcoles>) \- This change adds the Meterpreter session type to the post/osx/gather/hashdump, hiding a warning when the module is run with a Meterpreter session. * [#16117](<https://github.com/rapid7/metasploit-framework/pull/16117>) from [zeroSteiner](<https://github.com/zeroSteiner>) \- This makes some Log4Shell updates. It refactors the scanner to reduce duplicate code, and fix a couple of minor bugs. * [#16161](<https://github.com/rapid7/metasploit-framework/pull/16161>) from [smashery](<https://github.com/smashery>) \- This PR updates the user agent strings for HTTP payloads to use the latest user agent strings for Chrome, Edge and Firefox on Windows and MacOS, as well as IPad. * [#16170](<https://github.com/rapid7/metasploit-framework/pull/16170>) from [sjanusz-r7](<https://github.com/sjanusz-r7>) \- This change fixes the native_arch functionality on Java and ensures the native architecture is displayed when running `meterpreter > sysinfo` on Java. * [#16173](<https://github.com/rapid7/metasploit-framework/pull/16173>) from [AlanFoster](<https://github.com/AlanFoster>) \- Adds additional `--no-readline` and `--readline` options to msfconsole for configuring the use of Readline suppor.t * [#16181](<https://github.com/rapid7/metasploit-framework/pull/16181>) from [AlanFoster](<https://github.com/AlanFoster>) \- This adds a resource script for extracting the Meterpreter commands from currently open sessions. * [#16192](<https://github.com/rapid7/metasploit-framework/pull/16192>) from [zha0gongz1](<https://github.com/zha0gongz1>) \- The session notifier has been updated to support notifying about new sessions via WeChat using the ServerJang API and servers. * [#16195](<https://github.com/rapid7/metasploit-framework/pull/16195>) from [darrenmartyn](<https://github.com/darrenmartyn>) \- The `hp_dataprotector_cmd_exec.rb` module has been updated to support x64 payloads. This fixes a bug whereby x64 payloads were not supported as the `Arch` value was not set, leading it to default to x86 payloads only. ## Bugs fixed * [#16174](<https://github.com/rapid7/metasploit-framework/pull/16174>) from [AlanFoster](<https://github.com/AlanFoster>) \- This change fixes the mode specification on File.read required for ruby 3 on multiple modules. * [#16175](<https://github.com/rapid7/metasploit-framework/pull/16175>) from [AlanFoster](<https://github.com/AlanFoster>) \- This change fixes the loadpath command summary to display the module types in alphabetical order. * [#16177](<https://github.com/rapid7/metasploit-framework/pull/16177>) from [AlanFoster](<https://github.com/AlanFoster>) \- This change fixes the post(test/search) Meterpreter tests on OSX. * [#16184](<https://github.com/rapid7/metasploit-framework/pull/16184>) from [adfoster-r7](<https://github.com/adfoster-r7>) \- This fixes a crash when running msfconsole on a Windows host in conjunction with the `sessions -u` command. * [#16194](<https://github.com/rapid7/metasploit-framework/pull/16194>) from [zeroSteiner](<https://github.com/zeroSteiner>) \- This fixes a crash when using Metasploit's psexec module with the Command target. ## Get it As always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub: * [Pull Requests 6.1.29...6.1.30](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-02-09T14%3A46%3A38-06%3A00..2022-02-16T23%3A31%3A40-06%3A00%22>) * [Full diff 6.1.29...6.1.30](<https://github.com/rapid7/metasploit-framework/compare/6.1.29...6.1.30>) If you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).