Last updated at Sat, 20 Jan 2024 22:19:05 GMT

Cacti Unauthenticated Command Injection

Thanks to community contributor Erik Wynter, Metasploit Framework now has an exploit module for an unauthenticated command injection vulnerability in the Cacti network-monitoring software. The vulnerability is due to a proc_open() call that accepts unsanitized user input in remote_agent.php. Provided that the target server has data that's tied to the POLLER_ACTION_SCRIPT_PHP action, the vulnerable proc_open() call can be reached with a single GET request. Successful exploitation will result in a session as the user running the Cacti server.

Python Meterpreter Gets a Few Upgrades

The latest release includes some improvements to Python Meterpreter which gets the payload a little closer to feature parity with Windows Meterpreter. For Windows Python Meterpreter, NtAlexio2 added the enumdesktops command, which like with Windows Meterpreter, enumerates all of the accessible desktops it can find. Our very own zeroSteiner added dual stack IPv4 / IPv6 TCP support for Python Meterpreter. Working across both Windows and Linux, this improvement enables Python Meterpreter to listen on all interfaces it can listen on, including ones that have IPv6 addresses.

New module content (1)

Cacti 1.2.22 unauthenticated command injection

Authors: Erik Wynter, Owen Gong, Stefan Schiller, and Steven Seeley
Type: Exploit
Pull request: #17407 contributed by ErikWynter
AttackerKB reference: CVE-2022-46169

Description: This adds an exploit that targets various versions of Cacti network-monitoring software. For versions 1.2.22 and below, there exists an unauthenticated command injection vulnerability in remote_agent.php that when exploited, will result in remote code execution as the user running the Cacti server.

Enhancements and features (3)

  • #17340 from zeroSteiner - The Python Meterpreter has been updated to warn that the bind information is ignored when a reverse port forward is created to prevent confusion when this information is supplied by a user.
  • #17518 from zeroSteiner - A new adapter has been added to run Python payloads on Windows. This is notably useful for testing Python payloads as SYSTEM or delivered on demand through an exploit module such as psexec.
  • #17519 from jmartin-r7 - Improves the SMTP delivery error handling for the auxiliary/client/smtp/emailer module.

Bugs fixed (2)

  • #17516 from zeroSteiner - The version of Metasploit-payloads has been bumped up to add support for dual IPv4/IPv6 stacks to Python Meterpreter, add support for enumerating desktops with the enumdesktops command to Python Meterpreter, and also add support for binding to the specified localhost to compiled versions of Meterpreter.
  • #17525 from adfoster-r7 - Fixes a deprecation warning when using socks proxy support in Metasploit.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).