Last updated at Sat, 20 Jan 2024 22:21:10 GMT
Redis Sandbox Escape
Our very own Jake Baines wrote a module that performs a sandbox escape on Redis versions between 5.0.0 and 6.1.0 and achieves remote code execution as the redis user. Redis installations can be password protected, so this module supports exploiting the vulnerability with and without authentication.
While this module targets Redis software, the vulnerability (CVE-2022-0543) only presents itself on Debian-based Linux distributions due to the Lua package interface remaining enabled. The existence of the Lua package interface means that arbitrary libraries can be loaded and used to evade the protections of the sandbox. This vulnerability has been reported as being exploited in the wild.
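The check a Redis operator would want after reading the above: does this instance's Lua scripting environment expose the package table at all? The following is an added audit helper, not part of the Metasploit module or the original post; it speaks RESP over a plain socket, runs a read-only Lua probe (return type(package)) that loads nothing, and reports whether the package interface is reachable, handling password-protected instances as the post mentions. Host, port and the function names are assumptions.

```python
"""Audit helper (added example) for CVE-2022-0543: ask a Redis instance, via its
Lua scripting interface, whether the `package` table is reachable from scripts.
An upstream build errors out or sees nil; an affected Debian build sees a table."""
import socket

PROBE_SCRIPT = "return type(package)"  # read-only probe; loads no library


def resp_command(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings."""
    parts = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)


def parse_reply(data: bytes) -> str:
    """Decode a simple-string, error, or bulk-string reply; errors keep a '-' prefix."""
    kind, body = data[:1], data[1:]
    if kind in (b"+", b"-"):
        text = body.split(b"\r\n", 1)[0].decode()
        return text if kind == b"+" else "-" + text
    if kind == b"$":
        length, rest = body.split(b"\r\n", 1)
        n = int(length)
        return "" if n < 0 else rest[:n].decode()
    raise ValueError(f"unexpected RESP type {kind!r}")


def classify(reply: str) -> str:
    """Map the probe's reply to an audit verdict."""
    if reply == "table":
        return "package-exposed"   # Lua package interface reachable from scripts
    if reply == "nil" or "nonexistent global variable" in reply:
        return "package-hidden"    # upstream sandbox behaviour: global is absent
    if reply.startswith("-NOAUTH"):
        return "auth-required"     # instance is password protected; retry with AUTH
    return "unknown: " + reply


def audit_redis(host: str, port: int = 6379, password: str = "") -> str:
    """Connect, optionally AUTH, run the probe script, and return the verdict."""
    with socket.create_connection((host, port), timeout=5) as sock:
        if password:
            sock.sendall(resp_command("AUTH", password))
            if parse_reply(sock.recv(4096)).startswith("-"):
                return "auth-failed"
        sock.sendall(resp_command("EVAL", PROBE_SCRIPT, "0"))
        return classify(parse_reply(sock.recv(4096)))


if __name__ == "__main__":
    print(audit_redis("127.0.0.1"))  # assumed local instance
```

A "package-exposed" verdict on a Debian-packaged Redis is the signal to apply the distribution's fixed package; "package-hidden" is what an upstream build or a patched package returns.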
Antivirus Enumeration
Thanks to sempervictus we now have a post module for enumerating installed antivirus products on Windows systems. Using either a Meterpreter or shell session, the module detects these installations through WMI queries and saves the information to the database. Some of the data returned includes versioning information, possibly clueing a user in on a potential next target for privilege escalation.
New module content (2)
- Redis Lua Sandbox Escape by Reginaldo Silva and jbaines-r7, which exploits CVE-2022-0543 - This exploit achieves remote code execution as the redis user via a sandbox escape in several Redis versions distributed through Debian-based Linux distributions.
- Windows Installed AntiVirus Enumeration by rageltman - This adds a module that enumerates all installed AV products on Windows.
Enhancements and features (1)
- #16486 from adfoster-r7 - This adds an initial set of pen testing docs to https://docs.metasploit.com/docs/pentesting/
Bugs fixed (2)
- #16450 from ORelio - This updates exploit/multi/vnc/vnc_keyboard_exec to include a delay that increases reliability when getting a shell and typing out long commands.
- #16509 from adfoster-r7 - This ensures proper escaping of HTML in code blocks that are produced by the info -d command.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).