Community contributor Erik Wynter added a local exploit module for a DLL hijacking vulnerability he discovered in Windows Server 2012. The TiWorker.exe process, which runs as NT AUTHORITY\SYSTEM, attempts to load SrClient.dll, a DLL that does not exist on the system. This makes privilege escalation possible, but the success of the exploit depends on two conditions: the user the current session is running as must be able to write the payload to the file system as SrClient.dll, and the directory the payload is placed in must be on the system path. Assuming those requirements are met, the exploit module writes the payload to the target and uses the wuauclt utility to spawn TiWorker.exe, which then loads the malicious DLL, resulting in a Meterpreter session running as NT AUTHORITY\SYSTEM.
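The two preconditions above are also what an administrator should audit for on a host: a directory on PATH that a low-privilege user can write to, and a stray SrClient.dll that has already been planted on PATH. The following script is an added example and is not the module's code or anything from the original post; the function and parameter names are this example's own, and the `exists`/`writable` predicates are injected so the logic can be exercised on constructed data as well as on the live PATH.

```ruby
# Added example (not part of the original post or the Metasploit module):
# a defender-side audit of the two preconditions the TiWorker.exe DLL
# hijack depends on. For each directory on PATH it reports whether
# SrClient.dll already exists there and whether the directory is writable
# by the current user. Function and parameter names are this example's own.

DLL_NAME = 'SrClient.dll'.freeze

# Join a directory and file name using the separator the directory itself
# uses, so constructed Windows-style paths stay consistent on any host.
def join_path(dir, name)
  sep = dir.include?('\\') ? '\\' : '/'
  "#{dir.chomp(sep)}#{sep}#{name}"
end

# Pure evaluation of the preconditions. `dirs` is an ordered list of PATH
# entries; `exists` and `writable` are predicates (lambdas) so a test can
# supply constructed answers instead of touching the file system.
def audit_path_dirs(dirs, dll: DLL_NAME, exists:, writable:)
  dirs.reject(&:empty?).map do |dir|
    candidate = join_path(dir, dll)
    {
      dir: dir,
      path: candidate,
      dll_present: exists.call(candidate),
      writable: writable.call(dir)
    }
  end
end

# Collapse the findings into the two answers an administrator wants:
# which PATH directories are writable (the hijack opportunity), and which
# already carry an SrClient.dll (a planted DLL that deserves a closer look).
def summarize(findings)
  {
    writable_dirs: findings.select { |f| f[:writable] }.map { |f| f[:dir] },
    planted_dlls: findings.select { |f| f[:dll_present] }.map { |f| f[:path] }
  }
end

if $PROGRAM_NAME == __FILE__
  live = audit_path_dirs(
    ENV.fetch('PATH', '').split(File::PATH_SEPARATOR),
    exists: ->(p) { File.exist?(p) },
    writable: ->(d) { File.directory?(d) && File.writable?(d) }
  )
  puts summarize(live)
end
```

Note that Ruby's File.writable? is only a coarse approximation on Windows: it does not evaluate the directory's ACL for the current token, so a directory reported as writable (or not) should be confirmed with icacls or Get-Acl before acting on the result.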
First-time Metasploit contributor thesunRider made an addition to the Msf::Exploit::Remote::HTTP::Wordpress::Users mixin, specifically the wordpress_user_exists?() method. This change extends the regex used to determine valid accounts on WordPress installations and, most importantly, adds support for WordPress 5.x versions to the auxiliary/scanner/http/wordpress_login_enum module.
Community contributor geyslan modified the linux/x86/exec payload module so that it is generated with metasm and introduced a new option for the payload, NullFreeVersion, which lets users choose between generating the standard version of the payload and a null-byte-free version. Both versions of the payload are fairly small; however, the new null-byte-free variant is especially useful for exploits with payload size constraints, since opting for an encoder could expand the payload's size beyond the limit for successful exploitation.
bcoles made a number of substantial improvements to the exploit/linux/http/nagios_xi_magpie_debug module, including bug fixes and coverage for older versions of Nagios. Additionally, the changes improve the stealth and reliability of the module by ensuring that uploaded artifacts are properly deleted and by falling back to a low-privilege session if the exploit's privilege escalation attempt fails.
- linux/x86/exec payload: now uses metasm, making the source code more readable, and adds a new, larger NULL-byte-free variant.
- exploits/linux/http/nagios_xi_magpie_debug module: now automatically checks whether the target is vulnerable, with improved error handling and documentation. Additionally, the module now supports older versions of Nagios by adding additional writable paths that the exploit can use, and a fallback mechanism has been implemented to gain a shell as apache if the privilege elevation attempt fails.
- exploits/windows/http/dup_scout_enterprise_login_bof module: adds support for v9.9.14 of Dup Scout Enterprise; additional Notes which may help pentesters determine the potential side effects of the exploit; support for the AutoCheck mixin, so users can automatically check whether a target is vulnerable before exploiting it; automatic targeting, whereby the exploit determines the version of the target and adjusts the exploit accordingly if it is vulnerable; and compliance with new RuboCop standards.
- post/multi/gather/firefox_creds module: now supports gathering profiles from newer versions of Firefox, which use the default profile name .default-release instead of the old name .default.
- lib/msf/core/exploit/remote/http/wordpress/users.rb: now supports valid username identification and login identification for newer versions of WordPress, up to and including 5.7.
- auxiliary/scanner/http/http_traversal scanner: fixed to avoid a NULL pointer crash when a server's response body is empty. Also fixed another bug whereby empty files would be created if the server responded with a 404 response code but the body of the response was empty.
- Interrupt could skip proper clean-up.
- impersonate_ssl.rb module: updated to add a new SNI option for retrieving the SSL certificate, so that it retrieves certificates correctly in cases where SNI must be specified. In addition, RuboCop changes have been applied to tidy up the code and replace some dangerous code with safer solutions.

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).
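The two http_traversal bugs listed above (a crash on a nil response body and an empty file written for a 404 with an empty body) are a common failure mode in any scanner that saves response bodies to disk. The snippet below is an added example, not the module's actual code, showing the guard a module author would want: a response is only treated as a hit, and only written out, when it is non-nil, has a successful status code and carries a non-empty body. The Response struct, the sample responses and all function names are constructed for this example.

```ruby
# Added example (not the http_traversal module's code): guarding a scanner's
# save path against nil responses, nil/empty bodies and 404s with empty bodies.
require 'tmpdir'

# Minimal stand-in for an HTTP response object (constructed for this example).
Response = Struct.new(:code, :body)

# A response is a traversal hit only if it exists, returned 200, and has a
# non-empty body. Checking body for nil before calling .empty? is what
# prevents the NoMethodError the original bug report describes as a NULL
# pointer crash.
def traversal_hit?(res)
  return false if res.nil?
  return false unless res.code == 200

  body = res.body
  !(body.nil? || body.empty?)
end

# Writes the body to disk only for real hits; returns the saved path or nil.
# Because the status and body checks happen before File.binwrite, a 404 with
# an empty body never produces an empty file.
def save_hit(res, outdir, name)
  return nil unless traversal_hit?(res)

  path = File.join(outdir, name)
  File.binwrite(path, res.body)
  path
end

# Runs a batch of [name, response] pairs and returns the names that were saved.
def process_responses(pairs, outdir)
  pairs.map { |name, res| name if save_hit(res, outdir, name) }.compact
end

# Constructed sample responses covering each of the fixed cases.
SAMPLE = [
  ['passwd',  Response.new(200, "root:x:0:0:root:/root:/bin/bash\n")],
  ['hosts',   Response.new(200, '')],  # 200 with an empty body
  ['shadow',  Response.new(200, nil)], # nil body: crashed the old code
  ['missing', Response.new(404, '')],  # 404 with empty body: used to create an empty file
  ['timeout', nil]                     # no response object at all
].freeze

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir { |dir| p process_responses(SAMPLE, dir) }
end
```

Running the block prints ["passwd"], the only entry that is written out; the other four are rejected without raising and without leaving files behind.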