Last updated at Tue, 16 Jan 2024 01:27:41 GMT
Backups that Cause Problems
hypn0s contributed a module that exploits Snap Creek's Duplicator plugin for WordPress. Duplicator is a plugin that eases the backup and migration of WordPress installations. For versions 1.2.40 and below, Duplicator leaves behind a number of sensitive files, including one that gives access to controlling the WordPress restoration process. Sending a POST request to the now accessible installer page leads to writing directly to the wp-config file, which, when requested, can lead to remote code execution.
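The defender-side checks a WordPress operator would want for the condition described above, as an added example that is not part of the original post or the Metasploit module: one function looks for an installer page left behind under the web root, the other scans access-log lines for POST requests to that page, since the post describes that POST as the step that writes wp-config. The post does not name the leftover file, so the file names in LEFTOVER_INSTALLER_NAMES are assumptions to adjust, and the log lines are constructed sample data.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Assumed names for the installer page the post says Duplicator leaves behind;
# the post does not name the file, so treat these as placeholders to adjust.
LEFTOVER_INSTALLER_NAMES = ("installer.php", "installer-backup.php")

# Apache/nginx combined-log style line; only method, path and status matter here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_leftover_installers(wp_root: Path,
                             names: Iterable[str] = LEFTOVER_INSTALLER_NAMES) -> List[str]:
    """Return the names of installer files still present under the WordPress root.

    Any hit means the restoration page is reachable to anyone who can request it.
    """
    return [n for n in names if (wp_root / n).is_file()]


def suspicious_installer_posts(log_lines: Iterable[str],
                               names: Iterable[str] = LEFTOVER_INSTALLER_NAMES) -> List[Dict[str, str]]:
    """Flag POST requests to the installer page in web-server access logs.

    A finished migration has no reason to POST to the installer again, so each
    hit is an alert candidate.
    """
    names = tuple(names)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not an access-log line we understand; skip rather than crash
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if m.group("method") == "POST" and any(path.endswith("/" + n) for n in names):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "path": path, "status": m.group("status")})
    return hits


# Constructed sample log lines (not real traffic) for a stand-alone run.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2018:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2018:13:55:40 +0000] "GET /installer.php HTTP/1.1" 200 9001',
    '203.0.113.5 - - [10/Oct/2018:13:55:44 +0000] "POST /installer.php?step=2 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Oct/2018:14:02:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 77',
    'garbage line that is not an access log entry',
]


def build_demo_root() -> Path:
    """Create a throwaway WordPress-like root containing one leftover installer file."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    (root / "wp-config.php").write_text("<?php // placeholder config\n")
    (root / "installer.php").write_text("<?php // leftover installer placeholder\n")
    return root


if __name__ == "__main__":
    root = build_demo_root()
    print("leftover installer files:", find_leftover_installers(root))
    for hit in suspicious_installer_posts(SAMPLE_LOG):
        print("ALERT POST to installer:", hit)
```

Run the file-system check against the real document root and the log check against a day of access logs; the leftover-file check is the one to schedule, because removing the installer after a migration closes the condition the post describes regardless of plugin version.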
Labels and Shells
modpr0be both discovered a vulnerability and contributed a module that exploits a stack-based buffer overflow in CyberLink LabelPrint software v2.5 and below. The module generates an lpp file containing shellcode in the track tag and arbitrary data for the others. Opening the file with the CyberLink LabelPrint software results in command execution. This module has been successfully tested on Windows 7, 8.1, and 10.
New Modules
Exploit modules (3 new)
- Snap Creek Duplicator WordPress plugin code injection by Julien Legras and Thomas Chauchefoin, which exploits CVE-2018-17207
- CyberLink LabelPrint 2.5 Stack Buffer Overflow by f3ci and modpr0be, which exploits CVE-2017-14627
- Serve DLL via webdav server by James Cook and Ryan Hanson
Auxiliary and post modules (1 new)
- Oracle DB Privilege Escalation via Function-Based Index by David Litchfield and Moshe Kaplan
Improvements
- averagesecurityguy introduced a new option to auxiliary modules, CreateSession, in order to opt out of session creation when testing credentials.
- dgarvit added some functionality to the show plugins command that will display both the currently loaded plugins and plugins currently available.
- busterb updated Mettle payloads with various bug fixes and compatibility improvements, including some contributions from timwr.
- bcoles introduced some improvements to the linux/gather/enum_configs module that prevents the storage of empty configuration files as loot. Additionally, bcoles added the kernel_config method that returns details on the current kernel configuration and added checks to the post/linux/gather/enum_protections module.
- clee-r7 made fixes to Go modules that produced corrupt output.
- jmartin-r7 added a service mapping feature that links imported scan data to the associated vulnerable service port.
- mrjefftang added support for the ext_server_unhook extension that removes runtime hooks applied by AV.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based off the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.