Last updated at Fri, 28 Oct 2022 17:45:29 GMT

GLPI htmLawed PHP Command Injection

Our very own bwatters-r7 wrote a module for an unauthenticated PHP command injection vulnerability that exists in various versions of GLPI. The vulnerability is due to a third-party vendor test script being present in default installations. A POST request to vendor/htmlawed/htmlawed/htmLawedTest.php directly allows an attacker to execute exec() through the hhook and test parameters, resulting in unauthenticated RCE as the www-data user. The GLPI project has released an advisory detailing patched versions available for download and also noting that this vulnerability has been seen exploited in the wild.

Vagrant Breakout Exploit

Community contributor bcoles added a module that exploits a built-in Vagrant feature to break out of a Vagrant box and gain access to the host system. Specifically, the shared project folder that exists on the host is mounted on the guest Vagrant box as a writable directory, and the project’s configuration file exists there. Every time a user on the host executes a vagrant command from within the project directory, the Ruby code within the config file gets executed. As a result, an attacker can add arbitrary code to the config file, wait for the user to run a vagrant command, and then gain a shell on the host system with the privileges of the user who ran the command. Since there is no intention to patch this issue, denying the shared folders feature for Vagrant projects is the best way to prevent this.

vCenter Secrets Dump Module

h00die and npm-cesium137-io submitted a post module that targets vCenter appliances. Using an elevated session, this module collects DC credentials, SSO user accounts and hashes, domain information, certificates, and more. The information gathered can be used to add new SSO admin users to vCenter, sign forged SAML assertions, and to dump more data via the auxiliary/gather/vmware_vcenter_vmdir_ldap module.

New module content (3)

  • GLPI htmLawed php command injection by bwatters-r7 and cosad3s, which exploits CVE-2022-35914 - This PR adds a module for CVE-2022-35914, a php command injection vulnerability in GLPI versions up to and including 10.0.2.
  • Vagrant Synced Folder Vagrantfile Breakout by bcoles - This PR adds a module that exploits a default Vagrant shared folder to append a Ruby payload to the Vagrant project Vagrantfile config file. The payload gets executed the next time the user runs a vagrant command.
  • vCenter Secrets Dump by h00die and npm-cesium137-io - This PR adds the post/linux/gather/vcenter_secrets_dump module to dump vCenter vmdir dcAccountPassword and platform certificates.

Enhancements and features (7)

  • #16979 from gwillcox-r7 - This improves the existing ldap_query module by allowing it to decode some data types into a human readable format.
  • #17050 from usiegl00 - This updates the osx stager to no longer write artifacts to disk when performing in-memory code loading.
  • #17071 from gwillcox-r7 - This adds additional predefined LDAP queries to the existing ldap_query module that can help enumerate specific information in support of certain attack paths.
  • #17128 from cgranleese-r7 - Updates auxiliary/scanner/smb/smb_enumshares to support specifying a share name such as run smb://Account:Password@TargetIP spidershares=true showfiles=true share=TargetShareName. Useful files are now also highlighted automatically.
  • #17164 from r3nt0n - This adds a new option, THEME_DIR to the exploit/multi/http/wp_crop_rce module that is useful when the current Wordpress theme cannot be auto-detected by the module or when a user leverages other means of determining the theme.
  • #17176 from llamasoft - This updates the Python Meterpreter stage to calculate the necessary data for AES encryption at runtime which reduces the stage size by about 6,000 bytes.
  • #17185 from adfoster-r7 - Updates msfconsole's tips command to include the analyze command, as well as hosts -R and services -R

Bugs fixed (2)

  • #17172 from bcoles - Fixes a bug in Msf::Post::File.append_file which caused file contents to be overwritten on non-Windows sessions.
  • #17187 from ErikWynter - Fixes an issue in the aerohive_netconfig_lfi_log_poison_rce exploit module that resulted in the vulnerable version 10.0r8 being flagged as non-vulnerable

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).