Metasploit Wrap-Up: 7/19/19

Last updated at Thu, 25 Jan 2024 02:02:50 GMT

RCE with a Key

An exploit module for Laravel Framework was submitted by community contributor aushack. The module targets an insecure unserialize call with the X-XSRF-TOKEN HTTP request header, which was discovered by Ståle Pettersen. Since the exploit requires the Laravel APP_KEY to reach the vulnerable unserialize call, aushack included information leak checks in the module to extract the APP_KEY if necessary. A Google dork, such as the one shown by finnwea, could be used to retrieve the APP_KEY of a misconfigured Laravel server.

AppXSVC

space-r7 submitted a module that combines an AppXSVC DACL permissions overwrite, discovered by Nabeel Ahmed, with DiagHub DLL hijacking, discovered by James Forshaw, to execute code as SYSTEM. Windows AppXSVC on Windows 10 builds prior to 17763 improperly handles hard links which allows a user to gain full privileges over a SYSTEM-owned file. After gaining control of a SYSTEM file the contents are overwritten with a DLL and then loaded by the DiaHub service for code execution.

New modules (4)

• PHP Laravel Framework token Unserialize Remote Command Execution by Ståle Pettersen and aushack, which exploits CVE-2017-16894
• Xymon useradm Command Execution by Markus Krell and bcoles, which exploits CVE-2016-2056
• AppXSvc Hard Link Privilege Escalation by James Forshaw, Nabeel Ahmed, and Shelby Pace, which exploits CVE-2019-0841
• Windows NtUserSetWindowFNID Win32k User Callback by Jacob Robles, Kaspersky Lab, and ze0r, which exploits CVE-2018-8453

Enhancements and features

• PR #12031 by bcoles adds a shutdown method to the Msf::Exploit::Remote::Tcp mixin, exposing the shutdown method from Rex::Socket::Tcp to provide a consistent interface for module developers.

Bugs fixed

• PR #12087 by wvu-r7 ensures that shell features like globs and pipes work again when executing passthrough commands.
• PR #12086 by aushack fixes and refactors #check in auxiliary/admin/http/joomla_registration_privesc to perform as intended.
• PR #12085 by wvu-r7 fixes #is_payload_compatible? by returning false for nil payloads

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 5.0.36...5.0.37
• Full diff 5.0.36...5.0.37

We recently announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions).