Last updated at Tue, 23 Jan 2024 21:49:05 GMT
Insert 'What Year Is It' meme
h00die contributed the Mikrotik unauthenticated directory traversal file read auxiliary gather module, largely a port of the PoC by Ali Mosajjal. The vulnerability, CVE-2018-14847, allows any file on the router to be read through the Winbox server in RouterOS because the server does not validate requests and implicitly trusts the Winbox client. The auxiliary/gather/mikrotik_winbox_fileread module exploits this by communicating with the Winbox server on port 8291 and requesting the system user database file. One would hope all vulnerable MikroTik devices have been patched by now, but if you happen to discover a vulnerable instance, it's time to dump the credentials! Vulnerable versions of MikroTik RouterOS are:
- (bugfix) 6.30.1-6.40.7
- (current) 6.29-6.42
- (RC) 6.29rc1-6.43rc3
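As an added example (not code from the Metasploit module or the original post), the following Ruby classifies a RouterOS version banner against the three ranges above, which is the check a defender wants when triaging an inventory of routers. It assumes the ranges are inclusive exactly as written and that the release channel is known, since each channel was fixed at a different version; it relies on Gem::Version ordering "6.29rc1" before "6.29".

```ruby
require 'rubygems'

# Vulnerable RouterOS ranges for CVE-2018-14847 as listed in the post,
# keyed by release channel. Bounds are treated as inclusive (assumption).
ROUTEROS_VULN_RANGES = {
  'bugfix'  => ['6.30.1',  '6.40.7'],
  'current' => ['6.29',    '6.42'],
  'rc'      => ['6.29rc1', '6.43rc3'],
}.freeze

# Parse a RouterOS version string into a comparable Gem::Version.
# Gem::Version sorts an alphabetic segment ("rc") below a numeric one, so
# 6.43rc3 < 6.43 and 6.29rc1 < 6.29, matching MikroTik's RC numbering.
# Returns nil for strings that are not a version at all.
def routeros_version(str)
  Gem::Version.new(str.to_s.strip)
rescue ArgumentError
  nil
end

# true  -> version on this channel is inside the vulnerable range
# false -> outside the range (older than the first affected or already fixed)
# nil   -> unknown channel or unparseable version; needs manual review
def winbox_fileread_vulnerable?(version, channel)
  range = ROUTEROS_VULN_RANGES[channel.to_s.downcase]
  v = routeros_version(version)
  return nil if range.nil? || v.nil?
  low, high = range.map { |s| Gem::Version.new(s) }
  v >= low && v <= high
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample banners standing in for an inventory export.
  [['6.40.7', 'bugfix'], ['6.40.8', 'bugfix'], ['6.42', 'current'],
   ['6.42.1', 'current'], ['6.43rc3', 'rc'], ['6.43', 'rc'],
   ['6.40', 'stable']].each do |ver, ch|
    puts "#{ver.ljust(8)} #{ch.ljust(8)} vulnerable=#{winbox_fileread_vulnerable?(ver, ch).inspect}"
  end
end
```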
WordPress plugin giveth
Security researcher mslavco discovered an unauthenticated, time-based blind SQL injection in the log parameter of the Loginizer WordPress plugin. h00die contributed the WordPress Loginizer log SQLi Scanner auxiliary module, which exploits the vulnerability (CVE-2020-27615) to extract user credentials and store them in the database. Loginizer versions 1.6.3 and earlier are vulnerable to the auxiliary/scanner/http/wp_loginizer_log_sqli module; note that successful exploitation requires WordPress 5.4 (or newer) or 5.5 (or newer).
New modules (2)
- Mikrotik Winbox Arbitrary File Read by h00die and mosajjal, which exploits CVE-2018-14847
- WordPress Loginizer log SQLi Scanner by h00die, mslavco, and red0xff, which exploits CVE-2020-27615
Enhancements and features
- PR #14252 by h00die updates the Avira password gather module to store captured credentials in the database and adds support for exporting Raw-MD5u hashes, which Avira uses to store passwords.
- PR #14270 by Jeffrey Martin adds guards to notify users of incorrect or missing encoders while allowing the encoding process to continue.
- PR #14282 by h00die enhances the Metasploit loader to provide more accurate error messages when an external module fails to load.
- PR #14297 by Steve Passino updates auxiliary/scanner/http/zabbix_login to support Zabbix versions 3.x, 4.x, and 5.x up to the latest 5.2 LTS release.
Bugs fixed
- PR #14222 by JRodriguez556 replaces calls to the deprecated URI.encode function with calls to Rex::Text.uri_encode in exploits/multi/http/php_fpm_rce.
- PR #14323 by Spencer McIntyre fixes an issue in auxiliary/gather/enum_dns that only affected zone transfer enumeration (AXFR): the module now uses the nameservers specified in the NS datastore option.
- PR #14326 by Christopher Granleese fixes an issue in store_loot in which certain data types were not properly stored, resulting in a subsequent stack trace.
- PR #14350 by Matúš Bursa adds the missing nasm dependency to ensure that tools/exploit/nasm_shell.rb works as expected when running inside Docker.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub.
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).