Last updated at Fri, 27 Sep 2024 19:21:52 GMT

Epic Release!

This week's release includes 5 new modules, 6 enhancements, 4 fixes and 1 documentation update. Among the new additions, we have an account takeover, SQL injection, RCE, and LPE! Thank you to all the contributors who made it possible!

New Module Content (5)

Cisco Smart Software Manager (SSM) On-Prem Account Takeover (CVE-2024-20419)

Authors: Michael Heinzl and Mohammed Adel
Type: Auxiliary
Pull request: #19375 contributed by h4x-x0r
Path: admin/http/cisco_ssm_onprem_account
AttackerKB reference: CVE-2024-20419

Description: This is a new module which exploits an account takeover vulnerability in Cisco Smart Software Manager (SSM) On-Prem <= 8-202206, by changing the password of the admin user to one that is attacker-controlled.

WhatsUp Gold SQL Injection (CVE-2024-6670)

Authors: Michael Heinzl and Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam)
Type: Auxiliary
Pull request: #19436 contributed by h4x-x0r
Path: admin/http/whatsup_gold_sqli
CVE reference: ZDI-24-1185

Description: This is a new module which exploits a SQL injection vulnerability in WhatsUp Gold versions before v24.0.0. Successful exploitation allows an unauthenticated remote attacker to change the password of the admin user.

Vicidial SQL Injection Time-based Admin Credentials Enumeration

Authors: Jaggar Henry of KoreLogic, Inc. and Valentin Lobstein
Type: Auxiliary
Pull request: #19453 contributed by Chocapikk
Path: scanner/http/vicidial_sql_enum_users_pass
AttackerKB reference: CVE-2024-8503

Description: This adds a new auxiliary module that exploits a time-based blind SQL injection vulnerability in VICIdial to enumerate admin credentials. The module is designed for MySQL databases and retrieves admin usernames and passwords through the blind injection.

Traccar v5 Remote Code Execution (CVE-2024-31214 and CVE-2024-24809)

Authors: Michael Heinzl, Naveen Sunkavally, and yiliufeng168
Type: Exploit
Pull request: #19416 contributed by h4x-x0r
Path: linux/http/traccar_rce_upload
AttackerKB reference: CVE-2024-24809

Description: This module exploits two vulnerabilities in Traccar v5.1 - v5.12 to obtain remote code execution: a path traversal vulnerability (CVE-2024-24809) and an unrestricted file upload vulnerability (CVE-2024-31214).

Local Privilege Escalation via CVE-2023-0386

Authors: Takahiro Yokoyama, sxlmnwb, and xkaneiki
Type: Exploit
Pull request: #19441 contributed by Takahiro-Yoko
Path: linux/local/cve_2023_0386_overlayfs_priv_esc
AttackerKB reference: CVE-2023-0386

Description: This adds an exploit module that leverages a flaw in the Linux kernel's OverlayFS subsystem which allows unauthorized execution of a setuid file with capabilities (CVE-2023-0386). This enables a local user to escalate their privileges on the system.

Enhancements and Features (6)

  • #19397 from sjanusz-r7 - This replaces the Readline library with Reline.
  • #19448 from jvoisin - Adds a number of improvements to modules/post/multi/manage/screensaver.rb. A new UNLOCK action has been added. When the LOCK action is selected, instead of only checking whether xdg-screensaver lock exists on the target, the module now also checks for the presence of qdbus, dbus-send and loginctl. Improved error handling when running on Windows or Solaris has also been added.
  • #19451 from jvoisin - Before this change, PHP NOP sleds consisted only of spaces. Now the space, tab, semicolon, carriage return and line feed characters are all used in a random assortment to generate NOP sleds when needed.
  • #19462 from jvoisin - This adds an Auto option to the Msf::Post::Linux::Compile library. This enables automatic selection of the compiler according to what is available locally on the target system.
  • #19467 from jvoisin - This updates the lib/msf/core/exploit/remote/http/wordpress/admin.rb library so that when the generate_plugin method is called and the payload type is not ARCH_PHP, the library uses the php_preamble/php_system_block combination instead of hardcoding system/base64, since system might not be available on some WordPress deployments and the combination has some low-hanging evasions for this case. This change also randomizes the license header of the plugin.
  • #19478 from bcoles - Updates Metasploit to support new constants for RISCV32BE, RISCV32LE, RISCV64BE, RISCV64LE, LOONGARCH64.

Bugs Fixed (4)

  • #19184 from adfoster-r7 - This updates the bundler version and fixes multiple warnings when booting msfconsole.
  • #19474 from sfewer-r7 - This fixes a bug in the DNS resolver on Windows platforms that prevented it from initializing.
  • #19475 from NtAlexio2 - This refactors the pipe_auditor scanner module to allow an RPORT argument to be specified and to follow the more recent patterns used by SMB modules.
  • #19491 from jvoisin - Fixes a crash in lib/msf/core/payload/php.rb.

Documentation Added (1)

  • #19493 from adfoster-r7 - Improves the documentation for testing that the post exploitation API works against the currently opened sessions.

You can always find more documentation on our docsite at docs.metasploit.com.

Get It

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.