Last updated at Fri, 23 Feb 2024 21:37:19 GMT

Unicode your way to a php payload and three modules to add to your playbook for Ansible

Our own jheysel-r7 added an exploit leveraging the fascinating tool of PHP filter chaining to prepend a payload using encoding conversion characters, and h00die et al. have come through and added 3 new Ansible post modules to gather configuration information, read files, and deploy payloads. While none offer instantaneous answers across the universe, they will certainly help in red team exercises.

New module content (4)

Ansible Agent Payload Deployer (1 of 3 Ansible post modules)

Authors: h00die and n0tty
Type: Exploit
Pull request: #18627 contributed by h00die
Path: linux/local/ansible_node_deployer

Ansible Config Gather (2 of 3 Ansible post modules)

Author: h00die
Type: Post
Pull request: #18627 contributed by h00die
Path: linux/gather/ansible

Ansible Playbook Error Message File Reader (3 of 3 Ansible post modules)

Authors: h00die and rioasmara
Type: Post
Pull request: #18627 contributed by h00die
Path: linux/gather/ansible_playbook_error_message_file_reader

Description: This adds 3 post-exploitation modules for Ansible. Ansible Config Gather gathers information and configuration. Ansible Playbook Error Message File Reader exploits an arbitrary file read that enables an attacker to read the first line of a file (typically /etc/shadow) when the compromised account is configured with password-less sudo permissions. Ansible Agent Payload Deployer is an exploit that can deploy a payload to all the nodes in the network.

WordPress Backup Migration Plugin PHP Filter Chain RCE

Authors: Nex Team, Valentin Lobstein, and jheysel-r7
Type: Exploit
Pull request: #18633 contributed by jheysel-r7
Path: multi/http/wp_backup_migration_php_filter

Description: This adds an exploit module that leverages an unauthenticated RCE in the WordPress plugin Backup Migration versions prior to 1.3.7. This vulnerability is identified as CVE-2023-6553. This also adds a library that implements a technique called PHP Filter Chaining which allows an attacker to prepend bytes to a string by continuously chaining character encoding conversion.
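As an added illustration from the detection side (this is not code from the post or from the Metasploit module), the Python scanner below flags request URIs carrying a php://filter wrapper and rates them by how many convert.iconv conversion steps are chained, which is the primitive the description refers to; the access-log lines, the charset names in them and the step threshold are constructed assumptions, not a working chain.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original post).
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Feb/2024:21:37:19 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '203.0.113.9 - - [23/Feb/2024:21:38:02 +0000] "GET /index.php?page=php%3A%2F%2Ffilter%2F'
    'convert.iconv.UTF8.UTF16LE%7Cconvert.base64-encode%7Cconvert.iconv.UTF16LE.UTF8%7C'
    'convert.iconv.UTF8.UTF32%7Cconvert.iconv.UTF32.UTF8%7Cconvert.base64-decode%2F'
    'resource%3Dphp%3A%2F%2Ftemp HTTP/1.1" 200 77',
    '198.51.100.4 - - [23/Feb/2024:21:39:10 +0000] "GET /img.php?f=php://filter/'
    'convert.base64-encode/resource=index.php HTTP/1.1" 200 9001',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|HEAD) (\S+) HTTP/')
# php://filter/[read=|write=]<step>|<step>|.../resource=<target>
FILTER_RE = re.compile(r'php://filter/(?:(?:read|write)=)?([^/]*)/resource=', re.I)

def analyse_uri(uri, iconv_threshold=3):
    """Return a finding dict if the URI carries a php://filter wrapper, else None."""
    decoded = unquote(unquote(uri))          # tolerate single or double URL-encoding
    m = FILTER_RE.search(decoded)
    if m is None:
        return None
    steps = [s.strip().lower() for s in m.group(1).split('|') if s.strip()]
    iconv_steps = sum(1 for s in steps if s.startswith('convert.iconv.'))
    if iconv_steps >= iconv_threshold:
        severity = 'high'      # repeated encoding conversions: the chaining primitive
    elif 'convert.base64-encode' in steps:
        severity = 'medium'    # single encode step: classic source disclosure
    else:
        severity = 'low'
    return {'severity': severity, 'filter_steps': len(steps), 'iconv_steps': iconv_steps,
            'ends_with_base64_decode': bool(steps) and steps[-1] == 'convert.base64-decode'}

def scan_log(lines, iconv_threshold=3):
    """Run analyse_uri over each request line; return findings tagged with the line index."""
    findings = []
    for idx, line in enumerate(lines):
        req = REQUEST_RE.search(line)
        finding = analyse_uri(req.group(1), iconv_threshold) if req else None
        if finding:
            finding['line'] = idx
            findings.append(finding)
    return findings

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f)
```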

Enhancements and features (2)

  • #18596 from dwelch-r7 - Updates multiple SMB modules to work with the new upcoming SMB session type support. This beta functionality is currently behind a feature flag, and can be enabled with features set smb_session_type true.
  • #18682 from adfoster-r7 - Add tests for Msf::Exploit::Local module types to ensure that sysinfo will not break again in the future.

Bugs fixed (2)

  • #18655 from adfoster-r7 - Ensures the module will automatically be used when the hierarchical search functionality is enabled and only one module result is found.
  • #18710 from adfoster-r7 - Fixes an uninitialized constant Msf::Simple::Exploit::ExploitDriver exception that could sometimes occur when running Metasploit framework's payload modules.

Documentation added (1)

  • #18702 from Sh3llSp4wn - Updates the documentation for the private and public fields in lib/metasploit/framework/credential.rb to be correct.

You can always find more documentation on our docsite at docs.metasploit.com.

Missing rn-* label on Github (1)


  • #18398 from errorxyz - Fixes deprecation warnings when running the auxiliary/admin/scada/modicon_password_recovery, auxiliary/scanner/lotus/lotus_domino_hashes, auxiliary/sniffer/psnuffle, exploits/unix/webapp/vbulletin_vote_sqli_exec exploit modules with a database connected.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub.

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.