Last updated at Fri, 29 Jul 2022 20:32:42 GMT
Roxy-WI Unauthenticated RCE
This week, community member Nuri Çilengir added an unauthenticated RCE for Roxy-WI. Roxy-WI is an interface for managing HAProxy, Nginx and Keepalived servers. The vulnerability can be triggered by a specially crafted POST request to a Python script where the
ipbackend parameter is vulnerable to OS command injection. The result is reliable code execution within the context of the web application user.
Fewer Meterpreter Scripts
Community member bcoles removed multiple Meterpreter scripts which have been deprecated for years. Metasploit’s documentation has omitted details on how to write them since 2014 and removing the existing ones in favor of their new post-module equivalents ensures users are using the most up-to-date code and workflows. Post modules have a number of advantages over Meterpreter scripts and Metasploit has equivalents for each of the Meterpreter scripts that were removed.
Msfconsole will now suggest datastore option names when an invalid option is specified. This should help users understand when they make a mistake and misspell an option name. The original behavior would just set the invalid option which may leave the user confused when they think they set one thing but the option did not actually change.
For example, prior to these changes setting
LHSOT (instead of
LHOST) the option would just be set, effectively not doing anything.
msf6 exploit(windows/smb/psexec) > set LHSOT 192.168.169.1 LHSOT => 192.168.169.1
Now the new behavior will identify that
LHSOT is not valid in the current context and will suggest setting
msf6 exploit(windows/smb/psexec) > set LHSOT 192.168.159.1 [-] Unknown datastore option: LHSOT. Did you mean LHOST? msf6 exploit(windows/smb/psexec) >
New module content (1)
- Roxy-WI Prior to 126.96.36.199 Unauthenticated Command Injection RCE by Nuri Çilengir, which exploits CVE-2022-31137
Enhancements and features (6)
- #16774 from zeroSteiner - The
setcommand has been updated so that if an invalid datastore option is provided, a suggestion will be made for a valid datastore option, where possible. Additionally, the behavior has been changed so that one can no longer set a datastore value that is not valid within the given content.
- #16798 from bcoles - The deprecated
scripts/meterpreter/pml_driver_config.rbscript has been removed from Metasploit since Metasploit scripts have been deprecated for over 5 years now. Please use
exploit/windows/local/service_permissionsinstead which contains a more modern implementation of the same principle this exploit utilized.
- #16801 from bcoles - The deprecated
scripts/meterpreter/schelevator.rbscript has been removed in favor of
exploit/windows/local/ms10_092_schelevator. Scripts were deprecated over 5 years ago and should no longer be used.
- #16823 from bcoles - The deprecated
scripts/meterpreter/prefetchtool.rbhas been removed and replaced with the
- #16830 from bcoles - Remove deprecated
scripts/meterpreter/getvncpw.rbscript in favor of the
post/windows/gather/credentials/vncpost module which is more modern and has more features.
- #16831 from bcoles - Remove the deprecated
scripts/meterpreter/get_env.rbin favor of the
Bugs fixed (6)
- #16094 from 3V3RYONE - A bug has been fixed in the
pg_ctl.rbhelper whereby it was possible that initializing and starting databases using
msfdb initmight fail due to the
pg_ctl.rbhelper not properly setting
unix_socket_directoriesto a path that a non-root user can write to. This code has now been updated so that it will set the
unix_socket_directoriessetting to a path that the current user can write to or will error out if it cannot find a writeable directory to use for the socket file.
- #16668 from sempervictus - A bug has been fixed in the HTTP crawler module and its associated library whereby the code expected an object to be populated when it may not be. This has been fixed with additional validation.
- #16810 from entity0xfe - The
hostcommand has been updated to fix a bug whereby the
-tflag was not properly accepting the
<tag>parameter that it was supposed to accept and process. Additionally, the documentation for this option has been updated to be clearer.
- #16817 from jmartin-r7 - Several modules and libraries were previously calling
Msf::Config.get_config_rootwhich did not properly account for changes to the configuration path that the user might make. These calls have been replaced with calls to
Msf::Config.config_directorywhich will appropriately take the user's configuration settings into account.
- #16819 from adfoster-r7 - A bug has been fixed whereby running the
hostscommand with the
-cflag to filter by columns would result in a stack trace. The command now correctly returns the output with only the columns specified to the
- #16824 from bcoles - A bug has been fixed in the
is_system?post exploitation methods, which previously incorrectly reported the user as always being an administrator and a system user respectively when run on shell sessions.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a
git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).