## Fetch Based Payloads: Making the Path from Command Injection to Metasploit Session Shorter ![Metasploit Weekly Wrap-Up](https://blog.rapid7.com/content/images/2023/05/metasploit-fence.png) This week we’re releasing Metasploit fetch payloads. Fetch payloads are command-based payloads that leverage network-enabled applications on remote hosts and different protocol servers to serve, download, and execute binary payloads. Over the last year, two thirds of the exploit modules landed to Metasploit Framework were command injection exploits. These exploits will be much easier to write with our new payloads.You can check out the documentation [here](), and we’ll have a longer blog post on the feature out soon. ## New Exploit: Privilege Escalation for `invscout` RPM AIX systems up to and including 7.2 were vulnerable to a command injection in the `invscout` utility. Tim Brown and bcoles created a new module to take advantage of this, giving privilege escalation to root in these systems. This addresses [CVE-2023-28528](). It’s available for Framework users now at `use exploit/aix/local/invscout_rpm_priv_esc`. ## New module content (3) ### `invscout` RPM Privilege Escalation Authors: Tim Brown and bcoles Type: Exploit Pull request: [#17993]() contributed by [bcoles]() AttackerKB reference: [CVE-2023-28528]() Description: This module leverages a command injection vulnerability in the setuid `invscout` utility on AIX systems 7.2 and prior to achieve effective-uid root privileges. ### Ivanti Avalanche FileStoreConfig File Upload Authors: Piotr Bazydlo and Shelby Pace Type: Exploit Pull request: [#17979]() contributed by [space-r7]() CVE reference: ZDI-23-456 Description: An exploit has been added for CVE-2023-28128, an authenticated file upload vulnerability in versions below v6.4.0.186 of Ivanti Avalanche that allows authenticated administrators to change the default path to the web root of the applications, upload a JSP file, and achieve RCE as `NT AUTHORITY\SYSTEM`. This occurs due to Ivanti Avalanche not properly validating MS-DOS style short names in the configuration path.This occurs due to Ivanti Avalanche not properly validating MS-DOS style short names in the configuration path. ### Fetch Based Payloads Author: Brendan Watters Type: Payload Pull request: [#17782]() contributed by [bwatters-r7]() Description: This adds a set of command payloads that facilitate fetching and executing a payload file from Metasploit. ## Enhancements and features (3) * [#17985]() from [spmedia]() \- Fixes a typo in the `post/windows/manage/sticky_keys` module. * [#17990]() from [bcoles]() \- Adds AutoCheck functionality and notes metadata to `exploits/aix/local/ibstat_path`. * [#17991]() from [rad10]() \- A default configuration file has been added for [Solargraph](), a language server that can help VS Code users (and users of other code editors that might not have a language server built in) obtain IntelliSense, in-line documentation, and code completion functionality for Metasploit's code. For VS Code users, it is recommended to install the Solargraph plugin [here]() to take advantage of this change. ## Bugs fixed (3) * [#17967]() from [adfoster-r7]() \- Fixes Ruby 3.1 crashes and resource leaks when garbage collecting Meterpreter resources. * [#18005]() from [adfoster-r7]() \- This fixes a crash when running a module through Socks4a proxy. * [#18006]() from [adfoster-r7]() \- This fixes an error when msfconsole opens browser links without a display present. ## Documentation You can find the latest Metasploit documentation on our docsite at [docs.metasploit.com](). ## Get it As always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub: * [Pull Requests 6.3.16...6.3.17]() * [Full diff 6.3.16...6.3.17]() If you are a `git` user, you can clone the [Metasploit Framework repo]() (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers]() or the [binary installers]() (which also include the commercial edition).

Query Builder