Last updated at Fri, 23 Sep 2022 18:50:37 GMT
Have you built out that awesome media room?
If your guilty pleasures include using a mobile device to make your home entertainment system WOW your guests, you might be using Unified Remote. I hope you are extra cautious about what devices you let on that WiFi network. A prolific community member h00die added a module this week that uses a recently published vulnerability from H4RK3NZ0 to leverage an unprotected configuration page exposed on the media service, combined with just a little bit of protocol info the module makes that media server a prime target for pranks and other less friendly activities by guests on the network.
Finding the needles in that Linux memory stack
Brought to you by the combined efforts of many members of the Metasploit Community, Linux meterpeter payloads now offer a new way to hunt down passwords in memory on all those delicious Linux sessions you gather with Metasploit. The new
post/linux/gather/mimipenguin module hunts down clear text passwords in Linux memory based on MimiPenguin.
We all love to share code with the public
Metasploit plays well with others
Last week’s update brought with it an awesome way to utilize Metasploit with payload generated by Sliver that even ranked a call out in their latest release notes. Great to see the community promoting these updates for more people to learn about and utilize.
New module content (4)
- VICIdial Multiple Authenticated SQLi by h00die, which exploits CVE-2022-34878 - This PR adds a module which exploits several authenticated sqli in VICIdial (CVE-2022-34876, CVE-2022-34877, CVE-2022-34878).
- Bitbucket Git Command Injection by Jang, Ron Bowes, Shelby Pace, and TheGrandPew, which exploits CVE-2022-36804 - Adds an exploit for CVE-2022-36804 which is an unauthenticated RCE in Bitbucket.
- Unified Remote Auth Bypass to RCE by H4RK3NZ0 and h00die, which exploits CVE-2022-3229 - This adds an exploit module to exploit an authentication bypass to achieve remote code execution in Unified Remote on Windows. Note that the latest version (18.104.22.1683) is vulnerable, which makes it a 0-Day.
- MimiPenguin by Shelby Pace, bcoles, and huntergregal, which exploits CVE-2018-20781 - This adds a port of Mimipenguin to Metasploit. Relying on mem_search() and mem_read(), this searches the memory regions of various processes for needles that are found near passwords in cleartext. Using the locations for all of the needles found, this will search the nearby regions for possible passwords.
Enhancements and features (6)
- #16940 from adfoster-r7 - Rewrites Metasploit's datastore to fix multiple bugs and edge cases. The
unsetcommand will now consistently unset previously set datastore values, so that default values are used once again. Explicitly clearing a datastore value can be done with the
set --clear OptionNamecommand. Modules that require protocol specific option names such as SMBUser/FTPUser/BIND_DN/etc can now be consistently set with just username/password/domain options, i.e.
set username Administratorinstead of
set SMBUser Administrator. This rewrite is currently behind a feature flag which can be enabled with
features set datastore_fallbacks true.
- #17002 from bcoles - The
lib/msf/core/post/windows/wmic.rblibraries have been updated to replace calls to
load_extapiwith ExtAPI compatibility checks which will check if the session supports ExtAPI, since if the sessions supports ExtAPI, it should already be loaded.
- #17003 from bcoles -
enum_patcheshas had its code updated to output the patches enumerated as a table and store the results long term in a CSV file. Additionally, a check has been added to see if the current session supports the required Meterpreter extension compatibility prior to trying to run the module. Finally, the code and documentation have been cleaned up and modernized.
- #17015 from jmartin-r7 - Updates
auxiliary/scanner/http/http_loginto report login success when the http status code is in the range
200,201,300-308. This functionality is user-configurable with
set HttpSuccessCodes 200.
- #17049 from bcoles - Adds Notes module meta information and replaces custom
get_members_from_groupfrom the Post API.
- #17051 from bcoles - Adds module documentation, notes for module meta information, and improves module error handling.
Bugs fixed (3)
- #17023 from zeroSteiner - The
post/windows/manage/rollback_defender_signaturesmodule has been updated to work on WoW64 sessions, and has had its code updated so that the default action is now a valid option.
- #17036 from zeroSteiner - Fixes a bug where the
sessionscommand would show the connection as coming from losthost 127.0.0.1, instead of the correct peer host address for reverse_http Meterpreter sessions.
- #17052 from adfoster-r7 - Fixes an error in Metasploit-framework when the host machine has OpenSSL 3.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a
git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).