Last updated at Fri, 18 Feb 2022 21:24:12 GMT

Nagios XI web shell upload module

New this week is a Nagios Web Shell Upload module from Rapid7's own Jake Baines, which exploits CVE-2021-37343. This module builds upon the existing Nagios XI scanner written by Erik Wynter. Nagios XI versions prior to 5.8.5 contain a path traversal vulnerability that an authenticated admin can use to upload a PHP web shell, resulting in code execution as the www-data user.

Ignition for Laravel RCE module

Community contributor heyder added a module which exploits CVE-2021-3129 in Ignition for Laravel, versions prior to 2.5.2. This module allows for unauthenticated remote code execution due to insecure usage of the PHP functions file_get_contents() and file_put_contents().

New module content (3)

  • Grandstream UCM62xx IP PBX WebSocket Blind SQL Injection Credential Dump by jbaines-r7, which exploits CVE-2020-5723 - A new module has been added which exploits CVE-2020-5724, a blind SQL injection in GrandStream UCM62xx IP PBX devices prior to firmware version 1.20.22 to dump usernames and passwords from the users table as an unauthenticated attacker. Successfully gathered credentials will be stored in Metasploit's credential database for use in further attacks.
  • Nagios XI Autodiscovery Webshell Upload by Claroty Team82 and jbaines-r7, which exploits CVE-2021-37343 - This exploits a path traversal vulnerability in Nagios XI versions below 5.8.5 to achieve authenticated code execution as the www-data user.
  • Unauthenticated remote code execution in Ignition by Heyder Andrade and ambionics, which exploits CVE-2021-3129 - This module exploits a vulnerability in Ignition before 2.5.2, as used in Laravel and other products, that allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents().

Enhancements and features

  • #16076 from bcoles - This change adds the Meterpreter session type to the post/osx/gather/hashdump module's supported session types, suppressing the warning that was shown when the module is run with a Meterpreter session.
  • #16117 from zeroSteiner - This makes some Log4Shell updates. It refactors the scanner to reduce duplicate code and fixes a couple of minor bugs.
  • #16161 from smashery - This PR updates the user agent strings for HTTP payloads to use the latest user agent strings for Chrome, Edge and Firefox on Windows and macOS, as well as iPad.
  • #16170 from sjanusz-r7 - This change fixes the native_arch functionality on Java and ensures the native architecture is displayed when running meterpreter > sysinfo on Java.
  • #16173 from AlanFoster - Adds additional --no-readline and --readline options to msfconsole for configuring the use of Readline support.
  • #16181 from AlanFoster - This adds a resource script for extracting the Meterpreter commands from currently open sessions.
  • #16192 from zha0gongz1 - The session notifier has been updated to support notifying about new sessions via WeChat using the ServerJang API and servers.
  • #16195 from darrenmartyn - The hp_dataprotector_cmd_exec.rb module has been updated to support x64 payloads. This fixes a bug whereby x64 payloads were not supported as the Arch value was not set, leading it to default to x86 payloads only.

Bugs fixed

  • #16174 from AlanFoster - This change fixes the mode specification on File.read required for Ruby 3 in multiple modules.
  • #16175 from AlanFoster - This change fixes the loadpath command summary to display the module types in alphabetical order.
  • #16177 from AlanFoster - This change fixes the post(test/search) Meterpreter tests on OSX.
  • #16184 from adfoster-r7 - This fixes a crash when running msfconsole on a Windows host in conjunction with the sessions -u command.
  • #16194 from zeroSteiner - This fixes a crash when using Metasploit's psexec module with the Command target.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).