Committing to some shells in GitList
Shelby has been killing it with new exploit and aux modules by the day. In this iteration, she's produced an exploit for GitList 0.6.0 and likely older versions. The software is built on PHP and allows users to view a Git repo on the web. Through an argument injection, a fake pager can be executed... that is really our shell. There's no reverting this one!
phpMyAdmin today, phpMyAdmin tomorrow
Our pentester-turned-dev and general bad*ss Jacob comes at us this week with a well-researched and implemented exploit module for phpMyAdmin 4.8.0 and 4.8.1. This vuln turns LFI (local file inclusion) into RCE (remote code execution, of course!). Jacob's exploit works on both Windows and Linux, including a MySQL table file on Windows and the PHP sessions file on Linux. Great job!
C randomization for your
evasion totally legit needs
Longtime dev and researcher sinn3r aka "Wei Chen" took it upon himself to add C code randomization capabilities to
Metasploit::Framework::Compiler. Now you can take raw C code, mutate it, and compile it on the fly with Metasploit. You can use the new feature independently or within a module. The possibilities are endless!
Exploit modules (9 new)
- Apache CouchDB Arbitrary Command Execution by Green-m, Joan Touzet, and Max Justicz, which exploits CVE-2017-12635
- HP VAN SDN Controller Root Command Injection by wvu and Matt Bergin
- IBM QRadar SIEM Unauthenticated Remote Code Execution by Pedro Ribeiro, which exploits CVE-2018-1612
- HID discoveryd command_blink_on Unauthenticated RCE by Brendan Coles, Ricky "HeadlessZeke" Lawshae, and coldfusion39, which exploits ZDI-16-223
- GitList v0.6.0 Argument Injection Vulnerability by Kacper Szurek and Shelby Pace, which exploits CVE-2018-1000533
- Monstra CMS Authenticated Arbitrary File Upload by Ishaq Mohammed and Touhid M.Shaikh, which exploits CVE-2017-18048
- phpMyAdmin Authenticated Remote Code Execution by ChaMd5, Henry Huang, and Jacob Robles, which exploits CVE-2018-12613
- Manage Engine Exchange Reporter Plus Unauthenticated RCE by Kacper Szurek
Auxiliary and post modules (4 new)
- Docker Server Version Scanner by Agora-Security
- DCOM Exec by Alberto Solino and Spencer McIntyre
- Open a file or URL on the target computer by Eliott Teissonniere
- Multi Manage the screensaver of the target computer by Eliott Teissonniere
- Added missing CVE references by sinn3r. Ongoing work by Aaron Soto, Jacob Robles, and sinn3r to add missing or document unavailable CVE references in modules.
- Added bind handler messages by wvu. Bind handlers now print connection errors if
VERBOSEis enabled in the console. They would run silently before.
- Added WPCHECK option by bcoles. The
WPCHECKadvanced option has been added to enable or disable checking for WordPress before exploitation.
- Removed ring buffer by busterb. The ring buffer for sessions and channels has been replaced with streams. This shouldn't be noticeable to most users.
- Fixed module_reference tool by sinn3r. The
module_referencetool would break on Python external modules. It has been fixed to continue running.
As always, you can update to the latest Metasploit Framework with
msfupdate and you can get more details on the changes since the last blog post from GitHub:
To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based off the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.