Last updated at Wed, 17 Jan 2024 01:09:31 GMT

WordPress RCE

tiyeuse submitted a Metasploit module for an authenticated remote code execution vulnerability in WordPress, described in a blog post by RIPS Technologies. After authenticating as a user with at least Author privileges, the module first uploads an image file that carries PHP code in its metadata (so the file still passes WordPress's image checks), to be used later. It then sends an image update request that overwrites the attachment metadata entry recording the file's location on disk, replacing it with a path-traversal sequence that resolves to a location inside a WordPress theme directory. Invoking the crop-image functionality makes WordPress write the cropped image to that updated location. Finally, a new post is created that uses the image file as its page template, which WordPress accepts because the file now lives within the theme directory. When the new post is requested, WordPress includes the template and the PHP code in the image file executes on the server.
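Two checks a defender would want after reading the chain above, written here as an added Python example that is not part of the Metasploit module, the RIPS post or WordPress itself: a containment test for the stored attachment path (modelled on WordPress's `_wp_attached_file` meta, which is relative to the uploads directory; the uploads path used is hypothetical), and a scan of image files under a `wp-content`-like tree for PHP open tags. The planted JPEG, the directory layout and the theme name are constructed for the demo.

```python
import os
import posixpath
import tempfile

# Byte sequences that open PHP code. Scanning raw bytes finds them anywhere in
# the file, including EXIF or comment segments that image validators ignore.
PHP_MARKERS = (b"<?php", b"<?=", b'<script language="php"')


def attached_file_stays_in_uploads(meta_value, uploads_dir="/var/www/wp-content/uploads"):
    """True only if an attachment's stored file path resolves inside uploads_dir.

    Modelled on WordPress's _wp_attached_file meta (a path relative to the uploads
    directory; the directory given here is a hypothetical example). The crop step
    of the chain writes to wherever this value resolves, so a value that escapes
    the uploads tree must be refused before it is ever stored.
    """
    if not meta_value or "\x00" in meta_value:
        return False
    base = uploads_dir.rstrip("/")
    resolved = posixpath.normpath(posixpath.join(base, meta_value))
    return resolved.startswith(base + "/")


def find_php_in_images(root):
    """Return image files under root (paths relative to root) containing a PHP open tag."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".jpg", ".jpeg", ".png", ".gif")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if any(marker in data for marker in PHP_MARKERS):
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def build_jpeg_with_php_comment(php_source):
    """Constructed minimal JPEG: SOI, one COM (comment) segment carrying php_source, EOI.

    Not a renderable picture. A real upload would be a valid image with the code in
    EXIF metadata, but the byte-level scan above treats both the same way.
    """
    body = php_source.encode()
    length = (len(body) + 2).to_bytes(2, "big")  # segment length counts its own 2 bytes
    return b"\xff\xd8" + b"\xff\xfe" + length + body + b"\xff\xd9"


def demo():
    """Builds a wp-content-like tree with one planted image and returns the scan hits."""
    with tempfile.TemporaryDirectory() as root:
        theme_dir = os.path.join(root, "themes", "twentyseventeen")
        uploads_dir = os.path.join(root, "uploads", "2019", "02")
        os.makedirs(theme_dir)
        os.makedirs(uploads_dir)
        with open(os.path.join(theme_dir, "cropped-evil.jpg"), "wb") as fh:
            fh.write(build_jpeg_with_php_comment("<?php echo 'planted'; ?>"))
        with open(os.path.join(uploads_dir, "clean.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8\xff\xd9")  # empty JPEG: SOI then EOI, no PHP
        return find_php_in_images(root)


if __name__ == "__main__":
    print(attached_file_stays_in_uploads("2019/02/evil.jpg"))
    print(attached_file_stays_in_uploads("evil.jpg?/../../../../themes/twentyseventeen/cropped-evil.jpg"))
    print(demo())
```

The containment test deliberately normalises the joined path rather than looking for `../` substrings, so a traversal hidden behind a filename suffix (the `?` trick in the second call above) is caught the same way as a bare `../`. An image that passes the scan is not proof of safety, only the absence of the one artefact this chain needs.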

Zimbra RCE

In the blog post A Saga of Code Executions on Zimbra by An Trinh, a vulnerability chain is described that lets an unauthenticated user gain remote code execution on vulnerable versions of Zimbra. jrobles-r7 submitted a Metasploit module that follows the exploit path in the "Breaking Zimbra part 1" section of the post. The exploit starts by retrieving a password from a Zimbra configuration file through an XXE vulnerability in the AutodiscoverServlet. Those credentials are used to obtain a low-privileged user auth cookie, which the SSRF step (in the ProxyServlet) requires: the module proxies an AuthRequest to the admin port and so obtains an admin cookie. With the admin cookie in hand, the exploit finishes by uploading a webshell and executing it.
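The XXE step of that chain, demonstrated offline as an added Python example (not code from the Metasploit module or from An Trinh's post): the same Autodiscover-style request is fed to a parser that resolves external general entities, which splices a stand-in configuration file into the document, and to a hardened parser that refuses any DOCTYPE. The file contents, the secret value and the element names are constructed for the demo. A real localconfig.xml is itself XML, so a plain external entity would have its markup parsed rather than returned as text; published exploits typically work around that with parameter entities and an external DTD, which this example does not reproduce.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax import handler
from xml.sax.handler import ContentHandler

# Constructed stand-in for the Zimbra config file the XXE reads; not real content.
FAKE_LOCALCONFIG = (
    '<localconfig><key name="zimbra_ldap_password">'
    "<value>hunter2</value></key></localconfig>"
)


class DtdNotAllowed(Exception):
    """Raised by the hardened parser when a request carries a DOCTYPE."""


class _AllText(ContentHandler):
    """Collects every run of character data the parser reports."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


class _RefuseDtd:
    """SAX lexical handler: a DOCTYPE aborts the parse before any entity can be declared."""

    def startDTD(self, name, public_id, system_id):
        raise DtdNotAllowed(f"DOCTYPE {name!r} not allowed in this request")

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def build_xxe_payload(target_path):
    """Autodiscover-style request whose EMailAddress is an external entity.

    A parser that resolves external general entities reads target_path and splices
    its contents into the element; a server that reflects that element back in its
    response then hands the file to the attacker.
    """
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE Autodiscover [<!ENTITY xxe SYSTEM "{target_path}">]>\n'
        "<Autodiscover><Request><EMailAddress>&xxe;</EMailAddress>"
        "</Request></Autodiscover>"
    ).encode()


def _parser_with(collector, external_entities, lexical=None):
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, external_entities)
    if lexical is not None:
        parser.setProperty(handler.property_lexical_handler, lexical)
    parser.setContentHandler(collector)
    return parser


def parse_unsafe(xml_bytes):
    """External general entities enabled: the XXE condition. Returns the text content."""
    collector = _AllText()
    _parser_with(collector, external_entities=True).parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts).strip()


def parse_safe(xml_bytes):
    """Hardened: external entities stay off (xml.sax's default) and any DOCTYPE is refused."""
    collector = _AllText()
    _parser_with(collector, external_entities=False, lexical=_RefuseDtd()).parse(
        io.BytesIO(xml_bytes)
    )
    return "".join(collector.parts).strip()


def demo():
    """Feeds the same payload to both parsers; returns what each produced."""
    with tempfile.NamedTemporaryFile("w", suffix=".xml", delete=False) as fh:
        fh.write(FAKE_LOCALCONFIG)
        secret_file = fh.name
    try:
        payload = build_xxe_payload(secret_file)
        leaked = parse_unsafe(payload)
        try:
            parse_safe(payload)
            blocked = False
        except DtdNotAllowed:
            blocked = True
        benign = parse_safe(
            b"<Autodiscover><Request><EMailAddress>user@example.test"
            b"</EMailAddress></Request></Autodiscover>"
        )
    finally:
        os.unlink(secret_file)
    return {"leaked": leaked, "blocked": blocked, "benign": benign}


if __name__ == "__main__":
    print(demo())
```

Refusing the DOCTYPE outright, rather than only disabling external entities, is the stricter choice: it also shuts down internal-entity expansion attacks, and an Autodiscover request has no legitimate need for a DTD.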

New modules (4)

Enhancements and features

  • PR #11702 by jmartin-r7 updates metasm to 1.0.4, which includes fixes for shellcode generation when Ruby 2.5+ runs on Windows.

Having issues with staged payloads from a Windows Metasploit console? An update to Metasm was recently released to help Windows generate the right assembly. When digging into this issue, we found that the updated compiler used for Ruby 2.5 on Windows changed the behavior of Array#sort_by (which relies on the C library's qsort, whose ordering of equal keys is implementation-defined) in a way that only impacted Windows systems. Lesson learned...trust compiler qsort at your own peril.

Bugs fixed

  • PR #11704 by jrobles-r7 fixes an issue where the Host header could be emitted twice if it was specified directly in the headers list passed to the HTTP client.
  • PR #11660 by wvu-r7 ensures modules aren't attempting to create PowerShell payloads with the no-longer-supported use_single_quotes option, in favor of the supported wrap_double_quotes option.
  • PR #11699 by busterb resolves an issue reported by Gwerb where exceptions were not correctly handled when there is a failure to use psexec against a target.
  • PR #11682 by JavanXD updates the apache_range_dos module to properly target hosts for checking vulnerability.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

We recently announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions).